Rootkit is a term encountered often in network security. The NSA Glossary of Terms Used in Security and Intrusion Detection defines rootkit as follows: "A hacker security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan Horse software. Rootkit is available for a wide range of operating systems."
Many people misunderstand this and think a rootkit is a tool for obtaining root access to a system. In fact, a rootkit is the set of tools an attacker uses to hide his own traces and to retain root access. Typically the attacker first gains access to the system through a remote exploit, or by guessing or cracking a password. Once inside, if he does not yet have root privileges, he obtains them through some security vulnerability. Next, the attacker installs the rootkit on the compromised host and then logs in regularly through the rootkit's backdoor to check the system; if nobody else is logged in, he starts cleaning his own entries out of the logs. After obtaining usernames and passwords for other systems from the rootkit's sniffer, the attacker uses that information to break into those systems as well.
What is a rootkit
Rootkits appeared in the early 1990s; the term rootkit was first used in a security advisory in February 1994. That advisory is CERT-CC's CA-1994-01, titled "Ongoing Network Monitoring Attacks", last revised on September 19, 1997. Since then rootkit technology has developed very rapidly, its use has become wider and detection has become harder. Most rootkits are written for the SunOS and Linux operating systems (:P). Every rootkit basically consists of several separate programs; a typical rootkit includes:
An Ethernet sniffer program, used to capture usernames, passwords and similar information transmitted on the network.
Trojaned programs, such as inetd or login, that provide the attacker with a backdoor.
Programs that hide the attacker's directories and processes, such as ps, netstat, rshd and ls.
It may also include log cleaning tools such as zap, zap2 or z2, which the attacker uses to delete the entries about himself from wtmp, utmp and lastlog.
Some more complex rootkits can also provide the attacker with telnet, shell and finger services.
It may also include scripts used to clean the /var/log and /var/adm directories.
The attacker uses the rootkit to replace the system's original ps, ls, netstat, df and other programs, so that the system administrator cannot discover his traces through these tools. He then uses the log cleaning tools to clean the system logs and remove his own trace. Afterwards the attacker frequently enters the system through the installed backdoor to read the sniffer's log and to launch further attacks. If the attacker installs the rootkit properly and cleans the log files carefully, the system administrator will find it very hard to detect that the system has been compromised, until the administrator of some other system complains or the sniffer's log fills the whole disk, by which time the damage is already a serious disaster. However, most attackers are not that careful, or simply delete all of the system logs when cleaning up, and an alert administrator can determine from these anomalies that the system has been compromised. Even so, during recovery and cleanup the most common commands such as ps, df and ls can no longer be trusted. Many rootkits include a program called fix. Before installing the rootkit, the attacker can use this program to take a snapshot of the system's original binaries and then install the replacements. fix forges the replacement's three timestamps (atime, ctime, mtime), date, permissions, owner and group from the original program. If the attacker uses these tools precisely, the administrator will have great difficulty noticing that a rootkit was installed.
Linux Rootkit IV
As mentioned above, most rootkits target Linux and SunOS, so let us introduce a very typical Linux rootkit: Linux Rootkit IV. Linux Rootkit IV is an open-source rootkit written by Lord Somer and released in November 1998. It is not the first Linux rootkit; before it came LRK, lnrk, lrk2 and lrk3. These rootkits include the commonly used rootkit components, such as sniffers, log editing and deletion tools, and backdoors.
After so many years of development, Linux Rootkit IV has grown more and more features. Although its code base is large, it is very easy to install and use: a plain make install installs it successfully, and if the shadow password tools are needed, make shadow install does that. Note: Linux Rootkit IV only works with Linux 2.x kernels. Below we briefly introduce the tools included in Linux Rootkit IV; for details please refer to the README file in its release package.
Programs that hide the intruder
To hide the intruder's traces, the author of Linux Rootkit IV went to great lengths writing replacements for many system commands; these replacements are installed in place of the original commands to conceal the intruder. They include:
ls, find, du
These programs prevent the intruder's files, and the disk space they occupy, from being displayed. Before compiling, the intruder can set the file that lists the names to hide via ROOTKIT_FILES_FILE; the default is /dev/ptyr. Note that if the showflag option is enabled at compile time, ls -/ lists all files. These programs also automatically hide every file named ptyr, hack.dir or W4r3z.
ps, top, pidof
These programs hide all processes related to the intruder.
netstat
Hides incoming and outgoing network traffic for specified IP addresses or ports.
killall
Will not kill processes hidden by the intruder.
ifconfig
If the intruder has started a sniffer, this program suppresses display of the PROMISC flag, so that the administrator has difficulty noticing that a network interface is in promiscuous mode.
crontab
Hides the attacker's crontab entries.
tcpd
Prevents certain connections from being logged.
syslogd
Filters certain connection information out of the logs.
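Since the replaced ps, ls, netstat and ifconfig all lie to the administrator, a defender's check is to compare what those user-space tools report against what the kernel itself exposes under /proc and /sys. The following is an added example and not code from the article or from Linux Rootkit IV; it assumes a Linux host with the usual /proc and /sys/class/net layout and relies on the IFF_PROMISC bit (0x100) of the interface flags file.

```python
import os
import re
import subprocess

IFF_PROMISC = 0x100  # IFF_PROMISC bit in /sys/class/net/<iface>/flags (Linux <linux/if.h>)

def pids_from_proc(proc_root="/proc"):
    """PIDs as the kernel reports them: the numeric entries of /proc."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def pids_from_ps_output(text):
    """PIDs parsed from the text output of 'ps -e' (header line skipped)."""
    pids = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids

def hidden_pids(proc_pids, ps_pids):
    """Processes the kernel knows about but ps does not show: a user-space
    rootkit that trojaned ps cannot remove them from /proc."""
    return sorted(proc_pids - ps_pids)

def promisc_ifaces(flags_by_iface):
    """Interfaces whose kernel flags carry IFF_PROMISC. The input maps an
    interface name to the hex text read from /sys/class/net/<iface>/flags."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if int(flags.strip(), 16) & IFF_PROMISC)

def read_iface_flags(sys_root="/sys/class/net"):
    """Read the flags file of every interface straight from sysfs,
    bypassing a possibly trojaned ifconfig."""
    out = {}
    for iface in os.listdir(sys_root):
        try:
            with open(os.path.join(sys_root, iface, "flags")) as fh:
                out[iface] = fh.read()
        except OSError:
            pass
    return out

if __name__ == "__main__":
    ps_text = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    print("hidden pids:", hidden_pids(pids_from_proc(), pids_from_ps_output(ps_text)))
    print("promiscuous interfaces:", promisc_ifaces(read_iface_flags()))
```

A rootkit that patches the kernel itself, such as the one in the phrack58-0x07 article mentioned at the end, can also falsify /proc and /sys, so this cross-view check only catches the binary-replacement class of rootkit described here.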
Trojaned programs
These provide backdoors for local users and include:
chfn
A privilege escalation program for local ordinary users. Run chfn, and when prompted for a new user name, enter the rootkit password; the user's privileges are then raised to root. The default rootkit password is satori.
chsh
Also a local privilege escalation program. Run chsh, and when prompted for a new shell, enter the rootkit password; the user's privileges are raised to root.
passwd
Same effect as the two programs above. When prompted for a new password, entering the rootkit password gives root privileges.
login
Allows any account to log in with the rootkit password. If logging in as root is refused, the account rewt can be tried. When the backdoor login is used, this program also disables command history.
Trojaned network service programs
These programs provide backdoors for remote users, offering inetd, rsh, ssh and other services depending on the version. With each version upgrade Linux Rootkit IV has become more powerful and richer in features. It generally includes the following network service programs:
inetd
A trojaned inetd that provides the attacker with a remote access service.
rshd
Provides the attacker with a remote shell service. The attacker can start a remote root shell with the command rsh -l rootkitpassword host command.
sshd
A backdoored sshd that provides the attacker with an SSH service.
Toolbox
All programs that do not belong to the types above fall into this category. They implement features such as log cleaning, packet sniffing and binding a remote shell to a port, and include:
fix
Forges file attributes.
linsniffer
Packet sniffer program.
sniffchk
A simple bash shell script that checks whether a sniffer is running on the system.
wted
A wtmp/utmp log editor. It can edit any file in wtmp or utmp format.
z2
A utmp/wtmp/lastlog log cleaning tool. It deletes all entries for a given username from the utmp, wtmp and lastlog files. However, you have to edit its source code by hand to set the location of the log files.
bindshell
Binds a shell service to a port; the default port is 12497. It provides a shell service to remote attackers.
How to find a rootkit
Obviously, the only way to keep your network completely free of rootkits is to make it so secure that an attacker cannot get in at all. Nobody can guarantee that, but keeping some good habits in daily network administration can reduce the losses caused by rootkits to some extent and let you find a rootkit in time.
First, do not transmit passwords across the network in clear text, or use one-time passwords. That way, even if a rootkit has been installed on your system, the attacker cannot collect further usernames and passwords by sniffing the network, which prevents the intrusion from spreading.
Integrity checking tools such as Tripwire and AIDE can help you discover an attacker's intrusion. Such tools differ from other intrusion detection tools: rather than recognizing intrusions by so-called attack signatures, they monitor and check for changes in the system. Tripwire first builds a signature database for the system files and directories that need to be monitored, using a specific signature (hash) function. A signature function takes any file as input and produces data of a fixed size, the signature. If an intruder modifies a file, the file's signature changes even when the file size stays the same. With this database Tripwire can easily discover changes in the system, and forging a file's signature is almost impossible, so no change in the system escapes Tripwire's monitoring (provided, of course, that you have configured it accurately for your own system :P; for the use of Tripwire and AIDE, please refer to the related articles on this site). Finally, you must keep this signature database in a safe place.
Some time ago I wrote several rootkit analysis articles, and this one was intended as the summary of that series. However, the recently released phrack58-0x07 (Linux on-the-fly kernel patching without LKM) describes a rootkit that directly modifies kernel data structures, so I have decided to write a sequel.
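The following is an added example of the integrity-checking idea behind Tripwire and AIDE, not code from either project or from the article: it records a content hash together with the metadata that a rootkit's fix tool tries to preserve (size, mode, owner, mtime), and a later comparison flags a replaced binary whose size and timestamps were left untouched but whose hash no longer matches. The baseline path and directory layout are assumptions for illustration.

```python
import hashlib
import json
import os
import stat

def file_signature(path):
    """Signature of one file: SHA-256 of its content plus the stat fields
    that fix forges (size, mode, uid, gid, mtime). Non-regular files get
    the hash of empty input so only their metadata is compared."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}

def build_baseline(root):
    """Walk root and record a signature for every file beneath it,
    keyed by the path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = file_signature(p)
    return baseline

def compare(baseline, current):
    """Report changed files (with the fields that differ), added files and
    removed files. A changed sha256 with identical size and mtime is exactly
    what a trojaned binary installed with fix looks like."""
    report = {"changed": [], "added": [], "removed": []}
    for rel, sig in sorted(current.items()):
        old = baseline.get(rel)
        if old is None:
            report["added"].append(rel)
        elif old != sig:
            fields = sorted(k for k in sig if sig[k] != old[k])
            report["changed"].append((rel, fields))
    report["removed"] = sorted(set(baseline) - set(current))
    return report

def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this file on read-only or offline media."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)
```

Build the baseline from a known-clean system (for example right after installation) and run compare against a fresh build_baseline of the same tree from trusted media; a baseline stored on the compromised host itself can be rewritten by the attacker.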
Author: nixe0n
Reprinted from: www.netguard.com.cn