LinuCレベル3 303試験の例題と解説

326.2ホストの侵入検知

LinuCレベル3 303試験の出題範囲から「326.2 ホストの侵入検知」についての例題を解いてみます。
このテーマにはシステムへの侵入などを検知するツールへの理解が問われます。重要度も高いので、各ツールの設定や使用方法をしっかりと把握しておきましょう。

Linucレベル3 303試験 出題範囲


例題

chkrootkitをエキスパートモードで実行するためのオプションはどれか、選択せよ。

  1. -d
  2. -x
  3. -l
  4. -V

※この例題は実際の試験問題とは異なります。


解答と解説

正解は、「2.-x」です。

ルートキットとは、コンピュータシステムへの不正アクセスを隠したり、攻撃者がそこへ継続的にリモートアクセスするバックドアとして動作するソフトウェアです。

chkrootkitは、ルートキット・ワーム・トロイの木馬などを検出する検出ツールです。

コマンド実行時には、以下などのオプションを指定することが出来ます。

-x詳細出力(エキスパートモード)
-dデバックモード
-l利用可能な検査一覧
-Vバージョン表示
-rルートディレクトリ指定

以下、chkrootkitの実行例です。
※"INFECTED"と表示された場合、検出されたことを意味します。

[root@bf1467feca77 ~]# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/debug/usr/.dwz

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... Possible Linux/Ebury - Operation Windigo installetd
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhclient)
docker0: not promisc and no PF_PACKET sockets
virbr0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

[root@bf1467feca77 ~]# chkrootkit -l
/usr/lib64/chkrootkit-0.50/chkrootkit: tests: aliens asp bindshell lkm rexedcs 
sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG amd basename biff chfn
chsh cron crontab date du dirname echo egrep env find fingerd gpm grep hdparm su 
ifconfig inetd inetdconf identd init killall  ldsopreload login ls lsof mail mingetty 
netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail 
sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write

なお、chkrootkiに関する詳細は、以下のリンクで確認することができます。
http://www.chkrootkit.org/
https://www.commandlinux.com/man-page/man1/chkrootkit.1.html


例題作成者

鯨井 貴博
(LinuCエヴァンジェリスト/登録インストラクター、LPI-Japanアカデミック認定校 Zeus IT Camp)

ページトップへ