What process is accessing this laptop's webcam? Is it a rootkit?


Old laptop running Minecraft for the kids. Noticed the webcam light flickering randomly for about 0.5 seconds. Assumed it was a Minecraft mod, wiped everything and reinstalled Ubuntu.

Of course, after the fresh install the webcam light started coming on randomly again. There is nothing on it beyond the most basic Ubuntu (with LXDE), Java for Minecraft, and the nvidia driver.

ausearch on /dev/video0 shows this:

----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395920.450:4111): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.450:4111): cwd="/"
type=SYSCALL msg=audit(1569395920.450:4111): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe354c0f20 a2=0 a3=0 items=1 ppid=4586 pid=4594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395920.454:4112): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395920.454:4112): cwd="/"
type=SYSCALL msg=audit(1569395920.454:4112): arch=c000003e syscall=191 success=no exit=-61 a0=5575798fd820 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4586 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:18:40 2019
type=CONFIG_CHANGE msg=audit(1569395920.418:4109): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:18:48 2019
type=CONFIG_CHANGE msg=audit(1569395928.358:4115): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=CONFIG_CHANGE msg=audit(1569395955.686:4267): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395955.738:4269): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.738:4269): cwd="/"
type=SYSCALL msg=audit(1569395955.738:4269): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe60335f20 a2=0 a3=0 items=1 ppid=4673 pid=4681 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395955.750:4270): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395955.750:4270): cwd="/"
type=SYSCALL msg=audit(1569395955.750:4270): arch=c000003e syscall=191 success=no exit=-61 a0=55757990d960 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----
time->Wed Sep 25 17:19:18 2019
type=CONFIG_CHANGE msg=audit(1569395958.534:4273): auid=4294967295 ses=4294967295op=updated_rules path="/dev/video0" key=(null) list=4 res=1
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
type=PATH msg=audit(1569395966.278:4344): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.278:4344): cwd="/"
type=SYSCALL msg=audit(1569395966.278:4344): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffedb72bf20 a2=0 a3=0 items=1 ppid=4712 pid=4721 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="v4l_id" exe="/lib/udev/v4l_id" key=(null)
----
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"
type=PATH msg=audit(1569395966.298:4345): item=0 name="/dev/video0" inode=403 dev=00:06 mode=020660 ouid=0 ogid=44 rdev=51:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=CWD msg=audit(1569395966.298:4345): cwd="/"
type=SYSCALL msg=audit(1569395966.298:4345): arch=c000003e syscall=191 success=no exit=-61 a0=557579915450 a1=7f6717f12b5f a2=7ffcdd292950 a3=84 items=1 ppid=336 pid=4712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/lib/systemd/systemd-udevd" key=(null)
----

Points of interest: the proctitle 2F6C69622F756465762F76346C5F6964002F6465762F766964656F30 and /lib/systemd/systemd-udevd.

Here are some additional timestamps showing a degree of randomness to the access:

grep -B1 proctitle /tmp/ausearch-output.txt 
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.897:65): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:33:52 2019
type=PROCTITLE msg=audit(1569274432.909:66): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.676:134): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:34:18 2019
type=PROCTITLE msg=audit(1569274458.692:135): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.921:190): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 07:36:07 2019
type=PROCTITLE msg=audit(1569274567.937:193): proctitle="/lib/systemd/systemd-udevd"
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.545:262): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Tue Sep 24 09:28:22 2019
type=PROCTITLE msg=audit(1569281302.549:263): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.215:324): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:23 2019
type=PROCTITLE msg=audit(1569377243.219:325): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.219:461): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 12:07:37 2019
type=PROCTITLE msg=audit(1569377257.231:462): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.450:4111): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:18:40 2019
type=PROCTITLE msg=audit(1569395920.454:4112): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.738:4269): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:15 2019
type=PROCTITLE msg=audit(1569395955.750:4270): proctitle="/lib/systemd/systemd-udevd"
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.278:4344): proctitle=2F6C69622F756465762F76346C5F6964002F6465762F766964656F30
--
time->Wed Sep 25 17:19:26 2019
type=PROCTITLE msg=audit(1569395966.298:4345): proctitle="/lib/systemd/systemd-udevd"

I haven't run an offline rootkit scan from a live USB, but online scans with chkrootkit and rkhunter show nothing.

I'm wondering what is causing the webcam light to flicker and what is trying to access /dev/video0.

How can I debug this further? Is this Ubuntu looking for new devices, or something more sinister?

Thanks!
