Kozupon.com

Finding backdoors with rkhunter!


This tool is effective at discovering tools that plant backdoors, such as rootkits, and Trojan-horse style tools; using it together with chkrootkit, a similar tool, may also be a good idea. Because it is simple to run, it is very effective to schedule it from cron, run it periodically and have it write a log, which the administrator can then review afterwards. Crackers, as a rule, leave no trace of having broken in, so finding them with a detection tool of this kind matters. A further convenience of this tool is that it also finds deficiencies in the system configuration. The capabilities of rkhunter are listed below.

■ Compare MD5 hashes
■ Detect default files used by rootkits
■ Detect binary files with incorrect permissions
■ Detect suspicious strings in LKM and KLD modules
■ Search for hidden files
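As an added illustration of the first item, the MD5 comparison, here is a small POSIX shell script that is not part of this page or of rkhunter: it records a baseline of hashes for a set of binaries and later reports any binary whose hash has changed or which has disappeared. The file names and contents are constructed in a temporary directory so the script runs offline; real use would hash paths such as /bin/ls and /bin/ps with a baseline written while the system is known good. The helper names (make_baseline, check_baseline, count_findings, demo) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Kozupon.com page or of rkhunter): a minimal
# version of the "compare MD5 hashes" check. A baseline is recorded while the
# system is known good; later runs recompute each hash and report binaries
# that changed or disappeared. Assumes md5sum(1) is available.

# Write a baseline file: one "hash  path" line per file, as md5sum prints it.
#   $1 = baseline file to write, remaining arguments = files to hash
make_baseline() {
    baseline="$1"
    shift
    md5sum "$@" > "$baseline"
}

# Compare the current files against a baseline. Prints one "CHANGED path" or
# "MISSING path" line per problem and nothing for files that still match.
check_baseline() {
    baseline="$1"
    while read -r expected path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
        else
            actual=$(md5sum "$path" | cut -d' ' -f1)
            if [ "$actual" != "$expected" ]; then
                echo "CHANGED $path"
            fi
        fi
    done < "$baseline"
    return 0
}

# Number of findings for a baseline (0 = clean). The "|| true" keeps a clean
# result from looking like a failure, since grep -c exits 1 when it counts 0.
count_findings() {
    check_baseline "$1" | grep -c . || true
}

# Self-contained demonstration on constructed files (not real binaries):
# three "binaries" are baselined, then one is altered and one removed,
# so the check must report exactly 2 findings. Echoes that count.
demo() {
    d=$(mktemp -d)
    printf 'original ls\n' > "$d/ls"
    printf 'original ps\n' > "$d/ps"
    printf 'original netstat\n' > "$d/netstat"
    make_baseline "$d/baseline.md5" "$d/ls" "$d/ps" "$d/netstat"
    printf 'replaced ps\n' > "$d/ps"      # contents differ, so the hash differs
    rm -f "$d/netstat"                     # file gone entirely
    check_baseline "$d/baseline.md5" >&2   # human-readable report on stderr
    count_findings "$d/baseline.md5"       # numeric result on stdout
    rm -rf "$d"
}

demo
```

A check like this is only as trustworthy as the tools and the baseline it relies on: a replaced md5sum or ls can lie to it, which is one reason to keep the baseline file read-only or off the host, and to record which hashing tool was actually used, as rkhunter's log below does when it reports using the Perl Digest::MD5 module instead of /usr/bin/md5sum.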

Setup environment)
OS: Debian GNU/Linux 3.1 Sarge (Sarge actually ships an rkhunter deb package, installable with apt-get)
Machine: Pentium II


1. Get the source
Get the rkhunter source from the rkhunter download site, as shown below.

jerry:~# cd /usr/local/src/
jerry:/usr/local/src# wget http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.8.tar.gz

--14:54:52-- http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.2.8.tar.gz
=> `rkhunter-1.2.8.tar.gz'
Resolving freshmeat.net... 66.35.250.168
Connecting to freshmeat.net[66.35.250.168]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz [following]
--14:54:56-- http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
=> `rkhunter-1.2.8.tar.gz'
Resolving downloads.rootkit.nl... 62.177.200.5
Connecting to downloads.rootkit.nl[62.177.200.5]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 126,314 [application/x-tar]

100%[========================================================>] 126,314 33.11K/s ETA 00:00

14:55:01 (33.07 KB/s) - `rkhunter-1.2.8.tar.gz' saved [126314/126314]


2. Extract the source & install
jerry:/usr/local/src# tar zxvf rkhunter-1.2.8.tar.gz
./rkhunter/files/
./rkhunter/files/CHANGELOG
./rkhunter/files/LICENSE
./rkhunter/files/README
./rkhunter/files/WISHLIST
./rkhunter/files/backdoorports.dat
./rkhunter/files/check_modules.pl
./rkhunter/files/check_port.pl
./rkhunter/files/defaulthashes.dat
./rkhunter/files/filehashmd5.pl
./rkhunter/files/filehashsha1.pl
./rkhunter/files/mirrors.dat
./rkhunter/files/os.dat
./rkhunter/files/rkhunter
./rkhunter/files/rkhunter.conf
./rkhunter/files/rkhunter.spec
./rkhunter/files/showfiles.pl
./rkhunter/files/md5blacklist.dat
./rkhunter/files/tools/
./rkhunter/files/tools/update_server.sh
./rkhunter/files/tools/update_client.sh
./rkhunter/files/tools/README
./rkhunter/files/check_update.sh
./rkhunter/files/programs_bad.dat
./rkhunter/files/contrib/
./rkhunter/files/contrib/run_rkhunter.sh
./rkhunter/files/contrib/README.txt
./rkhunter/files/testing/
./rkhunter/files/testing/stringscanner.sh
./rkhunter/files/testing/rootkitinfo.txt
./rkhunter/files/testing/rkhunter.conf
./rkhunter/files/development/
./rkhunter/files/development/createfilehashes.pl
./rkhunter/files/development/createhashes.sh
./rkhunter/files/development/rpmhashes.sh
./rkhunter/files/development/rpmprelinkhashes.sh
./rkhunter/files/development/osinformation.sh
./rkhunter/files/development/rkhunter.8
./rkhunter/files/development/createhashesall.sh
./rkhunter/files/development/search_dead_sysmlinks.sh
./rkhunter/files/programs_good.dat
./rkhunter/installer.sh
jerry:/usr/local/src# chown -R root.root rkhunter
jerry:/usr/local/src# cd rkhunter
jerry:/usr/local/src/rkhunter# ./installer.sh

Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)
---------------
Starting installation/update

Checking /usr/local... OK
Checking file retrieval tools... /usr/bin/wget
Checking installation directories...
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Created
- Checking /usr/local/bin...Exists
Checking system settings...
- Perl... OK
Installing files...
Installing Perl module checker... OK
Installing Database updater... OK
Installing Portscanner... OK
Installing MD5 Digest generator... OK
Installing SHA1 Digest generator... OK
Installing Directory viewer... OK
Installing Database Backdoor ports... OK
Installing Database Update mirrors... OK
Installing Database Operating Systems... OK
Installing Database Program versions... OK
Installing Database Program versions... OK
Installing Database Default file hashes... OK
Installing Database MD5 blacklisted files... OK
Installing Changelog... OK
Installing Readme and FAQ... OK
Installing Wishlist and TODO... OK
Installing RK Hunter configuration file... OK
Installing RK Hunter binary... OK
Configuration updated with installation path (/usr/local/rkhunter)

Installation ready.
See /usr/local/rkhunter/lib/rkhunter/docs for more information. Run 'rkhunter' (/usr/local/bin/rkhunter)


3. Just run it
1) Check whether updates are available
jerry:/usr/local/src/rkhunter# /usr/local/bin/rkhunter --update
Running updater...

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://www.rootkit.nl/rkhunter
[DB] Mirror file : Update available
Action: Database updated (current version: 2005050700, new version 2006041300)
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2006021400, new version 2006022800)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005102800, new version 2006051200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)
[DB] Known bad program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)


Ready.

2) Run it

jerry:/usr/local/src/rkhunter# /usr/local/bin/rkhunter -c --createlogfile


Rootkit Hunter 1.2.8 is running

Determining OS... Ready


Checking binaries
* Selftests
Strings (command) [ OK ]


* System tools
Performing 'known bad' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/csh [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ksyms [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/du [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/test [ OK ]
(omitted)

[Press <ENTER> to continue]

Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit 'Fuck`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]

* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]

[Press <ENTER> to continue]


* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit [ Not found ]
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Skipped ]

* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]

* OS dependant tests

Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes
Checking LKM module path [ OK ]

Networking
* Check: frequently used backdoors
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]

* Interfaces
Scanning for promiscuous interfaces [ OK ]

[Press <ENTER> to continue]

System checks
* Allround tests
Checking hostname... Found. Hostname is jerry
Checking for passwordless user accounts... OK
Checking for differences in user accounts... [ NA ]
Checking for differences in user groups... Creating file It seems this is your first time.
Checking boot.local/rc.local file...
- /etc/rc.local [ Not found ]
- /etc/rc.d/rc.local [ Not found ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files... [ Not found ]
Checking history files
Bourne Shell [ OK ]

* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files... [ OK ]

[Press <ENTER> to continue]

Application advisories
* Application scan
Checking Apache2 modules ... [ OK ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.4.1 [ OK ]
- OpenSSL 0.9.7e [ Old or patched version ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.8.1p1 [ OK ]

Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]

* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... [ OK (Remote root login disabled) ]
Checking for allowed protocols... [ Warning ]
info: Users can use SSH1-protocol (see logfile for more information).

* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]
[Press <ENTER> to continue]

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 1

Scanning took 442 seconds
Scan results written to logfile (/var/log/rkhunter.log)

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)

-----------------------------------------------------------------------


[15:03:11] Running Rootkit Hunter 1.2.8 on jerry
[15:03:11]
Rootkit Hunter 1.2.8, Copyright 2003-2006, Michael Boelen

Rootkit Hunter comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.

This run ended normally. One application got a "Warning", which appears to be a deficiency in the SSH configuration. As shown, a normal item is reported as "OK", while a suspicious file is reported with "Warning". The checks proceed interactively, and at the end the overall results are printed and the program exits. It also writes the log to /var/log/rkhunter.log.


4. Log contents
jerry:/usr/local/src/rkhunter# more /var/log/rkhunter.log

[15:03:11] Info: Shell /bin/bash
[15:03:11] ------------------------ Configuration check --------------------------
[15:03:11] Parsing configuration file (/usr/local/etc/rkhunter.conf)
[15:03:11] Info: No mail-on-warning address configured
[15:03:11] Info: Using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:03:11] Info: Using /usr/local/rkhunter/lib/rkhunter/db as database directory
[15:03:11] Info: Using '/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin /sw/bin /usr/local/libexec /usr/libexec' as binary directory
[15:03:11] -------------------------- Application scan ---------------------------
[15:03:11] Found /usr/sbin/lsof
[15:03:11] Found /usr/bin/find
[15:03:12] Found /usr/bin/lsattr
[15:03:12] Found /usr/bin/lsof
[15:03:12] Found /usr/bin/md5sum
[15:03:12] Found /usr/bin/stat
[15:03:12] Found /usr/bin/strings
[15:03:12] Found /usr/bin/wget
[15:03:12] Found /usr/bin/perl (version 5.8.4)
[15:03:12] Found /bin/ls
[15:03:12] Found /bin/lsmod
[15:03:12] Info: WGET found
[15:03:12] Info: NMAP not found
[15:03:12] Info: LSOF found
[15:03:12] Info: ip not found
[15:03:12] Application scan ended
[15:03:13] ---------------------------- System checks ----------------------------
[15:03:14] Info: kernel is 2.6
[15:03:14] Info: Found /etc/debian_version
[15:03:15] Info: Full OS name = Debian 3.1 (i386)
[15:03:15] Info: OS ID = 156
[15:03:15] Info: Using /usr/bin/md5sum to verify MD5 hashes
[15:03:15] Info: /usr/bin/md5sum found
[15:03:15] Info: using /usr/local/rkhunter/lib/rkhunter/tmp as temporary directory
[15:03:15] Info: UID is zero (root)
[15:03:15] Info: Perl version 5.8.4 found
[15:03:16] Info: Digest::MD5 installed (version 2.33).
[15:03:16] Info: Using Perl Digest::MD5 module instead of /usr/bin/md5sum
[15:03:16] Info: ksyms file check will be skipped (/proc/ksyms not available on this system)
[15:03:16] ---------------------------- File checks -----------------------------
[15:03:16] Checking /usr/local/rkhunter/lib/rkhunter/db/md5blacklist.dat... OK
[15:03:16] Checking /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat... OK
[15:03:16] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_bad.dat... OK
[15:03:16] Checking /usr/local/rkhunter/lib/rkhunter/db/programs_good.dat... OK
[15:03:17] ------------------------------ Selftests ------------------------------
[15:03:17] Strings selftest: scanning for string /usr/sbin/ntpsx... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../ls... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../netstat... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../lsof... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shdcfg... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shhk... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-pw... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../bkit-ssh/bkit-shrs... OK
[15:03:18] Strings selftest: scanning for string /usr/lib/.../uconf.inv... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../psr... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../find... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../pstree... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../slocate... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../du... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../top... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/...... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.../bkit-ssh... OK
[15:03:19] Strings selftest: scanning for string /usr/lib/.bkit-... OK
[15:03:19] Strings selftest: scanning for string /tmp/.bkp... OK
[15:03:20] Strings selftest: scanning for string /tmp/.cinik... OK
[15:03:20] Strings selftest: scanning for string /tmp/.font-unix/.cinik... OK
[15:03:20] Strings selftest: scanning for string /lib/.sso... OK
[15:03:20] Strings selftest: scanning for string /lib/.so... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/clean... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/xl... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/xdr... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/psg... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/secure... OK
[15:03:20] Strings selftest: scanning for string /var/run/...dica/rdx... OK

(omitted)

[15:07:29] --------------------------- File attributes ---------------------------
[15:07:30] Checking /usr/sbin file attributes
[15:07:37] Checking /usr/bin file attributes
[15:08:08] Checking /usr/local/bin file attributes
[15:08:09] Checking /usr/local/sbin file attributes
[15:08:09] Checking /bin file attributes
[15:08:13] Checking /sbin file attributes
[15:08:18] Checking /sw/bin file attributes
[15:08:18] Checking /usr/local/libexec file attributes
[15:08:18] Checking /usr/libexec file attributes
[15:08:18] ----------------------------- LKM modules -----------------------------
[15:08:24] ------------------------------- Backdoors -----------------------------
[15:08:30] Checking network interfaces (promiscuous mode)... [ OK ]
[15:09:17] Checking passwordless user accounts...
[15:09:23] ---------------------------- History files ----------------------------
[15:09:26] Start scanning for hidden files in /dev...
[15:09:26] Value of hiddendirs:
[15:09:26] End of scanning /dev
[15:09:26] Start scanning for hidden files in /bin...
[15:09:26] Value of hiddendirs:
[15:09:26] End of scanning /bin
[15:09:26] Start scanning for hidden files in /usr...
[15:09:26] Value of hiddendirs:
[15:09:26] End of scanning /usr
[15:09:26] Start scanning for hidden files in /usr/man...
[15:09:26] End of scanning /usr/man
[15:09:26] Start scanning for hidden files in /usr/man/man1...
[15:09:26] End of scanning /usr/man/man1
[15:09:26] Start scanning for hidden files in /usr/man/man8...
[15:09:26] End of scanning /usr/man/man8
[15:09:26] Start scanning for hidden files in /usr/bin...
[15:09:26] Value of hiddendirs:
[15:09:26] End of scanning /usr/bin
[15:09:26] Start scanning for hidden files in /usr/sbin...
[15:09:26] Value of hiddendirs:
[15:09:26] End of scanning /usr/sbin
[15:09:26] Start scanning for hidden files in /sbin...
[15:09:27] Value of hiddendirs:
[15:09:27] End of scanning /sbin
[15:09:27] Start scanning for hidden files in /etc...
[15:09:27] Value of hiddendirs: /etc/.pwd.lock
[15:09:27] End of scanning /etc
[15:09:27] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
[15:09:48] ------------------------ Application advisories -----------------------
[15:09:49] Checking Apache2 modules in /etc/apache2/mods-enabled /etc/apache2/mods-enabled/cgid.conf
... [15:09:49] OK
[15:09:49] Checking Apache2 modules in /etc/apache2/mods-enabled /etc/apache2/mods-enabled/cgid.load
... [15:09:49] OK
[15:09:49] Checking Apache2 modules in /etc/apache2/mods-enabled /etc/apache2/mods-enabled/userdir.conf... [15:09:49] OK
[15:09:49] Checking Apache2 modules in /etc/apache2/mods-enabled /etc/apache2/mods-enabled/userdir.load... [15:09:49] OK
[15:09:50] ---------------------- Application version check ----------------------
[15:09:51] ----------------------------------------------------------
[15:09:51] Scanning Exim%%MTA...
[15:09:51] Application not found
[15:09:51] ----------------------------------------------------------
[15:09:51] Scanning GnuPG...
[15:09:51] /usr/bin/gpg found
[15:09:52] Version 1.4.1 is available in non-vulnerable group and seems to be OK!
[15:09:52] ----------------------------------------------------------
[15:09:52] Scanning Apache...
[15:09:52] Application not found
[15:09:52] ----------------------------------------------------------
[15:09:52] Scanning Bind%%DNS...
[15:09:53] Application not found
[15:09:53] ----------------------------------------------------------
[15:09:53] Scanning OpenSSL...
[15:09:53] /usr/bin/openssl found
[15:09:53] Version 0.9.7e seems to be vulnerable (if unpatched)!
[15:09:56] ----------------------------------------------------------
[15:09:56] Scanning PHP...
[15:09:56] Application not found
[15:09:56] ----------------------------------------------------------
[15:09:56] Scanning Procmail%%MTA...
[15:09:56] /usr/bin/procmail found
[15:09:57] Version 3.22 is available in non-vulnerable group and seems to be OK!
[15:09:57] ----------------------------------------------------------
[15:09:57] Scanning ProFTPd...
[15:09:57] Application not found
[15:09:57] ----------------------------------------------------------
[15:09:57] Scanning OpenSSH...
[15:09:57] /usr/sbin/sshd found
[15:09:58] Version 3.8.1p1 is available in non-vulnerable group and seems to be OK!
[15:09:59] ------------------------- Security advisories -------------------------
[15:10:01] Unknown PermitRootLogin state
[15:10:02] Hint: Change the 'Protocol xxx' line into 'Protocol 2'
[15:10:36] Scanned for: 55808 Trojan - Variant A, AjaKit, aPa Kit, Apache Worm, Ambient (ark) Rootkit, Balaur Rootkit, BeastKit, beX2, BOBKit, CiNIK Worm (Slapper.B variant), Danny-Boy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz, Flea Linux Rootkit, FreeBSD Rootkit, Fuck`it Rootkit, GasKit, Heroin LKM, HjC Kit, ignoKit, ImperalsS-FBRK, Irix Rootkit, Kitko, Knark, Li0n Worm, Lockit / LJK2, MRK, Ni0 Rootkit, RootKit for SunOS / NSDAP, Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm
Toolkit, RH-Sharpe's rootkit, RSHA's rootkit, Scalper Worm, Shutdown, SHV4, SHV5, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit Rootkit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rnRootkit, Trojanit Kit, Tuxtendo, URK, VcKit, Volc Rootkit, X-Org SunOS Rootkit, zaRwT.KiT Rootkit
[15:10:36] 1 vulnerable applications found


5. Use cron for periodic checks
It is originally run interactively and operated by hand, but it is convenient to have cron run the check automatically with the following parameter, which skips the keypresses.
jerry:/usr/local/src/rkhunter# /usr/local/bin/rkhunter -c --createlogfile --skip-keypress

jerry:/usr/local/src/rkhunter# vi crontab
(omitted)
# rkhunter Setting
00 5 * * 7 root /usr/local/bin/rkhunter --update > /dev/null 2>&1 ; /usr/local/bin/rkhunter -c --createlogfile --skip-keypress > /dev/null 2>&1
(omitted)

This is set to run once a week. In my case I also hook it into logcheck.
jerry:/usr/local/src/rkhunter# vi /etc/logcheck/logcheck.logfiles
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
# /var/log/syslog
/var/log/auth.log
/var/log/security.log
/var/log/rkhunter.log
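As an added example, not from this page, from rkhunter or from logcheck: a POSIX shell wrapper for the cron job above that runs the same two commands, then prints only the lines from /var/log/rkhunter.log that need attention (instead of sending everything to /dev/null), and keeps a dated copy of the log, since rkhunter overwrites it on every run. The trigger words (Warning, vulnerable, Hint:, Unknown) are an assumption drawn from the log excerpt in section 4, and the sample log lines are constructed from that excerpt so the triage part runs offline without rkhunter installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Kozupon.com page, rkhunter or logcheck): a cron
# wrapper that runs the same two commands as the crontab line above, but then
# prints only the log lines that need attention and keeps a dated copy of the
# log, which rkhunter otherwise overwrites on every run.
# Assumptions: rkhunter 1.2.x installed at the path below and the log written
# to /var/log/rkhunter.log (both as on this page); the trigger words are taken
# from the log excerpt in section 4 and may need extending for other versions.

RKHUNTER=/usr/local/bin/rkhunter
LOGFILE=/var/log/rkhunter.log

# Read an rkhunter log on stdin and print only the lines worth a human's time.
# Lines rkhunter itself labels "seems to be OK" are dropped even if they
# contain a trigger word (e.g. "non-vulnerable group and seems to be OK!").
triage_log() {
    grep -E 'Warning|vulnerable|Hint:|Unknown' | grep -v 'seems to be OK' || true
}

# Number of such lines (0 = nothing to report). "|| true" keeps grep's exit
# status 1 on a zero count from aborting a "set -e" caller.
finding_count() {
    triage_log | grep -c . || true
}

# Cron entry point: update the databases, run the scan non-interactively,
# archive the log, then print a short report. Cron mails any output, so a
# clean run is silent and a run with findings produces one mail.
nightly_scan() {
    "$RKHUNTER" --update > /dev/null 2>&1
    "$RKHUNTER" -c --createlogfile --skip-keypress > /dev/null 2>&1
    cp "$LOGFILE" "$LOGFILE.$(date +%Y%m%d)"
    n=$(finding_count < "$LOGFILE")
    if [ "$n" -gt 0 ]; then
        echo "rkhunter on $(uname -n): $n line(s) need attention"
        triage_log < "$LOGFILE"
    fi
}

# Constructed sample log, modelled on the excerpt in section 4, so that the
# triage logic can be exercised without rkhunter installed.
sample_log() {
    cat <<'EOF'
[15:09:27] Hidden file/dir /etc/.pwd.lock [empty] seems to be OK
[15:09:52] Version 1.4.1 is available in non-vulnerable group and seems to be OK!
[15:09:53] Version 0.9.7e seems to be vulnerable (if unpatched)!
[15:10:01] Unknown PermitRootLogin state
[15:10:02] Hint: Change the 'Protocol xxx' line into 'Protocol 2'
[15:10:36] 1 vulnerable applications found
EOF
}

# Runs the triage over the sample and echoes the finding count (4 expected).
demo_count() {
    sample_log | finding_count
}

# Run the sample through the triage when executed directly.
sample_log | triage_log
demo_count
```

To use it from the crontab instead of the raw command pair, call nightly_scan from the script and keep the weekly schedule; logcheck will still see /var/log/rkhunter.log as configured above, and the dated copies give you the history that the overwritten log alone does not.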


6. Other notes
1) rkhunter seems to be updated frequently, so I recommend checking the official site regularly.
2) The log is overwritten on every run, so plan your operations with that in mind.

That's all.

Copyright 2009 Kozupon.com.