エンタープライズ:特集 2003/06/10 15:23:00 更新

rootkitによるハッキングとその防御
第5回 kernel rootkitの概要 (4/4)

ファイル整合性チェックツールなどで確認する

 今回使用しているトロイの木馬は、IPアドレスを隠蔽したときなどの結果を見ても分かるように、実際に利用される可能性は低いだろう。ただし基本的な部分では、これまで紹介してきたApplication rootkitなどと同様の機能をもたらそうとしていることは分かるだろう。では、このモジュールをロードした状態で、これまで紹介してきた検出ツールである「Tripwire」や「chkrootkit」での検出結果を見ていこう。Tripwireは、単純にサンプルポリシーファイルを使用して、コメントアウトを行っただけの状態での検査ではあるが、Application rootkitのようにバイナリが変更されていれば検出されるわけだ。

○chkrootkit-0.40での検出結果
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing 
found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist
 /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/File/MMagic/.packlist
 /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/NKF/.packlist /usr/lib
/perl5/site_perl/5.6.0/i386-linux/auto/Text/Kakasi/.packlist /usr/lib
/perl5/5.6.0/i386-linux/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...nothing deleted

○tripwireでの検出結果
# tripwire -m c
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20030510-054711.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by:          root
Report created on:            2003年05月10日 05時47分11秒
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire -m c
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Tripwire Data Files             100               0        0        0
  Critical devices                100               0        0        0
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Critical system boot files      100               0        0        0
  Critical configuration files    100               0        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Operating System Utilities      100               0        0        0
  Shell Binaries                  100               0        0        0
  Root config files               100               0        0        0
Total objects scanned:  11744
Total violations found:  0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

 どちらも検出結果をみれば分かるように、なにも検出されていない。しかしこの時点ですでに、前述したようなトロイの木馬機能が備わった状態で、システムは稼働していることになる。

 今回は、LKMのトロイの木馬を使用して、そのインストールやカーネルレベルでの改ざんについて見てきたが、次回は代表的なkernel rootkitであるadoreを取り上げ、その概要と検知について解説する予定だ。

関連記事
▼rootkitによるハッキングとその防御
▼エンタープライズ・セキュリティHow-To
▼エンタープライズ・セキュリティ
▼エンタープライズトップページへ

前のページ | 1 2 3 4 |      

[TTS,ITmedia]



Special

- PR -

Special

- PR -