LinuxSoft


Rootkit Hunter

What is Rootkit Hunter?

First, a rootkit is the general name for a set of cracker tools that, once a UNIX system has been compromised, hide the intruder's processes and scan or attack other hosts.

Rootkit Hunter is a tool that detects such planted tools, and also detects original files (for example ps or ls) that have been replaced so that they hide processes or files. The best-known software of this kind is chkrootkit; Rootkit Hunter checks quite thoroughly, so it is quite good.

If Rootkit Hunter detects something, it reports it like this:

   /usr/bin/stat                                              [ OK ]
   /usr/bin/users                                             [ BAD ]
   /usr/bin/w                                                 [ BAD ]
   /usr/bin/watch                                             [ BAD ]
   /usr/bin/who                                               [ BAD ]
   /usr/bin/whoami                                            [ BAD ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------

As above, files that may have been tampered with are shown as [BAD].

Once installed, it is a good idea to run it periodically from cron and have the results mailed to the administrator. It cannot detect fine-grained file changes the way Tripwire does, but it is sufficient as a tool for a rough check on which to base appropriate action.

Features

Rootkit Hunter is a tool that (so the author says) guarantees detection of 99.9% of malicious tools. It detects rootkits*1, backdoors (backdoor)*2 and exploits (exploit)*3 by the following methods:

  • MD5 hash comparison
  • Default files and directories used by rootkits
  • Wrong permissions on executables
  • Detection of suspicious system modules that look like LKM*4 or KLD*5 modules
  • Detection of hidden files
  • Scanning of text and binary files

That is what the project states.

The license is the GPL, so it can be used free of charge. Thanks to the developers.

Rootkit Hunter

GNU General Public License (GPL)

Supported environments

According to the site's description, it seems to support a fair number of Linux systems. Fedora Core 4 is not listed, but I confirmed that it runs there.

Installing Rootkit Hunter

Installation

The downloaded archive contains no installation documentation; you are told to read the Rootkit Hunter FAQ (in English). I set it up using that as a reference. A Japanese translation of the FAQ is here.

First, fetch and unpack the files.

$ cd /usr/local/src
$ wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
$ tar xfz rkhunter-1.2.7.tar.gz
$ cd rkhunter

That part is routine. Let's move on.

Become root. Depending on your environment, sudo is fine too.

$ su
# ./install.sh

That completes the setup!

After setup, the binary is installed at:

/usr/local/bin/rkhunter

Incidentally, running ./install.sh prints check results like the following:

# ./installer.sh

Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)
---------------
Starting installation/update

Checking  /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings...
    - Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... OK
Installing RK Hunter binary... OK
Configuration updated with installation path (/usr/local/rkhunter) 

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)

After installation

After installing, update the rootkit database just in case; a new rootkit may have been discovered that it can then detect.

# /usr/local/bin/rkhunter --update

Now let's try running it.

With the -c option the check starts. --skip-keypress is not required, but it is tedious without it, so add it for now.

# /usr/local/bin/rkhunter -c --skip-keypress

A long stream of results will scroll by. For details, compare your results against the page below.

Options of the rkhunter command

There are several options, but the ones actually used are:

  • -c: run the check (scan the system)
  • --cronjob: output for use from cron (no colours, suitable for mailing)
  • --nocolors: do not use colour in the output
  • --createlogfile: save a log of the scan to /var/log/rkhunter.log
  • --update: update the rootkit database

Mailing the system status periodically

Since this is that kind of tool, let's have cron run it automatically on a schedule. There are many ways to do this; here we write a script that runs with root privileges and mails the result automatically. So:

# vi /usr/local/bin/rkhunter-mail.sh

Put the following in the file:

#!/bin/sh
/usr/local/bin/rkhunter -c --skip-keypress --cronjob | \
        mail -s "[Rootkit Hunter] HOSTNAME `date +%Y-%m-%d`" admin@example.jp

Write it like this. Replace HOSTNAME with your own hostname, and admin@example.jp with your own (or the administrator's) e-mail address.

Next, make it executable:

# chmod +x /usr/local/bin/rkhunter-mail.sh

Register it with cron:

# crontab -e

Run that; the crontab opens in vi, so add:

00 01 * * *     /usr/local/bin/rkhunter-mail.sh  > /dev/null 2>&1
00 01 * * sun   /usr/local/bin/rkhunter --update > /dev/null 2>&1

With this entry, the rkhunter wrapper script (which runs Rootkit Hunter) runs every day at 01:00, and a mail with the subject "[Rootkit Hunter] HOSTNAME 2005-07-18" (the last part being the date) is sent to admin@example.jp. Rewrite the subject and so on as needed.

The second line automatically updates the Rootkit Hunter database every Sunday at 01:00.
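As an added example (not from the original page), here is a variant of the mail script above that keeps a dated log and mails the administrator only when the report contains findings, so an "all OK" mail never buries a real one. /var/log/rkhunter is an assumed log directory; the rkhunter path, its options and the recipient are the ones used on this page.

```shell
#!/bin/sh
# Added example, not the page's own script: cron wrapper around rkhunter that
# keeps a dated log and mails the administrator only when something was flagged.
RKHUNTER=/usr/local/bin/rkhunter   # path from the page's install.sh run
LOGDIR=/var/log/rkhunter           # assumption: must exist and be root-only
ADMIN=admin@example.jp             # recipient used on the page

# Count report lines that rkhunter marks as findings. The page's sample output
# uses "[ BAD ]" for a file whose hash did not match; "Warning" covers the other
# non-OK results. Reads the report on stdin and prints the count (0 if none).
count_findings() {
    grep -c -E '\[ *(BAD|Warning!?) *\]' || true
}

# Build the mail subject: "[Rootkit Hunter] HOST DATE (N findings)".
mail_subject() {
    printf '[Rootkit Hunter] %s %s (%s findings)' "$1" "$2" "$3"
}

# Run the scan from cron: --cronjob drops colours and --skip-keypress the
# interactive pauses, as on the page. The full report stays on disk; mail goes
# out only when the report contains at least one finding.
run_scan() {
    today=$(date +%Y-%m-%d)
    log="$LOGDIR/rkhunter-$today.log"
    umask 077
    "$RKHUNTER" -c --skip-keypress --cronjob > "$log" 2>&1
    n=$(count_findings < "$log")
    if [ "$n" -gt 0 ]; then
        mail -s "$(mail_subject "$(hostname)" "$today" "$n")" "$ADMIN" < "$log"
    fi
}

# Only start a scan when invoked as "rkhunter-mail.sh run" (e.g. from cron).
if [ "${1:-}" = run ]; then
    run_scan
fi
```

Change the crontab line to call the script with the `run` argument; the daily --update job stays as it is.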

Rootkit Hunter FAQ

The Rootkit Hunter FAQ is here: http://www.rootkit.nl/articles/rootkit_hunter_faq.html

Rootkit Hunter FAQ (Japanese translation)

I have translated the Rootkit Hunter FAQ into Japanese.


*1 A collection of tools whose purpose is to subvert a system, for example by tampering with system files or hiding processes.
*2 A port or tool that an intruder leaves behind in order to get back into the system later.
*3 A malicious tool whose main purpose is to break into a system and obtain root (privileged user) rights.
*4 Loadable Kernel Module (a kernel module)
*5 Kernel Loadable object (a dynamically loaded kernel module)

Last-modified: Mon, 25 Jul 2005 19:30:22 JST (5607d)