Whether the system is installed by the invader Rootkit

xiaoxiao2021-03-06  93

I. What is the rootkit?

Before explaining what is rootkit, you must first explain, what is Trojaned System Commands?

Trojaned System Commands Chinese or can be translated into a "Trojan horse program" (or Troy system instruction).

I believe everyone should know the "Trojan Horse Tucheng" creation?!

Any process, on the surface, it makes it a normal program, but in fact, it is secretly, replaced the normal procedure, and left some special system back door to facilitate rearward, can control the host in secret, or The procedure for destroying behavior, let's say that this is a Trojan horse program, commonly known as: backdoor or Trojan.

When this program is hidden, we call: in the Trojan.

The source of Trojans can probably be divided into the following:

The system is invaded, which is implanted by Cracker

In the host system, a general permission user carefully designed trap

Execute the unidentified procedure

Installed the talented program suite

Infected by NetWork Worm.

Among them, in the case: the system is invaded, infects the worm, and the three procedures are unknown. These three are most common.

In the case of system invasion, most of the Cracker will not make it, immediately and obviously destroyed, only the hacker of the next product, or to show yourself, pretend to be ourselves, or satisfy This is the Script Kids of the hacker family.

(In fact, these guys are not real hackers, just ready-made tools, and attack behavior on vulnerabilities.

Typically, they will install a number of muta, let the normal procedures are replaced, let the system work, try not to have any abilities, then leave the convenient back door, after supplying and out, then, they will be cleared After the traces (such as record files, instruction history documents), quietly leave. Wait until, it will come in again, it will come in .....

(The hacker of the upper top, will not do any changes to the system, and will notify the station owner, those there are vulnerabilities? Even help the main landlord, make the vulnerability, and the usual name is: education experiment, they Compared: Can I get the respect and status of the hacker community)

The so-called rootkit is a person with a heart, organizing these common Trojans, making a set of program kits to facilitate Cracker to attack the host, smoothly compile and install Trojans smoothly on the victims.

Some rootkit pure experimental properties, there are also rootkit itself, just a rootkit Trojan, let the trial rootkit, in the Trojan. (Rootkit Rootkit ?! ;-))

There are many kinds of rootkit. In normal rootkit, all Trojans, mostly spread in the form of original program code, many of which are gradually transplanted by early BSD UNIX systems (port), therefore, almost in various On the machine platform, there are Rootkit traces, and variant and pattern can be said to be, the shape is color, the five flowers.

(I have a Rootkit on my hands, there is no dozens, Linux, FreeBSD, Solaris, NT, W2K, Novell, Dos ....

In general, in rootkit, common Trojans and tools are:

Bindshell

CHFN

chsh

crontab

DU

Find

Fix

Ifconfig

inetd

Killall

linsniffer

login

LS

Netstat

Passwd

PIDOF

PS

RSHD

Sniffchk

Syslogd

TCPD

TOP

WTED

Z2

II. Symptoms of Rootkit:

After the Trojans in the host, there is usually not too big. (However, the quality of the Trojan will have a significant condition.)

Network management personnel observe the host's operations even if you use PS, NetStat, LSOF, TOP and other programs, and you will not find any strange itinerary, because these commonly used instructions have been Cracker Changed, in other words, when you view these Trojans, you can see the screen, it is likely to make it! However, the Trojan, after all, it is not a real program, it and the original procedures, always There are some differences, perhaps in the short term, but I can't feel the same, but long, I can't fully exert the original real functionality of the program. Therefore, these differences will eventually be one day, causing host abnormalities. Operation.

Therefore, once you find any strange phenomena, the first thing to do is:

Try to doubt: Does my host have a Trojan ?!

3. Simple examination method:

However, the light is suspicious, there is no way, and often suspected of suspected ghosts, network management people will get sooner or later. "Neurae weakness"; -q

Good use of tools!

Here, introducing the Chkrootkit launched by http://www.chkrootkit.org.

As the name suggests, Chkrootkit is a convenient tool that checks if rootkit exists.

Chkrootkit can be used in the following platforms:

Linux 2.0.x, 2.2.x

FreeBSD 2.2.x, 3.x and 4.0

OpenBSD 2.6, 2.7 and 2.8 (if you are very intentional to security, you will recommend you openbsd 2.8, I am playing this. ^ _ ^)

Solaris 2.5.1, 2.6 and 8.0.

As of now (05/08/2001), the latest version is: chkrootkit v0.32

It can detect the following rootkit and Worm:

LRK3

LRK4

LRK5

LRK6 (AND Some Variants)

Solaris rootkit

Freebsd rootkit

T0RN (include "and t0rn v8)

Ambient's Rootkit for Linux (ARK)

Ramen Worm; RH [67] -Shaper

RSHA

Romanian rootkit

RK17

Lion Worm

ADORE WORM

LPD WORM

Kenny-rk

ADORE LKM

It mainly checks the following procedures in the system:

Basename

BIFF

CHFN

chsh

cron

date

DIRNAME

DU

echo

ENV

Find

fingerd

gpm

GREP

Identd

Ifconfig

inetd

Killall

login

LS

Mail

MINGETTY

Netstat

Passwd

PIDOF

POP2

POP3

PS

PStree

rlogind

RPCINFO

RSHD

Sendmail

sshd

SU

Syslogd

Tar

TCPD

Telnetd

TIMED

TOP

Traceroute

Write

Installation method:

Chkrootkit installation and use is very simple! (Please refer to http://www.chkrootkit.org/ FAQ)

download

Can be downloaded to hkrootkit.tar.gz to http://www.chkrootkit.org

Or ftp.tnc.edu.tw/security/ download: chkrootkit-0.32.tar.gz (Be careful! Is this Trojan? ^ _ ^ ....... I opened you, don't be true!)

Decompression

Tar xvzf chkrootkit-0.32.tar.gz

Compile

CD chkrootkit-0.32

Make Sense

carried out

./chkrootkit> chk.lst

Check this text file to see if there is any Trojan or WORM?

The following is part of Chk.LST, which means that the system should be clean. (Not 100%! But at least peace of mind!) Rootdir is `/ '

Checking `basename '... not vulnerable

Checking `Biff '... NOT TESTED

Checking `CHFN '... NOT Vulnerable

Checking `Chsh '... not vulnerable

Checking `cron '... NOT Vulnerable

Checking `Date '... Not Vulnerable

Checking `du '... NOT Vulnerable

Checking `Dirname '... Not Vulnerable

Checking `echo '... not vulnerable

Checking `env '... Not Vulnerable

Checking `Find '... NOT Vulnerable

Checking `fingerd '... not vulnerable

Checking `GPM '... NOT Vulnerable

Checking `Grep '... not vulnerable

Checking `Su '... Not Vulnerable

Checking `ifconfig '... NOT Vulnerable

Checking `inetd '... not vulnerable

Checking `Identd '... Not Vulnerable

Checking `Killall '... NOT Vulnerable

Checking `login '... NOT Vulnerable

Checking `ls' ... Not Vulnerable

Checking `Mail '... Not Vulnerable

Checking `MINGETTY '... NOT Vulnerable

Checking `NetStat '... not vulnerable

Checking `Passwd '... Not Vulnerable

Checking `Pidof '... Not Vulnerable

Checking `pop2 '... NOT TESTED

Checking `pop3 '... NOT TESTED

Checking `PS '... NOT Vulnerable

Checking `PStree '... NOT Vulnerable

Checking `rpcinfo '... NOT Vulnerable

Checking `rlogind '... NOT Vulnerable

Checking `RSHD '... NOT Vulnerable

Checking `Sendmail '... NOT Vulnerable

Checking `sshd '... NOT Vulnerable

Checking `syslogd '... not vulnerable

Checking `Tar '... not vulnerable

Checking `TCPD '... NOT Vulnerable

Checking `Top '... Not Vulnerablechecking` Telnetd' ... Not Vulnerable

Checking `Timed '... Not Vulnerable

Checking `Traceroute '... Not Vulnerable

Checking `Write '... not vulnerable

Checking `ASP '... NOT Vulnerable

Checking `Bindshell '... not vulnerable

Checking `Z2 '... Nothing deleted

Checking `wted '... Nothing deleted

Checking `rexedcs' ... NOT Vulnerable

Checking `Sniffer '...

Eth0 is not promisc

Checking `Aliens' ... no Suspect Files

Searching for Sniffer's Logs, It May Take A While ... Nothing Found

Searching for t0rn's default files and dirs ... Nothing Found

Searching for t0rn's v8 defaults ... Nothing Found

Searching for Lion Worm Default Files and Dirs ... Nothing Found

Searching for Rsha's Default Files and Dir ... Nothing Found

Searching for rh-sharpe's default files ... Nothing Found

Searching for Ambient's Rootkit (ARK) Default Files and Dirs ... Nothing Found

Searching for Suspicious Files and Dirs, It May Take A While ...

Searching for LPD WORM FILES AND DIRS ... NOTHING FOUND

Searching for Ramen Worm Files and Dirs ... Nothing Found

Searching for rk17 files and dirs ... Nothing Found

Searching for adore Worm ... Nothing Found

Searching for Anomalies in Shell History Files ...

Checking `LKM '... Nothing Detected

Four. What should I do if I do the Trojan?

We can say: If there is a Trojan program, then the main control of this host is not in the network management!

In other words: this host has fallen! It's okay, the only celebration is: it is not moved away by the small ..... ;-)

If it is really unfortunate, I suggest you: you should hurry.

Check the back door

Tracing invasive reasons

Track the invasion source

Psychological preparation for reimbuilding system

Backup important file

Recommity system

More important, strengthen safety and anti-smoking knowledge

Good use tools (such as: installation: Check the file system integrity ": Tripware; Use MD5 Checksum comparison before installing any program suite)

Pay attention to relevant security messages

Diligent system

Develop good network management habits (such as avoiding telnet / ftp, modifying SSH2, SFTP2, SCP)

Continuous care monitoring

Work hard to maintain host security God Bless u and me ..... ^ _ ^

Note:

Some people say: "Pick a small system that is more secure ?!", because it does not cause hacker interest and attention ?!

I think this will be seen.

My suggestion is: It is best not to pick a small number of systems. (In case there is a vulnerability, no one launches the repair kit, or the company fell, or not willing to launch, crying you! Unless you have Ability to repair .....)

To select: At least one special group or company is maintaining, continuously launching a solid kit, continues in progress.

转载请注明原文地址:https://www.9cbs.com/read-123345.html

New Post(0)