A rootkit is a set of programs that a malicious third party installs after breaking into a server: it tampers with logs and system commands to hide the intrusion from the administrator and secures a path for getting back in later.
If one is detected, deal with it immediately.
Install chkrootkit
[root@falcon21 ~]# yum -y install chkrootkit
Run chkrootkit
[root@falcon21 ~]# chkrootkit | grep INFECTED
Configure chkrootkit to run automatically every day
[root@falcon21 ~]# vi /etc/cron.daily/chkrootkit
#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
TMPLOG=$(mktemp)
# Run chkrootkit and capture the full report
chkrootkit > "$TMPLOG"
# Send the report to syslog (tag "chkrootkit"; it ends up in /var/log/messages)
logger -t chkrootkit < "$TMPLOG"
# Suppress the bindshell false positive on port 465 (SMTPS): drop the line
# only when nothing listening on that port is actually a bindshell
if [ -n "$(grep 465 "$TMPLOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$TMPLOG"
fi
# Suppress the Suckit false positive seen after an upstart package update:
# drop the line only when the package owning /sbin/init verifies cleanly
if [ -n "$(grep Suckit "$TMPLOG")" ] && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$TMPLOG"
fi
# Mail root only when something is reported as INFECTED
[ -n "$(grep INFECTED "$TMPLOG")" ] && \
    grep INFECTED "$TMPLOG" | mail -s "chkrootkit report in $(hostname)" root
rm -f "$TMPLOG"
------------------
[root@falcon21 ~]# chmod 700 /etc/cron.daily/chkrootkit
The chkrootkit results are saved in /var/log/messages
[root@falcon21 ~]# tail -30 /var/log/messages
May 5 22:26:42 falcon21 chkrootkit: ! root 3483 tty1 /usr/bin/Xorg :0 -br -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-VDOe7p/database -nolisten tcp vt1
May 5 22:26:42 falcon21 chkrootkit: chkutmp: nothing deleted
May 5 22:26:42 falcon21 chkrootkit: Checking `OSX_RSPLUG'... not infected
May 5 22:27:08 falcon21 xinetd[2833]: START: telnet pid=14411 from=::ffff:58.38.109.217
May 5 22:27:42 falcon21 telnetd[14411]: ttloop: peer died: EOF
May 5 22:27:42 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14411 duration=34(sec)
May 5 22:27:44 falcon21 xinetd[2833]: START: telnet pid=14413 from=::ffff:58.38.109.217
May 5 22:28:16 falcon21 telnetd[14413]: ttloop: peer died: EOF
May 5 22:28:16 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14413 duration=32(sec)
May 5 22:28:16 falcon21 xinetd[2833]: START: telnet pid=14442 from=::ffff:58.38.109.217
May 5 22:28:47 falcon21 telnetd[14442]: ttloop: peer died: EOF
May 5 22:28:47 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14442 duration=31(sec)
May 5 22:28:47 falcon21 xinetd[2833]: START: telnet pid=14445 from=::ffff:58.38.109.217
May 5 22:29:18 falcon21 telnetd[14445]: ttloop: peer died: EOF
May 5 22:29:18 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14445 duration=31(sec)
May 5 22:29:21 falcon21 xinetd[2833]: START: telnet pid=14473 from=::ffff:58.38.109.217
May 5 22:30:08 falcon21 clamd[2869]: SelfCheck: Database status OK.
May 5 22:30:09 falcon21 telnetd[14473]: ttloop: peer died: EOF
May 5 22:30:09 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14473 duration=48(sec)
May 5 22:30:09 falcon21 xinetd[2833]: START: telnet pid=14507 from=::ffff:58.38.109.217
May 5 22:30:39 falcon21 clamd[3107]: SelfCheck: Database status OK.
May 5 22:30:47 falcon21 telnetd[14507]: ttloop: peer died: EOF
May 5 22:30:47 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14507 duration=38(sec)
May 5 22:30:47 falcon21 xinetd[2833]: START: telnet pid=14510 from=::ffff:58.38.109.217
May 5 22:31:19 falcon21 telnetd[14510]: ttloop: peer died: EOF
May 5 22:31:19 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14510 duration=32(sec)
May 5 22:31:20 falcon21 xinetd[2833]: START: telnet pid=14542 from=::ffff:58.38.109.217
May 5 22:31:52 falcon21 telnetd[14542]: ttloop: peer died: EOF
May 5 22:31:52 falcon21 xinetd[2833]: EXIT: telnet status=1 pid=14542 duration=32(sec)
May 5 22:31:52 falcon21 xinetd[2833]: START: telnet pid=14546 from=::ffff:58.38.109.217
[root@falcon21 ~]#
-----------------------
Preserving known-good copies of the commands chkrootkit relies on
[root@falcon21 ~]# mkdir chkrootkitcmd
[root@falcon21 ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd/
[root@falcon21 ~]# chkrootkit -p /root/chkrootkitcmd|grep INFECTED
[root@falcon21 ~]# zip -r chkrootkitcmd.zip chkrootkitcmd/
[root@falcon21 ~]# rm -rf chkrootkitcmd
[root@falcon21 ~]# yum -y install sharutils
[root@falcon21 ~]# uuencode chkrootkitcmd.zip chkrootkitcmd.zip|mail root
[root@falcon21 ~]# rm -f chkrootkitcmd.zip
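As an added example (not part of the original page), the following shell functions extend the step above: besides copying the known-good commands for "chkrootkit -p", they record a sha256 manifest next to the copies and verify it before every scan, so a replaced, removed or added binary in that directory is caught rather than trusted. The directory path and the command list are placeholder assumptions, as is a copy of the directory kept on disk (e.g. restored from the mailed zip); sha256sum is assumed to be available from coreutils.

```shell
#!/bin/sh
# Added example, not from the original page: keep a sha256 manifest next to the
# known-good command copies used with "chkrootkit -p" and refuse to scan unless
# every copy still matches it. Directory paths and the command list are
# placeholders; sha256sum is assumed to be available (coreutils).

# Copy the named commands into $1 and write .manifest.sha256 there. Names for
# which command -v prints no absolute path (shell builtins) are skipped, since
# there is no file to copy; everything else is copied and hashed.
make_trusted_cmds() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for cmd in "$@"; do
        src=$(command -v "$cmd" 2>/dev/null) || src=
        case $src in
            /*) cp "$src" "$dest/" || return 1 ;;
            *)  echo "skipping $cmd: not an external binary" >&2 ;;
        esac
    done
    # "*" does not match the dotfile manifest, so it never hashes itself
    (cd "$dest" && sha256sum * > .manifest.sha256) || return 1
}

# Verify $1 against its manifest. Returns 1 if the manifest is missing, a copy
# was altered or removed, or an unlisted file appeared (an extra binary could
# shadow a real one when chkrootkit looks for tools in the -p directory).
verify_trusted_cmds() {
    dest=$1
    [ -f "$dest/.manifest.sha256" ] || { echo "no manifest in $dest" >&2; return 1; }
    (cd "$dest" && sha256sum -c .manifest.sha256 > /dev/null) || return 1
    for f in "$dest"/*; do
        name=${f##*/}
        listed=0
        while read -r _sum entry; do
            [ "$entry" = "$name" ] && listed=1
        done < "$dest/.manifest.sha256"
        [ "$listed" -eq 1 ] || { echo "unexpected file in $dest: $name" >&2; return 1; }
    done
    return 0
}

# Run the scan with the verified command set only, as the page does with -p.
scan_with_trusted_cmds() {
    verify_trusted_cmds "$1" || { echo "trusted commands failed verification; not scanning" >&2; return 2; }
    chkrootkit -p "$1" | grep INFECTED
}
```

Call make_trusted_cmds once after a clean install (for example with the same command list the page uses) and scan_with_trusted_cmds from the daily cron job in place of a bare chkrootkit run.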