
chkrootkit

Posted by: administrator

As the first of the security tools covered, this article explains how to install and run chkrootkit.
The program can be downloaded from http://www.chkrootkit.org.
chkrootkit does nothing more than check whether a rootkit has been installed on the local system.
The latest version at the time of writing is 0.33.

[root@ns sec]# tar xvzf chkrootkit.tar.gz
chkrootkit-0.33/
chkrootkit-0.33/COPYRIGHT
chkrootkit-0.33/Makefile
chkrootkit-0.33/README.chklastlog
chkrootkit-0.33/README.chkwtmp
chkrootkit-0.33/chklastlog.c
chkrootkit-0.33/chkproc.c
chkrootkit-0.33/chkrootkit
chkrootkit-0.33/chkrootkit.lsm
chkrootkit-0.33/chkwtmp.c
chkrootkit-0.33/ifpromisc.c
[root@ns sec]# cd chkrootkit-0.33/

In chklastlog.c, add a Linux case to the section that defines the lastlog file location, as shown below.
[root@ns chkrootkit-0.33]# vi chklastlog.c

#ifdef __FreeBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __OpenBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __linux__                       /* block added for Linux */
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifndef LASTLOG_FILENAME               /* fallback for other systems */
#define LASTLOG_FILENAME "/var/adm/lastlog"
#endif

[root@ns chkrootkit-0.33]# make
*** stoping make sense ***
make[1]: Entering directory `/root/sec/chkrootkit-0.33'
gcc -DHAVE_LASTLOG_H   -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H   -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H    -o ifpromisc ifpromisc.c
*** ATTENTION chkproc is for Linux systems ONLY ***
*** FAILURES HERE ARE OK IF YOUR SYSTEM IS NOT LINUX ***
gcc  -o chkproc chkproc.c
make[1]: Leaving directory `/root/sec/chkrootkit-0.33'

[root@ns chkrootkit-0.33]# ls -l
total 93
-r--r--r--    1 root     root         1344 May 31 09:00 COPYRIGHT
-r--r--r--    1 root     root         1236 Jun  3 03:16 Makefile
-r--r--r--    1 root     root         1323 May 31 09:00 README.chklastlog
-r--r--r--    1 root     root         1292 May 31 09:00 README.chkwtmp
-rwxr-xr-x    1 root     root         6580 Aug  1 13:25 chklastlog*
-r--r--r--    1 root     root         6533 Aug  1 13:25 chklastlog.c
-rwxr-xr-x    1 root     root         5428 Aug  1 13:17 chkproc*
-r--r--r--    1 root     root         2069 May 31 09:00 chkproc.c
-rwxr--r--    1 netsaint users       44787 Jun  3 13:46 chkrootkit*
-r--r--r--    1 root     root          514 Jun  3 02:34 chkrootkit.lsm
-rwxr-xr-x    1 root     root         4284 Aug  1 13:17 chkwtmp*
-r--r--r--    1 root     root         1945 May 31 09:00 chkwtmp.c
-rwxr-xr-x    1 root     root         4544 Aug  1 13:17 ifpromisc*
-r--r--r--    1 root     root         3356 May 31 09:00 ifpromisc.c

[root@ns chkrootkit-0.33]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... NOT TESTED
Checking `basename'... Not vulnerable
Checking `biff'... NOT TESTED
Checking `chfn'... Not vulnerable
Checking `chsh'... Not vulnerable
Checking `cron'... Not vulnerable
Checking `date'... Not vulnerable
Checking `du'... Not vulnerable
Checking `dirname'... Not vulnerable
Checking `echo'... Not vulnerable
Checking `egrep'... Not vulnerable
Checking `env'... Not vulnerable
Checking `find'... Not vulnerable
Checking `fingerd'... Not vulnerable
Checking `gpm'... Not vulnerable
Checking `grep'... Not vulnerable
Checking `su'... Not vulnerable
Checking `ifconfig'... Not vulnerable
Checking `inetd'... Not vulnerable
Checking `identd'... NOT TESTED
Checking `killall'... Not vulnerable
Checking `login'... Not vulnerable
Checking `ls'... Not vulnerable
Checking `mail'... Not vulnerable
Checking `mingetty'... Not vulnerable
Checking `netstat'... Not vulnerable
Checking `named'... Not vulnerable
Checking `passwd'... Not vulnerable
Checking `pidof'... Not vulnerable
Checking `pop2'... NOT TESTED
Checking `pop3'... NOT TESTED
Checking `ps'... Not vulnerable
Checking `pstree'... Not vulnerable
Checking `rpcinfo'... Not vulnerable
Checking `rlogind'... NOT TESTED
Checking `rshd'... NOT TESTED
Checking `slogin'... Not vulnerable
Checking `sendmail'... Not vulnerable
Checking `sshd'... Not vulnerable
Checking `syslogd'... Not vulnerable
Checking `tar'... Not vulnerable
Checking `tcpd'... Not vulnerable
Checking `top'... Not vulnerable
Checking `telnetd'... Not vulnerable
Checking `timed'... NOT TESTED
Checking `traceroute'... Not vulnerable
Checking `write'... Not vulnerable
Checking `asp'... Not vulnerable
Checking `bindshell'... Not vulnerable
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `rexedcs'... Not vulnerable
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Checking `aliens'... No suspect files
Searching for sniffer's logs, it may take a while... Nothing found
Searching for t0rn's default files and dirs... Nothing found
Searching for t0rn's v8 defaults... Nothing found
Searching for Lion Worm default files and dirs... Nothing found
Searching for RSHA's default files and dir... Nothing found
Searching for RH-Sharpe's default files... Nothing found
Searching for Ambient's rootkit (ark) default files and dirs... Nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.00503/i386-linux/.packlist /usr/lib/perl5/5.00503/i386-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.00503/i386-linux/auto/CPAN/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/SNMP/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadLine/.packlist /lib/modules/2.2.14/.rhkmvtag

Searching for LPD Worm files and dirs... Nothing found
Searching for Ramen Worm files and dirs... Nothing found
Searching for Maniac files and dirs... Nothing found
Searching for RK17 files and dirs... Nothing found
Searching for Adore Worm... Nothing found
Searching for ShitC Worm... Nothing found
Searching for Omega Worm... Nothing found
Searching for anomalies in shell history files... Warning: `//root/.cpan/build/perl-5.6.1/pod/perlaix.pod
//root/.cpan/build/perl-5.6.1/pod/perlamiga.pod
//root/.cpan/build/perl-5.6.1/pod/perlbs2000.pod
//root/.cpan/build/perl-5.6.1/pod/perlcygwin.pod
//root/.cpan/build/perl-5.6.1/pod/perldos.pod
//root/.cpan/build/perl-5.6.1/pod/perlepoc.pod
//root/.cpan/build/perl-5.6.1/pod/perlhpux.pod
//root/.cpan/build/perl-5.6.1/pod/perlmachten.pod
//root/.cpan/build/perl-5.6.1/pod/perlmacos.pod
//root/.cpan/build/perl-5.6.1/pod/perlmpeix.pod
//root/.cpan/build/perl-5.6.1/pod/perlos2.pod
//root/.cpan/build/perl-5.6.1/pod/perlos390.pod
//root/.cpan/build/perl-5.6.1/pod/perlsolaris.pod
//root/.cpan/build/perl-5.6.1/pod/perlvmesa.pod
//root/.cpan/build/perl-5.6.1/pod/perlvos.pod
//root/.cpan/build/perl-5.6.1/pod/perlwin32.pod
//root/.cpan/build/perl-5.6.1/pod/perlvms.pod
//root/.cpan/build/perl-5.6.1/t/perl
//root/.netscape/lock' is linked to another file
Checking `lkm'... Not Tested: can't exec ./chkproc
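The run above is worth reading twice: the `Not Tested: can't exec ./chklastlog`, `./chkwtmp`, `./ifpromisc` and `./chkproc` lines mean the z2, wted, sniffer and lkm checks never ran, even though the helpers were compiled, and the shell-history `Warning:` is the only line chkrootkit actually flagged. A skipped check is not a pass. The script below is an added example (not part of chkrootkit and not the article's own code) that triages a saved chkrootkit run into findings, skipped checks and helpers that could not be executed; the function names are my own, the log is assumed to have been saved with `./chkrootkit > run.log 2>&1`, and the embedded samples are constructed to mirror the message formats shown above.

```shell
#!/bin/sh
# Added example (not chkrootkit's or the article's code): triage a saved
# chkrootkit run so that skipped checks are not mistaken for passes.
# Usage:  ./chkrootkit > run.log 2>&1 ; CHKROOTKIT_LOG=run.log sh triage.sh
# chkrootkit_verdict exit status: 0 clean, 1 findings, 2 clean but incomplete.

# Lines a person must look at: INFECTED binaries, "Possible ... rootkit"
# notices and Warning: lines (such as the history-file link warning above).
# "Not vulnerable" lines are never findings.
chkrootkit_findings() {
    grep -E 'INFECTED|Warning:|Possible|is linked to another file' | grep -v 'Not vulnerable'
}

# Every check that did not run, in either capitalisation chkrootkit uses:
# "NOT TESTED" (binary absent on this host) and "Not Tested: can't exec".
chkrootkit_skipped() {
    grep -Ei 'not tested'
}

# Helper binaries chkrootkit could not execute. An empty result means the
# helper-backed checks (z2, wted, sniffer, lkm) actually ran.
chkrootkit_missing_helpers() {
    sed -n "s/.*can't exec \(\.\/[a-z]*\).*/\1/p" | LC_ALL=C sort -u
}

# One-word verdict for the run on stdin, with a cron-friendly exit status.
chkrootkit_verdict() {
    run=$(cat)
    if [ -n "$(printf '%s\n' "$run" | chkrootkit_findings)" ]; then
        echo FINDINGS; return 1
    fi
    if [ -n "$(printf '%s\n' "$run" | chkrootkit_missing_helpers)" ]; then
        echo INCOMPLETE; return 2
    fi
    echo CLEAN; return 0
}

# Constructed sample modelled on the run above: four helpers not executable
# and one warning, so the verdict is FINDINGS (the warning wins over INCOMPLETE).
SAMPLE_RUN=$(cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... Not vulnerable
Checking `ps'... Not vulnerable
Checking `identd'... NOT TESTED
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Searching for t0rn's default files and dirs... Nothing found
Searching for anomalies in shell history files... Warning: `//root/.netscape/lock' is linked to another file
Checking `lkm'... Not Tested: can't exec ./chkproc
EOF
)

# Constructed sample: nothing flagged, but the lkm helper never ran.
SAMPLE_INCOMPLETE=$(cat <<'EOF'
Checking `ls'... Not vulnerable
Checking `lkm'... Not Tested: can't exec ./chkproc
EOF
)

# Constructed sample: a clean run (identd simply does not exist on the host).
SAMPLE_CLEAN=$(cat <<'EOF'
Checking `ls'... Not vulnerable
Checking `identd'... NOT TESTED
Searching for t0rn's default files and dirs... Nothing found
EOF
)

# Constructed sample: a trojaned ls, the case chkrootkit exists to catch.
SAMPLE_INFECTED=$(cat <<'EOF'
Checking `ls'... INFECTED
Checking `ps'... Not vulnerable
EOF
)

if [ -n "${CHKROOTKIT_LOG:-}" ]; then
    chkrootkit_verdict < "$CHKROOTKIT_LOG"
else
    printf 'sample run verdict: %s\n' "$(printf '%s\n' "$SAMPLE_RUN" | chkrootkit_verdict)"
    printf 'helpers that did not run: %s\n' "$(printf '%s\n' "$SAMPLE_RUN" | chkrootkit_missing_helpers | tr '\n' ' ')"
fi
```

Note that `NOT TESTED` for a binary that is not installed (identd, pop3, rlogind) is listed by `chkrootkit_skipped` but does not downgrade the verdict, whereas a helper that exists but could not be executed does, because that is a broken installation rather than an absent service.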

This article comes from dbakorea.pe.kr (Leave this line as is)
