Analysis and Prevention of the Linux intrusion tool Knark

This article discusses some of the backdoor techniques attackers commonly use after a successful intrusion on Linux, gives a detailed analysis of one of the best-known rootkit tools, Knark, and explains how to find out whether a system has been compromised with Knark and how to recover afterwards.

  What is a "rootkit"?

Intruders usually clean up their footprints and leave backdoors after an intrusion, and the most common tool for creating backdoors is the rootkit. Don't be misled by the name: a so-called "rootkit" is not something used by the superuser root. It is a package that an intruder uses, after breaking into a host, to create and disguise backdoors. The package usually contains a log cleaner, a backdoor and other programs, and it usually also carries trojaned copies of ps, ls, who, w, netstat and other programs that originally belong to the system. When administrators query the system through these commands, the fake system programs make sure they cannot detect any trace of the intruder.

In some hacker circles, rootkits (or backdoors) are a topic of great interest, and many different rootkits have been developed and published on the Internet. Among them, LKM-based rootkits deserve particular attention because they use the loadable module mechanism of modern operating systems. Running as part of the kernel, such a rootkit is far more powerful and less noticeable than the traditional techniques. Once it is installed and running on the target machine, the system is completely under the hacker's control, and even the system administrator cannot find any trace of it, because the operating system itself can no longer be trusted. The purpose of the backdoor is to keep granting the hacker access to the system even after the administrator has patched the vulnerability that was used to get in.

Intruders use methods such as setuid programs, trojaned system programs and cron backdoors to let an unprivileged user obtain root permissions.

* Setuid program. The hacker places a setuid-root program somewhere on the file system; whenever it is executed, the caller becomes root.

* Trojaned system program. The hacker replaces some system programs, such as the "login" program, so that when certain conditions are met they grant the hacker the highest permissions.

* Cron backdoor. The hacker adds or modifies cron jobs so that a program runs at a specific time and grants the highest permissions.

The following methods are used to give a remote user the highest access permissions: the ".rhosts" file, ssh authentication keys, bind shells and trojaned service programs.

* ".rhosts" file. Once "++" is added to a user's .rhosts file, anyone can log in to that account without a password.

* Ssh authentication key. The hacker puts his own public key into the target account's "authorized_keys" file and can then log in to that account without a password.

* Bind shell. The hacker binds a shell to a specific TCP port; anyone who connects to that port with telnet obtains an interactive shell. More sophisticated backdoors can be based on UDP, unconnected TCP or even ICMP.

* Trojaned service program. Any open service can be trojaned to provide remote access, for example by using inetd to bind a shell to a specific port, or by using the ssh daemon to provide access.
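A defender's audit for three of the backdoor indicators listed above (a wildcard ".rhosts", authorized_keys entries that are not in your baseline, and setuid-root files outside an allow list). This is an added example, not code from the article; the sample file contents and the baseline set are constructed, and a real run would feed it the account's actual files and a baseline recorded before the incident.

```python
import os
import stat
RHOSTS_SAMPLE = "trusted.example.org alice\n++\n"   # constructed sample, not a real file
AUTHORIZED_KEYS_SAMPLE = (                           # constructed sample, not a real file
    "ssh-rsa AAAAB3known== alice@laptop\n"
    'command="/bin/true" ssh-ed25519 AAAAC3unknown unknown@nowhere\n'
)
KNOWN_KEY_BLOBS = {"AAAAB3known=="}   # baseline: key blobs you installed yourself

def rhosts_is_open(text):
    """True if a .rhosts line is only '+' wildcards ('+', '+ +', '++'): any host may log in."""
    for line in text.splitlines():
        s = line.strip()
        if s and set(s) <= {"+", " ", "\t"}:
            return True
    return False

def unknown_ssh_keys(text, known_blobs):
    """authorized_keys entries whose key blob is not in the baseline (options may precede the type)."""
    unknown = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                if i + 1 >= len(fields) or fields[i + 1] not in known_blobs:
                    unknown.append(line)
                break
    return unknown

def is_setuid_root(st_mode, st_uid):
    """Regular file owned by root with the setuid bit: runs as root for any caller."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0

def unexpected_setuid_root(roots, allowed):
    """Walk directories and return setuid-root files not on the allow list (lstat: symlinks skipped)."""
    hits = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue   # vanished or unreadable; not a finding by itself
                if is_setuid_root(st.st_mode, st.st_uid) and path not in allowed:
                    hits.append(path)
    return hits
```

The allow list for unexpected_setuid_root should come from a known-good package manifest or a pre-incident baseline, since a trojaned system binary is usually placed at the path of the program it replaces.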

After an intruder installs and runs a backdoor, he tries to hide the evidence. This involves two problems: how to hide his files and how to hide his processes.

To hide files, intruders replace common system commands such as "ls", "du" and "fsck". At a lower level, they mark some areas of the hard disk as bad blocks and store their files there, or, if the intruder is crazy enough, he puts files into the boot block.

To hide a process, he can replace the "ps" program, or modify argv[] so that the program looks like a legitimate service program. Interestingly, if a program is turned into an interrupt driver, it does not appear in the process table at all.
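A check for the process-hiding techniques just described, added here as an example (it is not code from the article or from Knark): it compares the PIDs and thread IDs that /proc lists with the PIDs the kernel acknowledges through kill(pid, 0), which a module that only filters /proc directory listings (or a trojaned ps) leaves untouched. Thread IDs are included in the listing because kill(2) answers for them too, which would otherwise produce false positives.

```python
import os

def pid_exists(pid):
    """Ask the kernel directly: kill(pid, 0) sends no signal but reports whether
    the PID exists (EPERM means it exists but belongs to another user)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def listed_ids():
    """PIDs in /proc plus the thread IDs under /proc/<pid>/task, i.e. everything
    a directory listing (what ps and top read) would show."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass   # process exited between the two reads
    return ids

def pid_max():
    """Upper bound of the PID space, from the kernel's own setting."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768   # historical default, used if the file is unavailable

def hidden_pids(visible, candidates, exists, relist=None):
    """PIDs that answer the probe but are missing from the listing.
    `exists` and `relist` are injected so the comparison can be tested offline;
    `relist` re-reads the listing to discard processes that merely started
    between the two snapshots (a race, not a rootkit)."""
    suspects = [p for p in candidates if p not in visible and exists(p)]
    if relist is not None and suspects:
        fresh = relist()
        suspects = [p for p in suspects if p not in fresh]
    return suspects

def scan():
    """Live scan of this host (run as root); returns PIDs hidden from /proc."""
    return hidden_pids(listed_ids(), range(1, pid_max() + 1), pid_exists, listed_ids)
```

A rootkit that also intercepts the kill system call can defeat this probe, so a clean result is evidence rather than proof; any PID it does report deserves a closer look with a second, independent method.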

  Rootkit Knark: history

Knark is a second-generation rootkit based on LKM (loadable kernel module) technology, which can effectively hide system information. The author includes a disclaimer in the code and in the README file, stating that he is not liable and that the code must not be used for illegal activity; however, the software can easily be used for exactly that purpose.

Knark was written by creed@sekure.net, based mainly on the heroin.c code written by Jensen; the design idea comes largely from "Weakening the Linux Kernel", published by plaguez in Phrack 52. After rewriting most of heroin.c, Creed decided to rename it "Knark", which is Swedish for a drug addict. Other software written by Creed can be found at www.sekure.net/~happy-h.

The first public version of Knark was 0.41, released in June 1999; see B4B0 #9 at http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt. Versions 0.50 and 0.59 followed, and 0.59 is the current version.

  Knark features

Knark 0.59 has the following features:

* Hide or show files or directories

* Hide TCP or UDP connections

* Program execution redirection

* Privilege escalation for unprivileged users ("rootme")

* A tool to change the UID/GID of a running process

* Remote execution of commands, as an unprivileged or a privileged program

* Hiding running processes with "kill -31"

Combining execution redirection with file hiding lets intruders run all kinds of backdoor programs. Because the redirection happens at the kernel level, a file integrity checker will not see the program file as modified: the original executable is untouched, so a configuration checker also finds nothing unusual in the PATH.

If Knark is combined with modhide, another LKM that hides the currently loaded module, the presence of Knark may not even be revealed by the lsmod command.
