
This wiki is part of the materials of a course
Course: SeguretatXarxesInformàtiques
Files: EinesHacking.pdf (EinesHacking.odp)
SVN repository: https://anonymous@svn.projectes.lafarga.cat/svn/iceupc/SeguretatXarxesInformàtiques
User: anonymous
Password: no password
Authors: Sergi Tur Badenas

Rootkit detection

Installation

$ sudo apt-get install rkhunter
$ sudo apt-get install chkrootkit

Running the tools

rkhunter:

$ sudo rkhunter -c
Rootkit Hunter 1.2.9 is running
 
Determining OS... Ready

Checking binaries
* Selftests
     Strings (command)                                        [ OK ]

* System tools
  Performing 'known bad' check...
   /bin/cat                                                   [ OK ]
   /bin/chmod                                                 [ OK ]
   /bin/chown                                                 [ OK ]
   /bin/date                                                  [ OK ]
   /bin/df                                                    [ OK ]
   /bin/dmesg                                                 [ OK ]
   /bin/echo                                                  [ OK ]
   /bin/ed                                                    [ OK ]
........................
Info: Check skipped - no hashes available

[Press <ENTER> to continue] 

Check rootkits
* Default files and directories
   Rootkit '55808 Trojan - Variant A'...                      [ OK ]
   ADM Worm...                                                [ OK ]
   Rootkit 'AjaKit'...                                        [ OK ]
   Rootkit 'aPa Kit'...                                       [ OK ]
   Rootkit 'Apache Worm'...                                   [ OK ]
   Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]
   Rootkit 'Balaur Rootkit'...                                [ OK ]
   .................


* Suspicious files and malware
   Scanning for known rootkit strings                         [ OK ]
   Scanning for known rootkit files                           [ OK ]
   Testing running processes...                               [ OK ]
   Miscellaneous Login backdoors                              [ OK ]
   Miscellaneous directories                                  [ OK ]
   Software related files                                     [ OK ]
   Sniffer logs                                               [ OK ]

[Press <ENTER> to continue] 
 

* Trojan specific characteristics
   shv4
     Checking /etc/rc.d/rc.sysinit                            [ Not found ]
     Checking /etc/inetd.conf                                 [ Clean ]
     Checking /etc/xinetd.conf                                [ Skipped ]  

 * Suspicious file properties
    chmod properties
      Checking /bin/ps                                         [ Clean ]
      Checking /bin/ls                                         [ Clean ]
      Checking /usr/bin/w                                      [ Clean ]
      Checking /usr/bin/who                                    [ Clean ]
      Checking /bin/netstat                                    [ Clean ]
      Checking /bin/login                                      [ Clean ]
    Script replacements
      Checking /bin/ps                                         [ Clean ]
      Checking /bin/ls                                         [ Clean ]
      Checking /usr/bin/w                                      [ Clean ]
      Checking /usr/bin/who                                    [ Clean ]
      Checking /bin/netstat                                    [ Clean ]
      Checking /bin/login                                      [ Clean ] 
* OS dependant tests  

   Linux
     Checking loaded kernel modules...                        [ OK ]
     Checking file attributes                                 [ OK ]
     Checking LKM module path                                 [ OK ]  


Networking
* Check: frequently used backdoors
  Port 2001: Scalper Rootkit                                  [ OK ]
  Port 2006: CB Rootkit                                       [ OK ]
  Port 2128: MRK                                              [ OK ]
  Port 14856: Optic Kit (Tux)                                 [ OK ]
  Port 47107: T0rn Rootkit                                    [ OK ]
  Port 60922: zaRwT.KiT                                       [ OK ] 

* Interfaces
     Scanning for promiscuous interfaces...                   [ OK ]
[Press <ENTER> to continue]

System checks
* Allround tests
   Checking hostname... Found. Hostname is moodle
   Checking for passwordless user accounts... OK
   Checking for differences in user accounts...                    [ NA ]
   Checking for differences in user groups... Creating file It seems this is your first time.
   Checking boot.local/rc.local file... 
     - /etc/rc.local                                          [ OK ]
     - /etc/rc.d/rc.local                                     [ Not found ]
     - /usr/local/etc/rc.local                                [ Not found ]
     - /usr/local/etc/rc.d/rc.local                           [ Not found ]
     - /etc/conf.d/local.start                                [ Not found ]
     - /etc/init.d/boot.local                                 [ Not found ]
   Checking rc.d files...                                     [ Not found ]
   Checking history files
     Bourne Shell                                             [ OK ]   

* Filesystem checks
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock
/etc/.java /dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools 
---------------
Please inspect:  /etc/.java (directory)  /dev/.static (directory)  /dev/.udev (directory)  /dev/.initramfs (directory)   

[Press <ENTER> to continue]
  


Application advisories
* Application scan
   Checking Apache2 modules ...                               [ OK ]
   Checking Apache configuration ...                          [ OK ] 

* Application version scan
   - GnuPG 1.4.6                                              [ Unknown ]
   - Bind DNS 9.3.4                                           [ Unknown ]
   - OpenSSL 0.9.8c                                           [ Unknown ]
   - PHP 5.2.1                                                [ Unknown ]
   - OpenSSH 4.3p2                                            [ Unknown ] 

Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or contact us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net. 


Security advisories
* Check: Groups and Accounts
   Searching for /etc/passwd...                               [ Found ]
   Checking users with UID '0' (root)...                      [ OK ]  

* Check: SSH
   Searching for sshd_config... 
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
    Hint: See logfile for more information about this issue
   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ] 

* Check: Events and Logging
   Search for syslog configuration...                         [ OK ]
   Checking for running syslog slave...                       [ OK ]
   Checking for logging to remote system...                   [ OK (no remote logging) ]  

[Press <ENTER> to continue]
---------------------------- Scan results ----------------------------

MD5 scan
Scanned files: 0
Incorrect MD5 checksums: 0 

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 0

Scanning took 396 seconds

-----------------------------------------------------------------------

Do you have some problems, undetected rootkits, false positives, ideas
or suggestions? Please e-mail us through the Rootkit Hunter mailinglist
at rkhunter-users@lists.sourceforge.net.
-----------------------------------------------------------------------  
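The interactive run above is long and almost entirely "[ OK ]". As an added example (not part of rkhunter), the following shell functions reduce a saved rkhunter log to the lines that were actually flagged and compare the hidden-file list against an allow list of already reviewed paths. Function names, the allow list and the sample log excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): turn a saved rkhunter run into a
# short report. rkhunter flags findings with "[ Warning! ]", "Possible risk!"
# and a "Please inspect:" list; "[ OK ]" lines are noise for a daily mail.
# Function names, the allow list and the sample log are constructed.

# rkhunter_findings LOGFILE -> only the lines that were flagged
rkhunter_findings() {
    grep -E 'Warning!|Possible risk!|^Please inspect:|^ *info: ' "$1"
}

# hidden_files LOGFILE -> paths listed in the "----" block that follows the
# "Scanning for hidden files ... [ Warning! ]" line (other dashed banners,
# such as the scan-results footer, are ignored)
hidden_files() {
    awk '/Scanning for hidden files/ && /Warning/ { armed = 1; next }
         armed && /^-+$/ { inblock = !inblock; if (!inblock) armed = 0; next }
         inblock { print }' "$1"
}

# unexpected_hidden LOGFILE ALLOWFILE -> hidden entries not in the allow list
# (one exact path per line, e.g. udev/initramfs directories already reviewed)
unexpected_hidden() {
    hidden_files "$1" | grep -vxF -f "$2" || true
}

# Constructed sample: an excerpt of the run shown above, plus an allow list
write_sample() {
    cat > "$1" <<'EOF'
   Checking /dev for suspicious files...                      [ OK ]
   Scanning for hidden files...                               [ Warning! ]
---------------
/etc/.pwd.lock
/dev/.udev
/dev/.initramfs
/tmp/.hidden_dir
---------------
Please inspect:  /dev/.udev (directory)  /tmp/.hidden_dir (directory)
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: "PermitRootLogin yes" found in file /etc/ssh/sshd_config
   Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]
EOF
    printf '/etc/.pwd.lock\n/dev/.udev\n/dev/.initramfs\n' > "$2"
}

# demo_report -> flagged lines followed by the hidden files still unexplained
demo_report() {
    log=$(mktemp); allow=$(mktemp)
    write_sample "$log" "$allow"
    rkhunter_findings "$log"
    echo "Unexpected hidden files:"
    unexpected_hidden "$log" "$allow"
    rm -f "$log" "$allow"
}
```

Run against a real log saved with rkhunter's own `-l` / logfile option, the same functions give a report short enough to mail from cron.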

chkrootkit:

$ sudo chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files  
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/jvm/.java-1.5.0-sun.jinfo
/usr/lib/jvm/java-1.5.0-sun-1.5.0.11/.systemPrefs
/usr/lib/jvm/.java-gcj.jinfo  
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... /usr/lib/security
/usr/lib/security/classpath.security
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: not promisc and no packet sniffer sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted

Other tools. Checking and maintaining system integrity

The debsums package

A tool that validates the integrity of installed packages.

Installation:

$ sudo apt-get install debsums

Once installed, we can try to check the integrity of a package:

$ sudo debsums ssh
debsums: no md5sums for ssh

As we can see, most packages do not have their md5 sums stored. Much of the information about installed packages is deleted from time to time, or when running:

$ sudo apt-get clean

Let's check what happens with a freshly installed package:

$ sudo apt-get install fortunes
$ sudo debsums fortunes 
/usr/share/games/fortunes/art                                                 OK
/usr/share/games/fortunes/art.dat                                             OK
/usr/share/games/fortunes/ascii-art                                           OK
/usr/share/games/fortunes/ascii-art.dat                                       OK
/usr/share/games/fortunes/computers                                           OK
/usr/share/games/fortunes/computers.dat                                       OK
/usr/share/games/fortunes/cookie                                              OK
/usr/share/games/fortunes/cookie.dat                                          OK
/usr/share/games/fortunes/definitions                                         OK
/usr/share/games/fortunes/definitions.dat                                     OK
/usr/share/games/fortunes/drugs                                               OK
....

We can get a list of the packages that have no md5 sums with the command:

$ sudo debsums -l

We can recover the md5 sums for the packages that lack them by running:

$ sudo -i
# cd /var/cache/apt/archives
# apt-get --download-only --reinstall install `debsums -l`
# debsums --generate=keep,nocheck *.deb
# exit

We can check the integrity of the whole system with:

$ sudo debsums -c

The -c parameter shows the packages whose files have changed. Note that configuration files are ignored (normally they are modified after installation). If we also want to verify changes in configuration files, we can use the -a parameter:

$ sudo debsums -ac
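As an added example (not debsums' own code), the following shell functions reimplement the check that `debsums -c` and `debsums -ac` perform, using the same on-disk inputs dpkg keeps: the `<pkg>.md5sums` list ("<md5>  <path relative to />") and the `<pkg>.conffiles` list of configuration files. Function names and the two-file sample package are constructed.

```shell
#!/bin/sh
# Constructed illustration of what debsums does. dpkg keeps one
# "<md5>  <path relative to />" line per file in
# /var/lib/dpkg/info/<pkg>.md5sums, plus a <pkg>.conffiles list of
# configuration files. Function names here are assumptions, not debsums' own.

# generate_md5sums ROOT LISTFILE PATH...  (what "debsums --generate" derives from a .deb)
generate_md5sums() {
    root=$1; list=$2; shift 2
    : > "$list"
    for p in "$@"; do
        printf '%s  %s\n' "$(md5sum "$root/$p" | cut -d' ' -f1)" "$p" >> "$list"
    done
}

# verify_md5sums ROOT LISTFILE CONFFILES ALL
#   Prints "<path> FAILED" for every file whose hash differs (like debsums -c).
#   Paths listed in CONFFILES are skipped unless ALL=1 (like debsums -ac).
#   Paths with embedded spaces are not handled, to keep the example short.
verify_md5sums() {
    root=$1; list=$2; conffiles=$3; all=${4:-0}
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ "$all" != 1 ] && grep -qxF "/$path" "$conffiles"; then
            continue                       # conffile: ignored unless -a
        fi
        if [ ! -f "$root/$path" ]; then
            printf '/%s MISSING\n' "$path"; continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || printf '/%s FAILED\n' "$path"
    done < "$list"
}

# demo_changed_files [ALL]: a constructed fake root with a two-file package,
# then both files edited; ALL=1 behaves like -ac, otherwise like -c
demo_changed_files() {
    all=${1:-0}
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/etc/demo"
    printf 'binary v1\n' > "$tmp/usr/bin/demo"
    printf 'option=1\n'  > "$tmp/etc/demo/demo.conf"
    printf '/etc/demo/demo.conf\n' > "$tmp/demo.conffiles"
    generate_md5sums "$tmp" "$tmp/demo.md5sums" usr/bin/demo etc/demo/demo.conf
    printf 'binary v2\n' > "$tmp/usr/bin/demo"        # unexpected change
    printf 'option=2\n'  > "$tmp/etc/demo/demo.conf"  # local admin edit
    verify_md5sums "$tmp" "$tmp/demo.md5sums" "$tmp/demo.conffiles" "$all"
    rm -rf "$tmp"
}
```

With ALL=0 only the changed binary is reported; with ALL=1 the edited configuration file is reported as well, which is exactly the difference between -c and -ac described above.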

In fact, sometimes we only want to find out which configuration files of a specific package we have modified:

$ sudo debsums -ce bind9
/etc/bind/named.conf.options
/etc/bind/named.conf.local

More information with:

$ debsums --help 

and

$ man debsums

On systems that use RPM packages, the equivalent command is:

# rpm -Va

Tripwire

The configuration file is:

/etc/tripwire/twpol.txt

The default values are good enough. Once the configuration is OK, we have to initialise the Tripwire database:

$ sudo tripwire -m i

Now we can verify the system with:

$ sudo tripwire -m c

NOTE: If for some reason the monitored files are modified (for instance by a system update), we have to recreate the database to keep it consistent.

If we do not want to monitor certain files, we can indicate this in the policy file (twpol.txt).

According to the website http://www.tu-chemnitz.de/docs/lindocs/RH9/RH-DOCS/rhl-rg-es-9/ch-tripwire.html, the Tripwire maintenance process is as follows:

Tripwire.png (figure: the Tripwire maintenance process)

We can use cron to automate running Tripwire:

For example, to run it every day, add the line:

/usr/sbin/tripwire -m c | mail root@localhost

to the file /etc/cron.daily/tripwire, which we have to make sure is executable:

$ sudo chmod 755 /etc/cron.daily/tripwire

Resources:

Integrit

$ sudo apt-get install integrit

The main configuration file is:

/etc/integrit/integrit.conf

Initially all the lines are commented out, so the file has to be edited:

$ sudo joe /etc/integrit/integrit.conf

To generate the database:

$ sudo integrit -C /etc/integrit/integrit.conf -u  

We make a backup:

$ sudo mv /var/lib/integrit/known.cdb  /var/lib/integrit/known.cdb_`date +%Y%m%d%H%M`  

We make the current database the known database:

$ sudo mv /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb

Integrit runs daily thanks to the cron entry:

/etc/cron.daily/integrit

Configuration:

/etc/integrit/integrit.debian.conf:

Resources:

aide

$ sudo apt-get install aide

samhain

$ sudo apt-get install samhain

See also

Resources