A liberal-arts guy wavering through IT development: jumping into an IT company with no IT knowledge

As a liberal-arts major I never imagined I would join an IT company, but I am hanging on day by day, wavering all the way.

Downloading Rootkit Hunter, installing it on CentOS 6.8, and how to run rkhunter

What is Rootkit Hunter

The best-known rootkit detection tool available on CentOS is chkrootkit, but a tool called Rootkit Hunter is also well known.

What sets Rootkit Hunter apart is that, besides detecting tampered files, it can also check the versions of major software packages for known vulnerabilities.

The official site of the Rootkit Hunter Project is here.

The Rootkit Hunter project

Its last update was on February 24, 2014, and the latest version is 1.4.2.

Downloading Rootkit Hunter

The Rootkit Hunter release downloaded here is "rkhunter-1.4.2.tar.gz". Download "rkhunter-1.4.2.tar.gz" with the wget command below.

wget http://sourceforge.net/projects/rkhunter/files/rkhunter-1.4.2.tar.gz

[root@localhost ~]# wget http://sourceforge.net/projects/rkhunter/files/rkhunter-1.4.2.tar.gz
--2017-01-14 04:22:46-- http://sourceforge.net/projects/rkhunter/files/rkhunter-1.4.2.tar.gz
Resolving sourceforge.net... 216.34.181.60
Connecting to sourceforge.net|216.34.181.60|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://sourceforge.net/projects/rkhunter/files/rkhunter-1.4.2.tar.gz [following]
--2017-01-14 04:22:55-- https://sourceforge.net/projects/rkhunter/files/rkhunter-1.4.2.tar.gz
Connecting to sourceforge.net|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz/download [following]
--2017-01-14 04:23:02-- https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz/download
Connecting to sourceforge.net|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz?r=&ts=1484396585&use_mirror=jaist [following]
--2017-01-14 04:23:10-- https://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz?r=&ts=1484396585&use_mirror=jaist
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz [following]
--2017-01-14 04:23:24-- https://jaist.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
Resolving jaist.dl.sourceforge.net... 150.65.7.130
Connecting to jaist.dl.sourceforge.net|150.65.7.130|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277707 (271K) [application/x-gzip]
Saving to: “rkhunter-1.4.2.tar.gz”

100%[==========================================================================================>] 277,707 1.77K/s in 2m 33s

2017-01-14 04:26:17 (1.77 KB/s) - “rkhunter-1.4.2.tar.gz” saved [277707/277707]

[root@localhost ~]#

After the download, check with a command such as ls that "rkhunter-1.4.2.tar.gz" was saved correctly in the download directory.

ls rkhunter-1.4.2.tar.gz

Extract the downloaded "rkhunter-1.4.2.tar.gz" file.

tar zxvf rkhunter-1.4.2.tar.gz

[root@localhost ~]# tar zxvf rkhunter-1.4.2.tar.gz
rkhunter-1.4.2/
rkhunter-1.4.2/files/
rkhunter-1.4.2/files/LICENSE
rkhunter-1.4.2/files/README
rkhunter-1.4.2/files/ACKNOWLEDGMENTS
rkhunter-1.4.2/files/rkhunter.8
rkhunter-1.4.2/files/suspscan.dat
rkhunter-1.4.2/files/filehashsha.pl
rkhunter-1.4.2/files/programs_bad.dat
rkhunter-1.4.2/files/i18n/
rkhunter-1.4.2/files/i18n/zh
rkhunter-1.4.2/files/i18n/tr
rkhunter-1.4.2/files/i18n/de
rkhunter-1.4.2/files/i18n/cn
rkhunter-1.4.2/files/i18n/zh.utf8
rkhunter-1.4.2/files/i18n/en
rkhunter-1.4.2/files/i18n/tr.utf8
rkhunter-1.4.2/files/rkhunter.conf
rkhunter-1.4.2/files/signatures/
rkhunter-1.4.2/files/signatures/RKH_dso.ldb
rkhunter-1.4.2/files/signatures/RKH_Glubteba.ldb
rkhunter-1.4.2/files/signatures/RKH_sniffer.ldb
rkhunter-1.4.2/files/signatures/RKH_shv.ldb
rkhunter-1.4.2/files/signatures/RKH_libkeyutils1.ldb
rkhunter-1.4.2/files/signatures/RKH_libkeyutils.ldb
rkhunter-1.4.2/files/signatures/RKH_sshd.ldb
rkhunter-1.4.2/files/signatures/RKH_xsyslog.ldb
rkhunter-1.4.2/files/signatures/RKH_turtle.ldb
rkhunter-1.4.2/files/signatures/RKH_kbeast.ldb
rkhunter-1.4.2/files/signatures/RKH_libncom.ldb
rkhunter-1.4.2/files/signatures/RKH_pamunixtrojan.ldb
rkhunter-1.4.2/files/signatures/RKH_jynx.ldb
rkhunter-1.4.2/files/backdoorports.dat
rkhunter-1.4.2/files/FAQ
rkhunter-1.4.2/files/mirrors.dat
rkhunter-1.4.2/files/rkhunter.spec
rkhunter-1.4.2/files/contrib/
rkhunter-1.4.2/files/contrib/rkhunter_remote_howto.txt
rkhunter-1.4.2/files/contrib/run_rkhunter.sh
rkhunter-1.4.2/files/contrib/README.txt
rkhunter-1.4.2/files/rkhunter
rkhunter-1.4.2/files/CHANGELOG
rkhunter-1.4.2/files/stat.pl
rkhunter-1.4.2/files/check_modules.pl
rkhunter-1.4.2/files/readlink.sh
rkhunter-1.4.2/installer.sh
[root@localhost ~]#

Installing Rootkit Hunter (rkhunter)

After extracting "rkhunter-1.4.2.tar.gz", confirm that the "rkhunter-1.4.2" directory has been created and change into it.

There you should see that the "installer.sh" file has been extracted; if it is present, run the installation.

./installer.sh --install

[root@localhost rkhunter-1.4.2]# ls -la
total 48
drwxr-xr-x 3 root root 4096 Mar 12 2014 .
dr-xr-x---. 5 root root 4096 Jan 14 04:29 ..
drwxr-xr-x 5 root root 4096 Mar 12 2014 files
-rwxr-xr-x 1 root root 33751 Feb 23 2014 installer.sh
[root@localhost rkhunter-1.4.2]#
[root@localhost rkhunter-1.4.2]# ./installer.sh --install

Checking system for:
Rootkit Hunter installer files: found
A web file download command: wget found
Starting installation:
Checking installation directory "/usr/local": it exists and is writable.
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.4.2: creating: OK
Directory /usr/local/share/man/man8: exists and is writable.
Directory /etc: exists and is writable.
Directory /usr/local/bin: exists and is writable.
Directory /usr/local/lib: exists and is writable.
Directory /var/lib: exists and is writable.
Directory /usr/local/lib/rkhunter/scripts: creating: OK
Directory /var/lib/rkhunter/db: creating: OK
Directory /var/lib/rkhunter/tmp: creating: OK
Directory /var/lib/rkhunter/db/i18n: creating: OK
Directory /var/lib/rkhunter/db/signatures: creating: OK
Installing check_modules.pl: OK
Installing filehashsha.pl: OK
Installing stat.pl: OK
Installing readlink.sh: OK
Installing backdoorports.dat: OK
Installing mirrors.dat: OK
Installing programs_bad.dat: OK
Installing suspscan.dat: OK
Installing rkhunter.8: OK
Installing ACKNOWLEDGMENTS: OK
Installing CHANGELOG: OK
Installing FAQ: OK
Installing LICENSE: OK
Installing README: OK
Installing language support files: OK
Installing ClamAV signatures: OK
Installing rkhunter: OK
Installing rkhunter.conf: OK
Installation complete
[root@localhost rkhunter-1.4.2]#

Incidentally, "rkhunter" is installed at "/usr/local/bin/rkhunter".

[root@localhost files]# which rkhunter
/usr/local/bin/rkhunter

That completes the installation of Rootkit Hunter.

Initial configuration of Rootkit Hunter

Next, let's do the initial configuration of Rootkit Hunter.

/usr/local/bin/rkhunter --update

/usr/local/bin/rkhunter --propupd

Running /usr/local/bin/rkhunter --update

[root@localhost files]# /usr/local/bin/rkhunter --update

The run of /usr/local/bin/rkhunter --propupd and its result are shown below; to my surprise, it reports missing hashes, that is, hash values that do not match.

[root@localhost files]# /usr/local/bin/rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File created: searched for 171 files, found 140, missing hashes 6

For the fix I referred to the page below. The explanation is that a binary that prelink has already processed and a freshly installed binary do not produce the same hash value. The remedy is therefore to run prelink before running rkhunter --propupd, so that the shared libraries are linked into the programs beforehand.

shobon.hatenablog.com

I ran the prelink command and then ran "rkhunter --propupd" again. One missing hash still remains, but I will ignore it for now.

[root@localhost files]# /etc/cron.daily/prelink
[root@localhost files]#
[root@localhost files]# /usr/local/bin/rkhunter --propupd
[ Rootkit Hunter version 1.4.2 ]
File updated: searched for 171 files, found 140, missing hashes 1

Running Rootkit Hunter (rkhunter)

At last, let's run "rkhunter". The command and example options are shown below.

/usr/local/bin/rkhunter -c --skip-keypress

If you only need warnings in the report, an option like the following seems a good choice.

/usr/local/bin/rkhunter -c --report-warnings-only

The option common to both is "-c" (or --check); this is the option that starts the rootkit scan.

Here is the result of the run.

[root@localhost files]# /usr/local/bin/rkhunter -c --skip-keypress
[ Rootkit Hunter version 1.4.2 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/usr/local/bin/rkhunter [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/fsck [ OK ]
/sbin/fuser [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ Warning ]
/sbin/ifup [ Warning ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/nologin [ OK ]
/sbin/rmmod [ OK ]
/sbin/route [ OK ]
/sbin/rsyslogd [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ Warning ]
/sbin/sysctl [ OK ]
/bin/awk [ OK ]
/bin/basename [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/csh [ OK ]
/bin/cut [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/find [ OK ]
/bin/grep [ OK ]
/bin/kill [ OK ]
/bin/logger [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/mail [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ping [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/rpm [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/sort [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/gawk [ OK ]
/bin/tcsh [ OK ]
/bin/mailx [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/lsof [ OK ]
/usr/sbin/prelink [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/sestatus [ OK ]
/usr/sbin/sshd [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/curl [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ Warning ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pgrep [ OK ]
/usr/bin/pkill [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/readlink [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/sha224sum [ OK ]
/usr/bin/sha256sum [ OK ]
/usr/bin/sha384sum [ OK ]
/usr/bin/sha512sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/ssh [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ Warning ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/gawk [ OK ]
/etc/rkhunter.conf [ OK ]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
Adore Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
cb Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
Fu Rootkit [ Not found ]
Fuck`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
IntoXonia-NG Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Jynx Rootkit [ Not found ]
KBeast Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
ld-linuxv.so Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx2 Rootkit [ Not found ]
Phalanx2 Rootkit (extended tests) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
'Spanish' Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
trNkit Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
Vampire Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
Xzibit Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]
ZK Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]
Suspicious Shared Memory segments [ None found ]
Checking for Apache backdoor [ Not found ]

Performing Linux specific checks
Checking loaded kernel modules [ OK ]
Checking kernel module names [ OK ]

Checking the network...

Performing checks on the network ports
Checking for backdoor ports [ None found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for system startup files [ Found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for an SSH configuration file [ Found ]
Checking if SSH root access is allowed [ Warning ]
Checking if SSH protocol v1 is allowed [ Not allowed ]
Checking for a running system logging daemon [ Found ]
Checking for a system logging configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

Checking application versions...

Checking version of GnuPG [ OK ]
Checking version of Apache [ Warning ]
Checking version of OpenSSL [ OK ]
Checking version of PHP [ OK ]
Checking version of OpenSSH [ OK ]


System checks summary
=====================

File properties checks...
Files checked: 140
Suspect files: 5

Rootkit checks...
Rootkits checked : 380
Possible rootkits: 0

Applications checks...
Applications checked: 5
Suspect applications: 1

The system checks took: 11 minutes and 12 seconds

All results have been written to the log file: /var/log/rkhunter.log

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

[root@localhost files]#

The results are written to "rkhunter.log", so check this log to see whether anything serious was found.

[root@localhost files]# find / -type f -name 'rkhunter.log'
/var/log/rkhunter.log
[root@localhost files]#

Operating Rootkit Hunter

Tools like this, which are most effective when run on a regular schedule, should be automated (run from cron) so that checking them does not eat up time. When doing so, I think it is better not to automate only the rkhunter run itself, but also to schedule the update of the definition files so that they are refreshed regularly.
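As an added example that is not code from the original post or from the Rootkit Hunter project, here is a small cron wrapper that implements the operating advice above (scheduled data-file update followed by an unattended scan) and also the initial-setup order described earlier (prelink before --propupd). It assumes the paths the post shows (/usr/local/bin/rkhunter, /etc/cron.daily/prelink, /var/log/rkhunter.log); the script name, its scan/baseline modes and the sample output lines in its comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Rootkit Hunter
# project: a cron wrapper for the rkhunter 1.4.2 install described above.
# Assumed from the post: /usr/local/bin/rkhunter, /etc/cron.daily/prelink
# and /var/log/rkhunter.log. The script name and the "scan"/"baseline"
# modes are this example's own invention.

RKHUNTER="${RKHUNTER:-/usr/local/bin/rkhunter}"
PRELINK="${PRELINK:-/etc/cron.daily/prelink}"
RKH_LOG="${RKH_LOG:-/var/log/rkhunter.log}"

# Count flagged lines in rkhunter output read from stdin. A full check prints
# lines such as "/sbin/ifdown [ Warning ]"; --report-warnings-only prints
# "Warning: ..." lines instead, so both shapes are matched.
count_warnings() {
    # grep -c prints "0" but exits 1 when nothing matches; keep the "0".
    grep -E -c '\[ Warning \]|^Warning:' || true
}

# Exit status 0 when the scan output on stdin contains no warnings, 1 otherwise.
scan_verdict() {
    n=$(count_warnings)
    [ "$n" -eq 0 ]
}

# "baseline" mode: rebuild the file-properties database in the order the post
# uses (prelink first, so the stored hashes match the prelinked binaries).
# Run it by hand after a package update you have verified, never from cron:
# --propupd records whatever is on disk right now as trusted, so an unattended
# run would also whitelist a replaced binary.
rebaseline() {
    if [ -x "$PRELINK" ]; then
        "$PRELINK" || return 1
    fi
    "$RKHUNTER" --propupd
}

# "scan" mode: refresh rkhunter's own data files, then scan unattended.
# --cronjob is rkhunter's own option for this (it implies --check, --nocolors
# and --skip-keypress); --report-warnings-only is the option the post suggests.
daily_scan() {
    "$RKHUNTER" --update
    # --update exits 0 when nothing changed, 2 when updates were applied and
    # 1 on error; only 1 is a failure here.
    if [ $? -eq 1 ]; then
        echo "rkhunter --update failed" >&2
        return 1
    fi
    out=$("$RKHUNTER" --cronjob --report-warnings-only)
    if printf '%s\n' "$out" | scan_verdict; then
        return 0          # clean run: print nothing, so cron sends no mail
    fi
    printf 'rkhunter reported warnings; details in %s\n%s\n' "$RKH_LOG" "$out"
    return 1
}

# Dispatch only when rkhunter is installed and we are root; the functions
# above can still be sourced and exercised on any machine.
if [ -x "$RKHUNTER" ] && [ "$(id -u)" = 0 ]; then
    case "${1:-scan}" in
        scan)     daily_scan ;;
        baseline) rebaseline ;;
        *)        echo "usage: $0 [scan|baseline]" >&2; exit 2 ;;
    esac
fi
```

Install it under an assumed name such as /usr/local/sbin/rkhunter-scan.sh and add a root crontab entry like `30 3 * * * /usr/local/sbin/rkhunter-scan.sh scan`; because the wrapper prints only when warnings are found, cron's mail becomes the alert, and the exit status (1 on warnings) can drive a monitoring check. The baseline mode is deliberately kept out of cron so that the hash database is only refreshed after a change you have reviewed.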

 

Finally

I looked into the features of Rootkit Hunter myself, so here is a summary.

  • Compares MD5 hashes
  • Detects the standard files used by rootkits
  • Detects binary files with incorrect permissions
  • Detects suspicious strings in LKM/KLD modules (loadable kernel modules)
  • Searches for hidden files

不正アクセス調査ガイド―rootkitの検出とTCTの使い方 (Intrusion Investigation Guide: detecting rootkits and using TCT)

Rkhunter