Un rootkit es una herramienta que permite un acceso privilegiado permanente a un sistema y mantiene su presencia oculta. El término "rootkit" tiene connotaciones negativas ya que se lo asocia al malware. Se esconde a sí mismo y a otros programas, procesos, archivos, directorios y puertos que permiten al intruso mantener el acceso remoto para comandar acciones o extraer información sensible.
Típicamente, un atacante instala un rootkit en un sistema después de haber obtenido un acceso al nivel raíz, ya sea por haberse aprovechado de una vulnerabilidad conocida o por haber obtenido una contraseña (mediante cracking o ingeniería social). Una vez que el rootkit ha sido instalado, permite que el atacante disfrace la siguiente intrusión y mantenga el acceso privilegiado a la computadora por medio de rodeos a los mecanismos normales de autenticación y autorización. Pese a que los rootktis pueden servir con muchos fines, han ganado notoriedad fundamentalmente como malware, escondiendo programas que se apropian de los recursos de las computadoras o que roban contraseñas sin el conocimiento de los administradores y de los usuarios de los sistemas afectados.
Existen muchas herramientas para buscar y detectar rootkits. Este artículo muestra como instalar y utilizar la herramienta Rootkit Hunter, o rkhunter, para detectar intrusiones a un sistema
rkhunter es un script bash que lleva a cabo varios chequeos en el sistema para tratar de detectar rootkits y malware conocido. Además realiza chequeos para determinar si se han modificado comandos, archivos de inicio del sistema, y varios chequeos en las interfases de red, incluyendo chequeos de aplicaciones escuchando pedidos.
rkhunter funciona en la mayoría de los sistemas UNIX y Linux y se puede descargar desde el siguiente enlace: http://sourceforge.net/projects/rkhunter/.
Instalación de rkhunter
La instalación es muy sencilla, luego de descargar rkhunter se deben seguir los siguientes pasos (probado en Red Hat Enterprise 5.1):
tar xvf rkhunter-1.4.0.tar.gz cd rkhunter-1.4.0 ./installer.sh --install
Una vez instalado es posible determinar qué rootkits conoce utilizando la siguiente instrucción:
rkhunter --list rootkits Rootkits checked for: 55808 Trojan - Variant A, AjaKit, aPa Kit, Adore, Apache Worm, Ambient (ark), Balaur, BeastKit, beX2, BOBKit, Boonana (Koobface.A), cb, CiNIK Worm (Slapper.B variant), CX, Danny-Boy's Abuse Kit, Devil, Dica, Dreams, Duarawkz, Enye LKM, Flea Linux, FreeBSD, Fu, Fuck`it, GasKit, Heroin LKM, HjC Kit, ignoKit, iLLogiC, Inqtana-A, Inqtana-B, Inqtana-C, IntoXonia-NG, Irix, Jynx, KBeast, Kitko, Knark, ld-linuxv.so, Li0n Worm, Lockit/LJK2, Mood-NT, MRK, Ni0, Ohhara, Optic Kit (Tux), OSXRK, Oz, Phalanx, Phalanx2, Portacelo, R3dstorm Toolkit, RH-Sharpe's, RSHA's, Scalper Worm, Shutdown, SHV4, SHV5, Sin, SInAR, Slapper, Sneakin, Solaris Wanuk, Spanish, Suckit, SunOS / NSDAP, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, Togroot, T0rn, trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire, VcKit, Volc, w00tkit, weaponX, Xzibit, X-Org SunOS, zaRwT.KiT, ZK
Para comenzar el escaneo del sistema se debe ejecutar:
rkhunter -c
El resultado del test se muestra por la salida estándar (stdout
). Si se encuentra algo sospechoso, muestra una advertencia. Además se produce un archivo de log de los test y resultados:
/var/log/rkhunter.log
Cabe destacar que se producen muchos falsos positivos, por lo que es necesario revisar cada warning manualmente.
Para finalizar dejo una corrida de muestra:
# rkhunter -c
[ Rootkit Hunter version 1.4.0 ] Checking system commands... Performing 'strings' command checks Checking 'strings' command [ OK ] Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preloaded libraries [ None found ] Checking LD_LIBRARY_PATH variable [ Not found ] Performing file properties checks Checking for prerequisites [ Warning ] /usr/local/sbin/xinetd [ OK ] /usr/local/bin/rkhunter [ OK ] /sbin/chkconfig [ OK ] /sbin/depmod [ OK ] /sbin/fsck [ OK ] /sbin/fuser [ OK ] /sbin/ifconfig [ OK ] /sbin/ifdown [ Warning ] /sbin/ifup [ Warning ] /sbin/init [ OK ] /sbin/insmod [ OK ] /sbin/ip [ OK ] /sbin/kudzu [ OK ] /sbin/lsmod [ OK ] /sbin/modinfo [ OK ] /sbin/modprobe [ OK ] /sbin/nologin [ OK ] /sbin/rmmod [ OK ] /sbin/route [ OK ] /sbin/runlevel [ OK ] /sbin/sulogin [ OK ] /sbin/sysctl [ OK ] /sbin/syslogd [ OK ] /bin/awk [ OK ] /bin/basename [ OK ] /bin/bash [ OK ] /bin/cat [ OK ] /bin/chmod [ OK ] /bin/chown [ OK ] /bin/cp [ OK ] /bin/csh [ OK ] /bin/cut [ OK ] /bin/date [ OK ] /bin/df [ OK ] /bin/dmesg [ OK ] /bin/echo [ OK ] /bin/ed [ OK ] /bin/egrep [ OK ] /bin/env [ OK ] /bin/fgrep [ OK ] /bin/grep [ OK ] /bin/kill [ OK ] /bin/login [ OK ] /bin/ls [ OK ] /bin/mail [ OK ] /bin/mktemp [ OK ] /bin/more [ OK ] /bin/mount [ OK ] /bin/mv [ OK ] /bin/netstat [ OK ] /bin/ping [ OK ] /bin/ps [ OK ] /bin/pwd [ OK ] /bin/rpm [ OK ] /bin/sed [ OK ] /bin/sh [ OK ] /bin/sort [ OK ] /bin/su [ OK ] /bin/touch [ OK ] /bin/uname [ OK ] /bin/gawk [ OK ] /bin/tcsh [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/groupadd [ OK ] /usr/sbin/groupdel [ OK ] /usr/sbin/groupmod [ OK ] /usr/sbin/grpck [ OK ] /usr/sbin/kudzu [ OK ] /usr/sbin/lsof [ OK ] /usr/sbin/prelink [ OK ] /usr/sbin/pwck [ OK ] /usr/sbin/sestatus [ OK ] /usr/sbin/tcpd [ OK ] /usr/sbin/useradd [ OK ] /usr/sbin/userdel [ OK ] /usr/sbin/usermod [ OK ] /usr/sbin/vipw [ OK ] /usr/bin/awk [ OK ] /usr/bin/chattr [ OK ] /usr/bin/curl [ OK ] /usr/bin/cut [ OK ] /usr/bin/diff [ OK ] /usr/bin/dirname [ OK ] /usr/bin/du [ OK ] /usr/bin/elinks [ OK ] /usr/bin/env [ OK ] /usr/bin/file [ OK ] /usr/bin/find [ OK ] /usr/bin/GET [ Warning ] /usr/bin/groups [ Warning ] /usr/bin/head [ OK ] /usr/bin/id [ OK ] /usr/bin/kill [ OK ] /usr/bin/killall [ OK ] /usr/bin/last [ OK ] /usr/bin/lastlog [ OK ] /usr/bin/ldd [ Warning ] /usr/bin/less [ OK ] /usr/bin/links [ OK ] /usr/bin/locate [ OK ] /usr/bin/logger [ OK ] /usr/bin/lsattr [ OK ] /usr/bin/lynx [ OK ] /usr/bin/md5sum [ OK ] /usr/bin/newgrp [ OK ] /usr/bin/passwd [ OK ] /usr/bin/perl [ OK ] /usr/bin/pgrep [ OK ] /usr/bin/pkill [ OK ] /usr/bin/pstree [ OK ] /usr/bin/readlink [ OK ] /usr/bin/runcon [ OK ] /usr/bin/sha1sum [ OK ] /usr/bin/sha224sum [ OK ] /usr/bin/sha256sum [ OK ] /usr/bin/sha384sum [ OK ] /usr/bin/sha512sum [ OK ] /usr/bin/size [ OK ] /usr/bin/stat [ OK ] /usr/bin/strace [ OK ] /usr/bin/strings [ OK ] /usr/bin/sudo [ OK ] /usr/bin/tail [ OK ] /usr/bin/test [ OK ] /usr/bin/top [ OK ] /usr/bin/tr [ OK ] /usr/bin/uniq [ OK ] /usr/bin/users [ OK ] /usr/bin/vmstat [ OK ] /usr/bin/w [ OK ] /usr/bin/watch [ OK ] /usr/bin/wc [ OK ] /usr/bin/wget [ OK ] /usr/bin/whatis [ Warning ] /usr/bin/whereis [ OK ] /usr/bin/which [ OK ] /usr/bin/who [ OK ] /usr/bin/whoami [ OK ] /usr/bin/gawk [ OK ] /etc/rkhunter.conf [ OK ] [Press <ENTER> to continue] Checking for rootkits... Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] Adore Rootkit [ Not found ] aPa Kit [ Not found ] Apache Worm [ Not found ] Ambient (ark) Rootkit [ Not found ] Balaur Rootkit [ Not found ] BeastKit Rootkit [ Not found ] beX2 Rootkit [ Not found ] BOBKit Rootkit [ Not found ] cb Rootkit [ Not found ] CiNIK Worm (Slapper.B variant) [ Not found ] Danny-Boy's Abuse Kit [ Not found ] Devil RootKit [ Not found ] Dica-Kit Rootkit [ Not found ] Dreams Rootkit [ Not found ] Duarawkz Rootkit [ Not found ] Enye LKM [ Not found ] Flea Linux Rootkit [ Not found ] Fu Rootkit [ Not found ] Fuck`it Rootkit [ Not found ] GasKit Rootkit [ Not found ] Heroin LKM [ Not found ] HjC Kit [ Not found ] ignoKit Rootkit [ Not found ] IntoXonia-NG Rootkit [ Not found ] Irix Rootkit [ Not found ] Jynx Rootkit [ Not found ] KBeast Rootkit [ Not found ] Kitko Rootkit [ Not found ] Knark Rootkit [ Not found ] ld-linuxv.so Rootkit [ Not found ] Li0n Worm [ Not found ] Lockit / LJK2 Rootkit [ Not found ] Mood-NT Rootkit [ Not found ] MRK Rootkit [ Not found ] Ni0 Rootkit [ Not found ] Ohhara Rootkit [ Not found ] Optic Kit (Tux) Worm [ Not found ] Oz Rootkit [ Not found ] Phalanx Rootkit [ Not found ] Phalanx2 Rootkit [ Not found ] Phalanx2 Rootkit (extended tests) [ Not found ] Portacelo Rootkit [ Not found ] R3dstorm Toolkit [ Not found ] RH-Sharpe's Rootkit [ Not found ] RSHA's Rootkit [ Not found ] Scalper Worm [ Not found ] Sebek LKM [ Not found ] Shutdown Rootkit [ Not found ] SHV4 Rootkit [ Not found ] SHV5 Rootkit [ Warning ] Sin Rootkit [ Not found ] Slapper Worm [ Not found ] Sneakin Rootkit [ Not found ] 'Spanish' Rootkit [ Not found ] Suckit Rootkit [ Not found ] Superkit Rootkit [ Not found ] TBD (Telnet BackDoor) [ Not found ] TeLeKiT Rootkit [ Not found ] T0rn Rootkit [ Not found ] trNkit Rootkit [ Not found ] Trojanit Kit [ Not found ] Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not found ] Vampire Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Not found ] Xzibit Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ] ZK Rootkit [ Not found ] [Press <ENTER> to continue] Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ Warning ] Performing malware checks Checking running processes for suspicious files [ None found ] Checking for login backdoors [ None found ] Checking for suspicious directories [ None found ] Checking for sniffer log files [ None found ] Performing trojan specific checks Checking for enabled xinetd services [ Warning ] Performing Linux specific checks Checking loaded kernel modules [ OK ] Checking kernel module names [ OK ] [Press <ENTER> to continue] Checking the local host... Performing system boot checks Checking for local host name [ Found ] Checking for system startup files [ Found ] Checking system startup files for malware [ None found ] Performing group and account checks Checking for passwd file [ Found ] Checking for root equivalent (UID 0) accounts [ None found ] Checking for passwordless accounts [ None found ] Checking for passwd file changes [ None found ] Checking for group file changes [ None found ] Checking root account shell history files [ OK ] Performing system configuration file checks Checking for SSH configuration file [ Found ] Checking if SSH root access is allowed [ Warning ] Checking if SSH protocol v1 is allowed [ Not allowed ] Checking for running syslog daemon [ Found ] Checking for syslog configuration file [ Found ] Checking if syslog remote logging is allowed [ Not allowed ] Performing filesystem checks Checking /dev for suspicious file types [ Warning ] Checking for hidden files and directories [ Warning ] [Press <ENTER> to continue] Checking application versions... Checking version of GnuPG [ OK ] Checking version of OpenSSL [ Warning ] Checking version of Procmail MTA [ OK ] Checking version of OpenSSH [ Warning ] System checks summary ===================== File properties checks... Required commands check failed Files checked: 141 Suspect files: 6 Rootkit checks... Rootkits checked : 319 Possible rootkits: 1 Rootkit names : SHV5 Rootkit Applications checks... Applications checked: 4 Suspect applications: 2 The system checks took: 4 minutes and 5 seconds All results have been written to the log file (/var/log/rkhunter.log) One or more warnings have been found while checking the system. Please check the log file (/var/log/rkhunter.log)