IRLP: Installing RootkitHunter

Rootkit scanner is a scanning tool to ensure you for about 99.9%* you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like (excerpt from the official site)

In other words, it is a tool that runs a series of tests to scan for rootkits, "anywhere doors", backdoors and local exploits.

The official RootkitHunter site is here → http://www.rootkit.nl/

Download the latest version, rkhunter-1.2.8.tar.gz, under /usr/local/src/ (*^^)v
# wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
--08:09:44-- http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
=> `rkhunter-1.2.8.tar.gz'
Resolving downloads.rootkit.nl... 62.177.200.5
Connecting to downloads.rootkit.nl|62.177.200.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 126,314 (123K) [application/x-tar]

100%[====================================>] 126,314 26.41K/s ETA 00:00

08:09:50 (26.37 KB/s) - `rkhunter-1.2.8.tar.gz' saved [126314/126314]

Let's extract it (*^^)v
# tar zxvf rkhunter-1.2.8.tar.gz
./rkhunter/files/
./rkhunter/files/CHANGELOG
./rkhunter/files/LICENSE
./rkhunter/files/README
./rkhunter/files/WISHLIST
./rkhunter/files/backdoorports.dat
./rkhunter/files/check_modules.pl
./rkhunter/files/check_port.pl
./rkhunter/files/defaulthashes.dat
./rkhunter/files/filehashmd5.pl
./rkhunter/files/filehashsha1.pl
./rkhunter/files/mirrors.dat
./rkhunter/files/os.dat
./rkhunter/files/rkhunter
./rkhunter/files/rkhunter.conf
./rkhunter/files/rkhunter.spec
./rkhunter/files/showfiles.pl
./rkhunter/files/md5blacklist.dat
./rkhunter/files/tools/
./rkhunter/files/tools/update_server.sh
./rkhunter/files/tools/update_client.sh
./rkhunter/files/tools/README
./rkhunter/files/check_update.sh
./rkhunter/files/programs_bad.dat
./rkhunter/files/contrib/
./rkhunter/files/contrib/run_rkhunter.sh
./rkhunter/files/contrib/README.txt
./rkhunter/files/testing/
./rkhunter/files/testing/stringscanner.sh
./rkhunter/files/testing/rootkitinfo.txt
./rkhunter/files/testing/rkhunter.conf
./rkhunter/files/development/
./rkhunter/files/development/createfilehashes.pl
./rkhunter/files/development/createhashes.sh
./rkhunter/files/development/rpmhashes.sh
./rkhunter/files/development/rpmprelinkhashes.sh
./rkhunter/files/development/osinformation.sh
./rkhunter/files/development/rkhunter.8
./rkhunter/files/development/createhashesall.sh
./rkhunter/files/development/search_dead_sysmlinks.sh
./rkhunter/files/programs_good.dat
./rkhunter/installer.sh

Change into the directory...
# cd rkhunter

Run the installer script!!
# ./installer.sh
Rootkit Hunter installer 1.2.4 (Copyright 2003-2005, Michael Boelen)
-----
Starting installation/update

Checking /usr/local… OK
Checking file retrieval tools… /usr/bin/wget
Checking installation directories…
- Checking /usr/local/rkhunter...Created
- Checking /usr/local/rkhunter/etc...Created
- Checking /usr/local/rkhunter/bin...Created
- Checking /usr/local/rkhunter/lib/rkhunter/db...Created
- Checking /usr/local/rkhunter/lib/rkhunter/docs...Created
- Checking /usr/local/rkhunter/lib/rkhunter/scripts...Created
- Checking /usr/local/rkhunter/lib/rkhunter/tmp...Created
- Checking /usr/local/etc...Exists
- Checking /usr/local/bin...Exists
Checking system settings…
– Perl… OK
Installing files…
Installing Perl module checker… OK
Installing Database updater… OK
Installing Portscanner… OK
Installing MD5 Digest generator… OK
Installing SHA1 Digest generator… OK
Installing Directory viewer… OK

----- (rest omitted) -----

Let's check for updates ( ̄ー ̄)
# /usr/local/bin/rkhunter --update
Running updater…

Mirrorfile /usr/local/rkhunter/lib/rkhunter/db/mirrors.dat rotated
Using mirror http://www.rootkit.nl/rkhunter
[DB] Mirror file : Update available
Action: Database updated (current version: 2005050700, new version 2006041300)
[DB] MD5 hashes system binaries : Update available
Action: Database updated (current version: 2006021400, new version 2006022800)
[DB] Operating System information : Update available
Action: Database updated (current version: 2005102800, new version 2006051200)
[DB] MD5 blacklisted tools/binaries : Up to date
[DB] Known good program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)
[DB] Known bad program versions : Update available
Action: Database updated (current version: 2006021400, new version 2006031400)

Ready.

Now let's run it, with the keypress prompts skipped ( ̄∇ ̄)
# rkhunter -c --createlogfile --skip-keypress

Rootkit Hunter 1.2.8 is running

Determining OS… Ready

Checking binaries
* Selftests
Strings (command) [ OK ]

* System tools
Performing 'known bad' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
----- (rest omitted) -----

Ugh! A Warning showed up (;一_一)
...something about the SSH version???
What's wrong with it... If I upgrade, I'm worried IRLP will stop working.

To run it regularly, I used crontab -e to schedule the following once a week.
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter -c --createlogfile --skip-keypress
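A cron wrapper for those two commands, added here as an example and not part of the original post: it runs the scan only if the update succeeds and then prints just the Warning lines of the log, so the weekly cron mail shows what needs attention instead of the full report. It assumes rkhunter 1.2.x at /usr/local/bin/rkhunter and that --createlogfile writes /var/log/rkhunter.log (the 1.2.x default path); the sample log at the bottom is constructed to mirror the layout of the scan output above.

```sh
#!/bin/sh
# Weekly rkhunter wrapper for cron (added example, not from the original post).
# Assumptions: rkhunter 1.2.x lives at /usr/local/bin/rkhunter and
# --createlogfile writes /var/log/rkhunter.log (the 1.2.x default path).
RKHUNTER=/usr/local/bin/rkhunter
LOGFILE=/var/log/rkhunter.log

# The two commands from the post; the scan only runs when the DB update succeeds.
run_weekly_scan() {
    "$RKHUNTER" --update && "$RKHUNTER" -c --createlogfile --skip-keypress
}

# Print only the lines of a scan log that carry a Warning, with the leading
# indentation stripped. Returns 1 when at least one Warning was found, 0 if clean.
summarize_warnings() {
    logfile=$1
    grep 'Warning' "$logfile" | sed 's/^[[:space:]]*//'
    if grep -q 'Warning' "$logfile"; then
        return 1
    fi
    return 0
}

# Number of Warning lines in a scan log ("0" rather than a failing exit if none).
count_warnings() {
    grep -c 'Warning' "$1" || true
}

# Constructed sample in the layout of the post's scan output; used when rkhunter
# itself is not installed (e.g. when trying this script on another host).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Checking binaries
* System tools
Performing 'known bad' check...
  /bin/cat                                 [ OK ]
  /bin/chmod                               [ OK ]
  /usr/bin/ssh                             [ Warning ]
Checking SSH configuration
  SSH protocol v1 allowed                  [ Warning ]
EOF

if [ -x "$RKHUNTER" ]; then
    run_weekly_scan >/dev/null 2>&1
    REPORT=$LOGFILE
else
    REPORT=$SAMPLE_LOG
fi
summarize_warnings "$REPORT" || echo "rkhunter: $(count_warnings "$REPORT") warning(s) found"
```

Installed as a cron job, the echoed summary line plus the Warning lines are all that reaches the mailbox; a clean run produces no output at all.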