IV. Installation and Use of the Knark Software Package
The core of this package is knark.c, a Linux LKM (loadable kernel module). Run "make" to compile the knark package and "insmod knark" to load the module. Once knark is loaded, the hidden directory /proc/knark is created; it contains the following files:
- author: a self-introduction by the author
- files: the list of files hidden in the file system
- nethides: the strings hidden from /proc/net/[tcp|udp]
- pids: the list of hidden pids, in a format similar to ps output
- redirects: the list of executables whose execution is redirected
After the package is compiled, the following tool programs are also built (all of them depend on the loaded module knark.o, except taskhack.c, which modifies /dev/kmem directly):
After an intrusion, intruders often store the knark tools in a hidden subdirectory created under /dev, such as /dev/.ida/.knard.
V. Checking Whether Knark Has Been Installed on the System
Creed, the author of Knark, released a tool, knarkfinder.c, for discovering processes hidden by Knark.
The most direct way to check whether Knark is installed is to run one of the Knark tools, such as rootme, as an unprivileged user and see whether that user obtains root privileges. Currently Knark has no authentication mechanism, so any local user on a system where Knark is installed can run this program and obtain root.
The most effective way to detect whether the system is infected by knark or a similar rootkit is to use kstat. For details, refer to the article by Nexeon on this site: LKM rootkit detection.
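Two of the checks described above, written up as an added example (not code from the article or from the knark package): a direct lookup of the hidden /proc/knark directory, and the knarkfinder-style comparison of the pids visible in a /proc listing against the pids that answer a direct probe. It assumes a Linux /proc filesystem and that knark hides entries only from directory listings, not from direct path lookup, as the article describes for /proc/knark.

```sh
#!/bin/sh
# Added example: defender-side checks for a knark-style LKM rootkit.
# Assumes /proc is mounted and that hiding affects listings, not direct lookups.

# Check 1: /proc/knark is removed from listings, but a direct lookup of a file
# the article names (author, pids, ...) still answers. Returns 0 if present.
knark_proc_present() {
    [ -e /proc/knark/author ] || [ -e /proc/knark/pids ]
}

# Pids visible in a /proc directory listing (what ps and ls see), space separated.
listed_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
}

# Pids that answer a direct probe for 1..$1: a /proc/<pid> lookup first, then a
# signal-0 check (kill -0 fails with EPERM for other users' processes, so it is
# only a fallback). Space separated.
probed_pids() {
    i=1
    while [ "$i" -le "$1" ]; do
        if [ -d "/proc/$i" ] || kill -0 "$i" 2>/dev/null; then
            printf '%s ' "$i"
        fi
        i=$((i + 1))
    done
}

# Pure comparison (testable with constructed input): every pid in $2 (probed)
# that is absent from $1 (listed) is printed, one per line.
hidden_from_listing() {
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;        # visible in the listing, nothing to report
            *) echo "$p" ;;     # alive but not listed: hidden
        esac
    done
}

# Live scan. Default range is 32768, the pid_max of the kernels knark targeted;
# pass a larger bound for a modern kernel (read /proc/sys/kernel/pid_max).
scan_hidden_pids() {
    hidden_from_listing "$(listed_pids)" "$(probed_pids "${1:-32768}")"
}

if knark_proc_present; then echo "ALERT: /proc/knark is present"; fi
scan_hidden_pids | sed 's/^/ALERT: pid alive but hidden from \/proc listing: /'
```

A pid that starts between the listing and the probe can produce a one-off false positive; rerun the scan and treat only pids reported twice as suspect.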
VI. Preventing Knark
The most effective way to prevent knark is to prevent intruders from obtaining root privileges. Once the conventional protective measures are in place, the following additional methods can be used against LKM-based rootkits such as knark:
- Build and use a kernel that does not support module loading, that is, a monolithic kernel. Knark then cannot be inserted into the kernel.
- Use lcap (http://pweb.netcom.com/~spoon/lcap/) to remove the kernel's module-loading capability after the system has booted, which prevents intruders from loading modules. This method has a weakness: an intruder who has already obtained root can modify the startup scripts so that the knark module is loaded before lcap runs, bypassing its restriction.