README (rkdet - rootkit detector for Linux)

(Preface to the Japanese edition: the Japanese text is not recoverable in this copy.)

rkdet rootkit detector

Andrew Daviel <andrew@vancouver-webpages.com>
February 2000
Revised March 2001

Tiny Abstract -

(Japanese text not recoverable in this copy.)

Abstract -

(Japanese text not recoverable in this copy; the readable fragments mention rkdet, Rootkit*1 and Linux.)

License -

(Japanese text not recoverable in this copy; the readable fragments mention rkdet, David A. Curry and footnote *2.)

Background -

(Japanese text not recoverable in this copy; the readable fragments mention Eggdrop IRC bots, CPU, root, setuid, mount, cron, "Rootkit", ps, netstat and IP addresses.)

(Japanese text not recoverable in this copy; the readable fragments mention telnet, ftp, IMAP, POP3, Windows and promiscuous*3 mode.)

Description -

(Japanese text not recoverable in this copy; the readable fragments mention rootkit and the watched-file list *4.)

(Japanese text not recoverable in this copy; the readable fragments mention option bit 0, the eth0 interface, promiscuous*5 mode, bit 1, route, "xstrings.txt", "init 1", "shutdown -h now" and "panic.sh".)
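An added example, not rkdet's own code, of the two checks this section attributes to rkdet: comparing digests of a watched file list (rkdet keeps its list in xfiles.txt; the digest being MD5, the paths and the file contents here are assumptions) and testing an interface flags word for promiscuous mode (the IFF_PROMISC bit value is a Linux constant; rkdet's alarm command is deliberately not run).

```python
import hashlib
import os
import tempfile

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit, as reported in /sys/class/net/<if>/flags

def md5_of(path, chunk=65536):
    """Hex MD5 of a file, or None when it cannot be read."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()

def build_baseline(paths):
    """Digest of every watched file (rkdet's list comes from xfiles.txt), taken at install time."""
    return {p: md5_of(p) for p in paths}

def check_files(paths, baseline):
    """Return (path, reason) for each file that went missing or changed since the baseline."""
    findings = []
    for p in paths:
        now = md5_of(p)
        if now is None and baseline.get(p) is not None:
            findings.append((p, "missing"))
        elif now != baseline.get(p):
            findings.append((p, "modified"))
    return findings

def is_promisc(flags_hex):
    """True when the interface flags value has IFF_PROMISC set (a sniffer indicator)."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

def demo():
    """Run the check on constructed files and return the findings
    (rkdet would then run its alarm command, e.g. 'init 1'; nothing is run here)."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("ps", "netstat")]
    for p in paths:
        with open(p, "w") as f:
            f.write("original binary contents\n")
    base = build_baseline(paths)
    with open(paths[0], "a") as f:   # simulate a trojaned ps
        f.write("backdoor\n")
    os.remove(paths[1])              # simulate a deleted netstat
    return check_files(paths, base)
```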

Enhanced Security -

(Japanese text not recoverable in this copy; the readable fragments mention LIDS, "ps ax|grep rkdet", "locate rkdet", "find /proc -name exe -exec grep -l md5sum {} \;", the makefile variable "ME", the RPM .spec "name", xstrings.txt, XPAT, rkdet.c and mkfil.pl.)

(Japanese text not recoverable in this copy; the readable fragments mention softdog.o, a cookie, LIDS and /proc/.)

Other Security Systems -

LIDS - (Japanese description not recoverable in this copy.) http://www.soaring-bird.com.cn/oss_proj/lids/

Bastille*6 Linux - (Japanese description not recoverable in this copy.) http://www.bastille-linux.org/

PortSentry - (Japanese description not recoverable in this copy; the readable fragments mention TCP, UDP, imap, ftp, Back Orifice and Netbus.) http://www.psionic.com

Caveat -

(Japanese text not recoverable in this copy; the readable fragments mention rkdet.)

(Japanese text not recoverable in this copy; the readable fragments mention apt and rkdet.)


*1 (translator's note, not recoverable in this copy)
*2 (translator's note, not recoverable in this copy)
*3 (translator's note, not recoverable in this copy)
*4 (translator's note, not recoverable in this copy; refers to xfiles.txt)
*5 (translator's note on promiscuous mode, not recoverable in this copy)
*6 (translator's note, not recoverable in this copy)

Last-modified: Tue, 19 Jul 2005 17:38:28 JST