Checking for rootkits with chkrootkit

1. Download chkrootkit-0.43.tar.gz from http://www.chkrootkit.org.

2. Extract the archive.
[root@localhost src]# tar xvfzp chkrootkit-0.43.tar.gz
chkrootkit-0.43/
chkrootkit-0.43/ACKNOWLEDGMENTS
chkrootkit-0.43/chkproc.c
chkrootkit-0.43/README
chkrootkit-0.43/chklastlog.c
chkrootkit-0.43/README.chkwtmp
chkrootkit-0.43/COPYRIGHT
chkrootkit-0.43/Makefile
chkrootkit-0.43/check_wtmpx.c
chkrootkit-0.43/strings.c
chkrootkit-0.43/ifpromisc.c
chkrootkit-0.43/chkdirs.c
chkrootkit-0.43/chkrootkit.lsm
chkrootkit-0.43/chkwtmp.c
chkrootkit-0.43/chkrootkit
chkrootkit-0.43/README.chklastlog

3. Build chkrootkit with the make command.
[root@localhost chkrootkit-0.43]# make
*** stopping make sense ***
make[1]: Entering directory `/usr/local/src/chkrootkit-0.43'
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
gcc -DHAVE_LASTLOG_H -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
make[1]: Leaving directory `/usr/local/src/chkrootkit-0.4

[root@localhost chkrootkit-0.43]# ll
total 604
-r--r--r-- 1 1000 1000 3966 Dec 27 03:02 ACKNOWLEDGMENTS
-rwxr-xr-x 1 root root 2704 Jun 3 13:21 check_wtmpx
-r--r--r-- 1 1000 wheel 7195 Dec 27 03:26 check_wtmpx.c
-rwxr-xr-x 1 root root 6052 Jun 3 13:21 chkdirs
-r--r--r-- 1 1000 wheel 6781 Dec 27 03:27 chkdirs.c
-rwxr-xr-x 1 root root 6640 Jun 3 13:21 chklastlog
-r--r--r-- 1 1000 wheel 7729 Dec 27 03:30 chklastlog.c
-rwxr-xr-x 1 root root 6488 Jun 3 13:21 chkproc
-r--r--r-- 1 1000 wheel 6676 Dec 27 03:35 chkproc.c
-rwxr-xr-x 1 1000 1000 67736 Dec 29 01:48 chkrootkit
-r--r--r-- 1 1000 1000 565 Dec 27 21:35 chkrootkit.lsm
-rwxr-xr-x 1 root root 3936 Jun 3 13:21 chkwtmp
-r--r--r-- 1 1000 1000 1945 Dec 25 02:37 chkwtmp.c
-r--r--r-- 1 1000 1000 1343 Dec 25 02:37 COPYRIGHT
-rwxr-xr-x 1 root root 6836 Jun 3 13:21 ifpromisc
-r--r--r-- 1 1000 1000 8771 Dec 27 09:09 ifpromisc.c
-r--r--r-- 1 1000 1000 1448 Dec 27 06:34 Makefile
-r--r--r-- 1 1000 1000 12387 Dec 27 21:40 README
-r--r--r-- 1 1000 1000 1323 Dec 25 02:37 README.chklastlog
-r--r--r-- 1 1000 1000 1292 Dec 25 02:37 README.chkwtmp
-r--r--r-- 1 1000 1000 2437 Dec 25 02:38 strings.c
-rwxr-xr-x 1 root root 402496 Jun 3 13:21 strings-static
You have new mail in /var/spool/mail/root

4. Check for rootkits with the chkrootkit command.

[root@localhost chkrootkit-0.43]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
.
.

5. Check specific files only.
[root@localhost chkrootkit-0.43]# ./chkrootkit ps ls netstat
ROOTDIR is `/'
Checking `ps'... not infected
Checking `ls'... not infected
Checking `netstat'... not infected
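Steps 4 and 5 run chkrootkit by hand and read the result on screen. The script below is an added example, not part of the original post and not chkrootkit's own code: it runs the binary built in step 3 unattended, counts the lines chkrootkit reports as suspicious (`INFECTED`, `Warning`, `Possible`; `not infected`, `not found` and `not tested` are benign), and returns an exit status a cron job can alert on. The build directory `CHKROOTKIT_DIR` is an assumption taken from the post's `/usr/local/src` path, and the sample output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post or of chkrootkit itself:
# run the chkrootkit built in step 3 non-interactively and turn its output
# into an exit status that a cron job or monitoring agent can act on.
# CHKROOTKIT_DIR is an assumed location (the post built in /usr/local/src).

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/usr/local/src/chkrootkit-0.43}"

# Count suspicious lines in chkrootkit output read from stdin.
# chkrootkit marks a trojaned binary with "INFECTED" and other anomalies with
# "Warning" / "Possible"; "not infected", "not found" and "not tested" are benign.
# grep -c exits 1 when the count is 0, so "|| true" keeps callers under set -e alive.
count_findings() {
    grep -c -E 'INFECTED|Warning|Possible' || true
}

# Print the names of the binaries reported as INFECTED, one per line.
# Matches the line format shown in steps 4 and 5:  Checking `ls'... INFECTED
infected_names() {
    sed -n 's/^Checking `\([^'\'']*\)'\''\.\.\. INFECTED.*/\1/p'
}

# Run chkrootkit from its build directory (argument or CHKROOTKIT_DIR).
# Returns 0 when clean, 2 when it reported findings, 1 when it could not run.
run_chkrootkit() {
    dir="${1:-$CHKROOTKIT_DIR}"
    if [ ! -x "$dir/chkrootkit" ]; then
        echo "chkrootkit not found in $dir" >&2
        return 1
    fi
    # Full output is kept (no -q) so the log stays reviewable and the
    # parsers above can work on it.
    out=$(cd "$dir" && ./chkrootkit 2>&1) || true
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | count_findings)
    if [ "$n" -gt 0 ]; then
        echo "chkrootkit: $n suspicious line(s); INFECTED binaries:" >&2
        printf '%s\n' "$out" | infected_names >&2
        return 2
    fi
    return 0
}

# Constructed sample of chkrootkit output (not captured from a real host),
# used to exercise the parsers above without an infected machine.
sample_output() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `ps'... INFECTED
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
EOF
}

# Usage from cron, for example:
#   run_chkrootkit >/var/log/chkrootkit.log || mail -s "chkrootkit findings on $(hostname)" root
```

Two caveats apply to the whole procedure above. chkrootkit relies on the host's own `ls`, `ps`, `netstat`, `strings` and similar tools to do its checks, so on a machine you already suspect, run it with trusted copies of those commands (chkrootkit's `-p dir` option points it at an alternative path for them, or boot from a clean medium). And the tarball in step 1 is fetched over plain HTTP; compare it against the checksum or signature published on the project site before running `make` as root.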