鳥哥的 Linux 私房菜 (VBird's Linux site): Root Kit Hunter (rkhunter)

    Last updated: 2004/11/16
    The earlier chapters showed how easily we can put a number of services on a host. Some of those services have security holes, and an attacker who knows about a hole can write a malicious program that exploits it to obtain the host's superuser (root) privileges. Such programs are published on the Internet, so even people with very little skill can download them and use them against a specific host. Intrusion programs of this kind are collectively called a Root Kit. Because a rootkit usually leaves traces or characteristic files on the system it has taken over, we can analyse the system for those traces and find out whether a malicious program has been planted. Below we introduce the free software package RootKit Hunter, which compares the important files on a host with known-good data and known rootkit signatures, so that you can check whether the host has been broken into.

    Preface
    We know that to take complete control of a host an attacker needs the host's superuser (root) privileges, so every attacker tries to obtain root. How? The easiest way is to use one of the Root Kit tool programs circulating on the Internet to break in.

    Because rootkits are so easy to obtain, they are also the main reason that ordinary users' hosts are attacked by people with little technical skill. Is there a way to protect our own host, or at least to find out whether it has already been hit by a rootkit? The free software package Root Kit Hunter, rkhunter, answers exactly that question, so in this chapter we take a look at it.


    What is a Root Kit?
    There are many ways to take over a host. The most obvious is to go through a login program (login, ssh, telnet and so on) with a password-guessing program. Login programs usually limit the number of attempts, however, so password guessing is not an easy route.

    Network service software is released as programs for everybody to use, and now and then a hole is found in one of those programs. Responsible developers announce the problem when it is found and publish a fix (a patch or a new version) as quickly as they can, and the advisory and the fix are distributed over the Internet.

    Between the publication of the advisory and the moment every site has applied the fix, a malicious cracker can use the hole to attack. Crackers write programs too: a program that exploits the hole gives its user the host's privileges, or plants a backdoor program on the host. Crackers also like to share, so they put these attack programs on the Internet, where people with far less skill collect them, package them and redistribute them. Attack packages of this kind are what we call root kits.

    What does a rootkit do? Most commonly it exploits a hole in a service on the host; if the host really has that hole, the cracker obtains its privileges. Once in, the cracker does not want to be noticed by the system administrator, so the rootkit typically replaces the programs the administrator would use to look at the system, such as ps, ls, top and w, with trojaned versions. With those replaced, the administrator can no longer see which processes are really running, nor whether unexpected files exist on the system.


    How to prevent rootkit attacks
    Now that we know what a rootkit is, how do we stop a cracker from using one against our host? Since a rootkit mainly attacks through holes in the host's services, first make sure that only the services you really need are running, and keep the patches for the software on the host up to date. For the patches, the best way is to use apt, yum, or whatever online update mechanism your Linux distribution provides; for an administrator that is the least effort and the least error-prone.

    Be careful, too: a rootkit can also arrive inside software you download from the Internet. A few years ago the source tarball offered on a project's own official site (the OpenSSH case of 2002) was found to have been replaced with a trojaned copy. So before you install a package you have downloaded, verify it against the published MD5 checksum (or a better hash or signature, where the project provides one) so you know the file is intact. And of course download from the official site whenever possible.

    How do we confirm whether the host has already been attacked by a rootkit? We can compare the host's important programs, such as the ps and top mentioned above, against known-good copies. That is exactly what rootkit hunter does.


    What does Root Kit Hunter do?
    According to its official documentation, RKHunter scans for rootkit programs, backdoor programs and vulnerable applications on the host. The techniques rkhunter uses include the following:
    • Comparison of MD5 checksums:
      As explained in the MD5 section of the Basics volume, every file can be reduced by a hashing algorithm to a fixed-length MD5 checksum. If the file has been changed, even by a single character, or if its size has changed, the MD5 value is different. So as soon as a system has been installed, a database of the MD5 values of its important files can be built; later the files are hashed again and compared against that database, and a mismatch means the file has been altered and needs attention.

      rkhunter applies this idea: when it is released it already contains the MD5 checksums of the important files (login, ls, ps, top, w and so on) of the major Linux distributions, stored as a database. After we install and run rkhunter, it hashes the same files on our system, compares them with its database and prints a warning for every file that does not match, for the administrator to investigate.

    • Checking for files that rootkits commonly create:
      As mentioned above, a rootkit replaces important files in order to hide itself or keep its access. Because the files a given rootkit drops or modifies are known, rkhunter can check whether those files exist or have been tampered with. This is one of the main ways of recognising a rootkit.

    • Checking for wrong permissions on executables (binary files):
      As the source-code and tarball section of the Basics volume explained, most commands on the system are compiled executable files (binary files). If the system is compromised, the first files to be replaced are exactly those binaries, such as ls, ps and top. The original files have well-defined permissions; /bin/ls, for example, is -rwxr-xr-x (755). Many trojaned replacements end up as -rwxrwxrwx (777), so comparing the permissions of important files is another way of judging whether they are genuine.

    • Checking for hidden files:
      Someone who wants to hide a file on Linux simply prefixes its name with a dot (.), and such files are not shown by default. Trojans often use this trick to hide their own programs, so rkhunter also scans for hidden files in places where they should not be and reports the suspicious ones.

    • Checking loadable kernel modules (LKM/KLD):
      As the kernel chapter of the Basics volume explained, the Linux kernel supports loadable kernel modules (LKM). Since everything on the system is ultimately decided by the kernel, a malicious program can hide itself very effectively by loading its own module into the kernel. rkhunter therefore also examines the loaded kernel modules. (On Linux these are called LKM; on the BSD family they are called Dynamic Kernel Linker modules, KLD.)

    • Operating-system specific tests:
      Every operating system has its own structures. Under Linux, for example, the process list printed by ps can be compared with the entries in the /proc directory to see whether they agree. Because such checks differ between operating systems they cannot be run everywhere; Linux is supported.

    • Checking listening ports (backdoors):
      A network connection requires a listening port on the server side before a client can connect, and opening a listening port is the most common way for a backdoor program to work. We know that a listening port belongs to a program (see the basic networking chapter). If the system has been broken into, a program the cracker installed may be started as a service that opens a port through which the cracker connects to our host. rkhunter therefore lists the host's listening ports and compares them with the ports used by known backdoors.

    • Specific strings (string scanner):
      Certain backdoors and trojans create specially named files or directories on the system, and those names are fixed and known. rkhunter also scans for those particular file and directory names and uses their presence to judge whether the system has been compromised.
    Besides these checks, newer releases of rkhunter also check the versions of some commonly used packages. For example, Apache releases before 2.0.49 have a number of known holes, so administrators were advised to upgrade to 2.0.50 or later (as of 2004/11). The same goes for SSH/SSL. rkhunter compares the versions of such packages on the host with its list and tells you which ones may be vulnerable; note the word "may", because the check is based on version numbers alone. rkhunter is not all-powerful, so before going on let us look at where it can be wrong.
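    As an added example (not part of rkhunter and not the author's code), the following POSIX shell script shows the two checks on system binaries described above, the known-good hash comparison and the permission comparison, on a list of binaries you choose. It records the hash and mode of each file into a baseline file you name, and later reports any file that is missing, whose content hash changed, whose mode changed, or that has become world-writable. The baseline path and file list are hypothetical and are whatever you pass in; md5sum is used to match the page (sha256sum is the better choice today) and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not rkhunter's code): a minimal "known good" check for a
# chosen list of binaries, in the spirit of rkhunter's MD5 comparison and
# its "chmod properties" test. Hypothetical paths: the baseline file and
# the binaries are whatever the caller passes in.
# md5sum is used to match the page; use sha256sum on a current system.
# stat -c is the GNU coreutils form (Linux).

# build_baseline BASELINE FILE...
# Records one line per file: "<md5> <octal mode> <path>".
build_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        sum=$(md5sum "$f" | cut -d' ' -f1)
        mode=$(stat -c '%a' "$f")
        printf '%s %s %s\n' "$sum" "$mode" "$f" >> "$baseline"
    done
}

# check_baseline BASELINE
# Re-hashes every file listed in the baseline and prints one line per finding.
# Returns 0 when everything matches, 1 when anything was reported.
check_baseline() {
    baseline="$1"
    bad=0
    while read -r sum mode path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"; bad=1; continue
        fi
        now=$(md5sum "$path" | cut -d' ' -f1)
        [ "$now" = "$sum" ] || { echo "CHANGED: $path"; bad=1; }
        nowmode=$(stat -c '%a' "$path")
        [ "$nowmode" = "$mode" ] || { echo "MODE: $path ($mode -> $nowmode)"; bad=1; }
        # a world-writable binary can be replaced by any local user,
        # whatever its hash says right now (last octal digit 2, 3, 6 or 7)
        case "$nowmode" in
            *[2367]) echo "WORLD-WRITABLE: $path ($nowmode)"; bad=1 ;;
        esac
    done < "$baseline"
    return "$bad"
}

# Usage (as root, right after installation, before the host goes online):
#   build_baseline /var/lib/hashcheck/baseline /bin/ls /bin/ps /bin/login /usr/bin/top /usr/bin/w
# and later, for example from cron:
#   check_baseline /var/lib/hashcheck/baseline || mail -s "binary check failed" root
```

    The baseline is only worth as much as its storage: keep a copy on read-only media or on another host, because a rootkit that has root can rewrite a baseline sitting on the same disk just as easily as it rewrites /bin/ps.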

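    Also as an added example, and again not rkhunter's own code, here is how the listening-port check against known backdoor ports described above can be written as a shell filter over the output of ss -ltn or netstat -ltn. The port table contains only the two ports that appear in the rkhunter output later on this page (2001 Scalper, 60922 zaRwT.KiT), and the sample listing is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not rkhunter's code): flag listening TCP ports that match a
# table of ports used by known backdoors, the check rkhunter does under
# "Networking * Check: frequently used backdoors". Only the two ports that
# appear in the rkhunter output on this page are in the table.
# Input is the text of `ss -ltn` or `netstat -ltn` on stdin.

# port:name pairs (names must not contain spaces)
KNOWN_BACKDOOR_PORTS="2001:Scalper 60922:zaRwT.KiT"

# listening_ports: read ss/netstat -ltn output on stdin, print one port per line.
# In both formats the local address is the 4th field and the port follows the last ':'.
listening_ports() {
    awk '$1 == "LISTEN" || $1 == "tcp" || $1 == "tcp6" {
        n = split($4, a, ":"); print a[n]
    }'
}

# check_backdoor_ports: read ss/netstat -ltn output on stdin and print a
# WARNING line for every listening port found in KNOWN_BACKDOOR_PORTS.
check_backdoor_ports() {
    listening_ports | while read -r port; do
        for entry in $KNOWN_BACKDOOR_PORTS; do
            if [ "${entry%%:*}" = "$port" ]; then
                echo "WARNING: port $port is listening (${entry#*:})"
            fi
        done
    done
}

# Constructed sample listing (not captured from a real host): sshd on 22 plus a
# listener on 60922, the port the zaRwT.KiT backdoor uses.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      127.0.0.1:60922     0.0.0.0:*'

# Live use:   ss -ltn | check_backdoor_ports
# Sample use: printf '%s\n' "$SAMPLE_SS" | check_backdoor_ports
```

    Remember the caveat from the rootkit description above: if ss, netstat or ps have themselves been replaced by the rootkit, the listing you feed into this filter may already be lying to you, which is why a check like this is only meaningful together with the hash comparison of the binaries.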

    Where rkhunter can be wrong
    rkhunter is a very handy tool, but it does have a few weaknesses. Take the MD5 comparison: rkhunter compares its own MD5 database with the executables on your system, but if your distribution is not among those rkhunter supports, it has no correct values to compare against and will simply report the files as "problems". Likewise, if you compiled and installed syslogd, ps or another core program from a tarball yourself, the resulting binary differs from the distribution's, its MD5 checksum cannot match rkhunter's database, and it too will be reported as a problem. In such cases you can update rkhunter's database (see below), or verify the files by other means and set them aside as known exceptions.

    The application version check has a related weakness, as the previous section hinted. When a hole is found in a package, the major distributions usually do not ship the upstream's newest version; they apply the fix to the version they already have and rebuild it without changing the version number. A check based purely on version numbers cannot tell that a package has been patched in this way, so if your packages have been patched by the distribution, rkhunter's version check will produce false alarms.

    So rkhunter is limited in what it can tell you. If you want a real vulnerability scan of a particular service, use a dedicated scanner such as nessus; we will cover installing and using nessus in a later chapter.

    Installing rkhunter
    Installing rkhunter is easy. Download the package from the downloads area of the official site, choosing the mirror closest to you. Version 1.1.8 is used in the example here (a copy is also available from this site). Assuming the downloaded file is in /root, the installation steps are as follows (the commands assume a bash shell):
    [root@test root]# cd /usr/local/src
    [root@test src]# tar -zxvf /root/rkhunter-1.1.8.tar.gz
    # this creates a directory named rkhunter

    [root@test src]# cd rkhunter/
    [root@test rkhunter]# ./installer.sh
    # this creates a new directory, /usr/local/rkhunter,
    # containing the data the scanner needs, such as the MD5 database;
    # the scanner itself is installed as /usr/local/bin/rkhunter

    That is all there is to the installation. Now we can scan the system with /usr/local/bin/rkhunter.


    Scanning the system
    Scanning is just as easy: run rkhunter. First look at its options:
    [root@test root]# /usr/local/bin/rkhunter --help
    # only the most useful options are listed here; see --help for the rest
    --checkall (-c)           :full scan, run every test rkhunter has
    --createlogfile           :write a log file, by default /var/log/rkhunter.log
    --cronjob                 :for running from crontab, output without colours
    --report-warnings-only    :print only the warnings, not the normal informational lines
    --skip-application-check  :skip the application version check (if you know your packages are patched)
    --skip-keypress           :do not pause for a keypress between sections (runs unattended)
    --quiet                   :print as little as possible, even less than --report-warnings-only
    --versioncheck            :check whether a newer rkhunter release is available

    To start a full scan, run /usr/local/bin/rkhunter --checkall, for example:
    [root@test root]# /usr/local/bin/rkhunter --checkall
    Rootkit Hunter 1.1.8 is running
    Determining OS... Ready
    
    # Part 1: the binary check, i.e. the MD5 comparison
    Checking binaries
    * Selftests
         Strings (command)                                        [ OK ]
    * System tools
      Performing 'known good' check...
       /sbin/ifconfig                                             [ OK ]
    ....(omitted)....
       /sbin/runlevel                                             [ OK ]
    [Press <ENTER> to continue]      press Enter here to go on
    # The first part checks the system's important binary files;
    # these are the files a root kit replaces most often, so they must be checked.
    # Next comes the second part.
    
    Check rootkits
    * Default files and directories
       Rootkit '55808 Trojan - Variant A'...                      [ OK ]
       ADM Worm...                                                [ OK ]
    ....(omitted)....
       Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]
    
    * Suspicious files and malware
       Scanning for known rootkit strings                         [ OK ]
    ....(omitted)....
       Sniffer logs                                               [ OK ]
    
    [Press <ENTER> to continue]      press Enter here to go on
    # The second part looks for the damage left by common rootkits,
    # i.e. the files and directories that known rootkits create.
    # Next is the third part.
    
    * Trojan specific characteristics
       shv4
         Checking /etc/rc.d/rc.sysinit
           Test 1                                                 [ Clean ]
    ....(omitted)....
         Checking /etc/xinetd.conf                                [ Clean ]
    
    * Suspicious file properties
       chmod properties
         Checking /bin/ps                                         [ Clean ]
    ....(omitted)....
         Checking /bin/login                                      [ Clean ]
    
    * OS dependant tests
       Linux
         Checking loaded kernel modules...                        [ OK ]
         Checking files attributes                                [ OK ]
         Checking LKM module path                                 [ OK ]
    
    Networking
    * Check: frequently used backdoors
      Port 2001: Scalper Rootkit                                  [ OK ]
      Port 60922: zaRwT.KiT                                       [ OK ]
    
    * Interfaces
         Scanning for promiscuous interfaces                      [ OK ]
    
    [Press <ENTER> to continue]      press Enter here to go on
    # The third part checks for trojan characteristics and for loadable kernel
    # modules: known trojan patterns are used for the test, and since a trojan may
    # open a backdoor, the listening ports are checked here as well.
    # Then comes the fourth part.
    
    System checks
    * Allround tests
       Checking hostname... Found. Hostname is test.vbird.tw
       Checking for passwordless user accounts... OK
       Checking for differences in user accounts...               [ NA ]
       Checking for differences in user groups... Creating file It seems 
                this is your first time.
       Checking boot.local/rc.local file...
         - /etc/rc.local                                          [ OK ]
         - /etc/rc.d/rc.local                                     [ OK ]
         - /usr/local/etc/rc.local                                [ Not found ]
    ....(omitted)....
    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                               [ OK ]
    
    [Press <ENTER> to continue]      press Enter here to go on
    # The fourth part checks the accounts and the boot-time services of the system,
    # so rc.local and the password/account files are examined here,
    # and /dev is scanned for files that do not belong there. Next, the fifth part.
    
    Application advisories
    * Application scan
       Checking Apache2 modules ...                               [ Not found ]
       Checking Apache configuration ...                          [ OK ]
    
    * Application version scan
       - GnuPG 1.2.1                                              [ Vulnerable ]
       - Bind DNS [unknown]                                       [ OK ]
       - OpenSSL 0.9.7a                                           [ Vulnerable ]
       - Procmail MTA 3.22                                        [ OK ]
       - OpenSSH 3.7.1p2                                          [ Unknown ]
    
    Security advisories
    * Check: Groups and Accounts
       Searching for /etc/passwd...                               [ Found ]
       Checking users with UID '0' (root)...                      [ OK ]
    
    * Check: SSH
       Searching for sshd_config...
       Found /etc/ssh/sshd_config
       Checking for allowed root login...        [ OK (Remote root login disabled) ]
       Checking for allowed protocols...         [ OK (Only SSH2 allowed) ]
    
    * Check: Events and Logging
       Search for syslog configuration...                         [ OK ]
       Checking for running syslog slave...                       [ OK ]
       Checking for logging to remote system...  [ OK (no remote logging) ]
    
    [Press <ENTER> to continue]      press Enter here to go on
    # The fifth part checks the versions of some common services. Because it
    # compares version numbers only and cannot know whether a hole has been
    # patched by the distribution, the information here may be a false alarm.
    # In the run above, my OpenSSL 0.9.7a had already been patched by the
    # distribution, so its hole is closed, yet it is still shown in red as
    # vulnerable. That line is a false positive.
    
    ---------------------------- Scan results ----------------------------
    
    MD5
    MD5 compared: 51
    Incorrect MD5 checksums: 0
    
    File scan
    Scanned files: 328
    Possible infected files: 0
    
    Application scan
    Vulnerable applications: 2
    
    Scanning took 114 seconds
    
    -----------------------------------------------------------------------
    
    # Finally a summary: the counts show at a glance what the scan found,
    # and thus the current state of the system.

    The nicest part of rkhunter is its coloured output. On a terminal, OK appears in green and a problem in red, which makes reading the report easy (on a web page the colours may not show, which is why you do not see them above). So whenever you see red text in the output, pay attention!

    If you do not want to press Enter after every section and would rather let the program run through on its own, use:
    /usr/local/bin/rkhunter --checkall --skip-keypress
    The scan then runs to the end by itself. To have the scan run automatically every day, add the following line to /etc/crontab:
    10 3 * * * root /usr/local/bin/rkhunter --checkall --cronjob
    This runs the scan every day at 3:10; since it is started by crontab, the --cronjob option turns off the coloured output.


    Fixing the system
    If rkhunter reports a lot of red on your system, what should you do? Besides the FAQ in the official documentation,
    http://www.rootkit.nl/articles/rootkit_hunter_faq.html
    the official advice, and that of most experienced administrators, is this: if a rootkit has really been planted on the host (that is, the second part of the scan in the previous section found something), the best course is to reinstall the system. Nobody can be sure what else a rootkit or backdoor has left behind, and the standard answer is "wipe and reinstall". In practice the steps are roughly:
    1. Disconnect the host from the network.
    2. Back up the important data as soon as possible, including the binary files and the log files (they are needed for the analysis in step 7); for everything else consider backing up only the configuration files.
    3. Check the backed-up data carefully (this can take a long time) to make sure it does not contain anything malicious.
    4. Reinstall a complete system, which includes:
      • installing only the packages you actually need;
      • setting up at least a basic firewall before the host is connected;
      • updating online with APT/YUM;
      • running rkhunter/nessus and similar tools to confirm the system is clean before it goes live.
    5. Restore the backed-up data onto the freshly installed system and start the services you need.
    6. Run rkhunter/nessus again to confirm the system is still clean, and tighten the configuration further.
    7. Finally, analyse the old data you backed up, especially the log files, to find out how the cracker got in: through which service, at what time, from which IP address, and so on. Then apply what you learn to the running system.
    Done this way, our host is reasonably safe again. As for the nessus mentioned above, it is covered in the following chapters.

    When rkhunter prints red, it is not necessarily a rootkit or a backdoor. Very often it is the result of something a user or the administrator changed, or of a package that was updated. For example:
    • A file name from the rootkit strings list, say /dev/.thefile, exists on the system. First make sure the file or directory was not created by a rootkit (in general, if rkhunter did not report that rootkit in its rootkit check and only the strings file matched, it is most likely just a name clash). If it is harmless, delete it, but only after you are sure; if you are certain it belongs there, you may also simply leave it.

    • The MD5 check flags a binary as wrong. This can happen because of an intrusion, but also because the distribution updated the package. I updated syslogd on Red Hat 9 and rkhunter immediately reported the file as a problem; it turned out that syslogd had been updated after this rkhunter release came out, and rkhunter's MD5 database had not yet been refreshed, hence the mismatch.

      The fix is to update rkhunter's database to get the latest information. With the online update it is simply:
      [root@test root]# rkhunter --update
      Running updater...
      
      Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
      Using mirror http://www.rootkit.nl/rkhunter
      [DB] Mirror file                      : Update available
        Action: Database updated (current version: 2004081200, new version 2004110700)
      [DB] MD5 hashes system binaries       : Update available
        Action: Database updated (current version: 2004091000, new version 2004110900)
      [DB] Operating System information     : Update available
        Action: Database updated (current version: 2004091100, new version 2004110901)
      [DB] MD5 blacklisted tools/binaries   : Up to date
      [DB] Known good program versions      : Update available
        Action: Database updated (current version: 2004091000, new version 2004110500)
      [DB] Known bad program versions       : Update available
        Action: Database updated (current version: 2004091000, new version 2004110500)
      
      As shown above, the database of the 1.1.8 release I installed has been updated to the versions of 2004/11/09. After the update, run the MD5 check again. If the file is still reported, the only remaining option is to ask the rkhunter author.
    For other problems, see the FAQ linked above. And to check whether your rkhunter itself is the latest release, run:
    rkhunter --versioncheck
    which tells you the current rkhunter version. Easy enough!


    References

    2004/11/16: