We confirmed what will be done about rkhunter, which is famous as a rootkit countermeasure.
--Confirmed installation and operation on Ubuntu20.04LTS. Seems to be the same for other distributions
――Since it was introduced and operated properly, I wrote it instead of a memo. It should be more helpful than just I put it in.
--rkhunter can also check for suspicious things other than rootkits. --The introduction cost is minimal, and the operating cost is considered to be minimal because the mechanism is simple. --The target is "modification after intrusion" such as rootkit. It is considered good to create an environment where you can be aware of intrusion while making efforts to prevent intrusion.
If you look at rkhunter's project page, you should see the installation tutorial. Since there is, proceed with reference to it.
When I thought about it, there was a package.
# apt-get install rkhunter
Unfortunately, the default settings are (intentionally?) Incorrect and do not work.
――It seems that you can check without updating the database, but that doesn't make much sense.
# rkhunter --update
Invalid WEB_CMD configuration option: Relative pathname: "/bin/false"
#
Adjust /etc/rkhunter.conf.
Since the purpose is to visually check the operation, the display is switched to Japanese.
--Language settings
--Settings related to commands used in --update
--Inspection settings
The default config doesn't work properly. Please note that there are few articles that mention this.
--When you look at UPDATE_MIRRORS, MIRRORS_MODE, WEB_CMD, it seems that you don't want to show the ubuntu mirror or you should mirror it yourself (if you make it available immediately, a lot of access will occur).
--The language setting was set to ja to indicate that "it can be set", but en is better for operation. I don't want to use Japanese like grep" warning "/ var / log / rkhunter.
--It seems necessary to set PKGMGR.
This is used when updating the file properties file ('rkhunter.dat'), and when running the file properties check.
--"This is used when updating the file properties file ('rkhunter.dat') and when performing file property checks."The package managers obtain each file hash value using a hash function.
--"The package manager uses a hash function to get the hash value of each file."After the change, use --config-check (short form: -C) to check, and then use --update to update the database.
[Rootkit Hunter version 1.4.6 ]
Check the rkhunter data file...
File mirrors.Check dat[No update]
File programs_bad.Check dat[No update]
File backdoorports.Check dat[No update]
File suspscan.Check dat[No update]
File i18n/Check cn[No update]
File i18n/Check de[No update]
File i18n/Check en[No update]
File i18n/Check tr[No update]
File i18n/tr.Check utf8[No update]
File i18n/Check zh[No update]
File i18n/zh.Check utf8[No update]
File i18n/Check ja[No update]
root@tooltest:~#
--"Updated" or "No update" is displayed for the first time (the above has been updated many times, so there is no update)
--If "Skipped" is Checking file i18n / de etc., a specific language is specified by ʻUPDATE_LANG`.
See the wiki first scan for the scan.
The scan results are long, so I put them in the appendix at the end. Only summaries are handled here.
----check can be shortened with -c, but it may be mistaken for -C of --config-check.
---- skip-keypress can be shortened with -sk.
--Generally, it seems to scan with -c -sk
# rkhunter --check --skip-keypress
(snip)
System check overview
=====================
File property check...
File check: 143
Suspicious file: 0
Rootkit check...
Rootkit checked: 477
Potential rootkit: 0
Application check...
All checks have been skipped.
System check tool: 1 minute and 38 seconds
All results have been written to the log file: /var/log/rkhunter.log
No warnings were found during the system check.
# vi /etc/rkhunter.conf
It is described in detail in /var/log/rkhunter.log.
--By default, it will be overwritten, so you should change it according to the operation method. It may be a record of when it changed. ――It seems that you are checking various things besides the backdoor and rootkit. An overview is given below --Check for files with suspicious content --Check for the existence of sniffer log files --Check tripwire --Check for suspicious shared memory segments --Check the loaded kernel module and kernel module name --Check backdoor port and hidden port --Check the promiscuous interface --Check packet capture application --Check passwordless account --Check SSH and syslog settings --Check the version of the application (exim, gpg, httpd, named, openssl, php, procmail, proftpd, sshd)
As a recent trend, it is important to be able to quickly notice that it is impossible / intruded to prevent all intrusions. It is thought that safer operation can be achieved by using it in combination with other tools while considering the scope of application of rkhunter.
--Easy to install, but it is necessary to adjust the settings according to the operation
--When updating the OS, it is necessary to consider when to --popupd to create a reference value.
――It is necessary to assume what kind of response flow will be
-Do not mistake the scope of measures
--Not intruded: WAF, secure program, vulnerability management, antivirus software, etc.
--Be aware even if intruded: SIEM, SOAR, tampering detection, etc. (rkhunter corresponds here)
--It is necessary to take measures such as rootkit in that you may be the perpetrator.
--As a zombie, used as an attack minion. It becomes the first host visible to the victim.
Appendix
A warning has been issued because lwp-request was updated after rkhunter --propupd.
If you can confirm that there is no problem, do --propupd and it will be recognized as the current one, and no warning will be issued from the next time.
# rkhunter -c -sk
[Rootkit Hunter version 1.4.6 ]
Check system commands...
Perform a "strings" command check
Check the "strings" command[ OK ]
Perform a "shared library" check
Check preload variables[No discovery]
Check the preload library[No discovery]
「LD_LIBRARY_Check the "PATH" variable[Undiscovered]
Perform a file property check
Check prerequisites[ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/depmod [ OK ]
/usr/sbin/fsck [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/ifconfig [ OK ]
/usr/sbin/init [ OK ]
/usr/sbin/insmod [ OK ]
/usr/sbin/ip [ OK ]
/usr/sbin/lsmod [ OK ]
/usr/sbin/modinfo [ OK ]
/usr/sbin/modprobe [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/rmmod [ OK ]
/usr/sbin/route [ OK ]
/usr/sbin/rsyslogd [ OK ]
/usr/sbin/runlevel [ OK ]
/usr/sbin/sulogin [ OK ]
/usr/sbin/sysctl [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide [ OK ]
/usr/sbin/unhide-linux [ OK ]
/usr/sbin/unhide-posix [ OK ]
/usr/sbin/unhide-tcp [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/bash [ OK ]
/usr/bin/cat [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/chmod [ OK ]
/usr/bin/chown [ OK ]
/usr/bin/cp [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/date [ OK ]
/usr/bin/df [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dmesg [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/echo [ OK ]
/usr/bin/ed [ OK ]
/usr/bin/egrep [ OK ]
/usr/bin/env [ OK ]
/usr/bin/fgrep [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/fuser [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/grep [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/ip [ OK ]
/usr/bin/ipcs [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/login [ OK ]
/usr/bin/ls [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsmod [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mktemp [ OK ]
/usr/bin/more [ OK ]
/usr/bin/mount [ OK ]
/usr/bin/mv [ OK ]
/usr/bin/netstat [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/ping [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/ps [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/pwd [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sed [ OK ]
/usr/bin/sh [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/su [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/telnet [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uname [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/numfmt [ OK ]
/usr/bin/kmod [ OK ]
/usr/bin/systemd [ OK ]
/usr/bin/systemctl [ OK ]
/usr/bin/mawk [ OK ]
/usr/bin/lwp-request [warning]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/dash [ OK ]
/usr/bin/x86_64-linux-gnu-size [ OK ]
/usr/bin/x86_64-linux-gnu-strings [ OK ]
/usr/bin/telnet.netkit [ OK ]
/usr/bin/w.procps [ OK ]
/usr/lib/systemd/systemd [ OK ]
Check rootkits...
Perform a check for known rootkit files and directories
55808 Trojan - Variant A [Undiscovered]
ADM Worm [Undiscovered]
AjaKit Rootkit [Undiscovered]
Adore Rootkit [Undiscovered]
aPa Kit [Undiscovered]
Apache Worm [Undiscovered]
Ambient (ark) Rootkit [Undiscovered]
Balaur Rootkit [Undiscovered]
BeastKit Rootkit [Undiscovered]
beX2 Rootkit [Undiscovered]
BOBKit Rootkit [Undiscovered]
cb Rootkit [Undiscovered]
CiNIK Worm (Slapper.B variant) [Undiscovered]
Danny-Boy's Abuse Kit [Undiscovered]
Devil RootKit [Undiscovered]
Diamorphine LKM [Undiscovered]
Dica-Kit Rootkit [Undiscovered]
Dreams Rootkit [Undiscovered]
Duarawkz Rootkit [Undiscovered]
Ebury backdoor [Undiscovered]
Enye LKM [Undiscovered]
Flea Linux Rootkit [Undiscovered]
Fu Rootkit [Undiscovered]
Fuck`it Rootkit [Undiscovered]
GasKit Rootkit [Undiscovered]
Heroin LKM [Undiscovered]
HjC Kit [Undiscovered]
ignoKit Rootkit [Undiscovered]
IntoXonia-NG Rootkit [Undiscovered]
Irix Rootkit [Undiscovered]
Jynx Rootkit [Undiscovered]
Jynx2 Rootkit [Undiscovered]
KBeast Rootkit [Undiscovered]
Kitko Rootkit [Undiscovered]
Knark Rootkit [Undiscovered]
ld-linuxv.so Rootkit [Undiscovered]
Li0n Worm [Undiscovered]
Lockit / LJK2 Rootkit [Undiscovered]
Mokes backdoor [Undiscovered]
Mood-NT Rootkit [Undiscovered]
MRK Rootkit [Undiscovered]
Ni0 Rootkit [Undiscovered]
Ohhara Rootkit [Undiscovered]
Optic Kit (Tux) Worm [Undiscovered]
Oz Rootkit [Undiscovered]
Phalanx Rootkit [Undiscovered]
Phalanx2 Rootkit [Undiscovered]
Phalanx2 Rootkit (extended tests) [Undiscovered]
Portacelo Rootkit [Undiscovered]
R3dstorm Toolkit [Undiscovered]
RH-Sharpe's Rootkit [Undiscovered]
RSHA's Rootkit [Undiscovered]
Scalper Worm [Undiscovered]
Sebek LKM [Undiscovered]
Shutdown Rootkit [Undiscovered]
SHV4 Rootkit [Undiscovered]
SHV5 Rootkit [Undiscovered]
Sin Rootkit [Undiscovered]
Slapper Worm [Undiscovered]
Sneakin Rootkit [Undiscovered]
'Spanish' Rootkit [Undiscovered]
Suckit Rootkit [Undiscovered]
Superkit Rootkit [Undiscovered]
TBD (Telnet BackDoor) [Undiscovered]
TeLeKiT Rootkit [Undiscovered]
T0rn Rootkit [Undiscovered]
trNkit Rootkit [Undiscovered]
Trojanit Kit [Undiscovered]
Tuxtendo Rootkit [Undiscovered]
URK Rootkit [Undiscovered]
Vampire Rootkit [Undiscovered]
VcKit Rootkit [Undiscovered]
Volc Rootkit [Undiscovered]
Xzibit Rootkit [Undiscovered]
zaRwT.KiT Rootkit [Undiscovered]
ZK Rootkit [Undiscovered]
Perform additional rootkit checks
Suckit Rootkit additional check[ OK ]
Check for possible rootkit files and directories[No discovery]
Check for possible rootkit strings[No discovery]
Perform malware check
Check process execution for suspicious files[No discovery]
Check login backdoor[No discovery]
Check the sniffer log file[No discovery]
Check for suspicious directories[No discovery]
Suspicious shared memory segment[No discovery]
Check Apache backdoor[Undiscovered]
Perform Linux-specific checks
Check for loaded kernel modules[ OK ]
Check kernel module name[ OK ]
Network check...
Perform a network port check
Check the backdoor port[No discovery]
Perform a network interface check
Check the promiscuous interface[No discovery]
Check localhost...
Perform a system boot check
Check the local host name[Discovery]
Check system startup files[Discovery]
Check for malware system startup files[No discovery]
Perform group and account checks
Check password file[Discovery]
root equivalent(UID 0)Check your account[No discovery]
Check for passwordless accounts[No discovery]
Check for password file changes[No discovery]
Group file change check[No discovery]
Check the shell history file for the root account[ OK ]
Perform a system configuration file check
Check the SSH config file[Undiscovered]
Check the running system logging daemon[Discovery]
Check the system logging configuration file[Discovery]
Syslog Check if remote logging is allowed[Disallowed]
Perform a file system check
「/Check for suspicious file types in dev[No discovery]
Check hidden files and directories[No discovery]
System check overview
=====================
File property check...
File check: 143
Suspicious file: 1
Rootkit check...
Rootkit checked: 477
Potential rootkit: 0
Application check...
All checks have been skipped.
System check tool: 1 minute and 25 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings were found during the system check.
logfile(/var/log/rkhunter.log)Please check.
#
Recommended Posts