Hashsum
Same hash value: rmmod, modprobe, modinfo, modinfo, lsmod, insmod, depmod
After checking the hashes of rmmod, modprobe, modinfo, modinfo, lsmod, insmod and depmod, I got the same output:
    root@user:/var/log/apt# md5sum /sbin/modprobe
    150aa565f1e37e2fd200523b6b4fcedf  /sbin/modprobe
    root@user:/var/log/apt# md5sum /sbin/modinfo
    150aa565f1e37e2fd200523b6b4fcedf  /sbin/modinfo
    root@user:/var/log/apt# md5sum /sbin/lsmod
    150aa565f1e37e2fd200523b6b4fcedf  /sbin/lsmod
    root@user:/var/log/apt# md5sum /sbin/insmod
    150aa565f1e37e2fd200523b6b4fcedf  /sbin/insmod
    root@user:/var/log/apt# md5sum /sbin/depmod
    150aa565f1e37e2fd200523b6b4fcedf  /sbin/depmod
rkhunter log:
    [22:41:02] Warning: The file properties have changed:
    [22:41:02]          File: /bin/lsmod
    [22:41:02]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:41:03]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:41:03]          Current inode: 27304    Stored inode: 72
    [22:41:03]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:41:03]          Stored file modification time : 1578801885 (12-Jan-2020 05:04:45)
    [22:41:13]   /bin/kmod                                   [ Warning ]
    [22:41:13] Warning: The file properties have changed:
    [22:41:14]          File: /bin/kmod
    [22:41:14]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:41:14]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:41:14]          Current inode: 11350    Stored inode: 60
    [22:41:14]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:41:14]          Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)
    [22:40:48] Warning: The file properties have changed:
    [22:40:48]          File: /sbin/rmmod
    [22:40:48]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:40:48]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:40:48]          Current inode: 27594    Stored inode: 11327
    [22:40:48]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:40:48]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
    [22:40:46]   /sbin/modprobe                              [ Warning ]
    [22:40:46] Warning: The file properties have changed:
    [22:40:46]          File: /sbin/modprobe
    [22:40:46]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:40:46]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:40:46]          Current inode: 27591    Stored inode: 11330
    [22:40:46]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:40:46]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
    [22:40:45]   /sbin/modinfo                               [ Warning ]
    [22:40:45] Warning: The file properties have changed:
    [22:40:45]          File: /sbin/modinfo
    [22:40:45]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:40:45]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:40:45]          Current inode: 27589    Stored inode: 11331
    [22:40:45]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:40:45]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
    [22:40:42] Warning: The file properties have changed:
    [22:40:42]          File: /sbin/insmod
    [22:40:42]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    [22:40:42]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    [22:40:42]          Current inode: 27585    Stored inode: 11334
    [22:40:42]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    [22:40:42]          Stored file modification time : 1578801890 (12-Jan-2020 05:04:50)
apt log:
    root@user:/var/log/apt# cat /var/log/apt/history.log.1 | grep -n1 2020-03-11
    21-
    22:Start-Date: 2020-03-11  17:37:43
    23-Commandline: apt upgrade -y
    24-Upgrade: libsqlite3-0:amd64 (3.22.0-1ubuntu0.2, 3.22.0-1ubuntu0.3)
    25:End-Date: 2020-03-11  17:37:43
    26-
ls -l output:
    root@user:~# ls -l /sbin/rmmod /sbin/modprobe /sbin/modinfo /sbin/modinfo /sbin/lsmod /sbin/insmod /sbin/depmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/depmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/insmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/lsmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modinfo -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/modprobe -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 11 20:37 /sbin/rmmod -> /bin/kmod
My OS:
    Distributor ID: Ubuntu
    Description:    Ubuntu 18.04.4 LTS
    Release:        18.04
    Codename:       bionic
rkhunter log for kmod:
    root@user:~# cat /var/log/rkhunter.log | grep -n10 kmod
    419:[22:41:13]   /bin/kmod                                   [ Warning ]
    420-[22:41:13] Warning: The file properties have changed:
    421:[22:41:14]          File: /bin/kmod
    422-[22:41:14]          Current hash: fcaa05d1888ba56f72194b80cab50de49b351354116adf1d2a578c6a3c626f44
    423-[22:41:14]          Stored hash : 31e9e2579309d2c68a812d63710cb8257601970bb73344b5ff454d362bde1695
    424-[22:41:14]          Current inode: 11350    Stored inode: 60
    425-[22:41:14]          Current file modification time: 1583955426 (11-Mar-2020 20:37:06)
    426-[22:41:14]          Stored file modification time : 1542059677 (12-Nov-2018 22:54:37)
Questions
- Why am I getting this result?
- Why do the commands have the same hash? I ask because these commands give different output.
- Do these results indicate that I have actually been hacked, or that a rootkit may be present?
I see this on my Ubuntu system:
    $ ls -l /sbin/modprobe /sbin/modinfo /sbin/lsmod /sbin/insmod /sbin/depmod
    lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/depmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/insmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/lsmod -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/modinfo -> /bin/kmod
    lrwxrwxrwx 1 root root 9 Mar 12 09:15 /sbin/modprobe -> /bin/kmod
    $
The hashes are all the same because they are all symlinks to the same file. There is nothing to worry about; this is normal for these programs. And you almost certainly do not have a rootkit. As for why you do not see the update, it is because you do not understand how apt-get handles file modification times. Files installed by apt-get get their modification time from when the package was built, not from when you installed it. If you check the logs again, you will almost certainly see an update for kmod; it will be after the day you think it would be.
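The two points in the answer, as an added example that is not part of the original question or answer: several names that are symlinks to one file produce identical digests because md5sum, sha256sum and rkhunter read through the link to the target's bytes, and a file unpacked from an archive keeps the modification time recorded in the archive rather than the time of extraction (which is why the rkhunter "current file modification time" does not match the day apt ran). Everything here is constructed in a scratch directory; a dummy file stands in for /bin/kmod, and the archive stands in for the package's data tarball.

```shell
#!/bin/sh
# Added example (not the question's or answer's own commands).
# All paths and file contents below are constructed; nothing on the
# real system is read or modified.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- Part 1: many names, one file -----------------------------------------
# Stand-in for /bin/kmod (arbitrary constructed bytes) plus the same
# symlink layout the question's ls -l output shows.
mkdir -p "$WORK/bin" "$WORK/sbin"
printf 'fake kmod binary\n' > "$WORK/bin/kmod"
for name in depmod insmod lsmod modinfo modprobe rmmod; do
    ln -s ../bin/kmod "$WORK/sbin/$name"
done

# hash_of: the digest a hashing tool reports for a path. The tool follows
# the symlink, so it is really hashing the target's bytes.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# resolve: canonical target of a path. Grouping by this value lets an
# analyst attribute identical digests to a shared target instead of to
# tampering.
resolve() { readlink -f "$1"; }

# distinct_targets: number of different real files a set of paths maps to.
distinct_targets() {
    for p in "$@"; do resolve "$p"; done | sort -u | wc -l | tr -d ' '
}

# distinct_hashes: number of different digests the same set of paths yields.
distinct_hashes() {
    for p in "$@"; do hash_of "$p"; done | sort -u | wc -l | tr -d ' '
}

# --- Part 2: mtime comes from the archive, not from unpack time -----------
# Build an archive whose member carries an old, constructed mtime, unpack
# it, and read back the unpacked file's mtime. tar restores the archived
# mtime by default, which is what leaves package files with a build-time
# timestamp rather than the install date.
OLD_MTIME='2020-01-12 05:04:45'
mkdir -p "$WORK/build/usr/bin"
printf 'packaged file\n' > "$WORK/build/usr/bin/tool"
touch -d "$OLD_MTIME" "$WORK/build/usr/bin/tool"
tar -C "$WORK/build" -cf "$WORK/pkg.tar" usr
mkdir -p "$WORK/root"
tar -C "$WORK/root" -xf "$WORK/pkg.tar"

# mtime_of: modification time of a file as seconds since the epoch.
mtime_of() { stat -c %Y "$1"; }

# extracted_mtime_is_archived: succeeds when the unpacked copy kept the
# archived timestamp instead of taking the time of extraction.
extracted_mtime_is_archived() {
    [ "$(mtime_of "$WORK/root/usr/bin/tool")" -eq "$(mtime_of "$WORK/build/usr/bin/tool")" ]
}

# Stand-alone run: report what an analyst would want to see.
echo "distinct targets behind sbin/*: $(distinct_targets "$WORK"/sbin/*)"
echo "distinct hashes for sbin/* and bin/kmod: $(distinct_hashes "$WORK"/sbin/* "$WORK/bin/kmod")"
if extracted_mtime_is_archived; then
    echo "unpacked file kept the archived mtime: $(mtime_of "$WORK/root/usr/bin/tool")"
fi
```

On the real host the equivalent triage is to resolve each flagged path with readlink -f (they all land on /bin/kmod), then compare /bin/kmod against the digests recorded by the package manager (dpkg -V kmod, or debsums if installed) rather than against rkhunter's stored properties, and only after that matches run rkhunter --propupd to re-baseline. A changed hash on a symlink says nothing on its own; the question is whether the single target still matches what the distribution shipped.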