{"id":296,"date":"2014-12-20T23:30:42","date_gmt":"2014-12-20T14:30:42","guid":{"rendered":"http:\/\/yokensaka.com\/centos\/?p=296"},"modified":"2015-12-14T01:48:26","modified_gmt":"2015-12-13T16:48:26","slug":"centos7-rootkit%e6%a4%9c%e7%9f%a5%e3%83%84%e3%83%bc%e3%83%ab%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab","status":"publish","type":"post","link":"http:\/\/yokensaka.com\/centos\/?p=296","title":{"rendered":"CentOS 7 rootkit\u691c\u77e5\u30c4\u30fc\u30eb\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb"},"content":{"rendered":"

\u25a0chkrootkit\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/p>\n

[root@server1 ~]# wget ftp:\/\/ftp.pangeia.com.br\/pub\/seg\/pac\/chkrootkit.tar.gz\u3000\u2190\u3000chkrootkit\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\r\n\r\n[root@server1 ~]# tar zxvf chkrootkit.tar.gz\u3000\u2190\u3000chkrootkit\u5c55\u958b\r\n\r\n[root@server1 ~]# mkdir -p ~\/bin && mv chkrootkit-0.50\/chkrootkit ~\/bin\u3000\u2190\u3000chkrootkit\u3092\u79fb\u52d5\r\n\r\n[root@server1 ~]# rm -rf chkrootkit-0.50\/\u3000\u2190\u3000chkrootkit\u5c55\u958b\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u524a\u9664\r\n\r\n[root@server1 ~]# rm -f chkrootkit.tar.gz\u3000\u2190\u3000\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305fchkrootkit\u3092\u524a\u9664<\/pre>\n
\u25a0chkrootkit\u78ba\u8a8d<\/p>\n
[root@server1 ~]# chkrootkit | grep INFECTED\u3000\u2190\u3000chkrootkit\u5b9f\u884c\r\n\u4e0a\u8a18chkrootkit\u5b9f\u884c\u7d50\u679c\u3068\u3057\u3066\"INFECTED\"\u3068\u3044\u3046\u884c\u304c\u8868\u793a\u3055\u308c\u306a\u3051\u308c\u3070\u554f\u984c\u306a\u3057<\/pre>\n
\u25a0chkrootkit\u5b9a\u671f\u81ea\u52d5\u5b9f\u884c\u8a2d\u5b9a<\/p>\n
[root@server1 ~]# vi \/etc\/cron.daily\/chkrootkit\u3000\u2190\u3000chkrootkit\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u6bce\u65e5\u81ea\u52d5\u5b9f\u884c\u3055\u308c\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u4f5c\u6210\r\n#!\/bin\/bash\r\n\r\nPATH=\/usr\/bin:\/bin:\/root\/bin\r\n\r\nTMPLOG=`mktemp`\r\n\r\n# chkrootkit\u5b9f\u884c\r\nchkrootkit > $TMPLOG\r\n\r\n# \u30ed\u30b0\u51fa\u529b\r\ncat $TMPLOG | logger -t chkrootkit\r\n\r\n# SMTPS\u306ebindshell\u8aa4\u691c\u77e5\u5bfe\u5fdc\r\nif [ ! -z \"$(grep 465 $TMPLOG)\" ] && \\\r\n   [ -z $(\/usr\/sbin\/lsof -i:465|grep bindshell) ]; then\r\n        sed -i '\/465\/d' $TMPLOG\r\nfi\r\n\r\n# rootkit\u691c\u77e5\u6642\u306e\u307froot\u5b9b\u30e1\u30fc\u30eb\u9001\u4fe1\r\n[ ! -z \"$(grep INFECTED $TMPLOG)\" ] && \\\r\ngrep INFECTED $TMPLOG | mail -s \"chkrootkit report in `hostname`\" root\r\n\r\nrm -f $TMPLOG\r\n\r\n[root@server1 ~]# chmod 700 \/etc\/cron.daily\/chkrootkit\u3000\u2190\u3000chkrootkit\u5b9f\u884c\u30b9\u30af\u30ea\u30d7\u30c8\u3078\u5b9f\u884c\u6a29\u9650\u4ed8\u52a0<\/pre>\n
\u3053\u308c\u3067\u6bce\u65e5\u5b9a\u671f\u7684\u306brootkit\u304c\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u306a\u3044\u304b\u30c1\u30a7\u30c3\u30af\u3055\u308c\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u305f\u5834\u5408\u306froot\u5b9b\u306b\u30e1\u30fc\u30eb\u304c\u5c4a\u304f\u3088\u3046\u306b\u306a\u308b\u3002\u307e\u305f\u3001chkrootkit\u306e\u5b9f\u884c\u7d50\u679c\u306f\/var\/log\/messages\u306b\u4fdd\u5b58\u3055\u308c\u308b\u3002<\/p>\n
\u25a0chkrootkit\u3067\u4f7f\u7528\u3059\u308b\u5b89\u5168\u306a\u30b3\u30de\u30f3\u30c9\u306e\u78ba\u4fdd
\nchkrootkit\u304c\u4f7f\u7528\u3059\u308b\u30b3\u30de\u30f3\u30c9\u7fa4\u304c\u65e2\u306b\u6539\u7ac4\u3055\u308c\u3066\u3044\u305f\u5834\u5408\u3001rootkit\u3092\u6b63\u5e38\u306b\u691c\u51fa\u3067\u304d\u306a\u304f\u306a\u308b\u306e\u3067\u3001chkrootkit\u304c\u4f7f\u7528\u3059\u308b\u30b3\u30de\u30f3\u30c9\u7fa4\u3092\u30b3\u30d4\u30fc\u3057\u3066\u304a\u304d\u3001\u5fc5\u8981\u306a\u5834\u5408\u306b\u306f\u305d\u306e\u30b3\u30de\u30f3\u30c9\u7fa4\u3092\u4f7f\u7528\u3057\u3066chkrootkit\u3092\u5b9f\u884c\u3059\u308b\u3002<\/p>\n
chkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u4f5c\u6210\r\n[root@server1 ~]# mkdir chkrootkitcmd\u3000\r\n\r\nchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u3092\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u30b3\u30d4\u30fc\r\n[root@server1 ~]# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkitcmd\/\r\n\r\n\u9000\u907f\u3057\u305fchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066chkrootkit\u5b9f\u884c\r\n[root@server1 ~]# chkrootkit -p \/root\/chkrootkitcmd|grep INFECTED\r\n\r\nchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u5727\u7e2e\r\n[root@server1 ~]# zip -r chkrootkitcmd.zip chkrootkitcmd\/\r\n\r\nchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9\u9000\u907f\u5148\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u524a\u9664\r\n[root@server1 ~]# rm -rf chkrootkitcmd\r\n\r\nmail\u30b3\u30de\u30f3\u30c9\u3067zip\u30d5\u30a1\u30a4\u30eb\u6dfb\u4ed8\u30e1\u30fc\u30eb\u3092\u9001\u4fe1\u3059\u308b\u306e\u306b\u5fc5\u8981\u306auuencode\u30b3\u30de\u30f3\u30c9\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\r\n[root@server1 ~]# yum -y install sharutils\r\n\r\nchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9(\u5727\u7e2e\u7248)\u3092root\u5b9b\u306b\u30e1\u30fc\u30eb\u9001\u4fe1\r\n[root@server1 ~]# uuencode chkrootkitcmd.zip chkrootkitcmd.zip|mail root\r\n\r\nchkrootkit\u4f7f\u7528\u30b3\u30de\u30f3\u30c9(\u5727\u7e2e\u7248)\u524a\u9664\r\n[root@server1 ~]# rm -f chkrootkitcmd.zip<\/pre>\n
\u25a0Suckit\u8aa4\u691c\u77e5\u306e\u4fee\u6b63
\nSuckit \u306b\u3088\u308b \/sbin\/init \u306e\u6539\u3056\u3093\u8aa4\u691c\u77e5\u5bfe\u7b56<\/p>\n
[root@server1 ~]# chkrootkit | grep INFECTED\r\nSearching for Suckit rootkit... Warning: \/sbin\/init INFECTED<\/pre>\n
chkrootkit\u306e\u4fee\u6b63<\/p>\n
[root@server1 ~]# vi \/root\/bin\/chkrootkit\r\n   ### Suckit\r\n   if [ -f ${ROOTDIR}sbin\/init ]; then\r\n      if [ \"${QUIET}\" != \"t\" ];then printn \"Searching for Suckit rootkit... \"; fi\r\n      if [ ${SYSTEM} != \"HP-UX\" ] && ( ${strings} ${ROOTDIR}sbin\/init | ${egrep} 'HOME='   || \\\r\n              cat ${ROOTDIR}\/proc\/1\/maps | ${egrep} \"init.\" ) >\/dev\/null 2>&1\r\n        then\r\n      if [ \"`md5sum ${ROOTDIR}sbin\/init | cut -d ' ' -f 1`\" = \"`grep 'sbin\/init$' \/sbin\/init | cut -d ' ' -f 1`\" ]\r\n      then<\/span>\r\n        echo \"Warning: ${ROOTDIR}sbin\/init INFECTED\"\r\n      fi<\/span>\r\n      else\r\n         if [ -d ${ROOTDIR}\/dev\/.golf ]; then\r\n            echo \"Warning: Suspect directory ${ROOTDIR}dev\/.golf\"\r\n         else\r\n            if [ \"${QUIET}\" != \"t\" ]; then echo \"nothing found\"; fi\r\n         fi\r\n      fi\r\n   fi<\/pre>\n
chkrootkit\u78ba\u8a8d<\/p>\n
[root@server1 ~]# chkrootkit | grep INFECTED\r\n\u3000\"INFECTED\"\u3068\u3044\u3046\u884c\u304c\u8868\u793a\u3055\u308c\u306a\u304f\u306a\u3063\u305f<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u25a0chkrootkit\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb [root@server1 ~]# wget … \u7d9a\u304d\u3092\u8aad\u3080 →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-296","post","type-post","status-publish","format-standard","hentry","category-rootkitchkrootkit"],"_links":{"self":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=296"}],"version-history":[{"count":2,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":447,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=\/wp\/v2\/posts\/296\/revisions\/447"}],"wp:attachment":[{"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/yokensaka.com\/centos\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}