April 3, 2003
1. Overview
chkrootkit is a program that makes it easy to check whether a rootkit has been installed on a system. It detects not only ordinary (user-land) rootkits that replace system binaries, but also kernel-based (LKM) rootkits and a number of worms.
■ Rootkits and worms that chkrootkit can detect
Solaris rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, lrk6, t0rn
(t0rn v8), Ambient's Rootkit for Linux (ARK), Ramen Worm, rh[67]-shaper,
RSHA, Romanian rootkit, RK17, Lion Worm, Adore Worm, LPD Worm,
kenny-rk, Adore LKM, ShitC Worm, Omega Worm, Wormkit Worm, dsc-rootkit,
RST.b, duarawkz, knark LKM, Monkit, Hidrootkit, Bobkit, Pizdakit,
Showtee, Optickit, T.R.K, MithRa's Rootkit, George, SucKIT, Scalper
Worm, Slapper Worm, OpenBSD rk v1, Illogic, SK rootkit, sebek
LKM, Romanian rootkit, LOC rootkit.
■ What a rootkit is
After a successful break-in, an attacker installs backdoors and trojaned programs so that the next intrusion is easy and the compromise stays unnoticed; this collection of programs is called a rootkit.
A rootkit typically contains replacements for system programs such as ps, ls, netstat and login. These are swapped in for the originals so that the system looks normal when the administrator inspects it, and the attacker's activity stays hidden. For example, replaced ps and ls binaries omit the processes the attacker started and the files the attacker installed, so the administrator cannot see them.
Because such user-land rootkits are now easily detected by administrators, attackers increasingly install kernel-based rootkits to hide their traces more completely. A kernel-based rootkit loads an attacker-supplied kernel module into the running kernel and alters the normal behaviour of system calls, so every program on the system, trojaned or not, receives filtered results. See the following for material on kernel rootkits:
Kernel-based rootkit analysis report
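As an added example (not chkrootkit's code and not from the original page), the principle behind the chkproc helper shipped in the chkrootkit archive, written in POSIX sh: the kernel lists every live process under /proc, so a PID that appears there but not in the output of ps points at a trojaned ps binary. The function names, the --live switch and the sample PID lists used in the test are my own choices.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or of the original page: the idea
# behind chkrootkit's chkproc helper, reimplemented in POSIX sh. A user-land
# rootkit that replaces /bin/ps can hide a process from ps output, but the
# kernel still exposes every live process as a /proc/<pid> directory.

# hidden_pids PROC_LIST PS_LIST
#   Both arguments are whitespace-separated PID lists (e.g. taken from
#   /proc and from `ps`). Prints, one per line, every PID that is present
#   in PROC_LIST but absent from PS_LIST.
hidden_pids() {
    for pid in $1; do
        found=0
        for p in $2; do
            if [ "$pid" = "$p" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$pid"; fi
    done
    return 0
}

# common_pids LIST_A LIST_B
#   Prints, one per line, the PIDs that appear in both lists.
common_pids() {
    for pid in $1; do
        for p in $2; do
            if [ "$pid" = "$p" ]; then echo "$pid"; break; fi
        done
    done
    return 0
}

# proc_pids: PIDs from the kernel's view, read with a shell glob so that no
# external binary (which could itself be trojaned) is involved.
proc_pids() {
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done
}

# ps_pids: PIDs as the (possibly trojaned) ps binary reports them.
ps_pids() {
    ps -e -o pid=
}

# check_proc_vs_ps: live comparison on a Linux host. Two snapshots are
# taken and only PIDs hidden in both are reported, so processes that start
# or exit between the samples (the ps process, this shell's subshells) do
# not show up as false positives. A kernel (LKM) rootkit that also filters
# /proc is NOT caught this way; that is what chkrootkit's lkm test is for.
check_proc_vs_ps() {
    if [ ! -d /proc/self ]; then
        echo "no procfs on this host, skipping" >&2
        return 0
    fi
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    hidden=$(common_pids "$first" "$second")
    if [ -n "$hidden" ]; then
        echo "WARNING: processes visible in /proc but not in ps: $hidden"
        return 1
    fi
    echo "ps output is consistent with /proc"
    return 0
}

# Run the live check only when invoked as `sh chkproc.sh --live`
# (file name is hypothetical), so that sourcing the file is harmless.
if [ "${1:-}" = "--live" ]; then
    check_proc_vs_ps
fi
```

A hit from this check is a reason to distrust every output of ps on that host, not proof of a rootkit on its own: verify the ps binary against a known-good copy before drawing conclusions.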
■ Supported systems
Linux 2.0.x, 2.2.x, 2.4.x
FreeBSD 2.2.x, 3.x, 4.x
OpenBSD 2.x and 3.x
NetBSD 1.5.2
Solaris 2.5.1, 2.6 , Solaris 8
2. Installing chkrootkit
■ Downloading chkrootkit
It can be downloaded free of charge from http://www.chkrootkit.org. Check the archive against the checksum or signature published on the site before building it; a detection tool fetched over plain HTTP is itself a target for tampering.
(This guide installs chkrootkit-0.39a, the latest version as of April 2003, on Linux 7.2.)
■ Extracting
Extract the downloaded archive:
# tar -xzvf chkrootkit.tar.gz
chkrootkit-0.39a/
chkrootkit-0.39a/COPYRIGHT
chkrootkit-0.39a/Makefile
chkrootkit-0.39a/README
chkrootkit-0.39a/README.chklastlog
chkrootkit-0.39a/README.chkwtmp
chkrootkit-0.39a/check_wtmpx.c
chkrootkit-0.39a/chkdirs.c
chkrootkit-0.39a/chklastlog.c
chkrootkit-0.39a/chkproc.c
chkrootkit-0.39a/chkrootkit
chkrootkit-0.39a/chkrootkit.lsm
chkrootkit-0.39a/chkwtmp.c
chkrootkit-0.39a/ifpromisc.c
chkrootkit-0.39a/strings.c
chkrootkit-0.39a/ACKNOWLEDGMENTS
Extracting creates a chkrootkit-0.39a directory:
# ls -alct|more
total 152
drwxr-xr-x 2 1000 1000 4096 Apr 2 19:28 .
drwx------ 3 jys jys 4096 Apr 2 19:28 ..
-r--r--r-- 1 1000 1000 2985 Apr 2 19:28 ACKNOWLEDGMENTS
-r--r--r-- 1 1000 1000 7191 Apr 2 19:28 check_wtmpx.c
-r--r--r-- 1 1000 1000 6680 Apr 2 19:28 chkdirs.c
-r--r--r-- 1 1000 1000 7746 Apr 2 19:28 chklastlog.c
-r--r--r-- 1 1000 1000 4976 Apr 2 19:28 chkproc.c
-rwxr-xr-x 1 1000 1000 59470 Apr 2 19:28 chkrootkit
-r--r--r-- 1 1000 1000 553 Apr 2 19:28 chkrootkit.lsm
-r--r--r-- 1 1000 1000 1945 Apr 2 19:28 chkwtmp.c
-r--r--r-- 1 1000 1000 1343 Apr 2 19:28 COPYRIGHT
-r--r--r-- 1 1000 1000 3358 Apr 2 19:28 ifpromisc.c
-r--r--r-- 1 1000 1000 1421 Apr 2 19:28 Makefile
-r--r--r-- 1 1000 1000 11279 Apr 2 19:28 README
-r--r--r-- 1 1000 1000 1323 Apr 2 19:28 README.chklastlog
-r--r--r-- 1 1000 1000 1292 Apr 2 19:28 README.chkwtmp
-r--r--r-- 1 1000 1000 2437 Apr 2 19:28 strings.c
■ Compiling
Build the helper binaries with the make sense command (that is the Makefile's own target name); the compile runs as shown below.
# make sense
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings strings.c
■ Using chkrootkit
chkrootkit must be run as root; from the chkrootkit-0.39a directory, running ./chkrootkit with no arguments is enough. It is worth redirecting the output to a file (./chkrootkit > chkrootkit.log) so that the result can be kept with the incident record.
When run it performs every test and reports the results as below:
# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
...(omitted)
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
...
■ Options
If you do not want to run the full suite, one or more of the following test names can be given on the command line, and only those tests are run:
aliens asp bindshell lkm rexedcs sniffer wted scalper slapper z2 amd basename
biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep
hdparm su ifconfig inetd inetdconf identd killall ldsopreload login ls lsof mail
mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind
rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute
w write
For example, to check only whether the ps and ls binaries have been replaced by trojaned versions:
# ./chkrootkit ps ls
ROOTDIR is `/'
Checking `ps'... not infected
Checking `ls'... not infected
It is also possible to remove the disk from the compromised system and examine it on another machine. In that case mount the disk read-only, so that the evidence is not altered, and pass the mount point with the -r option (for example ./chkrootkit -r /mnt/suspect), which makes chkrootkit look for files under that directory instead of /. Only the file-based tests are meaningful in this mode; the process and network interface tests (lkm, sniffer) still examine the analysis host.
Note also that chkrootkit relies on the system's own commands (ps, ls, netstat, strings and others) while it runs; if those are the trojaned binaries, its results cannot be trusted. The -p option (for example ./chkrootkit -p /cdrom/bin) tells it to use known-good copies of those commands, such as ones kept on a CD-ROM.
■ Interpreting the messages
The messages chkrootkit prints for each check are as follows:
INFECTED      the command has been replaced by a rootkit version (chkrootkit prints this in upper case).
not infected  no signature of a known rootkit was found in the command.
not tested    the test was skipped because it could not be performed on this system.
not found     the command being checked does not exist on this system.
chkrootkit is signature-based: "not infected" only means that none of the rootkits it knows was recognised, so a modified or new rootkit can pass. Conversely, "INFECTED" can occasionally be a false positive, for example a legitimately updated binary that happens to match a signature, so confirm a hit by comparing the file with a known-good copy (package verification or a clean installation) before acting on it.
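An added example (not from chkrootkit or the original page): a POSIX sh triage function that maps these messages onto an exit status, for use on saved output (./chkrootkit > chkrootkit.log). The sample output embedded in it is constructed to imitate the message formats described above, plus the Warning, "hidden for" and PROMISC lines that the lkm and sniffer tests print; the function name, the variable name SAMPLE_OUTPUT and the exit-code convention are my own.

```shell
#!/bin/sh
# Added example, not chkrootkit code: triage of chkrootkit output. Run the
# tool once with its output saved, e.g. `./chkrootkit > chkrootkit.log`,
# then feed the log to triage_chkrootkit. The constructed SAMPLE_OUTPUT
# below imitates the message formats chkrootkit prints; it is not real
# output from a compromised machine.

# triage_chkrootkit
#   Reads chkrootkit output on stdin and echoes only the lines that need
#   follow-up, then a one-line summary. Exit status: 0 = nothing
#   suspicious, 1 = at least one INFECTED or Warning line, 2 = no findings
#   but some tests did not run (re-run them, e.g. with -p on a trusted
#   toolchain, before declaring the host clean).
triage_chkrootkit() {
    infected=0; warnings=0; untested=0
    while IFS= read -r line; do
        case $line in
            *"not infected"*|*"nothing found"*|*"not found"*|*"not promisc"*) ;;
            *INFECTED*)
                infected=$((infected + 1)); echo "INFECTED: $line" ;;
            *Warning*|*"hidden for"*|*PROMISC*)
                warnings=$((warnings + 1)); echo "WARNING: $line" ;;
            *"not tested"*)
                untested=$((untested + 1)); echo "UNTESTED: $line" ;;
        esac
    done
    echo "summary: infected=$infected warnings=$warnings untested=$untested"
    if [ "$infected" -gt 0 ] || [ "$warnings" -gt 0 ]; then
        return 1
    elif [ "$untested" -gt 0 ]; then
        return 2
    fi
    return 0
}

# Constructed sample in the style of chkrootkit 0.39a messages (not real
# output): one trojaned ls, one hidden process, one test that did not run.
SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `ps'... not infected
Checking `sniffer'... eth0: not promisc
Checking `lkm'... You have     1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `wted'... not tested
Searching for Ramen Worm files and dirs... nothing found
EOF
)

# Demo run on the sample: prints the three findings and the summary line,
# and the function returns 1 because of the INFECTED and Warning lines.
printf '%s\n' "$SAMPLE_OUTPUT" | triage_chkrootkit \
    || echo "exit status $?: follow-up required"
```

On a real log replace the sample with `triage_chkrootkit < chkrootkit.log`; a non-zero status is what a cron job or a monitoring wrapper should alert on, while the echoed lines tell the responder which binaries to compare against known-good copies.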
■ What to do when a command has been trojaned
A trojaned command means the system has very likely been broken into and the attacker has obtained root. The trojaned commands could be tracked down and replaced with the originals, but there is no way to be sure that everything the attacker installed has been found. The safest course is to reinstall the system from trusted media, restore data only from backups taken before the compromise, patch the vulnerability that was used and any related ones, and disable unnecessary services, and only then put the machine back into use. If the compromise is to be analysed, take an image of the disk (or keep the disk itself) before wiping it.
For a more detailed analysis of the attack tools and backdoors on a compromised system, refer to the following document.