#1 On 19/01/2007 at 16:58
- darksh3ll
Checking for rootkits and other attacks
Checking for rootkits and other attacks
A rootkit is a software package that lets an unauthorised user obtain root or administrator rights on a machine. Rootkits generally manage to install themselves by exploiting a known security flaw. Once in place, they can capture passwords, monitor the state of the system, send system authentication information to other hosts, or even run programs at scheduled intervals.
Fetching, compiling and installing chkrootkit
chkrootkit is an open-source tool available at http://www.chkrootkit.org
After downloading the tar archive containing the sources:
dark@dark-sh3ll:~$ tar zxvf chkrootkit.tar.gz
dark@dark-sh3ll:~$ cd chkrootkit-0.47
dark@dark-sh3ll:~/chkrootkit-0.47$ make
Running chkrootkit
dark@dark-sh3ll:~/chkrootkit-0.47$ sudo su
root@dark-sh3ll:/home/dark/chkrootkit-0.47# ./chkrootkit
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/jvm/.java-gcj.jinfo /usr/lib/jvm/java-1.5.0-sun-1.5.0.06/.systemPrefs /usr/lib/jvm/.java-1.5.0-sun.jinfo /lib/modules/2.6.15-27-686/volatile/.mounted
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... ath0: PF_PACKET(/sbin/dhclient3, /sbin/wpa_supplicant, /sbin/dhclient3)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4682 tty7 /usr/bin/X :0 -br -audit 0 -auth /var/lib/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing
root@dark-sh3ll:/home/dark/chkrootkit-0.47#
Automating chkrootkit
Run chkrootkit from time to time.
Or, for example, run it with crontab every night at 1 AM and send the result by mail:
0 3 * * * (cd /chemin/vers/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" darksh3ll@gmail.com)
See you soon
Last edited by michel2652 (20/01/2007 at 02:32)
gnu-project@darksh3ll.com
http://www.darksh3ll.com
Coding Vim version 7.0.235
Programming: Python
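The cron job in this post mails the whole report every night, most of it "not infected" / "not found" lines (the PF_PACKET line for ath0 is just dhclient and wpa_supplicant, which legitimately open packet sockets). As an added example, not from the post and not part of chkrootkit, here is a POSIX sh filter that keeps only the lines worth a human's attention; it assumes chkrootkit marks findings with INFECTED, Warning or Possible and prints found "suspicious files and dirs" on the line after that header, and the sample report is constructed to mirror the run above with a made-up INFECTED line.

```shell
#!/bin/sh
# Added example, not part of the original post or of chkrootkit itself.
# Assumption: findings are marked INFECTED / Warning / Possible, and the
# "suspicious files and dirs" check lists its hits on the following line.

# Constructed sample in the shape of the run shown above; the INFECTED line is made up.
sample_output() {
cat <<'EOF'
Checking `login'... not infected
Checking `ls'... INFECTED
Checking `mail'... not found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/jvm/.java-gcj.jinfo /lib/modules/2.6.15-27-686/volatile/.mounted
Searching for LPD Worm files and dirs... nothing found
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... ath0: PF_PACKET(/sbin/dhclient3, /sbin/wpa_supplicant)
Checking `wted'... chkwtmp: nothing deleted
EOF
}

# Keep explicit verdicts plus the paths reported under "suspicious files and dirs";
# "not infected", "not found" and "nothing found" lines are dropped.
chkrootkit_alerts() {
    awk '
        /INFECTED|Warning|Possible/               { print; next }
        /Searching for suspicious files and dirs/ { grab = 1; next }
        grab && !/^(Searching|Checking)/          { print "suspicious: " $0; next }
                                                  { grab = 0 }
    '
}

# Number of alert lines on stdin; 0 means the nightly mail can be skipped.
alert_count() {
    chkrootkit_alerts | grep -c . || true
}

# Cron usage, with these functions saved in /path/to/chkrootkit-alerts.sh (placeholder):
#   0 3 * * * out=$(cd /path/to/chkrootkit && ./chkrootkit 2>&1 | chkrootkit_alerts); \
#             [ -n "$out" ] && printf '%s\n' "$out" | mail -s "chkrootkit alerts" root
# The -s alerts mail is only sent when the filter left something to read.

# Stand-alone demo on the constructed sample: prints the two lines that need attention.
sample_output | chkrootkit_alerts
```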
#2 On 19/01/2007 at 17:20
- cep
Re: Checking for rootkits and other attacks
Why not install the .deb?
aptitude show chkrootkit |grep Version
Version : 0.47-1
As a complement, also have a look at solutions such as Snort and the like.
#3 On 20/01/2007 at 02:29
- coffee
Re: Checking for rootkits and other attacks
The link is broken, you should replace the / with a .
In the name of a tupperware dressed in streetwear, eating pear jam and wondering where on earth it is!
Here's my blog
Jokes in the form of fake help are liable to a ban (e.g. rm)
#4 On 20/01/2007 at 02:36
- michel2652
Re: Checking for rootkits and other attacks
Hello,
@ coffee,
Still on holiday?
Done.
-http://www.chkrootkid/org ---> http://www.chkrootkit.org
See you