The first of the security tools covered here is chkrootkit; this section explains how to install and run it. The program can be downloaded from http://www.chkrootkit.org. chkrootkit does one simple thing: it checks whether a rootkit has been installed on the local system. The current latest version is 0.33.
[root@ns sec]# tar xvzf chkrootkit.tar.gz
chkrootkit-0.33/
chkrootkit-0.33/COPYRIGHT
chkrootkit-0.33/Makefile
chkrootkit-0.33/README.chklastlog
chkrootkit-0.33/README.chkwtmp
chkrootkit-0.33/chklastlog.c
chkrootkit-0.33/chkproc.c
chkrootkit-0.33/chkrootkit
chkrootkit-0.33/chkrootkit.lsm
chkrootkit-0.33/chkwtmp.c
chkrootkit-0.33/ifpromisc.c
[root@ns sec]# cd chkrootkit-0.33/
In chklastlog.c, add a Linux entry to the section that defines the log file location, as shown below.
[root@ns chkrootkit-0.33]# vi chklastlog.c
#ifdef __FreeBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __OpenBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __linux__                       /* added: Linux keeps lastlog under /var/log */
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifndef LASTLOG_FILENAME
#define LASTLOG_FILENAME "/var/adm/lastlog"
#endif
[root@ns chkrootkit-0.33]# make
*** stoping make sense ***
make[1]: Entering directory `/root/sec/chkrootkit-0.33'
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
*** ATTENTION chkproc is for Linux systems ONLY ***
*** FAILURES HERE ARE OK IF YOUR SYSTEM IS NOT LINUX ***
gcc -o chkproc chkproc.c
make[1]: Leaving directory `/root/sec/chkrootkit-0.33'
[root@ns chkrootkit-0.33]# ls -l
total 93
-r--r--r--   1 root     root         1344 May 31 09:00 COPYRIGHT
-r--r--r--   1 root     root         1236 Jun  3 03:16 Makefile
-r--r--r--   1 root     root         1323 May 31 09:00 README.chklastlog
-r--r--r--   1 root     root         1292 May 31 09:00 README.chkwtmp
-rwxr-xr-x   1 root     root         6580 Aug  1 13:25 chklastlog*
-r--r--r--   1 root     root         6533 Aug  1 13:25 chklastlog.c
-rwxr-xr-x   1 root     root         5428 Aug  1 13:17 chkproc*
-r--r--r--   1 root     root         2069 May 31 09:00 chkproc.c
-rwxr--r--   1 netsaint users       44787 Jun  3 13:46 chkrootkit*
-r--r--r--   1 root     root          514 Jun  3 02:34 chkrootkit.lsm
-rwxr-xr-x   1 root     root         4284 Aug  1 13:17 chkwtmp*
-r--r--r--   1 root     root         1945 May 31 09:00 chkwtmp.c
-rwxr-xr-x   1 root     root         4544 Aug  1 13:17 ifpromisc*
-r--r--r--   1 root     root         3356 May 31 09:00 ifpromisc.c
[root@ns chkrootkit-0.33]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... NOT TESTED
Checking `basename'... Not vulnerable
Checking `biff'... NOT TESTED
Checking `chfn'... Not vulnerable
Checking `chsh'... Not vulnerable
Checking `cron'... Not vulnerable
Checking `date'... Not vulnerable
Checking `du'... Not vulnerable
Checking `dirname'... Not vulnerable
Checking `echo'... Not vulnerable
Checking `egrep'... Not vulnerable
Checking `env'... Not vulnerable
Checking `find'... Not vulnerable
Checking `fingerd'... Not vulnerable
Checking `gpm'... Not vulnerable
Checking `grep'... Not vulnerable
Checking `su'... Not vulnerable
Checking `ifconfig'... Not vulnerable
Checking `inetd'... Not vulnerable
Checking `identd'... NOT TESTED
Checking `killall'... Not vulnerable
Checking `login'... Not vulnerable
Checking `ls'... Not vulnerable
Checking `mail'... Not vulnerable
Checking `mingetty'... Not vulnerable
Checking `netstat'... Not vulnerable
Checking `named'... Not vulnerable
Checking `passwd'... Not vulnerable
Checking `pidof'... Not vulnerable
Checking `pop2'... NOT TESTED
Checking `pop3'... NOT TESTED
Checking `ps'... Not vulnerable
Checking `pstree'... Not vulnerable
Checking `rpcinfo'... Not vulnerable
Checking `rlogind'... NOT TESTED
Checking `rshd'... NOT TESTED
Checking `slogin'... Not vulnerable
Checking `sendmail'... Not vulnerable
Checking `sshd'... Not vulnerable
Checking `syslogd'... Not vulnerable
Checking `tar'... Not vulnerable
Checking `tcpd'... Not vulnerable
Checking `top'... Not vulnerable
Checking `telnetd'... Not vulnerable
Checking `timed'... NOT TESTED
Checking `traceroute'... Not vulnerable
Checking `write'... Not vulnerable
Checking `asp'... Not vulnerable
Checking `bindshell'... Not vulnerable
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `rexedcs'... Not vulnerable
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Checking `aliens'... No suspect files
Searching for sniffer's logs, it may take a while... Nothing found
Searching for t0rn's default files and dirs... Nothing found
Searching for t0rn's v8 defaults... Nothing found
Searching for Lion Worm default files and dirs... Nothing found
Searching for RSHA's default files and dir... Nothing found
Searching for RH-Sharpe's default files... Nothing found
Searching for Ambient's rootkit (ark) default files and dirs... Nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/5.00503/i386-linux/auto/File/Spec/.packlist
/usr/lib/perl5/5.00503/i386-linux/auto/CPAN/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/SNMP/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Compress/Zlib/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Archive/Tar/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadKey/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadLine/.packlist
/lib/modules/2.2.14/.rhkmvtag
Searching for LPD Worm files and dirs... Nothing found
Searching for Ramen Worm files and dirs... Nothing found
Searching for Maniac files and dirs... Nothing found
Searching for RK17 files and dirs... Nothing found
Searching for Adore Worm... Nothing found
Searching for ShitC Worm... Nothing found
Searching for Omega Worm... Nothing found
Searching for anomalies in shell history files...
Warning: `//root/.cpan/build/perl-5.6.1/pod/perlaix.pod
//root/.cpan/build/perl-5.6.1/pod/perlamiga.pod
//root/.cpan/build/perl-5.6.1/pod/perlbs2000.pod
//root/.cpan/build/perl-5.6.1/pod/perlcygwin.pod
//root/.cpan/build/perl-5.6.1/pod/perldos.pod
//root/.cpan/build/perl-5.6.1/pod/perlepoc.pod
//root/.cpan/build/perl-5.6.1/pod/perlhpux.pod
//root/.cpan/build/perl-5.6.1/pod/perlmachten.pod
//root/.cpan/build/perl-5.6.1/pod/perlmacos.pod
//root/.cpan/build/perl-5.6.1/pod/perlmpeix.pod
//root/.cpan/build/perl-5.6.1/pod/perlos2.pod
//root/.cpan/build/perl-5.6.1/pod/perlos390.pod
//root/.cpan/build/perl-5.6.1/pod/perlsolaris.pod
//root/.cpan/build/perl-5.6.1/pod/perlvmesa.pod
//root/.cpan/build/perl-5.6.1/pod/perlvos.pod
//root/.cpan/build/perl-5.6.1/pod/perlwin32.pod
//root/.cpan/build/perl-5.6.1/pod/perlvms.pod
//root/.cpan/build/perl-5.6.1/t/perl
//root/.netscape/lock' is linked to another file
Checking `lkm'... Not Tested: can't exec ./chkproc
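In the run above, the z2, wted, sniffer and lkm checks end with "Not Tested: can't exec", so the helper programs built by make were never executed and the scan is incomplete despite every binary reporting "Not vulnerable". The shell script below is an added example, not part of the original article or of chkrootkit itself: it triages a saved chkrootkit report by counting INFECTED binaries, Warning lines and skipped helper checks and returning a verdict; the three report texts are constructed samples modelled on the output shown above, not real scan results.

```shell
#!/bin/sh
# Added example (not from the article or chkrootkit): triage a chkrootkit report.
# All report texts are CONSTRUCTED samples modelled on the run in the article.

# One infected binary, one warning, two helper checks that could not run.
SAMPLE_REPORT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... INFECTED
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `lkm'... Not Tested: can't exec ./chkproc
Warning: `//root/.netscape/lock' is linked to another file
EOF
)

# Nothing flagged, but a helper binary never ran: the result is not trustworthy.
INCOMPLETE_REPORT=$(cat <<'EOF'
Checking `ls'... Not vulnerable
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
EOF
)

# Every check executed and nothing flagged.
CLEAN_REPORT=$(cat <<'EOF'
Checking `ls'... Not vulnerable
Searching for sniffer's logs, it may take a while... Nothing found
EOF
)

# Count report lines containing a fixed string; prints 0 (no error) on no match.
count_lines() {
  printf '%s\n' "$2" | grep -c -F -- "$1" || true
}

count_infected()         { count_lines 'INFECTED' "$1"; }      # trojaned binaries
count_untested_helpers() { count_lines "can't exec" "$1"; }    # z2/wted/sniffer/lkm skipped
count_warnings()         { count_lines 'Warning:' "$1"; }      # e.g. linked history files

# Verdict: findings if anything was flagged, incomplete if a helper did not run, else clean.
classify() {
  if [ "$(count_infected "$1")" -gt 0 ] || [ "$(count_warnings "$1")" -gt 0 ]; then
    echo findings
  elif [ "$(count_untested_helpers "$1")" -gt 0 ]; then
    echo incomplete
  else
    echo clean
  fi
}

# Real use: ./chkrootkit > report.txt && classify "$(cat report.txt)"
classify "$SAMPLE_REPORT"
```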
This article comes from dbakorea.pe.kr (Leave this line as is)