Enterprise: Feature  Updated 2003/06/10 15:23:00

Hacking with rootkits and defending against them
Part 5: An overview of kernel rootkits (4/4)

Checking with a file integrity checker and other tools

 The trojan used in this installment is, as results such as the IP-address hiding showed, unlikely to be used in practice. Even so, in its basic workings it is clearly trying to provide the same kind of functionality as the application rootkits introduced earlier. So, with this module loaded, let us look at what the detection tools introduced so far, Tripwire and chkrootkit, report. The Tripwire run simply uses the sample policy file with some entries commented out, but if binaries had been altered, as with an application rootkit, that would be detected.

○Detection results with chkrootkit-0.40
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/File/MMagic/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/NKF/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Text/Kakasi/.packlist /usr/lib/perl5/5.6.0/i386-linux/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for HKRK rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...nothing deleted

○Detection results with Tripwire
# tripwire -m c
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/localhost.localdomain-20030510-054711.twr
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by:          root
Report created on:            2003年05月10日 05時47分11秒
Database last updated on:     Never
===============================================================================
Report Summary:
===============================================================================
Host name:                    localhost.localdomain
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/localhost.localdomain.twd
Command line used:            tripwire -m c
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------
  Rule Name                       Severity Level    Added    Removed  Modified
  ---------                       --------------    -----    -------  --------
  Invariant Directories           66                0        0        0
  Temporary directories           33                0        0        0
  Tripwire Data Files             100               0        0        0
  Critical devices                100               0        0        0
  User binaries                   66                0        0        0
  Tripwire Binaries               100               0        0        0
  Libraries                       66                0        0        0
  File System and Disk Administraton Programs
                                  100               0        0        0
  Kernel Administration Programs  100               0        0        0
  Networking Programs             100               0        0        0
  System Administration Programs  100               0        0        0
  Hardware and Device Control Programs
                                  100               0        0        0
  System Information Programs     100               0        0        0
  Application Information Programs
                                  100               0        0        0
  Shell Related Programs          100               0        0        0
  Critical Utility Sym-Links      100               0        0        0
  Critical system boot files      100               0        0        0
  Critical configuration files    100               0        0        0
  System boot changes             100               0        0        0
  OS executables and libraries    100               0        0        0
  Security Control                100               0        0        0
  Login Scripts                   100               0        0        0
  Operating System Utilities      100               0        0        0
  Shell Binaries                  100               0        0        0
  Root config files               100               0        0        0
Total objects scanned:  11744
Total violations found:  0
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
-------------------------------------------------------------------------------
*** End of report ***
Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.

 As both sets of results show, nothing was detected. Yet at this point the system is already running with the trojan functionality described earlier in place.
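The chkrootkit run above is long, and a clean result is easy to misread. The following script is an added example, not code from the article or from chkrootkit itself: it triages chkrootkit-0.40 output in the format shown above into clean, untested, needs-review and suspicious findings. The sample text is a constructed excerpt of that format, with one fabricated "INFECTED" line added to show how a positive result is classified. Note that a fully clean triage proves only that chkrootkit's signatures and the checked userland binaries are untouched; as the article shows, it says nothing about an LKM trojan already loaded in the kernel.

```python
import re
from typing import Dict, List

# Constructed excerpt in chkrootkit-0.40 output format (not the article's
# full run). The final INFECTED line is fabricated for demonstration.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `basename'... not infected
Checking `inetd'... not tested
Checking `amd'... not found
Checking `lkm'... nothing detected
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... nothing deleted
Searching for t0rn's default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist
Checking `ls'... INFECTED
"""

# Phrases chkrootkit prints for a negative (clean) result.
CLEAN_PHRASES = ("not infected", "not found", "nothing found", "nothing detected",
                 "nothing deleted", "no suspect files", "is not promisc")
HEADER = re.compile(r"^(Checking|Searching for)\s+(.*?)\.\.\.\s*(.*)$")

def triage(output: str) -> Dict[str, List[str]]:
    """Sort chkrootkit lines into clean, untested, review and suspicious."""
    result: Dict[str, List[str]] = {"clean": [], "untested": [], "review": [], "suspicious": []}
    current = ""  # subject of the most recent Checking/Searching line
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("ROOTDIR"):
            continue
        m = HEADER.match(line)
        if m:
            current, verdict = m.group(2).strip("`'"), m.group(3)
            if not verdict:
                continue  # verdict follows on the next line (e.g. sniffer)
        else:
            verdict = line  # continuation line belonging to `current`
            if current.startswith("suspicious files and dirs"):
                result["review"].append(line)  # listed paths need a human look
                continue
        if verdict == "not tested":
            result["untested"].append(current)  # a coverage gap, not a clean result
        elif any(p in verdict for p in CLEAN_PHRASES):
            result["clean"].append(current)
        else:
            result["suspicious"].append(f"{current}: {verdict}")
    return result

if __name__ == "__main__":
    for category, items in triage(SAMPLE_OUTPUT).items():
        print(f"{category}: {items}")
```

In the article's actual run, the only lines that would land in "review" are the Perl .packlist files, and "inetd" would be the only untested item.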

 This installment used an LKM trojan to look at how it is installed and how it tampers with the system at the kernel level. Next time we plan to take up adore, a representative kernel rootkit, and explain what it is and how to detect it.


[TTS,ITmedia]