
LiNuX

Rootkit scan using chkrootkit

freecatz 2019. 5. 2. 10:58

Distribution in use: Debian 3.16.39-1 64-bit

1. Finding the chkrootkit package

root@freecatz-pe-kr:~# apt-cache search chkrootkit
chkrootkit - rootkit detector
rkhunter - rootkit, backdoor, sniffer and exploit scanner

2. Installing the chkrootkit package

root@freecatz-pe-kr:~# apt-get install chkrootkit
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  execstack libelfg0
Use 'apt-get autoremove' to remove them.
The following NEW packages will be installed:
  chkrootkit
0 upgraded, 1 newly installed, 0 to remove and 146 not upgraded.
Need to get 0 B/310 kB of archives.
After this operation, 1,004 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package chkrootkit.
(Reading database ... 44412 files and directories currently installed.)
Preparing to unpack .../chkrootkit_0.50-3.2~deb8u1_amd64.deb ...
Unpacking chkrootkit (0.50-3.2~deb8u1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up chkrootkit (0.50-3.2~deb8u1) ...

3. chkrootkit help

root@freecatz-pe-kr:~# chkrootkit --help
Usage: /usr/sbin/chkrootkit [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -e                exclude known false positive files/dirs, quoted,
                          space separated, READ WARNING IN README
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs

※ If NFS shares are mounted, the scan can take a long time, so use the -n option.

4. Starting the chkrootkit scan

root@freecatz-pe-kr:~# chkrootkit
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected

... (output truncated) ...

※ If any item is reported as infected, the documentation says the system may have been modified by a rootkit.
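As an added example (not part of the original post), a small POSIX shell filter that keeps only the positive findings from chkrootkit output, because the clean verdict "not infected" also contains the word "infected" and a naive grep would flag every line. The sample output below is constructed, and its INFECTED and Warning lines are fabricated to exercise the filter; run_scan assumes chkrootkit is installed as shown in the post.

```shell
# Filter chkrootkit output on stdin down to positive findings. The clean
# verdict "not infected" contains "infected", so match the uppercase verdict
# at end of line and chkrootkit's "Warning:" lines instead of the bare word.
chkrootkit_findings() {
    grep -E '(INFECTED$|Warning:)'
}

# Exit status 0 when stdin carries no finding, 1 otherwise, so a cron job can
# gate an alert on it.
chkrootkit_is_clean() {
    ! chkrootkit_findings | grep -q .
}

# Run the real scan through the filter. Assumes chkrootkit is installed as in
# the post; -n skips NFS mounts (the post's own advice), -q limits output to
# findings. Not exercised by the self-test below.
run_scan() {
    chkrootkit -q -n 2>&1 | chkrootkit_findings
}

# Constructed sample of chkrootkit output for a self-test; the INFECTED and
# Warning lines are fabricated, not results from any real scan.
sample_output() {
    printf '%s\n' \
        "ROOTDIR is \`/'" \
        "Checking \`amd'...                                           not found" \
        "Checking \`basename'...                                      not infected" \
        "Checking \`cron'...                                          INFECTED" \
        "Checking \`lkm'...                                           chkproc: Warning: Possible LKM Trojan installed"
}

# Findings extracted from the constructed sample (two lines expected).
sample_findings() {
    sample_output | chkrootkit_findings
}
```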
