Installing chkrootkit

I installed chkrootkit.i386 0:0.46a-2.fc5, a tool that checks whether a rootkit has been planted on the system, on FC-5.

[root@server ~]# yum -y install chkrootkit
Repository atrpms is listed more than once in the configuration
Repository dries is listed more than once in the configuration
Repository livna is listed more than once in the configuration
Repository updates-released is listed more than once in the configuration
Repository atrpms-testing is listed more than once in the configuration
Repository flash is listed more than once in the configuration
Repository atrpms-bleeding is listed more than once in the configuration
Repository dag is listed more than once in the configuration
Repository jpackage-fedora is listed more than once in the configuration
Repository freshrpms is listed more than once in the configuration
Repository livna-testing is listed more than once in the configuration
Repository jpackage-generic is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository newrpms is listed more than once in the configuration
Setting up Install Process
Setting up repositories
livna-stable                                                         [1/8]
livna                                                                [2/8]
updates-released                                                     [3/8]
core                                                                 [4/8]
base                                                                 [5/8]
livna-testing                                                        [6/8]
extras                                                               [7/8]
livna-unstable                                                       [8/8]
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package chkrootkit.i386 0:0.46a-2.fc5 set to be updated
--> Running transaction check
Dependencies Resolved
===========================================================
Package                 Arch       Version          Repository        Size
===========================================================
Installing:
chkrootkit              i386       0.46a-2.fc5      extras            264 k
Transaction Summary
===========================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 264 k
Downloading Packages:
(1/1): chkrootkit-0.46a-2 100% |=====================| 264 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: chkrootkit                   ######################### [1/1]
Installed: chkrootkit.i386 0:0.46a-2.fc5
Complete!

Running chkrootkit

Change to the chkrootkit directory.

[root@server ~]# cd /usr/lib/chkrootkit-0.46a

Run chkrootkit.

[root@server chkrootkit-0.46a]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
     ・
     ・
     ・
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted

If no line in the output contains "INFECTED", there is no problem.

Running chkrootkit (show errors only)

[root@server chkrootkit-0.46a]# ./chkrootkit -q
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/Time-modules/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/auto/NKF/.packlist

Scheduling chkrootkit to run automatically

Create a script that runs chkrootkit.

[root@server chkrootkit-0.46a]# vi /root/chkrootkit.sh
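#!/bin/sh
# Create the log readable by root only from the start
umask 077
cd /usr/lib/chkrootkit-0.46a/ || exit 1
./chkrootkit > /var/log/chkrootkit.log
chmod 600 /var/log/chkrootkit.log
# Print any INFECTED lines; cron mails job output to the crontab owner
grep INFECTED /var/log/chkrootkit.log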

Give the chkrootkit script execute permission.

[root@server chkrootkit-0.46a]# chmod 700 /root/chkrootkit.sh

Edit the crontab.

[root@server chkrootkit-0.46a]# crontab -e
00 02 * * * /root/chkrootkit.sh

The chkrootkit script now runs every day at 2:00.
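The "no INFECTED line" check above also passes when the log is empty or the scan stopped early, so an unattended job should tell those cases apart. The following is an added example, not part of the original script: the function names and exit codes are hypothetical, and it assumes a finished 0.46a run reaches the `chkutmp` test, the last line of the sample output shown earlier.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original page).
# check_chkrootkit_log LOGFILE
#   returns 0: scan completed and no INFECTED line
#           1: at least one INFECTED line (the lines are printed)
#           2: log missing, empty, or scan did not complete
check_chkrootkit_log() {
    log=$1
    if [ ! -s "$log" ]; then
        echo "chkrootkit: log $log is missing or empty" >&2
        return 2
    fi
    # Assumption: chkutmp is the final test, as in the page's sample output.
    if ! grep -q "^Checking \`chkutmp'" "$log"; then
        echo "chkrootkit: scan in $log did not complete" >&2
        return 2
    fi
    # Case-sensitive on purpose: "not infected" must not match.
    if grep INFECTED "$log"; then
        return 1
    fi
    return 0
}

# Constructed sample log (not real scan output).
# $1 = path to write, $2 = result text for the `cron' test.
write_sample_log() {
    cat > "$1" <<EOF
ROOTDIR is \`/'
Checking \`basename'... not infected
Checking \`cron'... $2
Checking \`chkutmp'... chkutmp: nothing deleted
EOF
}

# When called with a log path, check it and pass the result on as exit status.
if [ "$#" -gt 0 ]; then
    check_chkrootkit_log "$1"
fi
```

Calling this on /var/log/chkrootkit.log in place of the plain grep makes a failed or truncated scan visible in the cron mail instead of looking like a clean result.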