Copyright 2001 OLS3. This article is for educational reference only; please obtain the author's consent before using it for any other purpose. (The statement above is mainly to keep commercial outfits from appropriating it. Otherwise, please use it freely and without restriction, and don't let it cause any hard feelings.)

I. What is a rootkit?

Before explaining what a rootkit is, we first have to explain what Trojaned System Commands are. "Trojaned System Commands" can be rendered in Chinese as Trojan-horse system commands. I believe everyone knows the story of the Trojan Horse?! A program that on the surface disguises itself as a normal program but in fact secretly alters the normal program's behaviour, leaves a special back door in the system so that the intruder can operate the host at will, or carries out destructive actions, is what we call a Trojan horse program, commonly known as a backdoor or Trojan. When such a program hides inside a system command, we call that command a Trojaned System Command.

Where do Trojans come from? Roughly the following: a root compromise of the host, where the cracker already holds root on the system; an ordinary user of the host, lured by a carefully designed trap, running an unidentified program that installs the Trojan; and infection by a network worm. Of these, a system intrusion, a worm infection and the execution of unknown programs are the three most common.

As for system intrusions: most crackers will not cause immediate and obvious damage. Only the lowest grade of "hacker", showing off, feeling sorry for themselves or satisfying themselves, does that, and the Script Kiddies of the hacker family behave the same way.
(In fact these people are not real hackers at all; they just pick up ready-made tools and go after hosts with known vulnerabilities.) Usually they install a number of Trojaned programs to replace the normal ones, so that the system keeps working and, as far as possible, nothing looks out of the ordinary; then they leave themselves convenient back doors so they can come and go freely. Next they quietly clean up the traces (such as log files and command history files) and leave. When they need to come in again, in they come..... (The hackers of the older generation would not make any changes to the system at all; they would notify the site owner that the host has a vulnerability, and even help the owner fix it, under the usual name of "educational experiment". What they cared about was whether they could earn the respect and standing of the hacker community.)

So what is a rootkit? It is a set of these common Trojans packaged into a program kit, to make it convenient for a cracker, once in, to install Trojans on the victim host. Some rootkits are purely experimental in nature. Rootkits have also been seen that contain a Trojan themselves, so that whoever tries the rootkit out is Trojaned in turn (the rootkit's rootkit?! ;-)

There are many kinds of rootkit. The Trojans in a rootkit are mostly spread in the form of source code, and many of them were gradually ported from the early BSD UNIX systems, so traces of rootkits can be found on almost every machine platform, in variants and patterns of every shape and colour. (What I have on hand at the moment is no fewer than several dozen: Linux, FreeBSD, Solaris, NT, W2K, Novell, DOS.... all of them.) In general, the Trojans and tools commonly found in a rootkit are:

bindshell chfn chsh crontab du find fix ifconfig inetd killall linsniffer login ls netstat passwd pidof ps rshd sniffchk syslogd tcpd top wted z2

II. Symptoms of a rootkit

After a host has been Trojaned, there is usually not much visible difference, at least nothing obvious. The administrator watches the host's operation and sees no strange processes in memory. This is because those commonly used commands have already been replaced by the cracker; in other words, when you use these Trojaned commands to look at the system, the picture you see is very likely a fake! But a Trojaned program is, after all, not the real program, and there is always some small difference from the original. In the short term you may not feel it, but in the long run it cannot behave exactly like the true original, so sooner or later these differences will cause anomalies on the host. Therefore, as soon as you notice any strange phenomenon, the first thing to do is to suspect: has my host been Trojaned?!

III. A simple check

Suspicion alone, however, gets you nowhere, and an administrator who suspects everything all the time will sooner or later become "neurotic" ;-q A good tool is needed! Here I introduce chkrootkit, published at http://www.chkrootkit.org. As its name suggests, chkrootkit checks whether a rootkit is present.
chkrootkit can be used on the following platforms: Linux 2.0.x and 2.2.x; FreeBSD 2.2.x, 3.x and 4.0; OpenBSD 2.6, 2.7 and 2.8 (if you care a lot about security, I recommend OpenBSD 2.8; it is what I am running ^_^); Solaris 2.5.1, 2.6 and 8.0. As of today (05/08/2001) the latest version is chkrootkit v0.32. It can detect the following rootkits and worms:

lrk3, lrk4, lrk5, lrk6 (and some variants), Solaris rootkit, FreeBSD rootkit, t0rn (including some variants and t0rn v8), Ambient's rootkit for Linux (ARK), Ramen Worm, rh[67]-shaper, RSHA, Romanian rootkit, RK17, Lion Worm, Adore Worm, LPD Worm, kenny-rk, Adore LKM

The system programs it inspects are mainly the following:

basename biff chfn chsh cron date dirname du echo env find fingerd gpm grep identd ifconfig inetd killall login ls mail mingetty netstat passwd pidof pop2 pop3 ps pstree rlogind rpcinfo rshd sendmail sshd su syslogd tar tcpd telnetd timed top traceroute write

Installation: installing and using chkrootkit is very simple (but be sure to read the FAQ at http://www.chkrootkit.org/!).

Download: chkrootkit.tar.gz can be downloaded from http://www.chkrootkit.org/, or chkrootkit-0.32.tar.gz from ftp.tnc.edu.tw/security/. (Careful! Could this one be a Trojan too? ^_^ ....... just kidding, don't take it seriously! The joke does have a point, though: fetch it from the official site, and compare it against whatever checksum or signature the project publishes before you run it.)

Unpack: tar xvzf chkrootkit-0.32.tar.gz

Compile: cd chkrootkit-0.32 ; make sense

Run: ./chkrootkit > chk.lst

Check: open the text file chk.lst and look for any Trojan or worm. Below is part of a chk.lst; output like this means the system should be clean. (Not 100%! But at least it gives some peace of mind.)

ROOTDIR is `/'
Checking `basename'... not infected
Checking `biff'... not tested
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `identd'... not infected
Checking `killall'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not tested
Checking `pop3'... not tested
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not infected
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `z2'... nothing deleted
Checking `wted'... nothing deleted
Checking `rexedcs'... not infected
Checking `sniffer'... eth0 is not promisc
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient'
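An added example, not part of OLS3's article and not code shipped with chkrootkit: a small POSIX shell script that covers two things a practitioner wants around the run described above. First, it triages a saved report such as chk.lst, listing every line whose verdict is not one of the phrases chkrootkit prints on a clean host, so that an INFECTED or PROMISC verdict cannot be overlooked in a long listing. Second, because chkrootkit runs on top of the host's own ls, ps, netstat and friends, exactly the binaries the symptoms section says a rootkit replaces, it keeps a checksum baseline of those binaries taken on a known-clean system and reports any that have changed or gone missing. The function names (chk_findings, hash_file, make_baseline, verify_baseline, write_samples), the CLEAN_RE phrase list and the two sample reports are this example's own assumptions; the sample reports are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from OLS3's page, not part of chkrootkit).
#  1. chk_findings: triage a saved chkrootkit report (chk.lst) and print every
#     line whose verdict is not one of chkrootkit's clean phrases.
#  2. make_baseline / verify_baseline: hash the binaries a rootkit replaces
#     against a manifest taken on a known-clean host.
# All names below are this example's own; nothing here is chkrootkit's API.

# Phrases chkrootkit prints on a clean host (assumed list); anything else is
# reported, e.g. "INFECTED", "eth0 is PROMISC" or a warning line.
CLEAN_RE='not infected|not tested|nothing found|nothing deleted|no suspect files|is not promisc|^ROOTDIR is'

# chk_findings REPORT -> prints suspicious lines; returns 1 if any, 0 if clean
chk_findings() {
    found=$(grep -v -i -E "$CLEAN_RE" "$1" | grep -E '[^[:space:]]' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# hash_file PATH -> SHA-256 hex digest, via GNU sha256sum or BSD/macOS shasum
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline BINDIR MANIFEST NAME... -> one "digest path" line per binary
# that exists in BINDIR; names that are absent on this host are skipped.
make_baseline() {
    bindir=$1; manifest=$2; shift 2
    : > "$manifest"
    for name in "$@"; do
        [ -f "$bindir/$name" ] || continue
        printf '%s %s\n' "$(hash_file "$bindir/$name")" "$bindir/$name" >> "$manifest"
    done
}

# verify_baseline MANIFEST -> prints CHANGED/MISSING entries; 0 only if all match
verify_baseline() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# write_samples DIR -> two constructed reports (not real captures): clean.lst
# has only clean verdicts, infected.lst has a trojaned ls and a sniffing NIC.
write_samples() {
    cat > "$1/clean.lst" <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `ps'... not infected
Checking `biff'... not tested
Checking `z2'... nothing deleted
Checking `sniffer'... eth0 is not promisc
Checking `aliens'... no suspect files
Searching for t0rn's default files and dirs... nothing found
EOF
    cat > "$1/infected.lst" <<'EOF'
ROOTDIR is `/'
Checking `ls'... INFECTED
Checking `ps'... not infected
Checking `sniffer'... eth0 is PROMISC
Searching for t0rn's default files and dirs... nothing found
EOF
}
```

Usage, with rkcheck.sh as a hypothetical file name for the script: ./chkrootkit > chk.lst ; . ./rkcheck.sh ; chk_findings chk.lst. Take the baseline right after installation (make_baseline /bin manifest ls ps netstat ...) and keep the manifest together with a known-good copy of sha256sum on read-only media; a baseline made on a host that is already compromised only certifies the Trojans, and a verify run that uses a Trojaned hashing tool proves nothing.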