Rootkitが仕組まれていないかチェックする

Linuxは信頼性があり、安全なOSであると思います。しかし、いくら安全性が高いと言ってもそれはユーザー次第であることは確かです。もちろんドラマ等で良くPCやサーバーに侵入されて遠隔で相手を攻撃したりする踏み台にされたり等は身近な問題ではありませんが、実際悪い人に使われていたりすることは一般ユーザーは知る由もありません。人の定期的な検診と同じく、PCやサーバーも定期的なチェックが必要です。

Rootkit(ルートキット)

とりわけRootkitはMalwareと同じく厄介ですが、それは使用しているオペレーティングシステムの深いところに根付き、自分を隠してしまうからです。

さて、UbuntuでRootkitを探すのに使うソフトウェアはchkrootkit。簡単にインストールでき、簡単に実行してRootkitがインストールされているかを調べることができます。インストールするには以下をターミナルで実行。

sudo apt-get install chkrootkit

chkrootkitをインストールするとこのような画面になります。

Rootkitの有無を診断するにはターミナルで以下を実行する。GUI環境下のターミナルで実行すると見やすくスクロールできます。

sudo chkrootkit

chkrootkitの実行結果

以下はUbuntu Server 16.10をクリーンインストールし、update、upgradeを実行したあとに行った結果です。

CUIのchkrootkitの実行結果。

GUIでのchkrootkitの実行結果

himajin@ubuntu:~$ sudo chkrootkit
[sudo] password for himajin: 
ROOTDIR is `/'
Checking `amd'...                                           not found
Checking `basename'...                                      not infected
Checking `biff'...                                          not found
Checking `chfn'...                                          not infected
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `echo'...                                          not infected
Checking `egrep'...                                         not infected
Checking `env'...                                           not infected
Checking `find'...                                          not infected
Checking `fingerd'...                                       not found
Checking `gpm'...                                           not found
Checking `grep'...                                          not infected
Checking `hdparm'...                                        not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `ldsopreload'...                                   not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `mail'...                                          not found
Checking `mingetty'...                                      not found
Checking `netstat'...                                       not infected
Checking `named'...                                         not found
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `pop2'...                                          not found
Checking `pop3'...                                          not found
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not found
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not found
Checking `sshd'...                                          not found
Checking `syslogd'...                                       not tested
Checking `tar'...                                           not infected
Checking `tcpd'...                                          INFECTED
Checking `tcpdump'...                                       not infected
Checking `top'...                                           not infected
Checking `telnetd'...                                       not found
Checking `timed'...                                         not found
Checking `traceroute'...                                    not found
Checking `vdir'...                                          not infected
Checking `w'...                                             not infected
Checking `write'...                                         not infected
Checking `aliens'...                                        no suspect files
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         nothing found
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:  
/lib/modules/4.8.0-22-generic/vdso/.build-id /lib/modules/4.8.0-46-generic/vdso/.build-id
/lib/modules/4.8.0-22-generic/vdso/.build-id /lib/modules/4.8.0-46-generic/vdso/.build-id
Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
Searching for Ducoci rootkit...                             nothing found
Searching for Adore Worm...                                 nothing found
Searching for ShitC Worm...                                 nothing found
Searching for Omega Worm...                                 nothing found
Searching for Sadmind/IIS Worm...                           nothing found
Searching for MonKit...                                     nothing found
Searching for Showtee...                                    nothing found
Searching for OpticKit...                                   nothing found
Searching for T.R.K...                                      nothing found
Searching for Mithra...                                     nothing found
Searching for LOC rootkit...                                nothing found
Searching for Romanian rootkit...                           nothing found
Searching for Suckit rootkit...                             nothing found
Searching for Volc rootkit...                               nothing found
Searching for Gold2 rootkit...                              nothing found
Searching for TC2 Worm default files and dirs...            nothing found
Searching for Anonoying rootkit default files and dirs...   nothing found
Searching for ZK rootkit default files and dirs...          nothing found
Searching for ShKit rootkit default files and dirs...       nothing found
Searching for AjaKit rootkit default files and dirs...      nothing found
Searching for zaRwT rootkit default files and dirs...       nothing found
Searching for Madalin rootkit default files...              nothing found
Searching for Fu rootkit default files...                   nothing found
Searching for ESRK rootkit default files...                 nothing found
Searching for rootedoor...                                  nothing found
Searching for ENYELKM rootkit default files...              nothing found
Searching for common ssh-scanners default files...          nothing found
Searching for Linux/Ebury - Operation Windigo ssh...        Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ...                      nothing found
Searching for 64-bit Linux Rootkit modules...               nothing found
Searching for suspect PHP files...                          nothing found
Searching for anomalies in shell history files...           nothing found
Checking `asp'...                                           not infected
Checking `bindshell'...                                     not infected
Checking `lkm'...                                           chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...                                       lo: not promisc and no packet sniffer sockets
ens33: PACKET SNIFFER(/sbin/dhclient[902])
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            chklastlog: nothing deleted
Checking `chkutmp'...                                        The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID          PID TTY    CMD
! gdm          1202 tty1   /usr/lib/xorg/Xorg vt1 -displayfd 3 -auth /run/user/115/gdm/Xauthority -background none -noreset -keeptty -verbose 3
! gdm          1217 tty1   /usr/lib/at-spi2-core/at-spi-bus-launcher
! gdm          1224 tty1   /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
! gdm          1208 tty1   dbus-daemon --print-address 4 --session
! gdm          1222 tty1   /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
! gdm          1200 tty1   /usr/lib/gdm3/gdm-x-session gnome-session --autostart /usr/share/gdm/greeter/autostart
! gdm          1211 tty1   /usr/lib/gnome-session/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart
! gdm          1269 tty1   /usr/lib/gnome-settings-daemon/gnome-settings-daemon
! gdm          1233 tty1   /usr/bin/gnome-shell
! gdm          1252 tty1   ibus-daemon --xim --panel disable
! gdm          1257 tty1   /usr/lib/ibus/ibus-dconf
! gdm          1297 tty1   /usr/lib/ibus/ibus-engine-simple
! gdm          1260 tty1   /usr/lib/ibus/ibus-x11 --kill-daemon
! himajin      2041 pts/0  bash
! root         2054 pts/0  /bin/sh /usr/sbin/chkrootkit
! root         2710 pts/0  ./chkutmp
! root         2712 pts/0  ps axk tty,ruser,args -o tty,pid,ruser,args
! root         2711 pts/0  sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
! root         2053 pts/0  sudo chkrootkit
chkutmp: nothing deleted
Checking `OSX_RSPLUG'...                                    not infected
himajin@ubuntu:~$

chkrootkitでのfalse positiveの結果

まっさらな状態なのに「tcpd」が「INFECTED」と表示されているのが気になる。

調べた結果、

tcpdの場所を調べ、

sha1sumを確認。

これで何がわかるかというと、他の人とチェックサムが同じかどうかを調べる。

結果的に他の人も同じ結果が出るということがわかる。つまりはfalse positiveであったということがわかる。

あ、気づきましたか?記事が少しでも役に立ったと思ったらシェアでもコメントでもしてみてください^^;
このページの短いURL: https://thejuraku.com/pc/?p=4701
98 queries in 0.763 seconds.