
Tech Note

Rootkit check tool
2016.02.19
As the first of the security tools covered in these notes, this note explains how to install and run chkrootkit.
The program can be downloaded from http://www.chkrootkit.org.
chkrootkit only checks whether a rootkit has been installed on the local system; it reports what it finds and nothing more (it does not remove or repair anything).
The current version at the time of writing is 0.33.

[root@ns sec]# tar xvzf chkrootkit.tar.gz
chkrootkit-0.33/
chkrootkit-0.33/COPYRIGHT
chkrootkit-0.33/Makefile
chkrootkit-0.33/README.chklastlog
chkrootkit-0.33/README.chkwtmp
chkrootkit-0.33/chklastlog.c
chkrootkit-0.33/chkproc.c
chkrootkit-0.33/chkrootkit
chkrootkit-0.33/chkrootkit.lsm
chkrootkit-0.33/chkwtmp.c
chkrootkit-0.33/ifpromisc.c
[root@ns sec]# cd chkrootkit-0.33/

Edit chklastlog.c and add a Linux entry to the log-file location section, as shown below.
[root@ns chkrootkit-0.33]# vi chklastlog.c

#ifdef __FreeBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __OpenBSD__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifdef __linux__
#define LASTLOG_FILENAME "/var/log/lastlog"
#endif
#ifndef LASTLOG_FILENAME
#define LASTLOG_FILENAME "/var/adm/lastlog"
#endif

[root@ns chkrootkit-0.33]# make
*** stoping make sense ***
make[1]: Entering directory `/root/sec/chkrootkit-0.33'
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
*** ATTENTION chkproc is for Linux systems ONLY ***
*** FAILURES HERE ARE OK IF YOUR SYSTEM IS NOT LINUX ***
gcc -o chkproc chkproc.c
make[1]: Leaving directory `/root/sec/chkrootkit-0.33'

[root@ns chkrootkit-0.33]# ls -l
total 93
-r--r--r-- 1 root root 1344 May 31 09:00 COPYRIGHT
-r--r--r-- 1 root root 1236 Jun 3 03:16 Makefile
-r--r--r-- 1 root root 1323 May 31 09:00 README.chklastlog
-r--r--r-- 1 root root 1292 May 31 09:00 README.chkwtmp
-rwxr-xr-x 1 root root 6580 Aug 1 13:25 chklastlog*
-r--r--r-- 1 root root 6533 Aug 1 13:25 chklastlog.c
-rwxr-xr-x 1 root root 5428 Aug 1 13:17 chkproc*
-r--r--r-- 1 root root 2069 May 31 09:00 chkproc.c
-rwxr--r-- 1 netsaint users 44787 Jun 3 13:46 chkrootkit*
-r--r--r-- 1 root root 514 Jun 3 02:34 chkrootkit.lsm
-rwxr-xr-x 1 root root 4284 Aug 1 13:17 chkwtmp*
-r--r--r-- 1 root root 1945 May 31 09:00 chkwtmp.c
-rwxr-xr-x 1 root root 4544 Aug 1 13:17 ifpromisc*
-r--r--r-- 1 root root 3356 May 31 09:00 ifpromisc.c

[root@ns chkrootkit-0.33]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... NOT TESTED
Checking `basename'... Not vulnerable
Checking `biff'... NOT TESTED
Checking `chfn'... Not vulnerable
Checking `chsh'... Not vulnerable
Checking `cron'... Not vulnerable
Checking `date'... Not vulnerable
Checking `du'... Not vulnerable
Checking `dirname'... Not vulnerable
Checking `echo'... Not vulnerable
Checking `egrep'... Not vulnerable
Checking `env'... Not vulnerable
Checking `find'... Not vulnerable
Checking `fingerd'... Not vulnerable
Checking `gpm'... Not vulnerable
Checking `grep'... Not vulnerable
Checking `su'... Not vulnerable
Checking `ifconfig'... Not vulnerable
Checking `inetd'... Not vulnerable
Checking `identd'... NOT TESTED
Checking `killall'... Not vulnerable
Checking `login'... Not vulnerable
Checking `ls'... Not vulnerable
Checking `mail'... Not vulnerable
Checking `mingetty'... Not vulnerable
Checking `netstat'... Not vulnerable
Checking `named'... Not vulnerable
Checking `passwd'... Not vulnerable
Checking `pidof'... Not vulnerable
Checking `pop2'... NOT TESTED
Checking `pop3'... NOT TESTED
Checking `ps'... Not vulnerable
Checking `pstree'... Not vulnerable
Checking `rpcinfo'... Not vulnerable
Checking `rlogind'... NOT TESTED
Checking `rshd'... NOT TESTED
Checking `slogin'... Not vulnerable
Checking `sendmail'... Not vulnerable
Checking `sshd'... Not vulnerable
Checking `syslogd'... Not vulnerable
Checking `tar'... Not vulnerable
Checking `tcpd'... Not vulnerable
Checking `top'... Not vulnerable
Checking `telnetd'... Not vulnerable
Checking `timed'... NOT TESTED
Checking `traceroute'... Not vulnerable
Checking `write'... Not vulnerable
Checking `asp'... Not vulnerable
Checking `bindshell'... Not vulnerable
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `rexedcs'... Not vulnerable
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Checking `aliens'... No suspect files
Searching for sniffer's logs, it may take a while... Nothing found
Searching for t0rn's default files and dirs... Nothing found
Searching for t0rn's v8 defaults... Nothing found
Searching for Lion Worm default files and dirs... Nothing found
Searching for RSHA's default files and dir... Nothing found
Searching for RH-Sharpe's default files... Nothing found
Searching for Ambient's rootkit (ark) default files and dirs... Nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.00503/i386-linux/.packlist /usr/lib/perl5/5.00503/i386-linux/auto/File/Spec/.packlist /usr/lib/perl5/5.00503/i386-linux/auto/CPAN/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/SNMP/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Compress/Zlib/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Archive/Tar/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Term/ReadLine/.packlist /lib/modules/2.2.14/.rhkmvtag

Searching for LPD Worm files and dirs... Nothing found
Searching for Ramen Worm files and dirs... Nothing found
Searching for Maniac files and dirs... Nothing found
Searching for RK17 files and dirs... Nothing found
Searching for Adore Worm... Nothing found
Searching for ShitC Worm... Nothing found
Searching for Omega Worm... Nothing found
Searching for anomalies in shell history files... Warning: `//root/.cpan/build/perl-5.6.1/pod/perlaix.pod
//root/.cpan/build/perl-5.6.1/pod/perlamiga.pod
//root/.cpan/build/perl-5.6.1/pod/perlbs2000.pod
//root/.cpan/build/perl-5.6.1/pod/perlcygwin.pod
//root/.cpan/build/perl-5.6.1/pod/perldos.pod
//root/.cpan/build/perl-5.6.1/pod/perlepoc.pod
//root/.cpan/build/perl-5.6.1/pod/perlhpux.pod
//root/.cpan/build/perl-5.6.1/pod/perlmachten.pod
//root/.cpan/build/perl-5.6.1/pod/perlmacos.pod
//root/.cpan/build/perl-5.6.1/pod/perlmpeix.pod
//root/.cpan/build/perl-5.6.1/pod/perlos2.pod
//root/.cpan/build/perl-5.6.1/pod/perlos390.pod
//root/.cpan/build/perl-5.6.1/pod/perlsolaris.pod
//root/.cpan/build/perl-5.6.1/pod/perlvmesa.pod
//root/.cpan/build/perl-5.6.1/pod/perlvos.pod
//root/.cpan/build/perl-5.6.1/pod/perlwin32.pod
//root/.cpan/build/perl-5.6.1/pod/perlvms.pod
//root/.cpan/build/perl-5.6.1/t/perl
//root/.netscape/lock' is linked to another file
Checking `lkm'... Not Tested: can't exec ./chkproc
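Before this run is filed as clean, two things in the output deserve attention. First, four checks report "Not Tested: can't exec" for ./chklastlog, ./chkwtmp, ./ifpromisc and ./chkproc, the very helpers that make built a moment earlier (and that ls lists as executable, so the cause is not visible in this transcript). That means the wtmp and lastlog tampering checks (wted, z2), the promiscuous-interface check (sniffer) and the loadable-kernel-module check (lkm) did not run at all, and chkrootkit does not treat a skipped helper as a failure. Whatever prevents the helpers from executing has to be fixed and the run repeated before the result means anything. Second, the hits under "suspicious files and dirs" (hidden .packlist files in the perl tree and /lib/modules/2.2.14/.rhkmvtag) and the shell-history warning that //root/.netscape/lock is a link are findings for an administrator to triage by hand, not verdicts.

The script below is an added example, not part of the original note and not code from the chkrootkit project. It checks that the four helpers are executable before a run, and it summarizes a saved chkrootkit log into counts of INFECTED hits, "Warning:" lines and checks skipped with "can't exec", returning a non-zero status whenever any of those is non-zero so it can gate a cron job. The sample log lines embedded in it are constructed, modeled on the output above plus one INFECTED line (the token chkrootkit prints when a binary fails its signature check); the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original note or of chkrootkit itself).
# Assumptions: chkrootkit-0.33-style output lines, and the four helper
# programs that `make` builds living in the source directory given to
# check_helpers.

# check_helpers DIR
# chkrootkit spawns ./chklastlog, ./chkwtmp, ./ifpromisc and ./chkproc and
# merely prints "Not Tested: can't exec" when it cannot. Return 1 unless
# every helper is present and executable, so a run is refused instead of
# silently skipping the lkm, wted, z2 and sniffer checks.
check_helpers() {
    dir=$1
    missing=0
    for h in chklastlog chkwtmp ifpromisc chkproc; do
        if [ ! -x "$dir/$h" ]; then
            echo "helper missing or not executable: $dir/$h" >&2
            missing=1
        fi
    done
    return $missing
}

# triage_output LOGFILE
# Summarize a saved chkrootkit run. Prints "infected=N warning=N notrun=N"
# and returns 0 only when nothing was flagged and no check was skipped.
triage_output() {
    log=$1
    # grep -c exits 1 when the count is 0; "|| true" keeps the "0" it printed.
    infected=$(grep -c 'INFECTED' "$log" || true)
    warning=$(grep -c 'Warning:' "$log" || true)
    notrun=$(grep -c "can't exec" "$log" || true)
    echo "infected=$infected warning=$warning notrun=$notrun"
    if [ "$infected" -eq 0 ] && [ "$warning" -eq 0 ] && [ "$notrun" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample: a run like the one in the note (helpers not executable,
# one shell-history warning) plus one INFECTED hit, so all three counts show.
sample_flagged() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... Not vulnerable
Checking `ps'... INFECTED
Checking `z2'... Not Tested: can't exec ./chklastlog
Checking `wted'... Not Tested: can't exec ./chkwtmp
Checking `sniffer'... Not Tested: can't exec ./ifpromisc
Searching for anomalies in shell history files... Warning: `//root/.netscape/lock' is linked to another file
Checking `lkm'... Not Tested: can't exec ./chkproc
EOF
}

# Constructed sample of a run with nothing flagged and every helper executed.
sample_clean() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `ls'... Not vulnerable
Checking `z2'... Not vulnerable
Checking `wted'... Not vulnerable
Checking `sniffer'... Not vulnerable
Checking `lkm'... Not vulnerable
EOF
}

# Usage: sh triage.sh /root/sec/chkrootkit-0.33 run.log
#   (run chkrootkit first:  ./chkrootkit | tee run.log)
if [ "$#" -eq 2 ]; then
    check_helpers "$1" && triage_output "$2"
fi
```

Run check_helpers against the chkrootkit source directory before each scan; if it fails, fix the helpers first rather than reading the rest of the report. Feed triage_output the saved log, and treat a non-zero exit as "needs a human", not as "infected": a warning or a skipped check is a reason to look, and only an INFECTED line is a positive signature match.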

This article comes from dbakorea.pe.kr (Leave this line as is)


eHost Data Center (http://www.ehostidc.co.kr)