Linux/Unix 시스템 침해사고 점검 스크립트…

개인적으로 리눅스/유닉스 계열 침해사고 점검 용도로 사용했던 스크립트입니다. 가끔 필요하여 찾으려고 하면 어디에 두었는지 찾기도 힘들고해서, 블로그에 올렸습니다.

#!/bin/sh
# best view tabstop 4
# written by francesco(kimfrancesco@gmail.com)
# Version 0.7 (20130315)

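# Configuration.  The script runs as root on a host that may already be
# compromised: every helper below (uname, id, find, last, rpm, ...) is just
# the binary found on that host, so a kit that replaced those tools can make
# every check report SAFE.  Where possible run it with known-good static
# binaries from read-only media and compare.
#
# Requires a POSIX sh ($(...) and $((...))); on Solaris 10 run it with
# /usr/xpg4/bin/sh, which is also why that directory leads the PATH.
PATH=/usr/xpg4/bin:/bin:/usr/bin:/sbin:/usr/sbin
export PATH

OS=$(uname)
# Numeric uid of the caller; replaces the fragile cut-based parse of `id`.
USERID=$(id -u)
SYSTEMDIRLIST="/home /usr /bin /dev /var /etc /tmp /sbin"
VARSUBDIRLIST="/var/tmp /var/spool /var/uucp /var/preserve /var/news /var/opt /var/snmp /var/lp"

# Static marker paths of known rootkit families, one whitespace-separated
# list each.  A renamed or rebuilt kit is not caught, so read SAFE as
# "no known marker found", not "clean".
XorgRootKIT="/usr/lib/libX.a/ /usr/lib/libX.a/bin/ /usr/lib/libx.a/ /usr/lib/libx.a/bin/"
SHV4RootKIT="/usr/lib/libsh /usr/lib/libsh/shsb /lib/libsh.so"
SKRootKIT="/usr/share/locale/sk/.sk12 /usr/man/.sman/sk"
LJk2RootKIT="/usr/lib/libmen.oo/.LJK2"
FUCKITRootKIT="/dev/proc/fuckit"
# NOTE(review): the original list read "usr/lib/.kinetic" without a leading
# slash, a relative path that could never match; the slash is restored here.
BALAURRootKIT="/usr/lib/.kinetic /usr/lib/.egcs /usr/lib/.wormie"
BEASTRootKIT="/usr/lib/elm/arobia/elm /lib/ldd.so/bktools"
CBRootKIT="/usr/bin/.zeen /usr/bin/.system"   # /usr/bin/.zeen was listed twice
DREAMSRootKIT="/usr/lib/libshtift"
IGNOKITRootKIT="/usr/lib/.libigno /usr/lib/defs"
PHALANXRootKIT="/usr/share/.home.ph1"
PHALANX2RootKIT="/etc/khubd.p2 /usr/lib/zupzz.p2 /etc/lolzz.p2"
R55808RootKIT="/tmp/.../r /tmp/.../a"
# grep -E pattern searched in the output of last(1).
SUSPECTLOGIN="ipt\.aol"
SSHBACKDOOR="/usr/bin/dsdm /usr/bin/ssh2d"

# grep -E patterns that mark a failed package-verification line:
# rpm -V flags such as "SM5"/"S.5" on Linux, a "cksum" error from pkgchk
# on SunOS.
LINUX_ROOTKIT_LABEL="SM5|S.5"
SUNOS_ROOTKIT_LABEL="cksum"
# Return codes of the fn_*_result helpers: 0 means a match (INFECTED).
INFECTED=0
NOT_INFECTED=1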

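# Refuse to run unless invoked as root: the package verification and the
# find(1) sweeps below must be able to read every path they inspect.
if [ "$USERID" != "0" ]; then
  echo " You are not superuser" >&2
  exit 1
fi

# Optional "local" argument sets DONOTUSEFTP (not referenced in this part of
# the script).  "$@" keeps every argument as one word; $* would split them.
for arg in "$@"; do
  if [ "${arg}" = "local" ]; then
    DONOTUSEFTP="TRUE"
  fi
done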

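# Per-OS tool paths and the package-verification command.
# Unknown platforms abort here: previously they fell through with every
# *PATH variable unset, and "[ -x $FINDPATH ]" on an unset variable is
# true, so the checks then ran against nonsense commands.
case "$OS" in
  *Linux*)
    OSNAME="LINUX"
    INTEGRITYTOOL="/bin/rpm"
    INTEGRITYTARGET="/bin/ls /bin/ps /bin/netstat /usr/bin/find /usr/sbin/lsof /sbin/init /bin/login"
    # -V -f: verify the package owning the file; --nomtime ignores a bare
    # mtime change so only content/mode/owner differences count.
    INTEGRITYCMD="/bin/rpm -V -f --nomtime"
    NETSTATPATH="/bin/netstat"
    NETSTATCMD="netstat -anp"
    LSOFPATH=$(command -v lsof)
    FINDPATH="/usr/bin/find"
    ARPPATH="/sbin/arp"
    LASTPATH="/usr/bin/last"
    IFCONFIGPATH="/sbin/ifconfig"
    WTMPLOGPATH="/var/log"
    HOSTID=$(hostid)
    ;;
  *SunOS*)
    OSNAME="SUNOS"
    INTEGRITYTOOL="/usr/sbin/pkgchk"
    INTEGRITYTARGET="/usr/bin/find /usr/bin/ps /usr/bin/ls /usr/bin/netstat /sbin/init /bin/login"
    INTEGRITYCMD="/usr/sbin/pkgchk -p"
    NETSTATPATH="/usr/bin/netstat"
    NETSTATCMD="netstat -an"
    FINDPATH="/usr/bin/find"
    ARPPATH="/usr/sbin/arp"
    LASTPATH="/usr/bin/last"
    LSOFPATH=$(command -v lsof)
    IFCONFIGPATH="/sbin/ifconfig"
    WTMPLOGPATH="/var/adm"
    HOSTID=$(hostid)
    ;;
  *HP-UX*)
    OSNAME="HPUX"
    INTEGRITYTOOL="/usr/sbin/swverify"
    INTEGRITYTARGET="/usr/bin /usr/sbin"
    INTEGRITYCMD="/usr/sbin/swverify -d"
    CHKROOTKITCOMPILE="N"
    NETSTATPATH="/usr/bin/netstat"
    NETSTATCMD="netstat -an"
    FINDPATH="/usr/bin/find"
    ARPPATH="/usr/sbin/arp"
    LASTPATH="/usr/bin/last"
    IFCONFIGPATH="/usr/sbin/ifconfig"
    WTMPLOGPATH="/var/adm"
    # Sixth blank-separated field of "uname -a" (awk's default splitting).
    HOSTID=$(uname -a | awk '{print $6}')
    ;;
  *)
    echo "Unsupported OS: ${OS}" >&2
    exit 1
    ;;
esac

# Running counter used in the "[NO_n]" prefix of every report line.
check_category_num=0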

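#######################################
# Decide whether package-verification output reports a tampered file.
# Globals:   OS (read); LINUX_ROOTKIT_LABEL, SUNOS_ROOTKIT_LABEL (read);
#            INFECTED, NOT_INFECTED (read);
#            integrity_result (read only when $1 is not given)
# Arguments: $1 - verification output to inspect (optional; defaults to the
#                 global integrity_result, the original calling convention)
# Returns:   $INFECTED when the OS-specific mismatch pattern occurs,
#            $NOT_INFECTED otherwise (also for an OS without a pattern)
#######################################
fn_file_integrity_result() {
  fir_output=${1-${integrity_result}}
  case "$OS" in
    *Linux*) fir_pattern=${LINUX_ROOTKIT_LABEL} ;;
    *SunOS*) fir_pattern=${SUNOS_ROOTKIT_LABEL} ;;
    *) return "${NOT_INFECTED}" ;;
  esac
  # printf rather than echo: tool output may start with "-" or contain "\".
  if printf '%s\n' "${fir_output}" | grep -E -e "${fir_pattern}" > /dev/null; then
    return "${INFECTED}"
  fi
  return "${NOT_INFECTED}"
}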

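#######################################
# Check last(1) output for a login matching a suspect pattern.
# Globals:   login_i (read only when $1 is not given),
#            last_result (read only when $2 is not given),
#            INFECTED, NOT_INFECTED (read)
# Arguments: $1 - grep -E pattern (optional; defaults to global login_i)
#            $2 - last(1) output to search (optional; defaults to last_result)
# Returns:   $INFECTED on a match, $NOT_INFECTED otherwise
#######################################
fn_lastlogin_result() {
  llr_pattern=${1-${login_i}}
  llr_output=${2-${last_result}}
  # printf rather than echo: last(1) output may contain backslashes.
  if printf '%s\n' "${llr_output}" | grep -E -e "${llr_pattern}" > /dev/null; then
    return "${INFECTED}"
  fi
  return "${NOT_INFECTED}"
}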

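# --- Check: package integrity of core binaries -----------------------------
# Verifies each INTEGRITYTARGET binary against the package database.  The
# verifier (rpm/pkgchk) and its database live on the same host, so a kit
# that patched them too produces a false SAFE.  HP-UX is skipped: the
# swverify output is not classified by fn_file_integrity_result.
check_category_num=$((check_category_num + 1))
infected=0
# Compare OSNAME, not OS: uname prints "HP-UX", so the original "*HPUX*"
# pattern on $OS never matched and the check ran on HP-UX anyway.
case "${OSNAME:-}" in
  HPUX)
    ;;
  *)
    for i in $INTEGRITYTARGET; do      # word-splitting of the list is intended
      if [ -f "${i}" ]; then
        # INTEGRITYCMD is a command plus options: left unquoted on purpose.
        integrity_result=$($INTEGRITYCMD "$i" 2>&1)
        fn_file_integrity_result
        STATUS=$?
        if [ "${STATUS}" -eq "${INFECTED}" ]; then
          echo "[NO_${check_category_num}][FILE INTEGRITY] : INFECTED ($i)"
          infected=1
        fi
      fi
    done
    ;;
esac
if [ "${infected}" -eq 0 ]; then
  echo "[NO_${check_category_num}][FILE INTEGRITY] : SAFE"
fi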

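# --- Check: suspicious login origins in last(1) ----------------------------
# Only the 100 most recent wtmp entries are searched.  wtmp is root-writable
# and a routine cleanup target, so an empty result is weak evidence.
check_category_num=$((check_category_num + 1))
infected=0
# Quoted test: with LASTPATH unset, "[ -x $LASTPATH ]" was true and ran "-100".
if [ -x "$LASTPATH" ]; then
  STATUS=${NOT_INFECTED}
  last_result=$("$LASTPATH" -100)
  for login_i in ${SUSPECTLOGIN}; do   # one grep -E pattern per word
    fn_lastlogin_result
    STATUS=$?
    if [ "${STATUS}" -eq "${INFECTED}" ]; then
      echo "[NO_${check_category_num}][SUSPECT LOGIN] : INFECTED (${login_i})"
      infected=1
      break
    fi
  done
fi
if [ "${infected}" -eq 0 ]; then
  echo "[NO_${check_category_num}][SUSPECT LOGIN] : SAFE"
fi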

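# --- Check: setuid executables under /dev ----------------------------------
# /dev should hold device nodes; a regular file there with the setuid bit
# and owner execute (-perm -4100) is a classic drop location.
check_category_num=$((check_category_num + 1))
infected=0
# Quoted test: with FINDPATH unset, "[ -x $FINDPATH ]" was true.
if [ -x "$FINDPATH" ]; then
  dev_result=$("$FINDPATH" /dev -type f -a -perm -4100)
  if [ -n "${dev_result}" ]; then
    echo "[NO_${check_category_num}][DEV DIR/EXEC FILE] : INFECTED (${dev_result})"
    infected=1
  fi
fi
if [ "${infected}" -eq 0 ]; then
  echo "[NO_${check_category_num}][DEV DIR/EXEC FILE] : SAFE"
fi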

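# --- Check: hidden directories under system trees --------------------------
# Directory names starting with a blank, "..x" or ". x" are invisible to a
# casual "ls" and are a common place to stash a kit.  The first hit stops
# the sweep, so only the first affected tree is reported.
check_category_num=$((check_category_num + 1))
infected=0
if [ -x "$FINDPATH" ]; then
  for sysdir_i in $SYSTEMDIRLIST; do   # word-splitting of the list is intended
    hiddendir_result=$("$FINDPATH" "$sysdir_i" -type d -a \( -name " *" -o -name "..?*" -o -name ". ?*" \))
    if [ -n "${hiddendir_result}" ]; then
      echo "[NO_${check_category_num}][HIDDEN DIR] : INFECTED (${hiddendir_result})"
      infected=1
      break
    fi
  done
fi
if [ "${infected}" -eq 0 ]; then
  echo "[NO_${check_category_num}][HIDDEN DIR] : SAFE"
fi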

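# --- Check: setuid executables under /var subtrees -------------------------
# Spool and temp areas under /var are typically writable by services or
# users; a setuid file there (-perm -4100) is not expected.  Directories
# that do not exist on this platform are skipped.
check_category_num=$((check_category_num + 1))
infected=0
if [ -x "$FINDPATH" ]; then
  for vardir_i in $VARSUBDIRLIST; do   # word-splitting of the list is intended
    if [ -d "${vardir_i}" ]; then
      varsubdir_result=$("$FINDPATH" "$vardir_i" -type f -a -perm -4100)
      if [ -n "${varsubdir_result}" ]; then
        echo "[NO_${check_category_num}][VAR DIR/EXEC FILE] : INFECTED (${varsubdir_result})"
        infected=1
        break
      fi
    fi
  done
fi
if [ "${infected}" -eq 0 ]; then
  echo "[NO_${check_category_num}][VAR DIR/EXEC FILE] : SAFE"
fi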

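# --- Checks: known rootkit marker paths ------------------------------------
# Each family is a static path list from the configuration block.  Only the
# presence test differs per family (directory, file, executable), so the
# fourteen near-identical loops are folded into two helpers; the report
# lines and their order are unchanged.

#######################################
# Probe a list of marker paths and report the first one that exists.
# Globals:   check_category_num (read) - number used in the report prefix
# Arguments: $1 - report label, e.g. "X-org RootKit"
#            $2 - test(1) unary flag applied to each path: -d, -f, -x or -e
#            $3 - whitespace-separated marker paths
# Outputs:   one INFECTED line on stdout for the first matching path
# Returns:   0 if a marker was found, 1 if none exists
#######################################
fn_check_rootkit_paths() {
  rk_label=$1
  rk_test=$2
  for rk_path in $3; do                # word-splitting of the list is intended
    if [ "$rk_test" "$rk_path" ]; then
      echo "[NO_${check_category_num}][${rk_label}] : INFECTED (${rk_path})"
      return 0
    fi
  done
  return 1
}

#######################################
# Run one rootkit category: bump the counter, probe (Linux/SunOS only) and
# print the SAFE line when nothing was found.
# Globals:   OS (read), check_category_num (read/written), infected (written)
# Arguments: $1 - report label, $2 - test(1) flag, $3 - marker path list
# Outputs:   the INFECTED or SAFE report line on stdout
#######################################
fn_run_rootkit_check() {
  check_category_num=$((check_category_num + 1))
  infected=0
  if [ "${OS}" = "Linux" ] || [ "${OS}" = "SunOS" ]; then
    if fn_check_rootkit_paths "$1" "$2" "$3"; then
      infected=1
    fi
  fi
  if [ "${infected}" -eq 0 ]; then
    echo "[NO_${check_category_num}][$1] : SAFE"
  fi
}

fn_run_rootkit_check "X-org RootKit"    -d "$XorgRootKIT"
# -e replaces the original "-f ... -o -d ...": any existing object counts.
fn_run_rootkit_check "SHV4 RootKit"     -e "$SHV4RootKIT"
fn_run_rootkit_check "SK RootKit"       -d "$SKRootKIT"
fn_run_rootkit_check "FUCKIT RootKit"   -d "$FUCKITRootKIT"
fn_run_rootkit_check "LJK2 RootKit"     -d "$LJk2RootKIT"
fn_run_rootkit_check "BALAUR RootKit"   -d "$BALAURRootKIT"
fn_run_rootkit_check "BEASTKIT RootKit" -d "$BEASTRootKIT"
fn_run_rootkit_check "CB RootKit"       -d "$CBRootKIT"
fn_run_rootkit_check "DREAMS RootKit"   -d "$DREAMSRootKIT"
fn_run_rootkit_check "IGNOKIT RootKit"  -d "$IGNOKITRootKIT"
fn_run_rootkit_check "Phalanx RootKit"  -d "$PHALANXRootKIT"
# NOTE(review): these markers look like file names, yet the original tested
# -d; kept as-is, but confirm whether -e is the intended check.
fn_run_rootkit_check "Phalanx2 RootKit" -d "$PHALANX2RootKIT"
fn_run_rootkit_check "55808 RootKit"    -f "$R55808RootKIT"
fn_run_rootkit_check "SSH Backdoor"     -x "$SSHBACKDOOR"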
