
Security checking program - rootkit hunter


rootkit hunter

- A rootkit detection program. It is best used together with chkrootkit, since the two complement each other.


-------------------------------------------------------------------

http://www.rootkit.nl/

http://www.rootkit.nl/projects/rootkit_hunter.html

rkhunter-1.3.4.tar.gz : (download)

-------------------------------------------------------------------



1. Download and extract

 
[root@server3 Desktop]# pwd
/root/Desktop
[root@server3 Desktop]# ls
rkhunter-1.3.4.tar.gz
[root@server3 Desktop]# tar xvfz rkhunter-1.3.4.tar.gz
rkhunter-1.3.4/
rkhunter-1.3.4/files/
rkhunter-1.3.4/files/WISHLIST
rkhunter-1.3.4/files/programs_bad.dat
rkhunter-1.3.4/files/rkhunter
rkhunter-1.3.4/files/defaulthashes.dat
rkhunter-1.3.4/files/i18n/
rkhunter-1.3.4/files/i18n/cn
rkhunter-1.3.4/files/i18n/zh.utf8
rkhunter-1.3.4/files/i18n/zh
rkhunter-1.3.4/files/i18n/en
rkhunter-1.3.4/files/tools/
rkhunter-1.3.4/files/tools/README
rkhunter-1.3.4/files/tools/update_client.sh
rkhunter-1.3.4/files/tools/update_server.sh
rkhunter-1.3.4/files/README
rkhunter-1.3.4/files/filehashmd5.pl
rkhunter-1.3.4/files/programs_good.dat
rkhunter-1.3.4/files/contrib/
rkhunter-1.3.4/files/contrib/run_rkhunter.sh
rkhunter-1.3.4/files/contrib/README.txt
rkhunter-1.3.4/files/contrib/rkhunter_remote_howto.txt
rkhunter-1.3.4/files/testing/
rkhunter-1.3.4/files/testing/stringscanner.sh
rkhunter-1.3.4/files/testing/rootkitinfo.txt
rkhunter-1.3.4/files/testing/rkhunter.conf
rkhunter-1.3.4/files/filehashsha1.pl
rkhunter-1.3.4/files/mirrors.dat
rkhunter-1.3.4/files/backdoorports.dat
rkhunter-1.3.4/files/check_modules.pl
rkhunter-1.3.4/files/md5blacklist.dat
rkhunter-1.3.4/files/rkhunter.conf
rkhunter-1.3.4/files/check_port.pl
rkhunter-1.3.4/files/CHANGELOG
rkhunter-1.3.4/files/os.dat
rkhunter-1.3.4/files/check_update.sh
rkhunter-1.3.4/files/FAQ
rkhunter-1.3.4/files/ACKNOWLEDGMENTS
rkhunter-1.3.4/files/stat.pl
rkhunter-1.3.4/files/LICENSE
rkhunter-1.3.4/files/readlink.sh
rkhunter-1.3.4/files/development/
rkhunter-1.3.4/files/development/createfilehashes.pl
rkhunter-1.3.4/files/development/osinformation.sh
rkhunter-1.3.4/files/development/search_dead_sysmlinks.sh
rkhunter-1.3.4/files/development/i18nchk
rkhunter-1.3.4/files/development/createhashes.sh
rkhunter-1.3.4/files/development/rpmprelinkhashes.sh
rkhunter-1.3.4/files/development/createhashesall.sh
rkhunter-1.3.4/files/development/rpmhashes.sh
rkhunter-1.3.4/files/suspscan.dat
rkhunter-1.3.4/files/rkhunter.8
rkhunter-1.3.4/files/showfiles.pl
rkhunter-1.3.4/files/rkhunter.spec
rkhunter-1.3.4/installer.sh
[root@server3 Desktop]# ls
rkhunter-1.3.4
rkhunter-1.3.4.tar.gz

[root@server3 Desktop]# mv rkhunter-1.3.4 /usr/local/src/




2. Install

 
[root@server3 Desktop]# cd /usr/local/src
[root@server3 src]# ls
rkhunter-1.3.4
[root@server3 src]# cd rkhunter-1.3.4/
[root@server3 rkhunter-1.3.4]# ls
files  installer.sh

[root@server3 rkhunter-1.3.4]# cd files/
[root@server3 files]# ls
ACKNOWLEDGMENTS    check_port.pl      md5blacklist.dat   rkhunter.conf
CHANGELOG          check_update.sh    mirrors.dat        rkhunter.spec
FAQ                contrib            os.dat             showfiles.pl
LICENSE            defaulthashes.dat  programs_bad.dat   stat.pl
README             development        programs_good.dat  suspscan.dat
WISHLIST           filehashmd5.pl     readlink.sh        testing
backdoorports.dat  filehashsha1.pl    rkhunter           tools
check_modules.pl   i18n               rkhunter.8
[root@server3 files]# vi README

[root@server3 files]# cd ..
[root@server3 rkhunter-1.3.4]# ls
files  installer.sh
[root@server3 rkhunter-1.3.4]# ./installer.sh --help
Rootkit Hunter installer 1.2.8
Usage: ./installer.sh <parameters>

Ordered valid parameters:
--help (-h)      : Show this help.
--examples       : Show layout examples.
--layout <value> : Choose installation template (mandatory switch).
                   The templates are:
                    - default: (FHS compliant),
                    - /usr,
                    - /usr/local,
                    - oldschool: previous version file locations,
                    - custom: supply your own prefix,
                    - RPM: for building RPM's. Requires $RPM_BUILD_ROOT.
                    - DEB: for building DEB's. Requires $DEB_BUILD_ROOT.
--striproot      : Strip path from custom layout (for package maintainers).
--install        : Install according to chosen layout.
--show           : Show chosen layout.
--remove         : Uninstall according to chosen layout.
--version        : Show the installer version.

[root@server3 rkhunter-1.3.4]# ./installer.sh --layout default --install

Checking system for:
 Rootkit Hunter installer files: found. OK
 Available file retrieval tools:
    wget: found. OK
Starting installation/update

Checking PREFIX /usr/local: exists, and is writable. OK
Checking installation directories:
 Directory /usr/local/share/doc/rkhunter-1.3.4: creating: OK.
 Directory /usr/local/share/man/man8: exists, and is writable. OK
 Directory /etc: exists, and is writable. OK
 Directory /usr/local/bin: exists, and is writable. OK
 Directory /usr/local/lib: exists, and is writable. OK
 Directory /var/lib: exists, and is writable. OK
 Directory /usr/local/lib/rkhunter/scripts: creating: OK.
 Directory /var/lib/rkhunter/db: creating: OK.
 Directory /var/lib/rkhunter/tmp: creating: OK.
 Directory /var/lib/rkhunter/db/i18n: creating: OK.
 Installing check_modules.pl: OK.
 Installing check_update.sh: OK.
 Installing check_port.pl: OK.
 Installing filehashmd5.pl: OK.
 Installing filehashsha1.pl: OK.
 Installing showfiles.pl: OK.
 Installing stat.pl: OK.
 Installing readlink.sh: OK.
 Installing backdoorports.dat: OK.
 Installing mirrors.dat: OK.
 Installing os.dat: OK.
 Installing programs_bad.dat: OK.
 Installing programs_good.dat: OK.
 Installing defaulthashes.dat: OK.
 Installing md5blacklist.dat: OK.
 Installing suspscan.dat: OK.
 Installing rkhunter.8: OK.
 Installing ACKNOWLEDGMENTS: OK.
 Installing CHANGELOG: OK.
 Installing FAQ: OK.
 Installing LICENSE: OK.
 Installing README: OK.
 Installing WISHLIST: OK.
 Installing language support files: OK.
 Installing rkhunter: OK.
 Installing rkhunter.conf: OK.
Installation finished.
[root@server3 rkhunter-1.3.4]#




3. Run

 
[root@server3 rkhunter-1.3.4]# cd files/
[root@server3 files]# ls
ACKNOWLEDGMENTS    check_port.pl      md5blacklist.dat   rkhunter.conf
CHANGELOG          check_update.sh    mirrors.dat        rkhunter.spec
FAQ                contrib            os.dat             showfiles.pl
LICENSE            defaulthashes.dat  programs_bad.dat   stat.pl
README             development        programs_good.dat  suspscan.dat
WISHLIST           filehashmd5.pl     readlink.sh        testing
backdoorports.dat  filehashsha1.pl    rkhunter           tools
check_modules.pl   i18n               rkhunter.8

[root@server3 files]# ./rkhunter --help

Usage: rkhunter {--check | --update | --versioncheck |
                 --propupd [{filename | directory | package name},...] |
                 --list [{tests | {lang | languages} | rootkits},...] |
                 --version | --help} [options]

Current options are:
         --append-log                  Append to the logfile, do not overwrite
         --bindir <directory>...       Use the specified command directories
     -c, --check                       Check the local system
  --cs2, --color-set2                  Use the second color set for output
         --configfile <file>           Use the specified configuration file
         --cronjob                     Run as a cron job
                                       (implies -c, --sk and --nocolors options)
         --dbdir <directory>           Use the specified database directory
         --debug                       Debug mode
                                       (Do not use unless asked to do so)
         --disable <test>[,<test>...]  Disable specific tests
                                       (Default is to disable no tests)
         --display-logfile             Display the logfile at the end
         --enable  <test>[,<test>...]  Enable specific tests
                                       (Default is to enable all tests)
         --hash {MD5 | SHA1 | NONE |   Use the specified file hash function
                 <command>}            (Default is SHA1)
     -h, --help                        Display this help menu, then exit

- (output omitted)

[root@server3 files]# ./rkhunter --check - run the system scan
[ Rootkit Hunter version 1.3.4 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preload file                                [ Not found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

- (output omitted)

System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 129
    Suspect files: 5

Rootkit checks...
    Rootkits checked : 118
    Possible rootkits: 0

Applications checks...
    Applications checked: 7
    Suspect applications: 0

The system checks took: 1 minute and 30 seconds

All results have been written to the logfile (/var/log/rkhunter.log) - this is the path where the log file is saved.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

[root@server3 ~]# vi /var/log/rkhunter.log - checking the log file gives the details behind each warning.

[root@server3 files]# ./rkhunter --versioncheck - check the rootkit hunter version
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter version...
  This version  : 1.3.4
  Latest version: 1.3.4

[root@server3 files]# ./rkhunter --update - update the rootkit hunter database
[ Rootkit Hunter version 1.3.4 ]

Checking rkhunter data files...
  Checking file mirrors.dat                                  [ No update ]
  Checking file programs_bad.dat                             [ No update ]
  Checking file backdoorports.dat                            [ No update ]
  Checking file suspscan.dat                                 [ No update ]
  Checking file i18n/cn                                      [ No update ]
  Checking file i18n/en                                      [ No update ]
  Checking file i18n/zh                                      [ No update ]
  Checking file i18n/zh.utf8                                 [ No update ]

[root@server3 files]# ./rkhunter -c --rwo - print only the abnormal results (warnings only)
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source. The rkhunter '--check' option will compare the current file properties
         against previously stored values, and report if any values differ. However, rkhunter
         cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/rsync
Warning: Found enabled xinetd service: /etc/xinetd.d/telnet
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
         The default value may be 'yes', to allow root access.
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

[root@server3 files]#
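The --rwo output above is what a cron wrapper has to digest, so here is an added example (not from the post and not rkhunter's own code) that buckets those "Warning:" lines by kind: replaced commands, hidden paths, enabled xinetd services, the ssh setting, and the missing --propupd baseline. The sample_rwo function reproduces the warnings shown above as a constructed sample; on a real host you would feed it the output of rkhunter -c --rwo --nocolors instead. Bucket names are my own.

```shell
#!/bin/sh
# Added example, not part of the post or of rkhunter: bucket the "Warning:" lines
# that 'rkhunter -c --rwo' prints so a reviewer sees at a glance how many findings
# are replaced commands, hidden paths, enabled xinetd services, ssh settings, or
# just the missing --propupd baseline. Continuation lines (indented, no "Warning:"
# prefix) belong to the previous warning and are skipped.

# Constructed sample: the --rwo output shown in the post.
sample_rwo() {
cat <<'EOF'
Warning: Checking for prerequisites               [ Warning ]
         The file of stored file properties (rkhunter.dat) does not exist, and so must be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
         is used, all the files on their system are known to be genuine, and installed from a
         reliable source.
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Found enabled xinetd service: /etc/xinetd.d/rsync
Warning: Found enabled xinetd service: /etc/xinetd.d/telnet
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
         The default value may be 'yes', to allow root access.
Warning: Hidden directory found: /etc/.java
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
EOF
}

# Read --rwo output on stdin; print "<bucket> <count>" per bucket, sorted by name.
rkh_triage() {
    grep '^Warning:' | awk '
        /^Warning: WARNING!/             { b["advisory"]++;         next }
        /Checking for prerequisites/     { b["no-baseline"]++;      next }
        /has been replaced by a script/  { b["replaced-command"]++; next }
        /Found enabled xinetd service/   { b["xinetd-service"]++;   next }
        /SSH configuration option/       { b["ssh-config"]++;       next }
        /Hidden (directory|file) found/  { b["hidden-path"]++;      next }
                                         { b["other"]++ }
        END { for (k in b) print k, b[k] }' | sort
}

# Count for one bucket name (0 if absent); handy for threshold checks in a cron wrapper.
rkh_count() {
    rkh_triage | awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

# Return 0 when the output contains findings a person must look at (replaced
# commands or hidden paths), 1 when only hygiene/baseline notices remain.
rkh_needs_review() {
    input=$(cat)
    replaced=$(printf '%s\n' "$input" | rkh_count replaced-command)
    hidden=$(printf '%s\n' "$input" | rkh_count hidden-path)
    [ "$replaced" -gt 0 ] || [ "$hidden" -gt 0 ]
}

# Demo run on the constructed sample.
sample_rwo | rkh_triage
```

A cron entry can pipe rkhunter --cronjob --rwo into rkh_needs_review and only send mail when it returns 0; the hygiene buckets (xinetd, ssh-config) are worth fixing too, but they do not need the same urgency as a replaced /sbin/ifup.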




- Note
rootkit hunter scan order
1. Scan for the presence of known rootkits
2. Scan for files associated with known rootkits, for backdoors, and for sniffer logs
3. Scan /etc/rc.d/rc.sysinit and /etc/xinetd.conf for suspicious added settings
4. Scan frequently tampered files such as /bin/ps, /bin/ls and /bin/netstat for modification
5. Scan loaded modules
6. Scan commonly used backdoor ports (2001, 2006, 2128, 14856, 47107, 60922)
7. Scan whether the NIC is in promiscuous mode
8. Scan user and group files for modification
9. Scan /etc/rc.d/rc.local and the directory tree under rc.d/
10. Scan /dev for suspicious files
11. Scan whether specific applications are patched
12. Scan other security settings, such as the ssh security configuration
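Step 4 of that list, and the --propupd warnings in the -c --rwo run above, are both about the same mechanism: a stored baseline of file properties that later checks are compared against. The following is an added example, not rkhunter's own code, of that mechanism in miniature: prop_record is the --propupd step, prop_check is the --check step, and the demo swaps a fake binary for a shell script to reproduce the "has been replaced by a script" warning. The scratch files are constructed; GNU coreutils (sha1sum, stat -c) and paths without whitespace are assumed.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a miniature of the file properties check
# behind 'rkhunter --propupd' (record a baseline) and 'rkhunter --check' (compare
# against it). It records SHA-1, size and permission bits per command, then reports
# what differs, including the "has been replaced by a script" case from the post.
# Like rkhunter it can only report THAT a file changed, not why, and the baseline is
# only meaningful if taken while the files are known good (e.g. right after a clean
# install). Assumes GNU coreutils (sha1sum, stat -c) and paths without whitespace.

# Print "path sha1 size mode" for each existing regular file named on the command line.
prop_record() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "$f" "$(sha1sum "$f" | awk '{print $1}')" "$(stat -c '%s %a' "$f")"
    done
}

# Compare the baseline file given as $1 against the current state of each path.
# Prints one "Warning:" line per difference; returns 1 if anything differed, else 0.
prop_check() {
    baseline=$1
    rc=0
    while read -r path sum size mode; do
        if [ ! -f "$path" ]; then
            echo "Warning: $path is missing"
            rc=1
            continue
        fi
        now_sum=$(sha1sum "$path" | awk '{print $1}')
        now_size=$(stat -c %s "$path")
        now_mode=$(stat -c %a "$path")
        if [ "$now_sum" != "$sum" ]; then
            echo "Warning: $path hash changed"
            rc=1
            # A recorded binary that now begins with "#!" is what rkhunter
            # reports as "has been replaced by a script".
            if [ "$(head -c 2 "$path")" = "#!" ]; then
                echo "Warning: $path has been replaced by a script"
            fi
        fi
        if [ "$now_size" != "$size" ]; then
            echo "Warning: $path size changed ($size -> $now_size)"
            rc=1
        fi
        if [ "$now_mode" != "$mode" ]; then
            echo "Warning: $path mode changed ($mode -> $now_mode)"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# Self-contained demo: fake "commands" in a scratch directory, a baseline, then one
# of them overwritten by a shell script (constructed tampering, nothing real).
demo_prop_check() {
    dir=$(mktemp -d)
    printf '\177ELF\002fake-binary-ps' > "$dir/ps"
    printf '\177ELF\002fake-binary-ls' > "$dir/ls"
    chmod 755 "$dir/ps" "$dir/ls"
    prop_record "$dir/ps" "$dir/ls" > "$dir/baseline.dat"   # the --propupd step
    printf '#!/bin/sh\necho tampered\n' > "$dir/ps"          # ps silently swapped
    prop_check "$dir/baseline.dat"                           # the --check step
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_prop_check || echo "differences found; investigate before refreshing the baseline"
```

The important habit the example encodes is the one rkhunter's WARNING! text spells out: only run the equivalent of --propupd (prop_record) when you have a reason to trust the files, and treat every later difference as something to explain, not something to overwrite.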