The hashes are identical: rmmod, modprobe, modinfo, modinfo, lsmod, insmod, depmod

After checking the hashes of rmmod, modprobe, modinfo, modinfo, lsmod, insmod and depmod, I get identical output.

root@user:/var/log/apt# md5sum /sbin/modprobe 
150aa565f1e37e2fd200523b6b4fcedf  /sbin/modprobe
root@user:/var/log/apt# md5sum /sbin/modinfo 
150aa565f1e37e2fd200523b6b4fcedf  /sbin/modinfo
root@user:/var/log/apt# md5sum /sbin/lsmod 
150aa565f1e37e2fd200523b6b4fcedf  /sbin/lsmod
root@user:/var/log/apt# md5sum /sbin/insmod 
150aa565f1e37e2fd200523b6b4fcedf  /sbin/insmod
root@user:/var/log/apt# md5sum /sbin/depmod 
150aa565f1e37e2fd200523b6b4fcedf  /sbin/depmod

rkhunter log:

[22:41:02] Warning: The file properties have changed:
[22:41:02]          File: /bin/lsmod
[22:41:02]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:41:03]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:41:03]          Current inode: 27304    Stored inode: 72
[22:41:03]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:41:03]          Stored file modification time : 1578801885 (12-Jan-2020 05:04:45)
[22:41:13]   /bin/kmod                                       [ Warning ]
[22:41:13] Warning: The file properties have changed:
[22:41:14]          File: /bin/kmod
[22:41:14]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:41:14]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:41:14]          Current inode: 11350    Stored inode: 60
[22:41:14]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:41:14]          Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)
[22:40:48] Warning: The file properties have changed:
[22:40:48]          File: /sbin/rmmod
[22:40:48]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:48]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:48]          Current inode: 27594    Stored inode: 11327
[22:40:48]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:48]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:46]   /sbin/modprobe                                  [ Warning ]
[22:40:46] Warning: The file properties have changed:
[22:40:46]          File: /sbin/modprobe
[22:40:46]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:46]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:46]          Current inode: 27591    Stored inode: 11330
[22:40:46]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:46]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:45]   /sbin/modinfo                                   [ Warning ]
[22:40:45] Warning: The file properties have changed:
[22:40:45]          File: /sbin/modinfo
[22:40:45]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:45]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:45]          Current inode: 27589    Stored inode: 11331
[22:40:45]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:45]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
[22:40:42] Warning: The file properties have changed:
[22:40:42]          File: /sbin/insmod
[22:40:42]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
[22:40:42]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
[22:40:42]          Current inode: 27585    Stored inode: 11334
[22:40:42]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
[22:40:42]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)

Relevant log:

root@user:/var/log/apt# cat /var/log/apt/history.log.1 | grep -n1 2020-03-11
21-
22:Start-Date: 2020-03-11  17:37:43
23-Commandline: apt upgrade -y
24-Upgrade: libsqlite3-0:amd64 (3.22.0-1ubuntu0.2, 3.22.0-1ubuntu0.3)
25:End-Date: 2020-03-11  17:37:43
26-

ls -l output:

root@user:~# ls -l /sbin/rmmod /sbin/modprobe /sbin/modinfo /sbin/modinfo /sbin/lsmod /sbin/insmod /sbin/depmod 
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/depmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/insmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/lsmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modprobe -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/rmmod -> /bin/kmod

My OS:

Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:    18.04
Codename:   bionic

rkhunter log for kmod:

root@user:~# cat /var/log/rkhunter.log | grep -n10 kmod
419:[22:41:13]   /bin/kmod                                       [ Warning ]
420-[22:41:13] Warning: The file properties have changed:
421:[22:41:14]          File: /bin/kmod
422-[22:41:14]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
423-[22:41:14]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
424-[22:41:14]          Current inode: 11350    Stored inode: 60
425-[22:41:14]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
426-[22:41:14]          Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)

Questions

  • Why does this happen?
  • Why do the commands have the same hash? I am asking this because these commands produce different output.
  • Do these results indicate that I have actually been hacked, or that a rootkit may be present?

Answer 1

On my Ubuntu system I see the following:

$ ls -l /sbin/modprobe /sbin/modinfo /sbin/lsmod /sbin/insmod /sbin/depmod
lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/depmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/insmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/lsmod -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/modinfo -> /bin/kmod
lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/modprobe -> /bin/kmod
$

The hashes are all identical because they are all symbolic links to the same file. There is nothing to worry about; this is normal for these programs, and there is almost certainly no rootkit. The reason you cannot see the update is that you do not understand how apt-get handles file modification times: files installed by apt-get take their modification time from when the package was built, not from when the package was installed. If you check the logs again, you will almost certainly find the next update of kmod shortly after the very day you thought it happened.
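To confirm the answer's explanation on a live system rather than by eye, the following POSIX shell script (an added example, not part of the original question or answer) resolves each path with readlink -f, hashes the real target, and counts how many distinct targets a set of paths share; it also checks a target against a dpkg-style md5sums file, the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums (the kmod.md5sums path is assumed to follow the Ubuntu 18.04 layout). The demo tree, the stand-in kmod script and the md5sums record are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: attribute identical hashes to a shared symlink target and
# verify that target against a dpkg-style md5sums record.

# Print "path -> real target sha256" for each argument.
hash_targets() {
    for p in "$@"; do
        target=$(readlink -f "$p") || { echo "$p -> (unresolvable)"; continue; }
        sum=$(sha256sum "$target" | cut -d' ' -f1)
        echo "$p -> $target $sum"
    done
}

# Count distinct real targets among the arguments. A group such as
# lsmod/insmod/rmmod/modprobe/modinfo/depmod that all point at one kmod
# binary yields 1, which is why every one of them hashes the same.
count_distinct_targets() {
    for p in "$@"; do readlink -f "$p"; done | sort -u | wc -l | tr -d ' '
}

# Verify one file against a dpkg-style md5sums file whose lines read
# "<md5>  relative/path" (relative to the root, e.g. "bin/kmod").
# $1 = root directory, $2 = md5sums file, $3 = relative path.
# Returns 0 when the recorded and actual MD5 match, 1 otherwise.
verify_against_md5sums() {
    root=$1; sums=$2; rel=$3
    expected=$(grep "  $rel\$" "$sums" | cut -d' ' -f1)
    [ -n "$expected" ] || return 1
    actual=$(md5sum "$root/$rel" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# --- constructed demo tree standing in for /bin/kmod and its /sbin symlinks ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/sbin"
printf '#!/bin/sh\necho kmod stand-in\n' > "$DEMO/bin/kmod"
for name in lsmod insmod rmmod modprobe modinfo depmod; do
    ln -s "$DEMO/bin/kmod" "$DEMO/sbin/$name"
done
# Constructed md5sums record for the stand-in, in dpkg's "<md5>  path" format.
printf '%s  bin/kmod\n' "$(md5sum "$DEMO/bin/kmod" | cut -d' ' -f1)" > "$DEMO/kmod.md5sums"

# Named wrappers over the demo tree so the results can be checked by callers.
demo_targets() { count_distinct_targets "$DEMO"/sbin/*; }
demo_verify() {
    if verify_against_md5sums "$DEMO" "$DEMO/kmod.md5sums" bin/kmod; then echo ok; else echo MISMATCH; fi
}

hash_targets "$DEMO"/sbin/*
echo "distinct targets: $(demo_targets)"
echo "dpkg-style verify: $(demo_verify)"
```

On a real host the same three functions run as hash_targets /sbin/lsmod /sbin/insmod /bin/kmod and verify_against_md5sums / /var/lib/dpkg/info/kmod.md5sums bin/kmod (dpkg -V kmod is the packaged equivalent of that last check). Once the binary matches the package's recorded checksum, the rkhunter warnings are accounted for by the package update, and rkhunter --propupd refreshes its stored file properties so the next run is clean.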
