I have an old Asus laptop with Debian 11 installed. When the OS is running I get performance problems, especially when a network cable is plugged in. I ran an advanced memory test with Memtest86+ and it found no errors.
I then created a Kali Linux live USB to do a health check. When I run
┌──(kali㉿kali)-[~]
└─$ sudo rkhunter -c
or:
sudo mkdir /mnt/temp
sudo mount /dev/sda1 /mnt/temp
┌──(kali㉿kali)-[/mnt/temp]
└─$ sudo rkhunter -c
I get this summary:
System checks summary
=====================
File properties checks...
Files checked: 145
Suspect files: 117
Rootkit checks...
Rootkits checked : 497
Possible rootkits: 6
Applications checks...
All checks skipped
The system checks took: 11 minutes and 43 seconds
All results have been written to the log file: /var/log/rkhunter.log
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)
Is this a false-positive scan? I got the same result with sudo rkhunter --propupd. Do the results belong only to Kali, and how do I perform a proper check on /dev/sda?
┌──(kali㉿kali)-[/mnt/temp]
└─$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 3.3G 1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
/run/live/rootfs/filesystem.squashfs
sda 8:0 0 149.1G 0 disk
├─sda1 8:1 0 500M 0 part /mnt/temp
├─sda2 8:2 0 53.7G 0 part
├─sda3 8:3 0 2.1G 0 part
└─sda4 8:4 0 19.8M 0 part
sdb 8:16 1 14.5G 0 disk
├─sdb1 8:17 1 3.9G 0 part /usr/lib/live/mount/medium
│ /run/live/medium
└─sdb2 8:18 1 896K 0 part
sr0 11:0 1 1024M 0 rom
/var/log/rkhunter.log:
...
[09:34:48] Performing file properties checks
[09:34:48] Checking for prerequisites [ OK ]
[09:35:05] /usr/sbin/adduser [ Warning ]
[09:35:06] Warning: File '/usr/sbin/adduser' has the immutable-bit set.
[09:35:06] Info: Found file '/usr/sbin/adduser': it is whitelisted for the 'script replacement' check.
[09:35:06] /usr/sbin/chroot [ Warning ]
[09:35:07] Warning: File '/usr/sbin/chroot' has the immutable-bit set.
[09:35:07] /usr/sbin/cron [ Warning ]
[09:35:07] Warning: File '/usr/sbin/cron' has the immutable-bit set.
[09:35:08] /usr/sbin/depmod [ OK ]
[09:35:09] /usr/sbin/fsck [ Warning ]
[09:35:09] Warning: File '/usr/sbin/fsck' has the immutable-bit set.
[09:35:10] /usr/sbin/groupadd [ Warning ]
[09:35:10] Warning: File '/usr/sbin/groupadd' has the immutable-bit set.
[09:35:10] /usr/sbin/groupdel [ Warning ]
...
[09:43:45] Checking for login backdoors [ None found ]
[09:43:45]
[09:43:45] Info: Starting test name 'sniffer_logs'
[09:43:46] Checking for file '/usr/lib/libice.log' [ Not found ]
[09:43:46] Checking for file '/dev/prom/sn.l' [ Not found ]
[09:43:46] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
[09:43:46] Checking for sniffer log files [ None found ]
[09:43:46]
[09:43:46] Info: Starting test name 'tripwire'
[09:43:46] Checking for software intrusions [ Skipped ]
[09:43:46] Info: Check skipped - tripwire not installed
[09:43:46]
[09:43:46] Info: Starting test name 'susp_dirs'
[09:43:46] Checking for directory '/usr/X11R6/bin/.,/copy' [ Not found ]
[09:43:46] Checking for directory '/dev/rd/cdb' [ Not found ]
[09:43:47] Checking for suspicious directories [ None found ]
[09:43:47]
[09:43:47] Info: Starting test name 'ipc_shared_mem'
[09:43:47] Info: The minimum shared memory segment size to be checked (in bytes): 1048576 (1.0MB)
[09:43:48] Checking for suspicious (large) shared memory segments [ Warning ]
[09:43:48] Warning: The following suspicious (large) shared memory segments have been found:
[09:43:48] Process: /usr/bin/xfce4-taskmanager PID: 2826 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:48] Process: /usr/bin/xfdesktop PID: 1839 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/lib/firefox-esr/firefox-esr PID: 2276 Owner: kali Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/lib/firefox-esr/firefox-esr PID: 2276 Owner: kali Size: 4.2MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/bin/thunar PID: 1834 Owner: kali Size: 16MB (configured size allowed: 1.0MB)
[09:43:49] Process: /usr/bin/xfwm4 PID: 1777 Owner: kali Size: 2.0MB (configured size allowed: 1.0MB)
[09:43:49]
[09:43:49] Info: Starting test name 'trojans'
[09:43:49] Performing trojan specific checks
[09:43:49] Checking for enabled inetd services [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/inetd.conf' does not exist.
[09:43:49] Checking for enabled xinetd services [ Skipped ]
[09:43:49] Info: Check skipped - file '/etc/xinetd.conf' does not exist.
[09:43:50] Checking for Apache backdoor [ Not found ]
[09:43:50]
...
Answer 1
The running Kali instance has processes with suspicious (large) shared memory segments. Whether or not that is a false positive tells you nothing about the Debian 11 installation. Shared memory is always runtime, i.e. it belongs to a running instance. To perform this test on Debian, you have to run Debian.
In fact, you have scanned for Debian rootkits as far as you can from Kali. If you think the performance problems come from some rootkit, you have to install rkhunter on Debian to check for it.
Honestly, when I get performance problems I would look at tools like vmstat, iostat and top. If the network really is involved, look at name resolution, /etc/resolv.conf and so on. I have seen perfectly running systems slowed down by a DNS configuration error.
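As an added example (not code from the question or the answer), the following POSIX shell script applies the answer's distinction to a log like the one above: it pulls out the files rkhunter flagged for the immutable bit, separates the runtime-only "Process: ... PID:" findings from file findings, and re-reads the attribute of each flagged file with lsattr under a mounted root, where it can be checked without booting the disk. The log excerpt is constructed, and /mnt/root is an assumed mount point for the Debian root partition.

```shell
#!/bin/sh
# Added example, not from the original post. Sorts rkhunter warnings from a
# live-USB scan into "runtime" findings (about the running Kali) and "file"
# findings, and re-checks the flagged files on a mounted Debian root.
set -eu

# Constructed excerpt modelled on the log in the question.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[09:35:06] Warning: File '/usr/sbin/adduser' has the immutable-bit set.
[09:35:07] Warning: File '/usr/sbin/chroot' has the immutable-bit set.
[09:43:48] Warning: The following suspicious (large) shared memory segments have been found:
[09:43:49]          Process: /usr/bin/thunar    PID: 1834    Owner: kali    Size: 16MB (configured size allowed: 1.0MB)
EOF

# Paths of files rkhunter flagged as having the immutable bit set.
warned_files() {
    sed -n "s/.*Warning: File '\([^']*\)' has the immutable-bit set.*/\1/p" "$1"
}

# A "Process: ... PID:" line describes a process on the running system and says
# nothing about an unbooted disk; every other warning concerns a file.
classify_line() {
    case "$1" in
        *"Process: "*"PID: "*) echo runtime ;;
        *) echo file ;;
    esac
}

# Read the ext4 attributes of one flagged path under a mounted root (/mnt/root is
# an assumed mount point for the Debian root partition). lsattr works on an
# unbooted disk, unlike the shared-memory test. Prints immutable, clear or unknown.
immutable_on_root() {
    root=$1; file=$2
    [ -e "$root$file" ] && command -v lsattr >/dev/null 2>&1 || { echo unknown; return; }
    attrs=$(lsattr -d "$root$file" 2>/dev/null) || { echo unknown; return; }
    case "${attrs%% *}" in
        *i*) echo immutable ;;
        *) echo clear ;;
    esac
}

# Re-check every flagged file under a mounted root,
# e.g. recheck_all /mnt/root /var/log/rkhunter.log
recheck_all() {
    warned_files "$2" | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(immutable_on_root "$1" "$f")"
    done
}
```

An "immutable" result for a path under the mounted Debian root is a finding about the Debian disk; "unknown" means the file is absent under that root or lsattr is unavailable, so the warning cannot be attributed to it.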