This article discusses the back doors that attackers commonly install on Linux systems after a successful intrusion, gives a detailed analysis of one of the best-known rootkit tools, Knark, and shows how to discover that Knark has been installed after an intrusion and how to recover the system.
What is a "rootkit"?
When intruders finish their work they usually clean up their footprints and leave behind a back door, and the most commonly used tool for building that back door is the rootkit. Do not be fooled by the name: a so-called "rootkit" is not a tool for obtaining the super-user root. It is a package that an intruder who has already broken into a host uses to create a back door and to disguise his presence. The package usually includes a log cleaner and backdoor programs. It also usually ships with fake versions of ps, ls, who, w, netstat and other programs that originally belong to the system itself, so that when an administrator tries to examine the system with these commands, the false system programs prevent him from finding any trace of the intruder.
In some hacker circles, rootkits (or back doors) are a very popular topic, and many rootkits have been developed and published on the Internet. Among them, LKM rootkits attract particular attention because they use the module technology of modern operating systems. Running as part of the kernel, such a rootkit is far more powerful than traditional techniques and far harder to find. Once it is installed and running on the target machine, the system is completely under the hacker's control. The system administrator cannot even find traces of the potential security problem, because he can no longer trust his own operating system. The purpose of the back door is that even when the administrator tries to patch the system's vulnerabilities, the hacker can still get into the system.
Intruders use setuid programs, system Trojans, cron and other methods to build back doors that let them obtain root privileges from a non-privileged user account:
Setuid programs. The hacker places a few setuid scripts somewhere in the file system; whenever he runs one of these programs he becomes root.
System Trojans. The hacker replaces some system programs, such as the "login" program, so that whenever certain conditions are met, those programs give him the highest privileges.
Cron back door. The hacker adds to cron, or modifies, a task that runs a program at a particular time, and from it he obtains the highest privileges.
The following methods can give a remote user the highest level of access: a ".rhosts" file, an ssh authentication key, a bind shell, or a trojaned service program.
".rhosts" file. Once "+ +" is added to a user's .rhosts file, anyone from anywhere can use that account to log into the host without a password.
ssh authentication key. The hacker puts his own public key into the target machine's ssh "authorized_keys" file, after which he can use that account to access the machine without a password.
Bind shell. The hacker binds a shell to a specific TCP port; anyone who telnets to that port gets an interactive shell. More sophisticated back doors of this kind can be based on UDP, on connectionless TCP, or on the ICMP protocol.
Trojaned service program. Any open service can be trojaned to provide access for remote users, for example by using inetd to create a bind shell on a specific port, or by providing access through the ssh daemon.
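The local and remote back doors listed above all leave artifacts on disk that an administrator can look for. The following script is an added example, not part of the original article or of any tool it describes; it audits a constructed sample tree for the indicators the article names (a "+" wildcard in .rhosts, authorized_keys entries outside an approved baseline, setuid or setgid files, and cron entries that run from a world-writable scratch directory). The baseline key, the sample crontab, the path names and the home directory are all assumptions constructed for the demo.

```python
"""Audit a tree for the local and remote backdoor indicators listed above.

Every path, key and crontab here is a constructed sample for the demo;
a real audit would walk / and the real home directories.
"""
import os
import stat
import tempfile

# Constructed baseline: the "type blob" part of every key an admin has approved.
KNOWN_KEYS = {"ssh-rsa AAAAB3NzaC1yc2E-ADMIN-SAMPLE"}

# Constructed sample crontab containing one entry that runs from /tmp.
SAMPLE_CRONTAB = """# constructed sample user crontab
SHELL=/bin/sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/update
"""


def rhosts_wildcards(home):
    """Return .rhosts lines that use '+' as the host or user (e.g. the classic '+ +')."""
    path = os.path.join(home, ".rhosts")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh if "+" in line.split()]


def unknown_authorized_keys(home, known=KNOWN_KEYS):
    """Return authorized_keys entries whose key is not in the approved baseline."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return []
    unknown = []
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            # Entries may carry options before the key type; compare only "type blob".
            idx = next((i for i, p in enumerate(parts)
                        if p.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or " ".join(parts[idx:idx + 2]) not in known:
                unknown.append(line)
    return unknown


def setuid_files(root):
    """Return regular files under root with the setuid or setgid bit set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def suspicious_cron_lines(crontab_text, scratch=("/tmp/", "/var/tmp/", "/dev/shm/")):
    """Return crontab entries whose command references a world-writable scratch dir."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#") or "=" in entry.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if entry.startswith("@"):                 # @reboot, @daily, ...
            rest = entry.split(None, 1)
            cmd = rest[1] if len(rest) > 1 else ""
        else:
            cmd = " ".join(entry.split()[5:])     # five time fields, then the command
        if any(p in cmd for p in scratch):
            hits.append(entry)
    return hits


def build_sample_tree():
    """Create a constructed sample tree with one of each indicator; returns its paths."""
    root = tempfile.mkdtemp(prefix="rootkit_audit_")
    home = os.path.join(root, "home", "alice")
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, ".rhosts"), "w") as fh:
        fh.write("trusted.example.org alice\n+ +\n")
    with open(os.path.join(home, ".ssh", "authorized_keys"), "w") as fh:
        fh.write("ssh-rsa AAAAB3NzaC1yc2E-ADMIN-SAMPLE admin@example.org\n"
                 "ssh-rsa AAAAB3NzaC1yc2E-UNKNOWN-SAMPLE nobody@nowhere\n")
    bindir = os.path.join(root, "usr", "local", "bin")
    os.makedirs(bindir)
    script = os.path.join(bindir, "cleanup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho sample\n")
    os.chmod(script, 0o4755)  # setuid bit: the indicator setuid_files() looks for
    return {"root": root, "home": home}


if __name__ == "__main__":
    tree = build_sample_tree()
    print("rhosts wildcards :", rhosts_wildcards(tree["home"]))
    print("unknown ssh keys :", unknown_authorized_keys(tree["home"]))
    print("setuid files     :", setuid_files(tree["root"]))
    print("cron from scratch:", suspicious_cron_lines(SAMPLE_CRONTAB))
```

Each check returns the offending lines or paths so the output can be diffed against a baseline taken when the system was known to be clean; a setuid list in particular is only meaningful against such a baseline, since a normal system legitimately contains several setuid binaries.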
After the intruder has implanted and started the backdoor program, he tries to hide the evidence of its existence. This mainly involves two things: hiding his files and hiding his processes.
To hide files, the intruder replaces some commonly used system commands such as "ls", "du" and "fsck". At a lower level, he can mark some areas of the hard disk as bad blocks and store his files there, or, if he is crazy enough, put some files in the boot block.
To hide processes, he can replace the "ps" program, or modify argv so that the program looks like a legitimate service program. An interesting variant is to turn the program into an interrupt-driven one, so that it does not appear in the process table at all.
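A trojaned "ps" hides a process only from tools that read the process table the way ps does. The following script is an added example, not part of the original article or of Knark; it assumes a Linux /proc and compares two independent views of the process table: the /proc directory listing (what ps and top read) and a kill(pid, 0) existence probe for every possible PID, which never reads that directory. A PID that the probe reports but the listing never shows is a candidate hidden process; thread IDs, which kill() also accepts, are filtered out by reading their Tgid.

```python
"""Spot processes that exist but are missing from a /proc directory listing.

Added example; assumes a Linux /proc. Two independent views of the process
table are compared: the directory listing (what ps reads) and kill(pid, 0)
(a per-PID existence check that never reads the directory).
"""
import os


def listed_pids(proc="/proc"):
    """PIDs visible by listing the /proc directory, which is what ps and top read."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid):
    """PIDs that exist according to kill(pid, 0); EPERM still means 'exists'."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            pass              # exists, but owned by another user
        alive.add(pid)
    return alive


def is_thread(pid, proc="/proc"):
    """True if pid is a thread of another process (kill() accepts TIDs as well)."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass  # an unreadable status is itself suspicious, so do not exclude the PID
    return False


def hidden_pids(listed, probed, thread_check=lambda pid: False):
    """PIDs the kernel admits exist but the listing never showed, minus threads."""
    return sorted(pid for pid in probed - listed if not thread_check(pid))


def pid_max():
    """Largest PID the kernel will hand out; falls back to the classic 32768."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


def scan():
    """List /proc before and after probing so short-lived PIDs are not reported."""
    before = listed_pids()
    probed = probed_pids(pid_max())
    after = listed_pids()
    return hidden_pids(before | after, probed, is_thread)


if __name__ == "__main__":
    suspicious = scan()
    print("hidden PIDs:", suspicious or "none (re-run to rule out transient PIDs)")
```

A process that starts and exits between the two listings can still show up once, so a PID is worth chasing only if it appears on repeated runs. The cross-check also relies on the kill system call telling the truth; a kernel-level rootkit that hooks kill as well as directory reads would defeat it, which is why the definitive check remains inspecting the disk from trusted boot media rather than asking the possibly compromised kernel.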
Knark is a second-generation rootkit tool: it is based on LKM (loadable kernel module) technology, which can be used to hide system information very effectively. The code and the README file carry a disclaimer stating that the code may not be used for illegal activities; the software can, however, easily be used for exactly that purpose.
Knark was written by Creed (email@example.com). It is largely based on Runar Jensen's heroin.c code (http://www.dataguard.no/bugtraq/1997_4/0059.html), and its design ideas come from the article "Weakening the Linux Kernel" published by plaguez in Phrack 52. After rewriting most of the heroin.c code, Creed decided to rename it "Knark", which is Swedish slang for narcotics. It could be obtained from Creed's site at www.sekure.net/~happy-h/, but because that site was only available in Swedish, it was not widely used.
The first public version of Knark was 0.41, released in June 1999; it was indexed in B4B0 #9 at http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt. Versions 0.50 and 0.59 followed, and the current version is 0.59. Version 0.59 can be downloaded from here.
Knark 0.59 has the following features:
Hiding or showing files and directories
Hiding TCP or UDP connections
Redirecting program execution
Privilege escalation for unauthorized users ("rootme")
A tool to change the UID/GID of a running process
Unauthorized remote execution of programs with daemon privileges
Hiding running processes with kill -31
By combining execution redirection with file hiding, the intruder can provide a variety of back doors. Because the redirection is performed at the kernel level, a file-integrity checker will not report that a program file has been modified: the original program on disk is untouched, so a checker configured to examine the programs on the PATH finds nothing abnormal.
If Knark is combined with modhide, another LKM tool that hides currently loaded system modules, then Knark cannot be found even with the lsmod command.