
Linux Backdoor Detection and System Recovery

2019-8-11 13:23 | Published by: admin | Views: 502 | Comments: 0






Security Offense and Defense Series



Xiaobai is the Linux system administrator at a company. One day he began to feel that the company's machines were behaving abnormally, and he often had the feeling of being watched. By analysing logs and monitoring network traffic, he found it very likely that the system had been broken into by an attacker who left a rootkit backdoor behind.

01
What Is a Rootkit

What is a rootkit? Simply put, a rootkit is a special kind of malware, and what makes it special is that we cannot find it. Its main function is to hide the processes of other programs, and it may consist of one or more software components. The earliest rootkits were used for benign purposes, but attackers later adopted rootkits for breaking into and attacking other people's computer systems. Computer viruses, spyware and the like also commonly use rootkits to cover their tracks, so most anti-virus vendors classify rootkits as harmful malware. Linux, Windows, Mac OS and other operating systems can all become targets of a rootkit.



A rootkit can also be viewed as a technique. Today the word rootkit more often refers to malware that is loaded into the operating system kernel as a driver. Because its code runs in privileged mode, it can cause unexpected damage.

A rootkit trojan is like AIDS in the information world: once a system is infected it is hard to cure by ordinary means, because, just like its biological counterpart, it destroys the integrity of the system's own self-checks.

A computer system has no immune system, but it does provide facilities for inspecting its own environment: enumerating processes, listing files, privilege-level protection and so on. Most anti-virus software and process tools depend on these built-in facilities to work at all, and it is precisely these facilities that a rootkit trojan subverts.



The history of Linux kernel rootkits goes back to the mid-1990s. From the earliest syscall/pghandler/IDT hijacking to memory injection, most techniques share one trait: the hook. Where and how to place the hook is a discipline in itself; the rarest rootkits on this planet are the ones whose hooks form a code path that corresponds completely to what user space sees, and combining this with cryptographic engineering takes such persistence techniques to their extreme. The quality of a rootkit mostly depends on how well its author understands the kernel itself, in the same way that you know every facet of the person you love most. So how are rootkits generally defended against and detected? A common detection approach is to compare a memory core dump against the kernel symbol table and look for discrepancies.

02

Rootkit Scanning and Detection

The Linux distribution Xiaobai is running is CentOS. He first obtained rootkit detection tools from the internet: rkhunter, determine and chkrootkit.



chkrootkit is a tool for detecting rootkits on a system; it can detect many kinds of rootkit.

rkhunter is an open-source intrusion detection tool for Linux with a broader scan scope than chkrootkit. Besides rootkit signature scanning, rkhunter also supports port scanning and checks the versions of common open-source software and whether files have changed.

determine can be used to detect processes that LKM rootkits hide from ps/top, helping administrators check whether their machines have hidden processes. It also contains a small but extensible signature database for scanning memory. determine works on 2.4 and 2.6 Linux kernels.

Tool downloads:

rkhunter: http://down.51cto.com/data/149294

determine: http://stealth.openwall.net/rootkits/removal/determine-0-24.tgz

chkrootkit: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar and http://www.chkrootkit.org

03

Scanning with rkhunter

Step 1: unpack the archive. Here we simply right-click it and choose "Extract Here".

Step 2: install rkhunter.

Enter the rkhunter-1.3.6 directory, right-click, choose "Open in Terminal", and run: ./installer.sh --install



Step 3: scan the system

rkhunter -c --rwo    # scan the system and show only the warnings in the terminal



Step 4: view and analyse the scan results

After the scan, a report named rkhunter.log is written automatically under /var/log.



The warnings are copied out here:

Warning: Checking for prerequisites [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option is used, all the files on their system are known to be genuine, and installed from a reliable source. The rkhunter '--check' option will compare the current file properties against previously stored values, and report if any values differ. However, rkhunter cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
Warning: Sebek LKM [ Warning ]
Kernel symbol 'adore or sebek' found
Warning: Account 'testadmin' is root equivalent (UID = 0)
Warning: Account 'supervisor' is root equivalent (UID = 0)
Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The output above says that a Sebek LKM may be present; the corresponding content of the report is:
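The warnings above mix three very different things: signs of a kernel-level compromise (the kernel symbol, the extra UID 0 accounts), hidden files that need a second look, and housekeeping items (outdated packages, an unset sshd option). The script below is an added example, not code from the original post or from rkhunter, that triages a `--rwo` warning list into investigation priorities; the sample lines are constructed in the shape of the page's output, and the rule table and severities are my own assumptions.

```python
import re

# Constructed sample in the shape of the page's rkhunter --rwo output (not a real log).
SAMPLE_WARNINGS = """\
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: Sebek LKM [ Warning ]
Kernel symbol 'adore or sebek' found
Warning: Account 'testadmin' is root equivalent (UID = 0)
Warning: Account 'supervisor' is root equivalent (UID = 0)
Warning: The SSH configuration option 'PermitRootLogin' has not been set. The default value may be 'yes', to allow root access.
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
"""

# First matching rule wins. Severity is an investigation priority (assumed), not rkhunter's own.
RULES = [
    ("critical", "kernel_symbol", re.compile(r"Kernel symbol '(?P<what>[^']+)' found")),
    ("critical", "uid0_account",  re.compile(r"Account '(?P<what>[^']+)' is root equivalent")),
    ("high",     "hidden_file",   re.compile(r"Hidden (?:file|directory) found: (?P<what>[^:]+)")),
    ("medium",   "replaced_cmd",  re.compile(r"The command '(?P<what>[^']+)' has been replaced by a script")),
    ("medium",   "ssh_config",    re.compile(r"SSH configuration option '(?P<what>[^']+)'")),
    ("low",      "outdated_app",  re.compile(r"Application '(?P<what>[^']+)', version")),
]

# Hidden *.hmac files beside sshd/openssl are FIPS integrity files shipped by the
# distribution's packages; confirm with `rpm -qf <path>` instead of trusting the name,
# but do not let them bury the hidden files that have no such explanation.
EXPECTED_HIDDEN = re.compile(r"\.hmac$")

def triage(text):
    """Map each warning line to (severity, category, detail); unmatched lines are skipped."""
    findings = []
    for line in text.splitlines():
        for severity, category, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            what = m.group("what").strip()
            if category == "hidden_file" and EXPECTED_HIDDEN.search(what):
                severity = "low"
            findings.append((severity, category, what))
            break
    return findings

def critical_findings(text):
    """The hits that on their own justify treating the host as compromised."""
    return [f for f in triage(text) if f[0] == "critical"]

if __name__ == "__main__":
    for sev, cat, what in sorted(triage(SAMPLE_WARNINGS)):
        print(f"{sev:8} {cat:14} {what}")
```

On a real host, feed it the output of `rkhunter -c --rwo` (or the Warning lines of /var/log/rkhunter.log) instead of the constructed sample.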



04

Scanning with determine

Step 1: unpack the archive.

Step 2: build determine: enter the determine directory and run in the terminal: make



Step 3: start the scan by running in the terminal:

./determine > determine.log

This writes a determine.log file into the determine directory.



Step 4: view and analyse the scan results



Analysing determine.log shows that the system has several hidden processes with no corresponding entries under /proc; a backdoor may be present.

05

Scanning with chkrootkit

Step 1: unpack the archive.

Step 2: build chkrootkit: in the terminal run: make



Step 3: start the scan

./chkrootkit > chkrootkit.log

This scans the system and writes the report chkrootkit.log into the current directory.



Step 4: view and analyse the scan results:

ROOTDIR is `/'

Checking `amd'... not found

Checking `basename'... not infected

Checking `biff'... not found

Checking `chfn'... not infected

Checking `chsh'... not infected

Checking `cron'... not infected

Checking `crontab'... not infected

Checking `date'... not infected

Checking `du'... not infected

Checking `dirname'... not infected

Checking `echo'... not infected

Checking `egrep'... not infected

Checking `env'... not infected

Checking `find'... not infected

Checking `fingerd'... not found

Checking `gpm'... not infected

Checking `grep'... not infected

Checking `hdparm'... not infected

Checking `su'... not infected

Checking `ifconfig'... not infected

Checking `inetd'... not tested

Checking `inetdconf'... not found

Checking `identd'... not found

Checking `init'... not infected

Checking `killall'... not infected

Checking `ldsopreload'... not infected

Checking `login'... not infected

Checking `ls'... not infected

Checking `lsof'... not infected

Checking `mail'... not infected

Checking `mingetty'... not infected

Checking `netstat'... not infected

Checking `named'... not infected

Checking `passwd'... not infected

Checking `pidof'... not infected

Checking `pop2'... not found

Checking `pop3'... not found

Checking `ps'... not infected

Checking `pstree'... not infected

Checking `rpcinfo'... not infected

Checking `rlogind'... not found

Checking `rshd'... not found

Checking `slogin'... not infected

Checking `sendmail'... not infected

Checking `sshd'... not infected

Checking `syslogd'... not infected

Checking `tar'... not infected

Checking `tcpd'... not infected

Checking `tcpdump'... not infected

Checking `top'... not infected

Checking `telnetd'... not infected

Checking `timed'... not found

Checking `traceroute'... not infected

Checking `vdir'... not infected

Checking `w'... not infected

Checking `write'... not infected

Checking `aliens'... no suspect files

Searching for sniffer's logs, it may take a while... nothing found

Searching for HiDrootkit's default dir... nothing found

Searching for t0rn's default files and dirs... nothing found

Searching for t0rn's v8 defaults... nothing found

Searching for Lion Worm default files and dirs... nothing found

Searching for RSHA's default files and dir... nothing found

Searching for RH-Sharpe's default files... nothing found

Searching for Ambient's rootkit (ark) default files and dirs... nothing found

Searching for suspicious files and dirs, it may take a while...

/usr/lib/.libgcrypt.so.11.hmac
/usr/lib/gtk-2.0/immodules/.relocation-tag
/usr/lib/firefox-3.0.18/.autoreg
/usr/lib/.libfipscheck.so.1.1.0.hmac
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/.libfipscheck.so.1.hmac
/lib/.libcrypto.so.0.9.8e.hmac
/lib/.libcrypto.so.6.hmac
/lib/.libssl.so.6.hmac
/lib/.libssl.so.0.9.8e.hmac

Searching for LPD Worm files and dirs... nothing found

Searching for Ramen Worm files and dirs... nothing found

Searching for Maniac files and dirs... nothing found

Searching for RK17 files and dirs... nothing found

Searching for Ducoci rootkit... nothing found

Searching for Adore Worm... nothing found

Searching for ShitC Worm... nothing found

Searching for Omega Worm... nothing found

Searching for Sadmind/IIS Worm... nothing found

Searching for MonKit... nothing found

Searching for Showtee... nothing found

Searching for OpticKit... nothing found

Searching for T.R.K... nothing found

Searching for Mithra... nothing found

Searching for LOC rootkit... nothing found

Searching for Romanian rootkit... nothing found

Searching for HKRK rootkit... nothing found

Searching for Suckit rootkit... nothing found

Searching for Volc rootkit... nothing found

Searching for Gold2 rootkit... nothing found

Searching for TC2 Worm default files and dirs... nothing found

Searching for Anonoying rootkit default files and dirs... nothing found

Searching for ZK rootkit default files and dirs... nothing found

Searching for ShKit rootkit default files and dirs... nothing found

Searching for AjaKit rootkit default files and dirs... nothing found

Searching for zaRwT rootkit default files and dirs... nothing found

Searching for Madalin rootkit default files... nothing found

Searching for Fu rootkit default files... nothing found

Searching for ESRK rootkit default files... nothing found

Searching for rootedoor... nothing found

Searching for ENYELKM rootkit default files... nothing found

Searching for common ssh-scanners default files... nothing found

Searching for suspect PHP files... nothing found

Searching for anomalies in shell history files... nothing found

Checking `asp'... not infected

Checking `bindshell'... not infected

Checking `lkm'... You have     3 process hidden for readdir command

You have     3 process hidden for ps command

chkproc: Warning: Possible LKM Trojan installed

chkdirs: nothing detected

Checking `rexedcs'... not found

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)

Checking `w55808'... not infected

Checking `wted'... chkwtmp: nothing deleted

Checking `scalper'... not infected

Checking `slapper'... not infected

Checking `z2'... chklastlog: nothing deleted

Checking `chkutmp'...  The tty of the following user process(es) were not found in /var/run/utmp !

! RUID          PID TTY    CMD

! root         4068 tty1   /sbin/mingetty tty1

! root         4069 tty2   /sbin/mingetty tty2

! root         4070 tty3   /sbin/mingetty tty3

! root         4071 tty4   /sbin/mingetty tty4

! root         4172 tty7   /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7

chkutmp: nothing deleted

Checking `OSX_RSPLUG'... not infected

Analysing chkrootkit.log, no anomalies were found.
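Both determine (section 04) and chkrootkit's `lkm` check above (chkproc, which reported 3 processes hidden from readdir and from ps) rely on the same cross-view idea: ask the kernel about every possible PID through an interface the rootkit did not filter and compare with what /proc lists. The script below is an added example of that technique, written here and not taken from either tool; it uses `kill(pid, 0)` as the probe, folds thread IDs into the visible set to avoid the thread false positives chkproc is known for, and re-checks survivors so processes that merely exited between the two views are dropped. Function names are my own.

```python
import errno
import os

def pid_exists(pid):
    """kill(pid, 0) sends no signal; it only asks whether the PID is known.
    ESRCH means no such process, EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno == errno.EPERM
    return True

def read_pid_max(path="/proc/sys/kernel/pid_max"):
    try:
        with open(path) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768   # classic default when the sysctl is unreadable

def probed_pids(pid_max, exists=pid_exists):
    """The kernel's own answer for every possible PID (the trusted view)."""
    return {pid for pid in range(1, pid_max + 1) if exists(pid)}

def proc_pids(proc="/proc"):
    """What readdir() of /proc shows: the view ps/top use and the one an LKM
    rootkit filters. Thread IDs also answer kill(), so /proc/<pid>/task is
    folded in; otherwise every multi-threaded daemon looks 'hidden'."""
    seen = set()
    for name in os.listdir(proc):
        if name.isdigit():
            seen.add(int(name))
            try:
                seen.update(int(t) for t in os.listdir(os.path.join(proc, name, "task")))
            except OSError:
                pass   # the process exited while we were looking
    return seen

def hidden_pids(probed, listed, ignore=()):
    """PIDs that answer kill() but are absent from the /proc listing."""
    return sorted(probed - listed - set(ignore))

def scan(proc="/proc"):
    """Two passes: a PID hidden in both is a finding; one that vanished was
    just a process that exited between the two views."""
    first = hidden_pids(probed_pids(read_pid_max()), proc_pids(proc),
                        ignore=(os.getpid(),))
    return [pid for pid in first if pid_exists(pid) and pid not in proc_pids(proc)]

if __name__ == "__main__":
    for pid in scan():
        print("hidden PID (answers kill(), missing from /proc):", pid)
```

A rootkit that also hooks kill() will not show up this way, which is why determine additionally scans memory and why the page's final verdict rests on the kernel symbol rkhunter found rather than on any single view.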

06

Overall Analysis

From the scan results above, what can be confirmed is that this system carries a Sebek LKM rootkit backdoor. Sebek is a piece of code running in kernel space that records some or all of the data users access on the system. Its capabilities include: logging keystrokes inside encrypted sessions, recovering files copied with SCP, capturing passwords recorded on remote systems, recovering passwords of binaries protected with Burneye, and other tasks related to intrusion analysis.

07

System Repair

To remove this rootkit backdoor, we can use the tools and files at hand to restore the system kernel in the quickest way, and then search the system for suspicious hidden files. We first download the package matching the system's kernel, generate new, clean kernel modules, and replace the existing module files.

The matching kernel package has already been downloaded here:



Step 1: before recovery, list the files under /home with ls -aR and save the listing as homefiles1.txt.

ls -aR > homefiles1.txt



Step 2: use the prebuilt kernel module rpm package to quickly restore the kernel module files.

Run the following in a terminal:

cd /test/src    # enter the directory where the rpm package is stored

rpm -i --force kernel-2.6.18-194.el5.i686.rpm



Then reboot the system.

Step 3: find the hidden files

In the /home directory, run:

ls -aR > homefiles2.txt



Now compare the two files homefiles1.txt and homefiles2.txt by running:

diff homefiles1.txt homefiles2.txt

diff is a file comparison tool.



In the output, "4a5" means that after line 4 of the first file, homefiles2.txt has an extra line 5: homefiles2.txt itself. The comparison is shown below:



Now look at lines 393 and 495:



ava is present after the system recovery, and comparing against the pre-recovery file list shows it was a hidden file.

So after restoring the system, three new files appeared under /home:

homefiles2.txt, ava and THIS_IS_A_HIDDEN_FILE. The first is the one we created; what are the other two for? We located the files in the directory and ran them:



After running ava we can see that it has the following functions:



Its main purpose is to hide itself, and it can also hide another file or process.

I  print information (secret UID, etc.)

h  hide a file

u  unhide a file

r  execute as root

R  permanently remove a PID

U  uninstall adore (an LKM rootkit; searching for "adore" turns up many detailed write-ups)

i  make a PID invisible

v  make a PID visible


Reference link

https://blog.csdn.net/tiandyoin/article/details/75136484




We respect original work and value sharing. This article comes from the WeChat public account SecMind安全管家; we recommend following that account to read the original. For copyright concerns, contact qter@qter.org.
