Detectando RootKits con RkHunter

Vamos a ver primero lo que es un RootKit y Rkhunter.

Un Rootkit es un programa o serie de programas que un intruso utiliza para ocultar su presencia en nuestros sistemas y permitirle el acceso más adelante al sistema en cuestión. Un Rootkit usualmente manipula los datos de nuestros sistemas o altera la ejecución de nuestros sistemas operativos.

Es muy importante conocer los rootkits están diseñados para ser difícil de detectar. Muchos de los rootkits han sido tan bien programados, incluso en un nivel mas avanzado que los virus y malwares, que su presencia puede pasar desapercibida por mucho tiempo. Un Rootkit no es un exploit, es lo que el atacante utiliza después de un exploit para permitirse acceso no detectado al sistema comprometido.

RkHunter (Rootkit Hunter) es una herramienta para escanear por RootKits, Puertas Traseras y posibles exploits existentes en nuestro sistema. Lo hace mediante los siguientes métodos.

Comparando los hashes MD5 de archivos importantes con la firma correcta en una base de datos en línea
Buscando los Directorios por defecto de Rootkits Buscando Permisos Incorrectos y Archivos Ocultos
Buscando Cadenas Sospechosas en los Módulos de Kernel
Revisando puertos de Comunicación
Ejecutando pruebas especiales para Linux y FreeBSD
Escaneo de cadenas específicas en los archivos y comparándolo con un diccionario de RootKits, Troyanos, Sniffers y Puertas Traseras conocidos

Ahora vamos a ver como instalamos RkHunter en nuestro sistema con Linux.

Ejecutamos los siguientes comandos como root

# cd /tmp

# wget http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

Una vez Descargado procedemos con la instalación

# tar -xvf rkhunter-1.4.0.tar.gz

# cd rkhunter-1.4.0

# ./installer.sh --layout default --install

Actualizamos la base de datos de RkHunter

# rkhunter --update

# rkhunter --propupd

Ahora solo es escanear nuestro sistema completo para asegurarnos que nuestro sistema no está comprometido

# rkhunter -c

Una vez Finalizado la Herramienta guardará todos los resultados en un archivo

/var/log/rkhunter/rkhunter.log

Aquí un pequeño Fragmento del archivo.

[07:34:46] Checking for Knark Rootkit...

[07:34:46] Checking for file '/proc/knark/pids' [ Not found ]

[07:34:46] Checking for directory '/proc/knark' [ Not found ]

[07:34:46] Knark Rootkit [ Not found ]

[07:34:46]

[07:34:46] Checking for ld-linuxv.so Rootkit...

[07:34:46] Checking for file '/lib/ld-linuxv.so.1' [ Not found ]

[07:34:46] Checking for directory '/var/opt/_so_cache' [ Not found ]

[07:34:46] Checking for directory '/var/opt/_so_cache/ld' [ Not found ]

[07:34:46] Checking for directory '/var/opt/_so_cache/lc' [ Not found ]

[07:34:46] ld-linuxv.so Rootkit [ Not found ]

[07:34:46]

[07:34:46] Checking for Li0n Worm...

[07:34:47] Checking for file '/bin/in.telnetd' [ Not found ]

[07:34:47] Checking for file '/bin/mjy' [ Not found ]

[07:34:47] Checking for file '/usr/man/man1/man1/lib/.lib/mjy' [ Not found ]

[07:34:47] Checking for file '/usr/man/man1/man1/lib/.lib/in.telnetd' [ Not found ]

[07:34:47] Checking for file '/usr/man/man1/man1/lib/.lib/.x' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/1i0n.sh' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/hack.sh' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/bind' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/randb' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/scan.sh' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/pscan' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/star.sh' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/bindx.sh' [ Not found ]

[07:34:47] Checking for file '/dev/.lib/lib/scan/bindname.log' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/1i0n.sh' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/lib/netstat' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/lib/dev/.1addr' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/lib/dev/.1logz' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/lib/dev/.1proc' [ Not found ]

[07:34:48] Checking for file '/dev/.lib/lib/lib/dev/.1file' [ Not found ]

[07:34:48] Li0n Worm [ Not found ]

[07:34:48]

[07:34:48] Checking for Lockit / LJK2 Rootkit...

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/ssh_config' [ Not found ]

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/ssh_host_key' [ Not found ]

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/ssh_host_key.pub' [ Not found ]

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/ssh_random_seed*' [ Not found ]

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/sshd_config' [ Not found ]

[07:34:48] Checking for file '/usr/lib/libmen.oo/.LJK2/backdoor/RK1bd' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/du' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/ifconfig' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/inetd.conf' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/locate' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/login' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/ls' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/netstat' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/ps' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/pstree' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/rc.sysinit' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/syslogd' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/tcpd' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/backup/top' [ Not found ]

[07:34:49] Checking for file '/usr/lib/libmen.oo/.LJK2/clean/RK1sauber' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/clean/RK1wted' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hack/RK1parse' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hack/RK1sniff' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hide/.RK1addr' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hide/.RK1dir' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hide/.RK1log' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hide/.RK1proc' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/modules/README.modules' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/modules/RK1phide' [ Not found ]

[07:34:50] Checking for file '/usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh' [ Not found ]

Buscar este blog

JsiTech

Detectando RootKits con RkHunter

Comentarios

Publicar un comentario

Entradas más populares de este blog

Que es la Seguridad de Información?

Instalando ModSecurity en Linux CentOS y Apache

Instalando Citrix XenServer 6.2, Paso a Paso.