rkhunter(Rootkit Hunter)
Rootkit: a tool that lets an unauthorized user gain access to a system they have no permissions on; a privilege-escalation tool.
rkhunter: a tool that detects rootkits present on the current system.
Manual inspection example:
Race-condition attacks require SetUID/SetGID binaries:
--> find / -perm -4000 -o -perm -2000
This can find backdoors/rootkits that rely on those bits, but it cannot detect things like web shells that use no special permissions.
--> A program with its own DB that validates files by signature detection, the way an AV (antivirus) does, is needed.
rkhunter validates files against a DB in the same way an AV does.
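As an added example (not from the original post), here is the manual SUID/SGID check above turned into a baseline-and-diff routine: record the known set of special-permission files once, then report only files that acquired the bits afterwards. GNU find and coreutils are assumed (as on Rocky Linux); the scratch directory and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-diff for SUID/SGID
# files, the manual check the post describes with find(1).
# Assumes GNU find and coreutils; every path below is constructed.

# list_special_bits DIR -> sorted list of regular files with SUID or SGID set under DIR
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_special_bits BASELINE_FILE DIR -> entries present now but absent from the baseline
new_special_bits() {
    list_special_bits "$2" | comm -13 "$1" -
}

# demo_new_suid -> build a scratch tree, record a baseline containing one
# legitimate SUID file, plant an SGID file afterwards, and print what the diff reports
demo_new_suid() {
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        mkdir -p bin tmp
        printf '#!/bin/sh\n' > bin/passwd_like
        chmod 4755 bin/passwd_like            # known SUID binary, part of the baseline
        printf 'plain file\n' > bin/plain     # ordinary file, never listed
        list_special_bits . > baseline.txt    # record the known-good set
        printf '#!/bin/sh\n' > tmp/.hidden
        chmod 2755 tmp/.hidden                # appears later: SGID file not in the baseline
        new_special_bits baseline.txt .       # prints only ./tmp/.hidden
    )
    rm -rf "$d"
}

demo_new_suid
```

On a real host the baseline would be taken from / right after installation and stored somewhere the scan cannot be tampered with from the host itself; the diff is then a cheap daily check that complements, rather than replaces, rkhunter's signature database.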
Install / Setting
Install
The EPEL repo must be enabled.
dnf --enablerepo=epel -y install rkhunter
Setting
Edit the config file:
vim /etc/sysconfig/rkhunter
# System configuration file for Rootkit Hunter which
# stores RPM system specifics for cron run, etc.
#
# MAILTO= <email address to send scan report>
# DIAG_SCAN= no - perform normal report scan
# yes - perform detailed report scan
# (includes application check)
MAILTO=root@localhost
DIAG_SCAN=no
Here you can enable mailing of the scan results and the detailed (DIAG) scan.
DB Update
rkhunter --update
[root@rocky-9 sysconfig]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Updated ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ Updated ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
Checking file i18n/ja [ Updated ]
Propupd Update
Saves the current state of the system's files.
Only specific files are covered, not the entire filesystem.
rkhunter --propupd
[root@rocky-9 sysconfig]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 176 files, found 135
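To show what --propupd stores and --check later compares, here is an added example (my own sketch, not rkhunter's code) of a file-properties baseline for a short watch list: content hash plus permission mode per file, with a verifier that reports a changed hash, a changed mode or a missing file. It assumes GNU coreutils (sha256sum, stat -c); the watched paths and their contents are constructed.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): a miniature of what --propupd
# records and --check later verifies, i.e. a properties baseline for a chosen
# list of files, here content hash plus permission mode.
# Assumes GNU coreutils (sha256sum, stat -c); every path below is constructed.

# snapshot_props LISTFILE OUTFILE -> one "path sha256 mode" line per listed file
snapshot_props() {
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        hash=$(sha256sum "$path" | awk '{print $1}')
        mode=$(stat -c '%a' "$path")
        printf '%s %s %s\n' "$path" "$hash" "$mode"
    done < "$1" > "$2"
}

# verify_props BASELINE -> report each file whose hash or mode differs from the
# baseline (or that vanished); exit status 1 when anything changed, 0 otherwise
verify_props() {
    status=0
    while read -r path hash mode; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; status=1; continue
        fi
        cur_hash=$(sha256sum "$path" | awk '{print $1}')
        cur_mode=$(stat -c '%a' "$path")
        [ "$cur_hash" = "$hash" ] || { printf 'HASH-CHANGED %s\n' "$path"; status=1; }
        [ "$cur_mode" = "$mode" ] || { printf 'MODE-CHANGED %s\n' "$path"; status=1; }
    done < "$1"
    return "$status"
}

# demo_tamper -> build a scratch tree, baseline it, alter both files, then print
# the verification report followed by rc=<exit status of verify_props>
demo_tamper() {
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        mkdir -p bin etc
        printf '#!/bin/sh\necho tool\n' > bin/tool;  chmod 755 bin/tool
        printf 'listen=127.0.0.1\n' > etc/app.conf;  chmod 644 etc/app.conf
        printf '%s\n' ./bin/tool ./etc/app.conf > watchlist
        snapshot_props watchlist baseline           # the equivalent of --propupd
        chmod 4755 bin/tool                         # a setuid bit appears on a tool
        printf 'listen=0.0.0.0\n' >> etc/app.conf   # config content altered
        if verify_props baseline; then rc=0; else rc=$?; fi
        printf 'rc=%s\n' "$rc"
    )
    rm -rf "$d"
}

demo_tamper
```

The point of the watch list is the same as rkhunter's: hashing every file on the system is slow and noisy, while hashing the binaries an attacker would most plausibly replace (the /usr/sbin and /usr/bin commands seen in the scan output) is cheap and stable. The baseline must be refreshed after legitimate package updates, which is exactly why the post runs --propupd after installation.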
Usage
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
--bindir <directory>... Use the specified command directories
-c, --check Check the local system
-C, --config-check Check the configuration file(s), then exit
--cs2, --color-set2 Use the second color set for output
--configfile <file> Use the specified configuration file
--cronjob Run as a cron job
(implies -c, --sk and --nocolors options)
--dbdir <directory> Use the specified database directory
--debug Debug mode
(Do not use unless asked to do so)
--disable <test>[,<test>...] Disable specific tests
(Default is to disable no tests)
--display-logfile Display the logfile at the end
--enable <test>[,<test>...] Enable specific tests
(Default is to enable all tests)
--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | <command>} Use the specified file hash function
(Default is SHA256)
-h, --help Display this help menu, then exit
--lang, --language <language> Specify the language to use
(Default is English)
--list [tests | languages | List the available test names, languages,
rootkits | perl | rootkit names, perl module status
propfiles] or file properties database, then exit
-l, --logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
--noappend-log Do not append to the logfile, overwrite it
--nocf Do not use the configuration file entries
for disabled tests (only valid with --disable)
--nocolors Use black and white output
--nolog Do not write to a logfile
--nomow, --no-mail-on-warning Do not send a message if warnings occur
--ns, --nosummary Do not show the summary of check results
--novl, --no-verbose-logging No verbose logging
--pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain
BSDng | SOLARIS | or verify file property values.
NONE} (Default is NONE)
--propupd [file | directory | Update the entire file properties database,
package]... or just for the specified entries
-q, --quiet Quiet mode (no output at all)
--rwo, --report-warnings-only Show only warning messages
--sk, --skip-keypress Don't wait for a keypress after each test
--summary Show the summary of system check results
(This is the default)
--syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
--tmpdir <directory> Use the specified temporary directory
--unlock Unlock (remove) the lock file
--update Check for updates to database files
--vl, --verbose-logging Use verbose logging (on by default)
-V, --version Display the version number, then exit
--versioncheck Check for latest version of program
-x, --autox Automatically detect if X is in use
-X, --no-autox Do not automatically detect if X is in use
Scan output (rkhunter --check)
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
Checking for prerequisites [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
(omitted)
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
(omitted)
Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]
Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ Skipped ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Checking for Apache backdoor [ Not found ]
Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]
Checking the network...
Performing checks on the network ports
Checking for backdoor ports [ None found ]
Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]
Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]
Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not set ]
Checking for other suspicious configuration settings [ None found ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks
Checking /dev for suspicious file types [ None found ]
Checking for hidden files and directories [ Warning ]
System checks summary
=====================
File properties checks...
Files checked: 135
Suspect files: 0
Rootkit checks...
Rootkits checked : 495
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 2 minutes and 21 seconds
All results have been written to the log file: /var/log/rkhunter/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)
Looking at the checked files, you can see it examines files under /usr/sbin, /usr/bin, etc., where a malicious file could be disguised as a command.
Beyond that it checks for well-known rootkits, inspects system and program configuration, and so on, and prints the results as shown above.
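A scan that ends with "One or more warnings have been found" still has to be read by someone. As an added example (not part of the original post or of rkhunter), the helpers below pull out of a transcript like the one above the checks whose result column reads "Warning" and the numeric summary fields, so a cron run can be turned into a short list for an operator. They assume the "[ Warning ]" and "Label: N" line layout shown in the post; the transcript embedded below is a constructed excerpt, not a real scan.

```shell
#!/bin/sh
# Added example (not part of the original post or of rkhunter): triage helpers
# for an rkhunter scan transcript. Assumes the "[ Warning ]" / "Label: N" line
# layout shown in the post; the sample transcript is a constructed excerpt.

# warned_checks FILE -> the name of every check that ended in "[ Warning ]"
warned_checks() {
    awk '/\[ Warning \][[:space:]]*$/ {
             sub(/[[:space:]]*\[ Warning \][[:space:]]*$/, "")
             sub(/^[[:space:]]+/, "")
             print
         }' "$1"
}

# summary_count FILE LABEL -> the number after "LABEL:" in the summary block
summary_count() {
    awk -F':' -v key="$2" '$1 ~ key { gsub(/[^0-9]/, "", $2); print $2; exit }' "$1"
}

# run_scan LOGFILE -> non-interactive scan that prints warnings only, the form
# suited to cron (needs root and an installed rkhunter; not invoked in this demo)
run_scan() {
    rkhunter --check --skip-keypress --nocolors --report-warnings-only > "$1" 2>&1
}

# sample_transcript -> constructed excerpt mirroring the layout of the post's output
sample_transcript() {
cat <<'EOF'
Performing system configuration file checks
  Checking for an SSH configuration file               [ Found ]
  Checking if SSH root access is allowed               [ Warning ]
  Checking if SSH protocol v1 is allowed               [ Not set ]
Performing filesystem checks
  Checking /dev for suspicious file types              [ None found ]
  Checking for hidden files and directories            [ Warning ]

System checks summary
=====================
File properties checks...
  Files checked: 135
  Suspect files: 0
Rootkit checks...
  Rootkits checked : 495
  Possible rootkits: 0
EOF
}

tmp=$(mktemp)
sample_transcript > "$tmp"
echo "Checks that warned:"
warned_checks "$tmp"
echo "Suspect files: $(summary_count "$tmp" 'Suspect files')"
rm -f "$tmp"
```

In the post's own run the two warnings are SSH root login being allowed and hidden files/directories being present; the first is fixed in sshd_config, the second is a reason to open /var/log/rkhunter/rkhunter.log, where rkhunter names the paths it found. The detail lives in that log, not in the terminal output, which is why the scan's last line points there.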