Friday, July 30, 2010

Linux: Detecting Rootkits.

Taken from: Blog de Redes Privadas

Having presented the characteristics of rootkits and the tool Linux gives us to fight them, we now move on to installing Rkhunter 1.3.6 on a 64-bit CentOS 5.4 machine.

Rkhunter can be installed permanently on the system:

[root@centos ~]# tar zxf rkhunter-1.3.6.tar.gz

[root@centos ~]# cd rkhunter-1.3.6

[root@centos rkhunter-1.3.6]# ./installer.sh --install

Or temporarily:

[root@centos ~]# mkdir /tmp/rkh

[root@centos ~]# cd /tmp/rkh

[root@centos rkh]# tar zxf rkhunter-1.3.6.tar.gz

[root@centos rkh]# cd rkhunter-1.3.6

[root@centos rkhunter-1.3.6]# ./installer.sh --layout custom . --install

[root@centos rkhunter-1.3.6]# cd files

For this article we will use the temporary form. The first thing to do is update the data files with the malware information maintained by the Rkhunter developers, and then create an initial database (rkhunter.dat) holding the properties (MD5 hash, permissions, etc.) of the main system binaries.

[root@centos files]# ./rkhunter --update
[ Rootkit Hunter version 1.3.6 ]

Checking rkhunter data files...
Checking file mirrors.dat                                  [ No update ]
Checking file programs_bad.dat                             [ No update ]
...

[root@centos files]# ./rkhunter --propupd
[ Rootkit Hunter version 1.3.6 ]
File created: searched for 159 files, found 134, missing hashes 35

If at any point one of those binaries undergoes any kind of modification, the propupd option has to be run again.
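The baseline-then-compare idea behind --propupd and --check, as an added example that is not rkhunter's own code: a small POSIX sh script that records the MD5 hash, mode and size of every file in a directory (the equivalent of propupd), then re-measures them and reports each deviation (the equivalent of the file properties check). It assumes GNU coreutils (md5sum) and a POSIX sh; the function names and the sample "binaries" are constructed for the demo. It also shows why the baseline must be refreshed only after a change you know to be legitimate: once a file differs, every later check keeps reporting it until propupd is run again.

```shell
#!/bin/sh
# Added example, not part of rkhunter: a minimal file-properties baseline that
# mirrors what `rkhunter --propupd` records (MD5, permissions, size) and what
# `rkhunter --check` later compares. Assumes GNU coreutils (md5sum) and POSIX sh.

# build_baseline DIR DB
# Write one line per regular file in DIR: "<md5> <mode> <size> <path>".
# The path goes last so that `read` can cope with spaces in it.
build_baseline() {
    dir=$1; db=$2
    : > "$db"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rwxr-xr-x; setuid shows as 's'
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s %s %s\n' "$sum" "$mode" "$size" "$f" >> "$db"
    done
}

# verify_baseline DB
# Re-measure every recorded file and print one line per deviation.
# Returns 0 when everything matches, 1 when at least one file deviates.
verify_baseline() {
    db=$1; rc=0
    while read -r sum mode size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        cur_sum=$(md5sum "$path" | cut -d' ' -f1)
        cur_mode=$(ls -ld "$path" | cut -c1-10)
        cur_size=$(wc -c < "$path" | tr -d ' ')
        [ "$cur_sum"  = "$sum"  ] || { echo "HASH CHANGED $path ($sum -> $cur_sum)"; rc=1; }
        [ "$cur_mode" = "$mode" ] || { echo "MODE CHANGED $path ($mode -> $cur_mode)"; rc=1; }
        [ "$cur_size" = "$size" ] || { echo "SIZE CHANGED $path ($size -> $cur_size)"; rc=1; }
    done < "$db"
    return "$rc"
}

# Demo over constructed "system binaries" in a temporary directory.
demo() {
    sys=$(mktemp -d); db=$(mktemp)
    printf 'awk binary\n'      > "$sys/awk"
    printf 'basename binary\n' > "$sys/basename"
    printf 'ls binary\n'       > "$sys/ls"
    chmod 755 "$sys"/*

    build_baseline "$sys" "$db"                # what --propupd does
    verify_baseline "$db" && echo "first check: all files match the baseline"

    printf 'extra code\n' >> "$sys/ls"         # trojaned binary: hash and size change
    chmod 4755 "$sys/awk"                      # setuid bit added: mode changes
    rm "$sys/basename"                         # file removed
    verify_baseline "$db" || echo "second check: deviations found; refresh the baseline only after a legitimate update"

    rm -rf "$sys" "$db"
}

demo
```

Running the script prints the first check as clean and the second with one HASH CHANGED and one SIZE CHANGED line for ls, one MODE CHANGED line for awk and one MISSING line for basename; rkhunter reports the same classes of deviation under "Performing file properties checks".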

To run a scan, execute the following command (part of the output has been omitted):

[root@centos files]# ./rkhunter --check --sk
[ Rootkit Hunter version 1.3.6 ]          

Checking system commands...

Performing 'strings' command checks
 Checking 'strings' command                               [ OK ]

Performing 'shared libraries' checks
 Checking for preloading variables                        [ None found ]
 Checking for preloaded libraries                         [ None found ]
 Checking LD_LIBRARY_PATH variable                        [ Not found ]

Performing file properties checks
 Checking for prerequisites                               [ Warning ]
 /bin/awk                                                 [ OK ]  
 /bin/basename                                            [ OK ]
...
Checking for rootkits...

Performing check of known rootkit files and directories
 55808 Trojan - Variant A                                 [ Not found ]
 ADM Worm                                                 [ Not found ]
...
Performing additional rootkit checks
 Suckit Rookit additional checks                          [ OK ]
...
Performing malware checks
 Checking running processes for suspicious files          [ None found ]
...
Performing Linux specific checks
 Checking loaded kernel modules                           [ OK ]
...
Checking the network...

Performing check for backdoor ports
 Checking for TCP port 1524                               [ Not found ]
 Checking for TCP port 1984                               [ Not found ]
...
Performing checks on the network interfaces
 Checking for promiscuous interfaces                      [ None found ]

Checking the local host...

Performing system boot checks
 Checking for local host name                             [ Found ]
...
Performing group and account checks
 Checking for passwd file                                 [ Found ]
...
Performing system configuration file checks
 Checking for SSH configuration file                      [ Found ]
...
Performing filesystem checks
 Checking /dev for suspicious file types                  [ None found ]
 Checking for hidden files and directories                [ Warning ]

Checking application versions...

 Checking version of GnuPG                                [ OK ]
...
System checks summary
=====================

File properties checks...
 Required commands check failed
 Files checked: 134         
 Suspect files: 5           

Rootkit checks...
 Rootkits checked : 253
 Possible rootkits: 0

Applications checks...
 Applications checked: 4
 Suspect applications: 2

The log (rkhunter.log) contains more detailed information about the warnings and errors found.

Rkhunter has a configuration file where various scan options can be set (for example, whether SSH access for root is allowed).

[root@centos files]# cat rkhunter.conf
...
ALLOW_SSH_ROOT_USER=yes
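What that option actually drives, as an added example rather than rkhunter's own code: rkhunter's "Checking if SSH root access is allowed" line compares ALLOW_SSH_ROOT_USER in rkhunter.conf with PermitRootLogin in sshd_config and raises a Warning when they disagree. The script below reproduces that comparison in simplified form; both configuration files are constructed samples, the function names are this demo's, and the treatment of the key-only PermitRootLogin values is our reading of the option rather than rkhunter's exact table.

```shell
#!/bin/sh
# Added example, not rkhunter's own code: a simplified version of the check behind
# rkhunter's "Checking if SSH root access is allowed" line. It reads
# ALLOW_SSH_ROOT_USER from rkhunter.conf and PermitRootLogin from sshd_config and
# warns when the two disagree. Config files and function names are constructed.

# conf_value FILE KEY : value of the last uncommented "KEY=value" line
# (assumed: last assignment wins, as it would if the file were sourced)
conf_value() {
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# sshd_value FILE KEYWORD : value of the FIRST uncommented "Keyword value" line,
# because sshd uses the first value it obtains for each keyword. Keywords are
# case-insensitive; Match blocks are not handled here.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$0 !~ /^[ \t]*#/ && tolower($1) == k && !seen { v = $2; seen = 1 } END { print v }' "$1"
}

# check_ssh_root RKHUNTER_CONF SSHD_CONFIG
# Prints a verdict in the style of the scan output; returns 0 for OK, 1 for Warning.
check_ssh_root() {
    allow=$(conf_value "$1" ALLOW_SSH_ROOT_USER)
    permit=$(sshd_value "$2" PermitRootLogin)
    [ -z "$allow" ]  && allow=no     # rkhunter.conf default
    [ -z "$permit" ] && permit=yes   # OpenSSH default before 7.0 (prohibit-password since)

    case $permit in
        yes) effective=yes ;;
        no)  effective=no ;;
        without-password|prohibit-password|forced-commands-only) effective=key-only ;;
        *)   echo " Checking if SSH root access is allowed                   [ Warning ]"
             echo "   unrecognised PermitRootLogin value '$permit'"
             return 1 ;;
    esac

    # Mismatch: the policy says "no" but sshd still lets root in (the dangerous case),
    # or the policy says "yes" while sshd already refuses root (a stale rkhunter.conf).
    if { [ "$allow" = no ] && [ "$effective" != no ]; } || \
       { [ "$allow" = yes ] && [ "$effective" = no ]; }; then
        echo " Checking if SSH root access is allowed                   [ Warning ]"
        echo "   rkhunter.conf ALLOW_SSH_ROOT_USER=$allow but sshd_config PermitRootLogin=$permit"
        return 1
    fi
    echo " Checking if SSH root access is allowed                   [ OK ] (ALLOW_SSH_ROOT_USER=$allow, PermitRootLogin=$permit)"
    return 0
}

# Demo over constructed files: the article's setting (yes/yes), a hardened pair (no/no)
# and a mismatch (no/yes) that the check must flag.
demo() {
    d=$(mktemp -d)
    printf '# rkhunter.conf (constructed)\nALLOW_SSH_ROOT_USER=yes\n' > "$d/rkhunter.conf"
    printf '# sshd_config (constructed)\nPort 22\nPermitRootLogin yes\n' > "$d/sshd_config"
    check_ssh_root "$d/rkhunter.conf" "$d/sshd_config"

    printf 'ALLOW_SSH_ROOT_USER=no\n' > "$d/rkhunter.conf"
    printf 'PermitRootLogin no\n' > "$d/sshd_config"
    check_ssh_root "$d/rkhunter.conf" "$d/sshd_config"

    printf 'PermitRootLogin yes\n' > "$d/sshd_config"
    check_ssh_root "$d/rkhunter.conf" "$d/sshd_config" || true
    rm -rf "$d"
}

demo
```

The setting shown in the article (ALLOW_SSH_ROOT_USER=yes) only keeps the scan quiet while sshd really does permit root logins; the defensive configuration is to set PermitRootLogin no in sshd_config and ALLOW_SSH_ROOT_USER=no in rkhunter.conf, so that any later loosening of sshd shows up as a Warning in the next scan.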
