Category: LINUX

2010-11-26 11:48:52

Invisible Intruders: rootkits in practice

by David Brumley

David Brumley works for the Stanford University Network Security Team (SUNSeT). He graduated with honors from the University of Northern Colorado in mathematics with additional work in philosophy. In his free time he enjoys playing hockey and reading Kant.



To catch a cracker you must understand the tools and techniques he will use to try to defeat you. A system cracker's first goal is to hide his presence from you, the administrator. One of the most widely used cracker tools for doing this is the rootkit. A rootkit gets its name not because the toolbox is composed of tools to crack root, but because it comprises tools to keep root.

Rootkits are used by intruders to hide and secure their presence on your system. An intruder achieves complete cloaking by relying on the administrator to trust the output of various system programs. This assumption is more or less true: most of the time, system administrators trust ps to display all processes and ls to list all files.

The cracker hides simply by modifying these programs not to display his activities: ls is altered not to display the cracker's files, and ps is modified not to display the cracker's processes. This simple method proves powerfully effective. A system administrator often has no clue that anything is amiss. Should the administrator sense that the system does not "feel" right, she will have a hard time tracking down the exact problem.

To replace any of the programs mentioned here, the cracker must already have root access. The initial attack that leads to superuser access is often very noisy: almost every exploit produces a lot of network traffic and/or log activity. Once in, though, the skilled attacker has no difficulty covering his tracks. The average cracker will have programs in his rootkit such as z2 and wted that remove login entries from the wtmp, utmp, and lastlog files. Other shell scripts may clean up log entries in /var/log and /var/adm. Luckily, the average cracker is sloppy. Sometimes he will forget to clean out certain logs or will simply zero out the log file. Any time a log file has zero length, it should be an immediate sign that something is amiss; a log whose entries stop abruptly and resume later deserves the same suspicion.

Trojans

Once the cracker has cleaned up the appropriate files to hide his tracks, he will want to leave a backdoor so that he can avoid using his noisy exploit again. Rootkit backdoors, often called trojan horses, can typically be divided into two categories: local programs and network services. These trojaned programs are the core of the rootkit.

Local programs that are trojaned often include chfn, chsh, login, and passwd. In each case, if the magic rootkit password is entered in the appropriate place, a root shell is spawned. Of course, a smart cracker will also disable the history mechanism in the root shell.

The replacement for login is especially interesting. Since some systems use shadowed password files and others do not, the cracker's replacement must be of the right type. A careless cracker might use the wrong kind of login trojan. When this happens, all or some accounts become inaccessible, which should be an immediate tipoff that a cracker has gained control of your system.

inetd, the network super daemon, is also often trojaned. The daemon will listen on an unusual port (rfe, port 5002 by default in Rootkit IV for Linux). If the correct password is given after connecting, a root shell is spawned and bound to the port. The manner in which the shell is bound makes it necessary to end every command with a semicolon (";") in order to get the command line executed.

rshd is similarly trojaned. A root shell is spawned when the rootkit password is given as the username (i.e., rsh [hostname] -l [rootkit password] will get you into the compromised machine).

Last, a root shell is often simply left bound to a port by the program bindshell. This program requires no password. By default the program is bound to port 31337, "eleet" in cracker jargon.

Satori

In all of these programs, the default password for the newest Linux rootkit (Rootkit IV) is satori. Older rootkits have used lrkr0x and h0tb0x as passwords. Rarely is the default left unchanged, but it never hurts to check.

To expand his domain, the cracker may also install an Ethernet sniffer. An Ethernet sniffer listens in on all traffic on the local network, grabbing usernames and passwords destined for other machines. ifconfig will normally report such odd behavior by showing the PROMISC flag on the interface. Unfortunately, ifconfig is usually one of the programs modified. (On current Linux systems, ip link show reports the same PROMISC flag and the kernel logs a "device ... entered promiscuous mode" message; these are independent sources unless the attacker has tampered with them as well.)

The allure of rootkits should now be obvious. Even if the administrator patches the program that initially led to root access, the cracker merely has to telnet to the proper port to get a root shell. If this is closed, the cracker can try the backdoored login or rshd program. And even if that doesn't work, the cracker can still log in as an ordinary user (with a cracked password, perhaps, or one captured by his Ethernet sniffer) and use the trojaned ping, chfn, or chsh program to become the superuser once again.

Why do crackers break into systems? Sometimes you are targeted directly: the cracker wants information or access that is specifically available at your installation. Often, however, a cracker simply wants to break into any system in order to get on IRC, serve up WAREZ, or trade MP3s. If they do this, they might trojan crontab in order to hide jobs that rotate, modify, or check on the status of the illicit activity.

Hidden

What tools does the administrator have to find these trojan-horse programs? If a rootkit is properly installed, the administrator will not be able to tell the difference between the original and a modified program. A widely used cracker program named fix will take a snapshot of the system binary to be replaced. When the trojaned or modified binary is moved into place, fix mimics all three timestamps (atime, ctime, and mtime) and the CRC checksum of the original program. A carefully constructed and compiled binary will also have the same length.

Without a cryptographically secure signature of every system binary, an administrator cannot trust that she has found the entire rootkit. If even one program goes undetected, the intruder might have a way back into your system. Several utilities, such as tripwire and RedHat's rpm, provide secure MD5 checksums of binaries. (MD5 was adequate when this was written; a baseline built today should use SHA-256, since MD5 collisions are now practical and a CRC or sum(1) checksum is exactly what fix forges.) To be truly secure, the reports must be kept offline in a secure location, lest the hacker tamper with the report. (Not so long ago a system-cracker magazine called Phrack published an article on defeating online tripwire reports.) These reports may be the only thing that saves you from a complete reinstallation of the entire system.
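The offline-baseline idea in a runnable form, as an added example that is not part of the original article and not tripwire's or rpm's own code: it hashes every regular file under a directory with SHA-256 (sha256sum, or shasum on BSD-like systems; the tool choice and the demo file names are assumptions), writes the list to a file meant to be stored off the host, and later re-hashes the recorded paths against it. The demo imitates fix by copying the timestamps of an untouched file onto the replaced one; the hash still changes.

```shell
#!/bin/sh
# Added example: offline hash baseline for system binaries (not lrk4/tripwire code).
# Assumes sha256sum or shasum is available; the files in demo() are constructed.

# hash_cmd FILE...  -- print "hash  path" lines using SHA-256.
# A CRC or sum(1) checksum can be matched by a tool like lrk4's "fix";
# a cryptographic hash cannot be matched without finding a collision.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# baseline_create DIR OUTFILE
# Hash every regular file under DIR on a known-good system and write the list
# to OUTFILE, which must then be moved off-host or onto read-only media.
baseline_create() {
    dir=$1; out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        hash_cmd "$f"
    done > "$out"
}

# baseline_verify BASELINE
# Re-hash each recorded path (run this with PATH pointing at clean tools).
# Prints one line per missing or modified file; returns 1 if there were any.
baseline_verify() {
    base=$1; bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        got=$(hash_cmd "$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$base"
    return $bad
}

# demo: a constructed stand-in for /bin whose "ls" is replaced after the
# baseline was taken. Returns 1 when the replacement is detected.
demo() {
    tmp=$(mktemp -d)
    base="$tmp.baseline"
    printf 'original ls\n' > "$tmp/ls"
    printf 'original ps\n' > "$tmp/ps"
    baseline_create "$tmp" "$base"
    printf 'trojaned ls\n' > "$tmp/ls"    # the rootkit drops in its own ls ...
    touch -r "$tmp/ps" "$tmp/ls"          # ... and forges the timestamps, as fix does
    if baseline_verify "$base"; then rc=0; else rc=1; fi
    rm -rf "$tmp" "$base"
    return $rc
}
```

On a real host, run baseline_create against /bin, /sbin, /usr/bin and /usr/sbin on the freshly installed system, keep the output file somewhere the host cannot write to, and run baseline_verify from a clean toolset when you suspect a compromise.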

Luckily, many crackers are careless, and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often the crackers forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a regular file rather than a device node (find /dev -type f) is often a good idea. The default setup for many rootkits is to have the configuration file names begin with pty, such as /dev/ptys or /dev/ptyr.

Another trick is to look at the modification times of all programs. Although a good cracker will try to cover most of the times, they often forget a few files or directories. find / -mtime -N -print, where N is the number of days you expect the intruder has had access to your system, should work in most cases. Running the same search with -ctime is worth the extra minute: fix mimics ctime as well as mtime, but an ordinary touch cannot, so a hastily installed file often has a recent inode change time even when its mtime looks old. I've found many times that the hacker has covered his tracks well in /bin and /sbin, but left the entire build directory for his rootkit in /tmp!

Inside each modified directory you should compare the output of echo * with that of ls. If ls has been trojaned and configured to hide anything, the echo command will show it, because the names come from the shell's own glob expansion rather than from ls.
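The echo-versus-ls comparison as a runnable check, added here as an example and not taken from the article: ls_hidden lists the names the shell's glob sees but ls -A does not. To show it firing, the demo builds a stand-in for a trojaned ls, a wrapper script (an assumption, not lrk4's own ls) that filters out any name containing rk_, and puts it first in PATH.

```shell
#!/bin/sh
# Added example: detect an ls that hides names by comparing it with the shell's
# own glob expansion. The "trojaned ls" is a constructed wrapper, not lrk4 code.

# ls_hidden DIR
# Prints names in DIR (per the shell glob, which an altered ls binary cannot
# influence) that "ls -A" fails to list. Returns 1 if any.
# A replaced shell or libc could still lie, which is why the article recommends
# running such checks from clean, statically linked binaries.
ls_hidden() {
    dir=$1
    by_ls=$(mktemp)
    ls -A "$dir" | LC_ALL=C sort > "$by_ls"
    missing=$( (cd "$dir" && for f in * .[!.]* ..?*; do
                   if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
               done) | LC_ALL=C sort | comm -23 - "$by_ls")
    rm -f "$by_ls"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# make_trojan_ls BINDIR
# Writes a wrapper named ls that drops every line containing "rk_" from the
# real ls output, mimicking a rootkit ls driven by a hide-list.
make_trojan_ls() {
    real_ls=$(command -v ls)
    cat > "$1/ls" <<EOF
#!/bin/sh
"$real_ls" "\$@" | grep -v 'rk_'
EOF
    chmod +x "$1/ls"
}

# demo: constructed directory with two "rootkit" files; prints the hidden
# names and returns 1 once the wrapper is first in PATH.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/bin" "$tmp/target"
    printf 'x\n' > "$tmp/target/passwd"
    printf 'x\n' > "$tmp/target/rk_sniffer.log"
    printf 'x\n' > "$tmp/target/.rk_config"
    make_trojan_ls "$tmp/bin"
    old_path=$PATH
    PATH="$tmp/bin:$PATH"
    if ls_hidden "$tmp/target"; then rc=0; else rc=1; fi
    PATH=$old_path
    rm -rf "$tmp"
    return $rc
}
```

The glob patterns * .[!.]* ..?* together cover every name except . and .., which is what ls -A also omits; names containing newlines are the one case this line-oriented comparison cannot handle.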

Also pay close attention to the strings in the system binaries. Although /sbin/inetd may look the right size, if the string "/bin/bash" shows up in it, you should start worrying about what else has been replaced. Another trick is to look at the file type. If file /sbin/inetd says that inetd is not stripped, it most certainly has been tampered with.
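A small triage helper for the strings and file checks just described, added as an example (not from the article): it extracts printable runs the way strings(1) does, using tr and grep so it works without binutils, greps them for the indicators the article names (shell paths, the satori/lrkr0x/h0tb0x passwords, the rewt login, /dev/pty-prefixed config paths), and asks file(1) whether the binary is unstripped. The pattern list and the test inputs are assumptions, not lrk4 signatures.

```shell
#!/bin/sh
# Added example: triage a binary for embedded rootkit indicators and an
# unstripped build. The indicator list is illustrative, taken from the article;
# run it on compiled daemons, since any shell script legitimately contains /bin/sh.

SUSPECT_PATTERNS='/bin/bash
/bin/sh
satori
lrkr0x
h0tb0x
rewt
/dev/pty'

# binary_strings FILE
# Printable runs of 6 or more characters, like strings(1) but without binutils.
binary_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{6,}$'
}

# binary_triage FILE
# One finding per line: UNSTRIPPED (if file(1) is installed and says so) and
# STRING for each indicator found. Returns 1 if anything was reported,
# 2 if FILE does not exist, 0 if clean.
binary_triage() {
    f=$1; bad=0
    [ -f "$f" ] || { echo "NOFILE $f" >&2; return 2; }
    # A distribution ships inetd stripped; an unstripped copy was rebuilt by someone.
    if command -v file >/dev/null 2>&1 && file "$f" | grep -q 'not stripped'; then
        echo "UNSTRIPPED $f"; bad=1
    fi
    pats=$(mktemp)
    printf '%s\n' "$SUSPECT_PATTERNS" > "$pats"
    hits=$(binary_strings "$f" | LC_ALL=C grep -F -f "$pats" | LC_ALL=C sort -u)
    rm -f "$pats"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed "s|^|STRING $f: |"
        bad=1
    fi
    return $bad
}
```

Compare the size reported by wc -c against a clean copy from install media as well; the article's point is that a matching size proves nothing, so the strings and stripping checks are what carry weight.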

If you're lucky enough to have a /proc filesystem, spend some time becoming acquainted with it; there is a lot of useful information there. By walking the directory tree you can find which processes are running. After comparing that to what ps shows, you can determine with some level of certainty whether ps has been modified. Other files in /proc show all active network connections, and some even list all open file descriptors!
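Two of the /proc comparisons this paragraph describes, written out as an added example (not from the article): proc_hidden lists PIDs the kernel exposes under /proc that ps omits, and proc_listeners decodes listening TCP sockets from /proc/net/tcp without going through netstat, so the Rootkit IV defaults (5002 and 31337) can be checked against a source a trojaned netstat cannot filter. TCP_SAMPLE is a constructed /proc/net/tcp excerpt for the demo; on a real host call proc_listeners with no argument. Assumes Linux.

```shell
#!/bin/sh
# Added example: cross-check ps and netstat against /proc. Linux only.
# TCP_SAMPLE below is constructed (two listeners, one established connection).

# proc_pids: numeric entries of /proc, i.e. the kernel's own process list.
proc_pids() {
    [ -d /proc/self ] || return 2
    for d in /proc/[0-9]*; do printf '%s\n' "${d#/proc/}"; done | LC_ALL=C sort
}

# ps_pids: what ps claims is running (header suppressed by "pid=").
ps_pids() {
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort
}

# proc_hidden: PIDs present in /proc but missing from ps output, with the
# command name from /proc/PID/comm. Returns 1 if any remain after re-checking
# that the process still exists (short-lived helpers of this script would
# otherwise show up as false positives).
proc_hidden() {
    a=$(mktemp); b=$(mktemp)
    proc_pids > "$a" || { rm -f "$a" "$b"; return 2; }
    ps_pids > "$b"
    found=0
    for pid in $(comm -23 "$a" "$b"); do
        [ -d "/proc/$pid" ] || continue
        printf 'hidden pid %s comm=%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        found=1
    done
    rm -f "$a" "$b"
    return $found
}

# proc_listeners [FILE]
# Ports of TCP sockets in LISTEN state (st == 0A) read from /proc/net/tcp.
# local_address is "hexIP:hexPORT"; the port is decoded with shell arithmetic.
proc_listeners() {
    src=${1:-/proc/net/tcp}
    [ -r "$src" ] || return 2
    tail -n +2 "$src" | while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        printf '%s\n' "$((0x${laddr##*:}))"
    done | sort -n -u
}

# backdoor_ports [FILE]
# Flags listeners on the Rootkit IV defaults named in the article. Returns 1 on a hit.
backdoor_ports() {
    listening=$(proc_listeners "$@") || return 2
    hit=0
    for entry in '5002:trojaned inetd (rfe)' '31337:bindshell'; do
        port=${entry%%:*}
        if printf '%s\n' "$listening" | grep -qx "$port"; then
            echo "listener on port $port matches Rootkit IV default: ${entry#*:}"
            hit=1
        fi
    done
    return $hit
}

# Constructed /proc/net/tcp excerpt: sshd on 22, a backdoor on 5002 (0x138A),
# and one established connection (st 01) that must not be reported.
TCP_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:138A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 100 0 0 10 0'
```

The same approach extends to /proc/net/tcp6 and /proc/net/udp, and /proc/PID/fd shows the open descriptors the article mentions. A port that proc_listeners reports but netstat does not is as strong a signal as a PID that proc_hidden reports but ps does not.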

The easiest way to detect crackers, however, is to have a clean set of statically linked binaries for your system. Why statically linked? A more advanced cracker will sometimes replace system libraries, so anything that dynamically uses them cannot be trusted. If possible you should keep a spare set of common programs such as ps, ls, ifconfig, and perhaps lsof, on a secure host. When you find a compromised system, simply download the clean binaries, set your PATH environment variable to use them, and start looking for backdoors. Keep in mind that even a static binary still asks the running kernel for its answers; a rootkit that modifies the kernel lies to it as well, and at that point only inspection from trusted boot media, or the reinstallation mentioned above, settles the question.

Various versions of rootkit are available at most cracker sites. The most accessible versions are for open-source operating systems such as Linux and FreeBSD. Also commonly reported are versions for Irix, SunOS, and Solaris. The latest rootkit, Linux Rootkit IV, is distributed by The Crackers Layer. It is definitely worth the bandwidth to download the source and see how it works.

Rootkits have become very popular tools for both experienced and novice crackers. Your first line of defense should always be protection through regular patching and sound administration. Equally important is the second line: a good plan in the event of a real compromise. By arming yourself ahead of time with secure checksums and clean binaries, you will be much quicker and more effective in local and sitewide incident response.

Utilities Included in Rootkit IV

Programs That Hide the Cracker's Presence

ls, find, du — will not display or count the cracker's files.

ps, top, pidof — will not display the cracker's processes.

netstat — will not display the attacker's traffic; usually used to hide daemons such as eggdrop, bindshell, or bnc.

killall — will not kill the attacker's processes.

ifconfig — will not display the PROMISC flag when the sniffer is running.

crontab — will hide the cracker's crontab entry. The hidden crontab entry is in /dev by default.

tcpd — will not log connections listed in the configuration file.

syslogd — similar to tcpd.

Trojaned Programs That Have Backdoors

chfn — root shell if the rootkit password is entered as the new full name.

chsh — root shell if the rootkit password is entered as the new shell.

passwd — root shell if the rootkit password is entered as the current password.

login — will allow the cracker to log in under any username with the rootkit password. If root logins are refused, user rewt will work. It also disables history logging.

Trojaned Network Daemons

inetd — root shell listening on port rfe (5002). After connection, the rootkit password must be entered as the first line.

rshd — trojaned so that if the username is the rootkit password, a root shell is bound to the port (i.e., rsh [hostname] -l [rootkit password]).

Cracker Utilities

fix — installs a trojaned program (e.g., ls) with the same timestamp and checksum information as the original.

linsniffer — a network sniffer for Linux.

sniffchk — checks to make sure a sniffer is still running.

wted — wtmp editor. You can modify the wtmp.

z2 — erases entries from wtmp/utmp/lastlog.

bindshell — binds a root shell to a port (port 31337 by default).


