Opensourcetechブログ

OpensourcetechによるNGINX/Zabbix/Neo4j/Linuxなどオープンソース技術に関するブログです。

rkhunter(rootkit hunter)の使い方

こんにちは、LinuCエバンジェリストこと、鯨井貴博@opensourcetechです。

Linusと一緒に写った画像

 

 

今回はLinuC303にも登場する、ルートキット検出ツールであるrkhunterの簡単な使い方の紹介です。

https://linuc.org/linuc3/range/303.html

 

 

ルートキット

ルートキットとは、カスペルスキーのブログにある言葉をお借りすると、「対象の PCに感染する、攻撃者がそのPC へ継続的にリモートアクセスするためのツール一式をインストール可能とする、といった目的を持つマルウェア」とのことです。

https://blog.kaspersky.co.jp/what-is-a-rootkit/607/

 

 

rkhunter

rkhunterは、そんなルートキットの検知をおこなってくれるツールです。

http://rkhunter.sourceforge.net/

 

攻撃者は以下のように 攻撃の準備から情報を盗み出すまで実施しますが、

rkhunterでは③への対策となります。

①ターゲットの調査(OS/解放ポート/利用サービスなど)

②侵入

③マルウェア感染・ルートキットの設置(マルウェアをダウンロードさせるなど)

④機密情報を盗み出し(外部へ送信など)、ダークウェブなどで売却

 ※上記はあくまでも攻撃の一例ですので、「違うぞこのやろー!」と思わずに生暖かく流してもらえると助かりますw

 

 

 rkhunterのインストール

 作業はCentOS7でおこなっています。

yumでのインストールには「epel-release(EPEL Repository)」を使うので、予めインストールしておきます。

[root@localhost ~]# cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)
[root@localhost ~]# rpm -q epel-release
epel-release-7-11.noarch
[root@localhost ~]# yum install rkhunter
読み込んだプラグイン:fastestmirror
Loading mirror speeds from cached hostfile
* base: ftp.tsukuba.wide.ad.jp
* epel: ftp.yz.yamagata-u.ac.jp
* extras: ftp.tsukuba.wide.ad.jp
* updates: ftp.tsukuba.wide.ad.jp
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> パッケージ rkhunter.noarch 0:1.4.6-1.el7 を インストール
--> 依存性の処理をしています: lsof のパッケージ: rkhunter-1.4.6-1.el7.noarch
--> 依存性の処理をしています: mailx のパッケージ: rkhunter-1.4.6-1.el7.noarch
--> 依存性の処理をしています: wget のパッケージ: rkhunter-1.4.6-1.el7.noarch
--> トランザクションの確認を実行しています。
---> パッケージ lsof.x86_64 0:4.87-6.el7 を インストール
---> パッケージ mailx.x86_64 0:12.5-19.el7 を インストール
---> パッケージ wget.x86_64 0:1.14-18.el7_6.1 を インストール
--> 依存性解決を終了しました。

依存性を解決しました

================================================================================
Package アーキテクチャー
バージョン リポジトリー 容量
================================================================================
インストール中:
rkhunter noarch 1.4.6-1.el7 epel 207 k
依存性関連でのインストールをします:
lsof x86_64 4.87-6.el7 base 331 k
mailx x86_64 12.5-19.el7 base 245 k
wget x86_64 1.14-18.el7_6.1 updates 547 k

トランザクションの要約
================================================================================
インストール 1 パッケージ (+3 個の依存関係のパッケージ)

総ダウンロード容量: 1.3 M
インストール容量: 4.1 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): lsof-4.87-6.el7.x86_64.rpm | 331 kB 00:00
(2/4): mailx-12.5-19.el7.x86_64.rpm | 245 kB 00:00
(3/4): wget-1.14-18.el7_6.1.x86_64.rpm | 547 kB 00:00
(4/4): rkhunter-1.4.6-1.el7.noarch.rpm | 207 kB 00:00
--------------------------------------------------------------------------------
合計 1.3 MB/s | 1.3 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
インストール中 : lsof-4.87-6.el7.x86_64 1/4
インストール中 : wget-1.14-18.el7_6.1.x86_64 2/4
インストール中 : mailx-12.5-19.el7.x86_64 3/4
インストール中 : rkhunter-1.4.6-1.el7.noarch 4/4
検証中 : mailx-12.5-19.el7.x86_64 1/4
検証中 : rkhunter-1.4.6-1.el7.noarch 2/4
検証中 : wget-1.14-18.el7_6.1.x86_64 3/4
検証中 : lsof-4.87-6.el7.x86_64 4/4

インストール:
rkhunter.noarch 0:1.4.6-1.el7

依存性関連をインストールしました:
lsof.x86_64 0:4.87-6.el7 mailx.x86_64 0:12.5-19.el7
wget.x86_64 0:1.14-18.el7_6.1

完了しました!
[root@localhost ~]# rpm -q rkhunter
rkhunter-1.4.6-1.el7.noarch

 

 

rkhunterの設定

rkhunterの設定ファイルは、rkhunter.confです。

デフォルトのrkhunter.confを以下にアップしてあるので、興味のある方はそちらをご覧ください。

https://github.com/kujiraitakahiro/LinuC/blob/master/rkhunter.conf

 

以下のように説明の後に、設定項目があるというフォーマットです。

rkhunter.confの一部画像

なお、今回は特に設定を変更せずにrkhunterを試しています。

 

 

rkhunterのインストール

 「--propupd」で今のシステム内のファイル情報を取得・更新でき、

「--update」でチェック用のデータファイルを更新します。

[root@localhost ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File created: searched for 175 files, found 123

[root@localhost ~]# rkhunter --update
[ Rootkit Hunter version 1.4.6 ]

Checking rkhunter data files...
Checking file mirrors.dat [ Updated ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ Updated ]
Checking file i18n/cn [ No update ]
Checking file i18n/de [ Updated ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Updated ]
Checking file i18n/tr.utf8 [ Updated ]
Checking file i18n/zh [ Updated ]
Checking file i18n/zh.utf8 [ Updated ]
Checking file i18n/ja [ Updated ]
[root@localhost ~]# rkhunter --propupd
[ Rootkit Hunter version 1.4.6 ]
File updated: searched for 175 files, found 123

 

 

rkhunterによるチェック

 --checkがチェックの実施、--skはチェック項目毎にEnterを押すように催促されるのですが、それをスキップするものです。

[root@localhost ~]# rkhunter --check --sk
[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chkconfig [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/depmod [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/ifdown [ OK ]
/usr/sbin/ifup [ OK ]
/usr/sbin/init [ OK ]
/usr/sbin/insmod [ OK ]
/usr/sbin/ip [ OK ]
/usr/sbin/lsmod [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/modinfo [ OK ]
/usr/sbin/modprobe [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rmmod [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/runlevel [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/sulogin [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/bash [ OK ]
/usr/bin/cat [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/chmod [ OK ]
/usr/bin/chown [ OK ]
/usr/bin/cp [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/date [ OK ]
/usr/bin/df [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/ls [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/mount [ OK ]
/usr/bin/mv [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/ping [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/ps [ OK ]
/usr/bin/pwd [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/rpm [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/numfmt [ OK ]
/usr/bin/kmod [ OK ]
/usr/bin/systemctl [ OK ]
/usr/bin/gawk [ OK ]
/usr/bin/mailx [ OK ]
/usr/lib/systemd/systemd [ OK ]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Diamorphine LKM [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Ebury backdoor [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
Jynx2 Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mokes backdoor [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rootkit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for hidden processes [ Skipped ]
Checking for login backdoors [ None found ]
Checking for sniffer log files [ None found ]
Checking for suspicious directories [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

Checking the network...

Performing checks on the network ports
Checking for backdoor ports [ None found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Not set ]
Checking if SSH protocol v1 is allowed [ Not set ]
Checking for other suspicious configuration settings [ None found ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ None found ]


System checks summary
=====================

File properties checks...
Files checked: 123
Suspect files: 0

Rootkit checks...
Rootkits checked : 485
Possible rootkits: 0

Applications checks...
All checks skipped

The system checks took: 3 minutes and 42 seconds

All results have been written to the log file: /var/log/rkhunter/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

 

 実施結果は、出力メッセージに書かれているように「/var/log/rkhunter/rkhunter.log」に出力されます。

※全体は、ここにアップしておきます。

[root@localhost ~]# cat /var/log/rkhunter/rkhunter.log


[15:17:36] Running Rootkit Hunter version 1.4.6 on localhost
[15:17:36]
[15:17:36] Info: Start date is 2019年 6月 30日 日曜日 15:17:36 JST
[15:17:36]
[15:17:36] Checking configuration file and command-line options...
[15:17:36] Info: Detected operating system is 'Linux'
[15:17:36] Info: Uname output is 'Linux localhost.localdomain 3.10.0-957.12.1.el7.x86_64 #1 SMP Mon Apr 29 14:59:59 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux'
[15:17:36] Info: Command line is /usr/bin/rkhunter --propupd
[15:17:36] Info: Environment shell is /bin/bash; rkhunter is using bash
[15:17:36] Info: Using configuration file '/etc/rkhunter.conf'
[15:17:36] Info: Installation directory is '/usr'
[15:17:36] Info: Using language 'en'
[15:17:36] Info: Using '/var/lib/rkhunter/db' as the database directory
[15:17:36] Info: Using '/usr/share/rkhunter/scripts' as the support script directory
[15:17:36] Info: Using '/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /bin /sbin /usr/libexec /usr/local/libexec' as the command directories
[15:17:36] Info: Using '/var/lib/rkhunter' as the temporary directory
[15:17:36] Info: X will be automatically detected
[15:17:36] Info: Found the 'basename' command: /usr/bin/basename
[15:17:36] Info: Found the 'diff' command: /usr/bin/diff
[15:17:36] Info: Found the 'dirname' command: /usr/bin/dirname
[15:17:36] Info: Found the 'file' command: /usr/bin/file
[15:17:36] Info: Found the 'find' command: /usr/bin/find
[15:17:36] Info: Unable to find the 'ifconfig' command
[15:17:36] Info: Found the 'ip' command: /usr/sbin/ip
[15:17:36] Info: Found the 'ipcs' command: /usr/bin/ipcs
[15:17:36] Info: Found the 'ldd' command: /usr/bin/ldd
[15:17:36] Info: Found the 'lsattr' command: /usr/bin/lsattr
[15:17:36] Info: Found the 'lsmod' command: /usr/sbin/lsmod
[15:17:36] Info: Found the 'lsof' command: /usr/sbin/lsof
[15:17:36] Info: Found the 'mktemp' command: /usr/bin/mktemp
[15:17:36] Info: Unable to find the 'netstat' command
[15:17:36] Info: Found the 'numfmt' command: /usr/bin/numfmt
[15:17:36] Info: Found the 'perl' command: /usr/bin/perl
[15:17:36] Info: Found the 'pgrep' command: /usr/bin/pgrep
[15:17:36] Info: Found the 'ps' command: /usr/bin/ps
[15:17:36] Info: Found the 'pwd' command: /usr/bin/pwd
[15:17:36] Info: Found the 'readlink' command: /usr/bin/readlink
[15:17:36] Info: Found the 'stat' command: /usr/bin/stat
[15:17:36] Info: Found the 'strings' command: /usr/bin/strings
[15:17:37] Info: System is not using prelinking
[15:17:37] Info: Using the '/usr/bin/sha256sum' command for the file hash checks
[15:17:37] Info: The hash function field index is set to 1
[15:17:37] Info: Using package manager 'RPM' to update the file hash values
[15:17:37] Info: Found the 'rpm' command: /usr/bin/rpm
[15:17:37] Info: Using package manager 'RPM' for file property checks
[15:17:37] Info: Found the 'rpm' command: /usr/bin/rpm
[15:17:37] Info: Current file attributes will be stored
[15:17:37] Info: Logging to log file: /var/log/rkhunter/rkhunter.log
[15:17:37] Info: Current logging will be appended to the log file
[15:17:37] Info: Locking is not being used

.

.

.

長いので省略

 

 

rkhunterのマニュアル(man)

これもアップしておくので、コマンドオプションなど確認したい方はどうぞ。

https://github.com/kujiraitakahiro/LinuC/blob/master/rkhunter.man

 

 

rkhunterの後に

今回は試しに使ってみましょうという内容で実施したのでここまでとなりますが、

実際のセキュリティ対応では検知した内容を削除し、再発防止措置をするなど行います。

 

なお、rkhunterはあくまでもセキュリティ対策のツールの一つに過ぎないので、その他ツールと組み合わせてより安全な環境を保つすべを持っておくことが大事です。

 

 

 

 

アフィリエイトのアクセストレード

 

 

 

 

 

 

www.slideshare.net

github.com

www.facebook.com

twitter.com

www.instagram.com

 

 

にほんブログ村 IT技術ブログ Linuxへ
Linux

にほんブログ村 IT技術ブログ オープンソースへ
オープンソース

 

 

Opensourcetech by Takahiro Kujirai