昨夜、rkhunterは次の警告でトリガーされました。
[04:10:23] Warning: Network TCP port 32982 is being used by /usr/lib/Apache2/mpm-prefork/Apache2. Possible rootkit: Solaris Wanuk
Use the 'lsof -i' or 'netstat -an' command to check this.
[04:10:23] Checking for TCP port 33369 [ Not found ]
[04:10:23] Checking for TCP port 47107 [ Not found ]
[04:10:23] Checking for TCP port 47018 [ Not found ]
[04:10:24] Checking for TCP port 60922 [ Warning ]
[04:10:24] Warning: Network TCP port 60922 is being used by /usr/lib/Apache2/mpm-prefork/Apache2. Possible rootkit: zaRwT.KiT
Use the 'lsof -i' or 'netstat -an' command to check this.
前日の前のスキャンでも同じ警告はなく、実行している2番目のサーバーもありませんでした。これ以上の警告はありません。
次に何をすべきかを正確に理解する方法がわかりません。 'lsof -i'を実行すると、次の結果が表示されます。
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 570 root 5u IPv4 2440 0t0 UDP *:bootpc
portmap 674 daemon 4u IPv4 2630 0t0 UDP *:sunrpc
portmap 674 daemon 5u IPv4 2634 0t0 TCP *:sunrpc (LISTEN)
rpc.statd 687 statd 4u IPv4 2666 0t0 UDP *:863
rpc.statd 687 statd 6u IPv4 2675 0t0 UDP *:49433
rpc.statd 687 statd 7u IPv4 2678 0t0 TCP *:33135 (LISTEN)
rpc.mount 949 root 7u IPv4 3174 0t0 UDP *:50854
rpc.mount 949 root 8u IPv4 3179 0t0 TCP *:45667 (LISTEN)
named 995 bind 20u IPv6 3297 0t0 TCP *:domain (LISTEN)
named 995 bind 21u IPv4 3302 0t0 TCP localhost:domain (LISTEN)
named 995 bind 22u IPv4 3305 0t0 TCP server.stratoserver.net:domain (LISTEN)
named 995 bind 23u IPv4 3307 0t0 TCP server.local:domain (LISTEN)
named 995 bind 24u IPv4 3342 0t0 TCP localhost:953 (LISTEN)
named 995 bind 25u IPv6 3343 0t0 TCP localhost:953 (LISTEN)
named 995 bind 512u IPv6 3296 0t0 UDP *:domain
named 995 bind 513u IPv4 3301 0t0 UDP localhost:domain
named 995 bind 514u IPv4 3303 0t0 UDP server.stratoserver.net:domain
named 995 bind 515u IPv4 3306 0t0 UDP server.local:domain
rpc.rquot 1042 root 3u IPv4 3551 0t0 UDP *:790
rpc.rquot 1042 root 4u IPv4 3557 0t0 TCP *:791 (LISTEN)
ntpd 1055 ntp 16u IPv4 3601 0t0 UDP *:ntp
ntpd 1055 ntp 17u IPv6 3602 0t0 UDP *:ntp
ntpd 1055 ntp 18u IPv4 3610 0t0 UDP localhost:ntp
ntpd 1055 ntp 19u IPv4 3611 0t0 UDP server.stratoserver.net:ntp
ntpd 1055 ntp 20u IPv4 3612 0t0 UDP server.local:ntp
ntpd 1055 ntp 21u IPv6 3613 0t0 UDP [fe80::21b:c6ff:fe40:4175]:ntp
ntpd 1055 ntp 22u IPv6 3614 0t0 UDP localhost:ntp
ntpd 1055 ntp 23u IPv6 3615 0t0 UDP [fe80::21b:c6ff:fe40:4172]:ntp
sshd 1067 root 3u IPv4 3653 0t0 TCP *:ssh (LISTEN)
sshd 1067 root 4u IPv6 3655 0t0 TCP *:ssh (LISTEN)
mysqld 1197 mysql 10u IPv4 3784 0t0 TCP *:mysql (LISTEN)
mysqld 1197 mysql 13u IPv4 28876535 0t0 TCP server.local:mysql->server.local:41029 (ESTABLISHED)
mysqld 1197 mysql 14u IPv4 35609701 0t0 TCP server.local:mysql->server2.local:36676 (ESTABLISHED)
mysqld 1197 mysql 15u IPv4 36159013 0t0 TCP server.local:mysql->server2.local:38976 (ESTABLISHED)
mysqld 1197 mysql 16u IPv4 36159014 0t0 TCP server.local:mysql->server2.local:38977 (ESTABLISHED)
mysqld 1197 mysql 17u IPv4 28876538 0t0 TCP server.local:mysql->server.local:41030 (ESTABLISHED)
mysqld 1197 mysql 18u IPv4 28876539 0t0 TCP server.local:mysql->server.local:41031 (ESTABLISHED)
mysqld 1197 mysql 21u IPv4 36159015 0t0 TCP server.local:mysql->server2.local:38978 (ESTABLISHED)
mysqld 1197 mysql 22u IPv4 35609702 0t0 TCP server.local:mysql->server2.local:36677 (ESTABLISHED)
mysqld 1197 mysql 27u IPv4 36159028 0t0 TCP server.local:mysql->server2.local:38979 (ESTABLISHED)
mysqld 1197 mysql 28u IPv4 35609703 0t0 TCP server.local:mysql->server2.local:36678 (ESTABLISHED)
mysqld 1197 mysql 29u IPv4 35610784 0t0 TCP server.local:mysql->server2.local:36690 (ESTABLISHED)
mysqld 1197 mysql 30u IPv4 36159029 0t0 TCP server.local:mysql->server2.local:38980 (ESTABLISHED)
mysqld 1197 mysql 33u IPv4 36159030 0t0 TCP server.local:mysql->server2.local:38981 (ESTABLISHED)
mysqld 1197 mysql 34u IPv4 35610785 0t0 TCP server.local:mysql->server2.local:36691 (ESTABLISHED)
mysqld 1197 mysql 35u IPv4 36159033 0t0 TCP server.local:mysql->server2.local:38982 (ESTABLISHED)
mysqld 1197 mysql 37u IPv4 35610786 0t0 TCP server.local:mysql->server2.local:36692 (ESTABLISHED)
mysqld 1197 mysql 38u IPv4 35611462 0t0 TCP server.local:mysql->server2.local:36693 (ESTABLISHED)
mysqld 1197 mysql 39u IPv4 35611463 0t0 TCP server.local:mysql->server2.local:36694 (ESTABLISHED)
mysqld 1197 mysql 40u IPv4 36159034 0t0 TCP server.local:mysql->server2.local:38983 (ESTABLISHED)
mysqld 1197 mysql 43u IPv4 36159035 0t0 TCP server.local:mysql->server2.local:38984 (ESTABLISHED)
mysqld 1197 mysql 45u IPv4 35611464 0t0 TCP server.local:mysql->server2.local:36695 (ESTABLISHED)
mysqld 1197 mysql 46u IPv4 35611466 0t0 TCP server.local:mysql->server2.local:36696 (ESTABLISHED)
mysqld 1197 mysql 47u IPv4 35611468 0t0 TCP server.local:mysql->server2.local:36698 (ESTABLISHED)
mysqld 1197 mysql 53u IPv4 35611467 0t0 TCP server.local:mysql->server2.local:36697 (ESTABLISHED)
mysqld 1197 mysql 81u IPv4 28934739 0t0 TCP server.local:mysql->server.local:41298 (ESTABLISHED)
mysqld 1197 mysql 84u IPv4 28934741 0t0 TCP server.local:mysql->server.local:41299 (ESTABLISHED)
mysqld 1197 mysql 114u IPv4 28934743 0t0 TCP server.local:mysql->server.local:41300 (ESTABLISHED)
miniserv. 1275 root 5u IPv4 4105 0t0 TCP *:20000 (LISTEN)
miniserv. 1275 root 6u IPv4 4106 0t0 UDP *:20000
Apache2 1286 root 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 1286 root 6u IPv6 4133 0t0 TCP *:https (LISTEN)
avahi-dae 1300 avahi 13u IPv4 4217 0t0 UDP *:mdns
avahi-dae 1300 avahi 14u IPv6 4218 0t0 UDP *:mdns
avahi-dae 1300 avahi 15u IPv4 4219 0t0 UDP *:60072
avahi-dae 1300 avahi 16u IPv6 4220 0t0 UDP *:44413
Apache2 1396 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 1396 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 1396 www-data 35u IPv4 53893609 0t0 TCP server.local:33766->server2.local:9001 (ESTABLISHED)
master 1628 root 12u IPv4 5232 0t0 TCP *:smtp (LISTEN)
master 1628 root 103u IPv4 5359 0t0 TCP *:submission (LISTEN)
miniserv. 1935 root 6u IPv4 6530 0t0 TCP *:webmin (LISTEN)
miniserv. 1935 root 7u IPv4 6531 0t0 UDP *:10000
Apache2 2545 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 2545 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 2545 www-data 35u IPv4 53924796 0t0 TCP server.local:33844->server2.local:9001 (ESTABLISHED)
Apache2 3155 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 3155 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 3155 www-data 35u IPv4 53803788 0t0 TCP server.local:33550->server2.local:9001 (ESTABLISHED)
Apache2 4436 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 4436 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 4436 www-data 35u IPv4 53924619 0t0 TCP server.local:33843->server2.local:9001 (ESTABLISHED)
Apache2 8768 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 8768 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 8768 www-data 35u IPv4 53892156 0t0 TCP server.local:33764->server2.local:9001 (ESTABLISHED)
Apache2 8773 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 8773 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 8773 www-data 35u IPv4 53912304 0t0 TCP server.local:33797->server2.local:9001 (ESTABLISHED)
Apache2 9275 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 9275 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 9275 www-data 35u IPv4 53923945 0t0 TCP server.local:33840->server2.local:9001 (ESTABLISHED)
Apache2 9276 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 9276 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 9276 www-data 35u IPv4 53890648 0t0 TCP server.local:33754->server2.local:9001 (ESTABLISHED)
sshd 10312 root 3r IPv4 53910247 0t0 TCP server.stratoserver.net:ssh->dynamic.b-ras1.srl.dublin.eircom.net:18262 (ESTABLISHED)
Apache2 10555 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 10555 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 10555 www-data 35u IPv4 53918771 0t0 TCP server.local:33805->server2.local:9001 (ESTABLISHED)
Apache2 10557 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 10557 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
Apache2 10557 www-data 35u IPv4 53925404 0t0 TCP server.local:33845->server2.local:9001 (ESTABLISHED)
proftpd 13576 proftpd 1u IPv6 51926297 0t0 TCP *:ftp (LISTEN)
Java 16797 idoms 84u IPv6 28876534 0t0 TCP server.local:41029->server.local:mysql (ESTABLISHED)
Java 16797 idoms 86u IPv6 28876536 0t0 TCP server.local:41031->server.local:mysql (ESTABLISHED)
Java 16797 idoms 87u IPv6 28876537 0t0 TCP server.local:41030->server.local:mysql (ESTABLISHED)
Java 16797 idoms 88u IPv6 28876619 0t0 TCP *:9001 (LISTEN)
Java 16797 idoms 100u IPv6 28934738 0t0 TCP server.local:41298->server.local:mysql (ESTABLISHED)
Java 16797 idoms 104u IPv6 28934740 0t0 TCP server.local:41299->server.local:mysql (ESTABLISHED)
Java 16797 idoms 106u IPv6 28934742 0t0 TCP server.local:41300->server.local:mysql (ESTABLISHED)
Apache2 26222 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
Apache2 26222 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
私の訓練されていない目はそこに奇妙なものを見ていません。誰かが私に何か提案をすることができますか?
Webアプリケーションはcurl
を使用しますか、それともデータベースとの通信などのネットワーク操作を行いますか?
ネットワーク接続が確立されるときはいつでも、送信元ポート、宛先IP、および宛先ポートを選択する必要があります。送信元ポートは ephemeral range から選択されます。
これらのネットワーク接続の1つがポート60922を選択し、rkhunterの実行と同時にそれを使用していたと思われます。それがrkhunterが生成した唯一のアラートである場合、それはほぼ間違いなく誤検知であり、心配する必要はありません。繰り返し報告する場合は、さらに調査する必要があります。