Intrusion analysis and prevention tools under the Linux platform: Knark
Added: 2018-11-21
This article discusses some of the back doors that attackers commonly leave on a Linux system after a successful intrusion, analyses one of the most famous rootkit tools, Knark, in detail, and points out how to discover, after an intrusion, whether Knark has been installed on the system and how to recover from it.

What is a "rootkit"?

After a successful intrusion, the attacker's remaining work is usually to clean up his footprints and leave a back door, and the most commonly used tool for creating that back door is a rootkit. Do not be fooled by the name: a so-called "rootkit" is not a tool for obtaining the super-user root. It is a package that an intruder installs on a compromised host to create back doors and to camouflage his presence. The package usually includes a log cleaner and backdoor programs, together with fake versions of programs that belong to the system itself, such as ps, ls, who, w and netstat. When the administrator tries to inspect the system with these commands, the fake programs prevent him from finding any trace of the intruder.

In some hacker circles, rootkits (or back doors) are a very popular topic, and many rootkits have been developed and published on the Internet. Among them, LKM-based rootkits have attracted particular attention because they exploit the loadable-module mechanism of modern operating systems. Running as part of the kernel, such a rootkit is far more powerful than traditional techniques and far harder to discover. Once it is installed and running on the target machine, the system is completely in the hacker's hands, and the system administrator cannot even find traces of the problem, because he can no longer trust his own operating system. The purpose of a back door is that the hacker can regain access to the system even after the administrator tries to patch the vulnerabilities that let him in.

An intruder who has obtained root can use set-uid programs, trojaned system programs, cron and similar methods to build a back door that later lets him regain root privileges from an unprivileged user account.

Set-uid programs. The hacker places set-uid scripts or programs somewhere in the file system; whenever he runs one of them, he becomes root.

Trojaned system programs. The hacker replaces certain system programs, such as the "login" program, so that whenever specific conditions are met, the program grants him the highest privileges.

Cron back doors. The hacker adds or modifies cron jobs so that a program of his runs at a particular time and gives him the highest privileges.
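The set-uid back door above is the easiest of the three to audit mechanically, because the file system records the bit. The following script is an added example (not part of the original article): it walks the file system, records every regular file that carries the set-uid or set-gid bit, and diffs that set against a baseline taken from a trusted installation. Anything added, removed or changed since the baseline is a candidate back door to inspect. The paths in the sample data are constructed for illustration.

```python
"""Baseline check for set-uid / set-gid programs (added example)."""
import json
import os
import stat
import sys


def is_setid(mode):
    """True for a regular file with the set-uid or set-gid bit; directories are ignored."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_setid(root="/"):
    """Walk root without following symlinks; return {path: st_mode} for set-id files."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath in ("/proc", "/sys", "/dev"):   # pseudo filesystems: nothing to baseline
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: a symlink never counts as set-id
            except OSError:
                continue
            if is_setid(st.st_mode):
                found[path] = st.st_mode
    return found


def compare(baseline, current):
    """Return (added, removed, changed) sorted path lists relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed


def save_baseline(path, found):
    with open(path, "w") as f:
        json.dump(found, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return {k: int(v) for k, v in json.load(f).items()}


if __name__ == "__main__":
    # Usage: python setid_audit.py baseline.json        (create or compare against it)
    baseline_file = sys.argv[1] if len(sys.argv) > 1 else "setid-baseline.json"
    current = scan_setid("/")
    if not os.path.exists(baseline_file):
        save_baseline(baseline_file, current)
        print(f"wrote baseline with {len(current)} set-id files to {baseline_file}")
    else:
        added, removed, changed = compare(load_baseline(baseline_file), current)
        for label, items in (("ADDED", added), ("REMOVED", removed), ("MODE CHANGED", changed)):
            for p in items:
                print(f"{label}: {p} {oct(current.get(p, 0))}")
```

The baseline must be taken before the compromise and stored off the host (or on read-only media); a baseline kept on the machine can be edited by the same intruder. Note that this check only covers what the file system reports; a kernel-level rootkit that filters directory listings can hide the file itself, which is why the later sections of this article matter.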

Specifically, the following methods can give a remote user the highest level of access: the ".rhosts" file, ssh authentication keys, a bind shell, and trojaned service programs.

".rhosts" file. Once "+ +" has been added to a user's .rhosts file, anyone from anywhere can log into that account without a password.

ssh authentication key. The hacker adds his own public key to the target machine's ssh "authorized_keys" file and can then log into that account without a password.

Bind shell. The hacker binds a shell to a specific TCP port; anyone who telnets to that port gets an interactive shell. More sophisticated back doors of this kind can be based on UDP, on connectionless TCP, or on ICMP.

Trojaned service program. Any open service can be trojaned to provide access to a remote user, for example by using inetd to create a bind shell on a specific port, or by providing access through the ssh daemon.
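The first two remote back doors above live in ordinary user files, so an administrator can audit them directly. The script below is an added example, not code from the article: it flags .rhosts entries that grant access to any host or any user, and lists every authorized_keys entry with its options, comment and SHA256 fingerprint (computed the same way ssh-keygen -l prints it, as the base64 of the SHA-256 of the key blob) so the list can be compared against the keys an administrator actually issued. It also checks that the key type declared on the line matches the type embedded in the blob, which catches hand-edited lines. The sample file contents are constructed; the key is a dummy ed25519 blob with an all-zero public key.

```python
"""Audit .rhosts wildcards and authorized_keys entries (added example)."""
import base64
import binascii
import hashlib
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# key type, base64 blob, optional comment; anything before the type is the options field
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(map(re.escape, sorted(KEY_TYPES))) +
                    r")\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def rhosts_findings(text):
    """Return (line_no, line) for every .rhosts entry whose host or user is the '+' wildcard."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":
            findings.append((no, raw.strip()))
    return findings


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def blob_type(blob):
    """Key type string embedded at the start of a public-key blob."""
    if len(blob) < 4:
        return ""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii", "replace")


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorized_keys_entries(text):
    """Parse authorized_keys text into one dict per line (malformed lines are reported too)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            entries.append({"malformed": line})
            continue
        declared, b64, comment = m.group(1), m.group(2), m.group(3) or ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except binascii.Error:
            entries.append({"malformed": line})
            continue
        entries.append({
            "options": line[:m.start()].strip(),
            "type": declared,
            "blob_type": blob_type(blob),
            "type_mismatch": blob_type(blob) != declared,
            "fingerprint": fingerprint(blob),
            "comment": comment,
        })
    return entries


# Constructed sample data (not from any real host).
RHOSTS_SAMPLE = "trusted.example.com alice\n+ +\nbackup.example.com\n+ bob\n"
ED25519_BLOB = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
AUTHORIZED_KEYS_SAMPLE = (
    f"ssh-ed25519 {ED25519_BLOB} alice@laptop\n"
    f'command="/usr/local/bin/backup",no-pty ssh-ed25519 {ED25519_BLOB} backup\n'
    f"ssh-rsa {ED25519_BLOB} mallory\n"          # declared type does not match the blob
)

if __name__ == "__main__":
    for no, line in rhosts_findings(RHOSTS_SAMPLE):
        print(f".rhosts line {no}: wildcard entry {line!r}")
    for e in authorized_keys_entries(AUTHORIZED_KEYS_SAMPLE):
        print(e)
```

On a real host, feed the script the contents of every user's ~/.rhosts, ~/.ssh/authorized_keys and the system-wide hosts.equiv, and compare each fingerprint against the keys that were deliberately issued; a key with an unfamiliar fingerprint, or one with a comment mimicking a legitimate account, is exactly the kind of entry described above.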

After the intruder has planted and started his backdoor program, he will try to hide the evidence of its existence. This mainly involves two things: hiding his files and hiding his processes.

To hide files, the intruder replaces some commonly used system commands such as "ls", "du" and "fsck". At a lower level, he can mark certain areas of the hard disk as bad blocks and store his files there, or, if he is bold enough, put files in the boot block.

To hide a process, he can replace the "ps" program, or modify argv[] so that the program looks like a legitimate service program. An interesting variant is to turn the program into an interrupt-driven one, so that it does not appear in the process table at all.

History of the Knark rootkit

Knark is a second-generation rootkit tool: it is based on LKM (loadable kernel module) technology, which allows it to hide system information very effectively. The code and the README file carry a disclaimer stating that the code may not be used for illegal activities; however, the software can easily be used for exactly that purpose.

Knark was written by Creed (creed@sekure.net). It is based mainly on the code of heroin.c by Runar Jensen (http://www.dataguard.no/bugtraq/1997_4/0059.html), and its design ideas come from the article "Weakening the Linux Kernel" published by plaguez in Phrack 52. After rewriting most of heroin.c, Creed decided to rename it "Knark", which in Swedish means narcotics. Other software written by Creed can be obtained from www.sekure.net/~happy-h/, but because the site exists only in a Swedish version it is not widely used.

The first public version of Knark was 0.41, released in June 1999; it is referenced in B4B0 #9 at http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt. Versions 0.50 and 0.59 followed, and 0.59 is the current version. Version 0.59 can be downloaded from here.

Knark 0.59 has the following features:

- Hide or show files or directories
- Hide TCP or UDP connections
- Redirect program execution
- Unauthorised privilege escalation ("rootme")
- A tool to change the UID/GID of a running process
- Unauthenticated remote execution of programs with the daemon's privileges
- Hiding of running processes with kill -31

Combining execution redirection with file hiding gives the intruder many ways of running his back doors. Because the redirection is performed at the kernel level, a file-integrity checker will not find any modified program file: the original executable is left untouched, so a detection tool configured to check the programs in the PATH will see nothing abnormal.

If Knark is combined with modhide, another LKM tool that hides loaded modules from the system, then even the lsmod command cannot reveal that knark is loaded.
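The two hiding features just described, processes hidden from ps and modules hidden from lsmod, share a weakness that a defender can use: both ps and ls obtain their view through a directory listing of /proc, but the kernel keeps other paths to the same information. The script below is an added example written for this article, not part of Knark, modhide or any detection tool; it targets the class of hiding described above rather than Knark's specific implementation. For processes it compares the PIDs returned by listing /proc with the PIDs that answer kill(pid, 0), then reads /proc/PID/status to drop thread IDs (which also answer kill) and keep only thread-group leaders. For modules it compares /proc/modules with the entries under /sys/module that carry an initstate file, which only loadable modules have. The pure functions take constructed data so the logic can be checked offline; the collectors read the live system when the script is run directly.

```python
"""Cross-check the kernel's views of processes and modules (added example)."""
import os


def pids_via_readdir():
    """PIDs as ps sees them: numeric entries from a directory listing of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_via_signal(pid_max):
    """PIDs that answer kill(pid, 0); this path does not depend on the /proc listing."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:       # ESRCH: no such task
            continue
        except PermissionError:          # EPERM: exists, owned by someone else
            pass
        found.add(pid)
    return found


def tgid_from_proc(pid):
    """Thread-group id from /proc/PID/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(readdir_pids, signal_pids, tgid_of=tgid_from_proc):
    """PIDs reachable via kill() but absent from the /proc listing, excluding plain threads."""
    hidden = set()
    for pid in signal_pids - readdir_pids:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:  # unreadable, or a process leader: report it
            hidden.add(pid)
    return hidden


def parse_proc_modules(text):
    """Module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def modules_in_sysfs():
    """Loadable modules known to sysfs: each has /sys/module/<name>/initstate."""
    return {name for name in os.listdir("/sys/module")
            if os.path.exists(f"/sys/module/{name}/initstate")}


def hidden_modules(proc_names, sysfs_names):
    """Modules sysfs knows about that are missing from /proc/modules."""
    return sysfs_names - proc_names


def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


if __name__ == "__main__" and os.path.isdir("/proc"):
    # Processes that start or exit between the two scans show up once; rerun to confirm.
    hp = hidden_pids(pids_via_readdir(), pids_via_signal(read_pid_max()))
    print("processes hidden from the /proc listing:", sorted(hp) or "none")
    try:
        with open("/proc/modules") as f:
            hm = hidden_modules(parse_proc_modules(f.read()), modules_in_sysfs())
        print("modules hidden from /proc/modules:", sorted(hm) or "none")
    except OSError as e:
        print("module check skipped:", e)
```

Run it as root so that every PID answers kill() without EPERM ambiguity. A PID reported twice in a row, or a module present in sysfs but absent from /proc/modules, is strong evidence of the kind of kernel-level hiding described above; such a system should be examined from trusted boot media rather than from its own tools, since, as the article notes, the running kernel can no longer be trusted. The sample module name in the test data is constructed.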
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.