Archive

Posts tagged ‘rootkit’

Detecting Kernel Rootkits

August 2, 2013 Comments are closed

The original article is at http://www.la-samhna.de/library/rootkits/detect.html; some of the methods it describes are worth consulting, especially the last section.


Detecting the sk13b suckit Linux rootkit

December 22, 2010 Comments are closed

Look at the lines below, then at the detection code in chkrootkit and rkhunter, and you will see why a default installation of suckit sk is so easy to detect. There are other ways to detect sk1.x as well: you can look for hidden processes, and you can also use some bugs in sk13b for detection :) sk13b also contains a nice extra, the fondly remembered elfuck, the classic ELF encryption program.

Also posting a download link for sk13b. Something from 2004 still works today, which I never expected; a kernel rootkit written this well puts to shame the software that gets updated constantly and is still unstable.

http://www.xfocus.net/tools/200408/763.html


A very nice openssh backdoor

August 8, 2009 4 comments

I tried several openssh backdoors, and this one has the best user experience; you will see why once you look at it and use it. Its only shortcoming is that it only works with 3.6.1p2. Solving that is simple: edit version.h and recompile. After overwriting the files, remember to run /usr/sbin/sshd -t to test and fix the configuration file until there are no more warnings. Sharing it here.


DR Linux 2.6 rootkit released

September 8, 2008 Comments are closed

A Linux RK that is hard to detect.

o Hide processes
o Hide network sockets
o Hide files
o Get a remote MOSDEF Node (via hidden userland-backdoor)

The major benefit of the DR rootkit is that all this happens
transparently to the end user. The children of a hidden process are also
automatically hidden. The sockets a hidden process creates are also
hidden. But if you are a hidden process, you can see hidden resources.
This makes the DR rootkit nicely manageable.

DR loads via insmod – we’ve tested the rootkit on a number of Linux
distributions including CentOS and Ubuntu.

The CANVAS support and backdoor logic were written by Daniel Palacio
during his Immunity summer internship. He provided both the kernel hooks
and the userland backdoor to the project.

The rootkit engine (DR.c) was written by Bas Alberts and consists of a
debug register based hooking engine that does not modify the IDT or
syscall table at all. It was written as a reference implementation for
people wanting to experiment with such a rootkit technology, and was
designed to be able to integrate easily into existing syscall hook based
rootkits.

It has known limitations and considerations which you can read about in
the attached README.

You can find the source to the DR rootkit at:

URL: http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2
MD5SUM: 1256523fa8a87949c5e588c981108ee8