Rookit介绍
Rootkit是指其主要功能为:隐藏其他程序进程的软件,可能是一个或一个以上的软件组合。在今天,Rootkit一词更多地是指被作为驱动程序,加载到操作系统内核中的恶意软件。
rootkit原理图
vulab@sechelper:~/1337kit$ sudo python3 builder.py --config config.yml # 编译rootkit
[sudo] password for vulab:
████ ████████ ████████ ██████████ █████ ███ █████
░░███ ███░░░░███ ███░░░░███░███░░░░███░░███ ░░░ ░░███
░███ ░░░ ░███░░░ ░███░░░ ███ ░███ █████ ████ ███████
░███ ██████░ ██████░ ███ ░███░░███ ░░███ ░░░███░
░███ ░░░░░░███ ░░░░░░███ ███ ░██████░ ░███ ░███
░███ ███ ░███ ███ ░███ ███ ░███░░███ ░███ ░███ ███
█████░░████████ ░░████████ ███ ████ █████ █████ ░░█████
░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░ ░░░░ ░░░░░ ░░░░░ ░░░░░
LKM Rootkit Builder
...
LD [M] /tmp/ItclNzX3O3hJUXQ3/project.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-109-generic'
=== File /home/vulab/1337kit/project.ko created ===
vulab@sechelper:~/1337kit$ sudo insmod project.ko # 将rootkit安装到内核
vulab@sechelper:~/1337kit$ sudo lsmod # 查看内核模块
vulab@sechelper:~/1337kit$ sudo rmmod project # 卸载内核模块
检查系统是否被植入rootkit
vulab@sechelper:~$ sudo apt install chkrootkit # 安装chkrootkit
vulab@sechelper:~$ sudo chkrootkit
[sudo] password for vulab:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
...
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet ...
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested
sudo apt install rkhunter # 安装rkhunter
rhkhunter 配置
vulab@sechelper:~$ sudo rkhunter --check
[ Rootkit Hunter version 1.4.6 ]
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command [ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
...
隐藏的rootkit如何删除
Rootkit在内核模块里找不到,那么就存在删除不掉的可能,这时候需要将感染系统以文件挂载到其它Linux系统上,进行清除操作。
参考: