Linux is, I think, a reliable and secure OS. However secure it is, though, that security ultimately depends on the user. Having your PC or server broken into and used as a stepping stone to attack someone else remotely, the way it happens in TV dramas, may not feel like an everyday problem, but an ordinary user has no way of knowing whether their machine is already being used by someone malicious. Just as people go for regular health check-ups, PCs and servers need regular checks too.
Rootkit
Rootkits are every bit as troublesome as other malware, because they root themselves deep inside the operating system you are running and hide their own presence from it.
The tool for looking for rootkits on Ubuntu is chkrootkit. It is easy to install and easy to run to check whether a rootkit has been installed. To install it, run the following in a terminal.
sudo apt-get install chkrootkit

Installing chkrootkit gives you a screen like this.
To check whether a rootkit is present, run the following in a terminal. Running it in a terminal under a GUI environment makes the output easier to scroll through and read.
sudo chkrootkit
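Running sudo chkrootkit by hand is the manual form of the periodic check the introduction calls for. The Ubuntu package also installs a daily cron job (/etc/cron.daily/chkrootkit) that is switched off by default, and the switches for it live in /etc/chkrootkit.conf. The fragment below is an added example, not text from the original post: it shows the keys of that file as shipped by the Debian/Ubuntu package, with the shipped defaults on the left of each comment and the setting you would pick for unattended daily checks on the right. Confirm the key names against the comments in the copy on your own system before relying on them.

```sh
# /etc/chkrootkit.conf (Debian/Ubuntu chkrootkit package) - added example
# Shipped default: RUN_DAILY="false"  -> the daily cron job does nothing.
RUN_DAILY="true"

# Options passed to chkrootkit by the cron job. -q (quiet) prints only
# findings, which is what you want in a mailed report.
RUN_DAILY_OPTS="-q"

# Shipped default: DIFF_MODE="false" -> the full output is mailed every day.
# With "true" the cron job keeps today's output in /var/log/chkrootkit/log.today
# and only reports lines that differ from /var/log/chkrootkit/log.expected,
# so known false positives (tcpd, the vdso .build-id entries) stop generating noise.
DIFF_MODE="true"
```

After enabling DIFF_MODE, review one full run, and once you are satisfied it is clean copy /var/log/chkrootkit/log.today to /var/log/chkrootkit/log.expected as root; from then on only new findings are reported. Re-create the baseline after every chkrootkit or kernel upgrade, since both change the expected output.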
chkrootkit results
Below are the results on a clean install of Ubuntu Server 16.10, after running update and upgrade.

chkrootkit results in the CUI.

chkrootkit results in the GUI
himajin@ubuntu:~$ sudo chkrootkit
[sudo] password for himajin:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not found
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for rootkit HiDrootkit's default files... nothing found
Searching for rootkit t0rn's default files... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for rootkit Lion's default files... nothing found
Searching for rootkit RSHA's default files... nothing found
Searching for rootkit RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/lib/modules/4.8.0-22-generic/vdso/.build-id
/lib/modules/4.8.0-46-generic/vdso/.build-id
/lib/modules/4.8.0-22-generic/vdso/.build-id
/lib/modules/4.8.0-46-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
ens33: PACKET SNIFFER(/sbin/dhclient[902])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID          PID TTY    CMD
! gdm          1202 tty1   /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/115/gdm/Xauthority -background none -noreset -keeptty -verbose 3
! gdm          1217 tty1   /usr/lib/at-spi2-core/at-spi-bus-launcher
! gdm          1224 tty1   /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
! gdm          1208 tty1   dbus-daemon --print-address 4 --session
! gdm          1222 tty1   /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
! gdm          1200 tty1   /usr/lib/gdm3/gdm-x-session gnome-session --autostart /usr/share/gdm/greeter/autostart
! gdm          1211 tty1   /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! gdm          1269 tty1   /usr/lib/gnome-settings-daemon/gnome-settings-daemon
! gdm          1233 tty1   /usr/bin/gnome-shell
! gdm          1252 tty1   ibus-daemon --xim --panel disable
! gdm          1257 tty1   /usr/lib/ibus/ibus-dconf
! gdm          1297 tty1   /usr/lib/ibus/ibus-engine-simple
! gdm          1260 tty1   /usr/lib/ibus/ibus-x11 --kill-daemon
! himajin      2041 pts/0  bash
! root         2054 pts/0  /bin/sh /usr/sbin/chkrootkit
! root         2710 pts/0  ./chkutmp
! root         2712 pts/0  ps axk tty,ruser,args -o tty,pid,ruser,args
! root         2711 pts/0  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root         2053 pts/0  sudo chkrootkit
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
himajin@ubuntu:~$
False positives from chkrootkit
On a completely fresh system, `tcpd' being reported as `INFECTED' is worrying.
Investigating this, I
found where the tcpd binary is located, and
checked its sha1sum.
What this tells you is whether your checksum is the same as the one other people get.
The result is that other people get the same checksum, which means this was a false positive.
Two other lines in the same run are also noise rather than findings. The `Possible Linux/Ebury - Operation Windigo installetd' line is a well-known chkrootkit false positive on hosts with OpenSSH 6.8 or newer: the Ebury test runs `ssh -G' and expects it to fail as an unknown option, but newer OpenSSH accepts -G as a valid flag, so every up-to-date system trips it. The `PACKET SNIFFER(/sbin/dhclient[902])' line on ens33 is simply the DHCP client, which legitimately opens a raw packet socket.
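Comparing your sha1sum with other people's is an indirect way of asking a more direct question: does the file still match what the package manager installed? On Debian/Ubuntu, dpkg records an MD5 for every file it unpacks in /var/lib/dpkg/info/<package>.md5sums (paths relative to /), so the comparison can be done locally against that record. The script below is an added example of that check and is not code from the original post; the tcpd path and package name it resolves at run time are whatever `command -v' and `dpkg -S' return on the host, and the demo at the bottom uses a constructed file and md5sums list so it runs anywhere. One caveat applies to this and to chkrootkit itself: hashes computed on a host whose kernel is already rootkitted can be lied to, so a result you need to trust should be produced from rescue media or from a known-good copy of the tools.

```sh
#!/bin/sh
# Added example (not from the original post): check whether a binary chkrootkit
# flagged still matches what dpkg installed. Assumes the Debian/Ubuntu layout
# /var/lib/dpkg/info/<package>.md5sums with lines "<md5>  <path without leading />".

# sha1 digest of a file: the value the post compared with other users' results.
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Compare a file with the md5 recorded for it in a dpkg-style md5sums list.
# Exit status: 0 = matches, 1 = differs (modified or replaced), 2 = path not listed.
check_against_md5sums() {
    file=$1
    list=$2
    rel=${file#/}                      # dpkg stores paths relative to /
    recorded=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    [ -n "$recorded" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$recorded" ]
}

# Resolve a command to its binary, find the owning package with dpkg -S, and
# verify it against that package's md5sums. Only meaningful on a dpkg system.
verify_installed_binary() {
    name=$1
    bin=$(command -v "$name") || { echo "$name: not found in PATH"; return 2; }
    pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1 | head -n1)
    [ -n "$pkg" ] || { echo "$bin: not owned by any package"; return 2; }
    echo "$bin: owned by $pkg, sha1 $(sha1_of "$bin")"
    if check_against_md5sums "$bin" "/var/lib/dpkg/info/$pkg.md5sums"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "$bin: matches the hash dpkg recorded at install time" ;;
        1) echo "$bin: DIFFERS from the installed package, investigate" ;;
        *) echo "$bin: no recorded hash for this path" ;;
    esac
    return $rc
}

# Self-contained demo on a constructed file and md5sums list (no dpkg needed).
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is /usr/sbin/tcpd\n' > "$tmp/tcpd"
    # Record the pristine hash the way dpkg would (path relative to /).
    printf '%s  %s\n' "$(md5sum "$tmp/tcpd" | cut -d' ' -f1)" "${tmp#/}/tcpd" > "$tmp/demo.md5sums"
    check_against_md5sums "$tmp/tcpd" "$tmp/demo.md5sums" && echo "pristine copy: ok"
    printf 'trojan\n' >> "$tmp/tcpd"   # simulate a tampered binary
    check_against_md5sums "$tmp/tcpd" "$tmp/demo.md5sums" || echo "tampered copy: mismatch detected"
    rm -rf "$tmp"
}

# verify_installed_binary tcpd   # what you would run on the Ubuntu host
# demo                           # offline demonstration
```

On a real host, `verify_installed_binary tcpd' exits 0 when the binary is unmodified, which is the same conclusion the checksum comparison above reached but without depending on a second person. A mismatch (exit 1) after a package upgrade usually just means the md5sums list and the binary come from different package versions; check `dpkg -l' before treating it as tampering.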