Checking for rootkits with chkrootkit.

1. Download chkrootkit-0.43.tar.gz from http://www.chkrootkit.org.

2. Extract the archive.
[root@localhost src]# tar xvfzp chkrootkit-0.43.tar.gz
chkrootkit-0.43/
chkrootkit-0.43/ACKNOWLEDGMENTS
chkrootkit-0.43/chkproc.c
chkrootkit-0.43/README
chkrootkit-0.43/chklastlog.c
chkrootkit-0.43/README.chkwtmp
chkrootkit-0.43/COPYRIGHT
chkrootkit-0.43/Makefile
chkrootkit-0.43/check_wtmpx.c
chkrootkit-0.43/strings.c
chkrootkit-0.43/ifpromisc.c
chkrootkit-0.43/chkdirs.c
chkrootkit-0.43/chkrootkit.lsm
chkrootkit-0.43/chkwtmp.c
chkrootkit-0.43/chkrootkit
chkrootkit-0.43/README.chklastlog

3. Build chkrootkit with the make command.
[root@localhost chkrootkit-0.43]# make
*** stopping make sense ***
make[1]: Entering directory `/usr/local/src/chkrootkit-0.43'
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
make[1]: Leaving directory `/usr/local/src/chkrootkit-0.4

[root@localhost chkrootkit-0.43]# ll
total 604
-r--r--r-- 1 1000 1000 3966 Dec 27 03:02 ACKNOWLEDGMENTS
-rwxr-xr-x 1 root root 2704 Jun 3 13:21 check_wtmpx
-r--r--r-- 1 1000 wheel 7195 Dec 27 03:26 check_wtmpx.c
-rwxr-xr-x 1 root root 6052 Jun 3 13:21 chkdirs
-r--r--r-- 1 1000 wheel 6781 Dec 27 03:27 chkdirs.c
-rwxr-xr-x 1 root root 6640 Jun 3 13:21 chklastlog
-r--r--r-- 1 1000 wheel 7729 Dec 27 03:30 chklastlog.c
-rwxr-xr-x 1 root root 6488 Jun 3 13:21 chkproc
-r--r--r-- 1 1000 wheel 6676 Dec 27 03:35 chkproc.c
-rwxr-xr-x 1 1000 1000 67736 Dec 29 01:48 chkrootkit
-r--r--r-- 1 1000 1000 565 Dec 27 21:35 chkrootkit.lsm
-rwxr-xr-x 1 root root 3936 Jun 3 13:21 chkwtmp
-r--r--r-- 1 1000 1000 1945 Dec 25 02:37 chkwtmp.c
-r--r--r-- 1 1000 1000 1343 Dec 25 02:37 COPYRIGHT
-rwxr-xr-x 1 root root 6836 Jun 3 13:21 ifpromisc
-r--r--r-- 1 1000 1000 8771 Dec 27 09:09 ifpromisc.c
-r--r--r-- 1 1000 1000 1448 Dec 27 06:34 Makefile
-r--r--r-- 1 1000 1000 12387 Dec 27 21:40 README
-r--r--r-- 1 1000 1000 1323 Dec 25 02:37 README.chklastlog
-r--r--r-- 1 1000 1000 1292 Dec 25 02:37 README.chkwtmp
-r--r--r-- 1 1000 1000 2437 Dec 25 02:38 strings.c
-rwxr-xr-x 1 root root 402496 Jun 3 13:21 strings-static
You have new mail in /var/spool/mail/root

4. Check for rootkits with the chkrootkit command.

[root@localhost chkrootkit-0.43]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
.
.

5. Checking specific files only.
[root@localhost chkrootkit-0.43]# ./chkrootkit ps ls netstat
ROOTDIR is `/'
Checking `ps'... not infected
Checking `ls'... not infected
Checking `netstat'... not infected
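The scans in steps 4 and 5 produce one "Checking `name'... status" line per test. The following wrapper is an added example, not code from the post or from the chkrootkit project: it filters a report down to the lines that are not one of the three benign statuses shown above and exits non-zero when anything was flagged, so the scan can be run unattended. The binary path assumes the build location from step 3, and the sample report is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a small wrapper around the
# chkrootkit binary built above, suitable for a cron job. chkrootkit prints
# one "Checking `name'... <status>" line per test; the benign statuses are
# the three seen in the post ("not infected", "not found", "not tested").
# Anything else (chkrootkit reports a hit as "INFECTED") is kept for review.

# Filter a chkrootkit report on stdin down to the lines that need attention.
# Exit status: 0 when every check was benign, 1 when something was flagged.
chkrootkit_findings() {
    awk '
        /^Checking `/ {
            status = $0
            sub(/^.*\.\.\. /, "", status)      # keep only the text after "... "
            if (status != "not infected" && status != "not found" &&
                status != "not tested") {
                print
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Run the real scan. The default path is where the post built the tool
# (assumption; override with CHKROOTKIT=/path/to/chkrootkit). Extra
# arguments such as "ps ls netstat" are passed through, as in step 5.
run_check() {
    "${CHKROOTKIT:-/usr/local/src/chkrootkit-0.43/chkrootkit}" "$@" | chkrootkit_findings
}

# Constructed sample report for exercising the filter offline; the INFECTED
# line is invented here and does not come from the post.
sample_report() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `basename'... not infected
Checking `biff'... not found
Checking `inetd'... not tested
Checking `ps'... INFECTED
Checking `login'... not infected
EOF
}
```

From cron, `run_check > /var/log/chkrootkit.out || logger -t chkrootkit "findings, see /var/log/chkrootkit.out"` records only the flagged lines and raises an alert when the filter's exit status is non-zero.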
