Rootkit scanning with rkhunter
Distribution in use: Debian 3.16.39-1 64-bit
1. Finding the rkhunter package
root@freecatz-pe-kr:~# apt-cache search rkhunter
rkhunter - rootkit, backdoor, sniffer and exploit scanner
unhide - Forensic tool to find hidden processes and ports
2. Installing the rkhunter package
root@freecatz-pe-kr:~# apt-get install rkhunter
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
tripwire libdigest-whirlpool-perl liburi-perl libwww-perl powermgmt-base
The following NEW packages will be installed:
rkhunter
0 upgraded, 1 newly installed, 0 to remove and 60 not upgraded.
Need to get 0 B/238 kB of archives.
After this operation, 1,052 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package rkhunter.
(Reading database ... 44371 files and directories currently installed.)
Preparing to unpack .../rkhunter_1.4.2-0.4+deb8u1_all.deb ...
Unpacking rkhunter (1.4.2-0.4+deb8u1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up rkhunter (1.4.2-0.4+deb8u1) ...
3. Checking the rkhunter version
root@freecatz-pe-kr:~# rkhunter --versioncheck
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter version...
This version : 1.4.2
Latest version: 1.4.6
Update available
※ The version currently in use is 1.4.2; the latest version is 1.4.6.
4. Upgrading the package
root@freecatz-pe-kr:~# apt-get install --only-upgrade rkhunter
Reading package lists... Done
Building dependency tree
Reading state information... Done
rkhunter is already the newest version.
The following packages were automatically installed and are no longer required:
execstack libelfg0
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 146 not upgraded.
※ It seems 1.4.6 has not yet been made available for the distribution in use.
5. Updating the rkhunter data files (DB)
root@freecatz-pe-kr:~# rkhunter --update
[ Rootkit Hunter version 1.4.2 ]
Checking rkhunter data files...
Checking file mirrors.dat [ Skipped ]
Checking file programs_bad.dat [ Updated ]
Checking file backdoorports.dat [ No update ]
Checking file suspscan.dat [ No update ]
Checking file i18n/cn [ Skipped ]
Checking file i18n/de [ Skipped ]
Checking file i18n/en [ No update ]
Checking file i18n/tr [ Skipped ]
Checking file i18n/tr.utf8 [ Skipped ]
Checking file i18n/zh [ Skipped ]
Checking file i18n/zh.utf8 [ Skipped ]
6. Starting the rootkit scan with rkhunter
root@freecatz-pe-kr:~# rkhunter --check
Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request
7. Backing up the rkhunter configuration file (optional)
root@freecatz-pe-kr:~# cp /etc/rkhunter.conf /etc/rkhunter.conf.ori
8. Editing the rkhunter configuration file
root@freecatz-pe-kr:~# vi /etc/rkhunter.conf
... (omitted) ...
WEB_CMD="" # changed WEB_CMD from /bin/false to ""
#SCRIPTWHITELIST=/usr/bin/lwp-request # commented out
... (omitted) ...
9. Starting the rootkit scan with rkhunter again
root@freecatz-pe-kr:~# rkhunter --check --skip-keypress
[ Rootkit Hunter version 1.4.2 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
... (omitted) ...
System checks summary
=====================
File properties checks...
Files checked: 140
Suspect files: 1
Rootkit checks...
Rootkits checked : 375
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 4 minutes and 1 second
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Look through /var/log/rkhunter.log and review each item that was flagged as [ Warning ].
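The log is where the flagged checks and their reasons are recorded, so reviewing the scan usually starts with pulling those out. The helper below is an added example, not part of the original post; it assumes the rkhunter 1.4.x log layout (a "[HH:MM:SS] " prefix, flagged checks ending in "[ Warning ]", detail lines beginning with "Warning: ") and runs against a constructed sample log rather than a real /var/log/rkhunter.log.

```shell
#!/bin/sh
# Added example: summarise the [ Warning ] entries of an rkhunter log.
# Assumed log layout: "[HH:MM:SS] <check name>   [ Warning ]" followed by
# one or more "[HH:MM:SS] Warning: <detail>" lines (rkhunter 1.4.x style).

# Constructed sample log for the demo (the lwp-request entry mirrors the
# SCRIPTWHITELIST problem seen above; /etc/.java is a typical hidden-dir hit).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[12:00:01] Checking for preloaded libraries                  [ None found ]
[12:00:02]   /usr/bin/lwp-request                            [ Warning ]
[12:00:02] Warning: The command '/usr/bin/lwp-request' has been replaced by a script: Perl script text executable
[12:00:03]   /bin/ls                                          [ OK ]
[12:00:04] Checking for hidden files and directories         [ Warning ]
[12:00:04] Warning: Hidden directory found: /etc/.java
[12:00:05] Checking if SSH root access is allowed            [ Not allowed ]
EOF

# Count how many checks were flagged (detail lines are not counted).
rkhunter_warning_count() {
    grep -c '\[ Warning \]' "$1"
}

# Print one block per flagged check: "== <check>" then its indented details.
# Timestamps and trailing blanks are stripped first so the awk rules stay simple.
rkhunter_warning_summary() {
    sed -e 's/^\[[0-9:]*\] *//' -e 's/ *$//' "$1" | awk '
        /\[ Warning \]$/ { sub(/ *\[ Warning \]$/, ""); check = $0; n++; print "== " check; next }
        /^Warning: /     { if (check != "") print "   " substr($0, 10); next }
        { check = "" }
        END { print (n + 0) " check(s) flagged" }'
}

# Usage against the sample; point it at /var/log/rkhunter.log on a real host.
rkhunter_warning_summary "$SAMPLE_LOG"
```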