Still Shines.

Linux Backdoor Detection and System Recovery

2018/09/16

Xiaobai is a Linux system administrator at a company. One day he started to feel that the company's machines were behaving oddly and that someone was watching them. By analysing logs and monitoring network traffic he concluded that the system had very likely been compromised and that the intruder had left a rootkit backdoor behind.

What is a Rootkit

What is a rootkit? Put simply, a rootkit is a special kind of malware whose defining property is that we cannot find it. Its main job is to hide other programs and processes; it may be a single component or a combination of several. The earliest rootkits were built for benign purposes, but attackers soon adopted them for breaking into and controlling other people's systems. Viruses and spyware also routinely use rootkit techniques to cover their tracks, which is why most antivirus products classify rootkits as harmful malware. Linux, Windows and macOS are all potential targets.


A rootkit can also be viewed as a technique. Today the word mostly refers to malware loaded into the operating system kernel as a driver or module. Because such code runs in privileged mode, it can cause damage that the rest of the system has no way to anticipate.

A rootkit trojan is the AIDS of the information world: once a system is infected, ordinary means will not clean it, because, like its biological counterpart, the rootkit destroys the integrity of the system's own self-inspection.

A computer has no immune system, but it does offer facilities for inspecting its own environment: enumerating processes, listing files, enforcing privilege levels, and so on. Most antivirus products and process tools depend on exactly these built-in facilities, and those facilities are precisely what a rootkit subverts.

Linux kernel rootkits date back to the mid-1990s. From the earliest syscall table, page handler and IDT hijacking through to memory injection, most techniques share one trait: the HOOK. Where to place the hook is an art in itself; the rarest rootkits on this planet are those whose hooks form a code path that mirrors user space exactly, and pairing that with sound cryptographic engineering pushes this kind of persistence to its limit. The quality of a rootkit depends largely on how well its author understands the kernel, much as you know every facet of the person you love. So how are rootkits defended against and detected? A common approach is to compare a dump of live kernel memory against the kernel's symbol table and look for discrepancies, for example a syscall table entry that no longer points where the symbol table says it should.

Rootkit Scanning and Detection

Detection tools

Xiaobai's system runs CentOS. He first fetched three rootkit detection tools from the web: rkhunter, determine and chkrootkit.
chkrootkit is a tool that checks the system for rootkits; it recognises a large number of known rootkit signatures.

rkhunter (Rootkit Hunter) is an open-source intrusion detection tool for Linux with a wider scope than chkrootkit. Besides rootkit signature scanning it checks listening ports, the versions of common open-source software, and changes to file properties against a stored baseline.

determine is meant to find processes that an LKM rootkit hides from ps, top and similar tools, helping an administrator check a machine for hidden processes. It also ships a small, extensible signature database that it can scan memory with. determine works with the 2.4 and 2.6 Linux kernels.

Tool downloads:
Rkhunter:http://down.51cto.com/data/149294
determine: http://stealth.openwall.net/rootkits/removal/determine-0-24.tgz
chkrootkit:ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar或http://www.chkrootkit.org

Running the scans

• Scanning with rkhunter

Step 1: extract the archive (right-click, Extract Here).
Step 2: install rkhunter.
Enter the rkhunter-1.3.6 directory, right-click, choose Open in Terminal, and run:

./installer.sh --install

Step 3: scan the system

rkhunter -c --rwo    # check the whole system and print only the warnings on the terminal

Step 4: review and analyse the results
The scan writes its report to /var/log/rkhunter.log.


The warnings, copied out of the report:

Warning: Checking for prerequisites               [ Warning ]
The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in 'rkhunter --propupd'.
Warning: WARNING! It is the users responsibility to ensure that when the '--propupd' option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter '--check' option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne shell script text executable
Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
Warning: The command '/sbin/ifdown' has been replaced by a script: /sbin/ifdown: Bourne-Again shell script text executable
Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable
> Warning: Sebek LKM [ Warning ]
> Kernel symbol 'adore or sebek' found
Warning: Account 'testadmin' is root equivalent (UID = 0)
Warning: Account 'supervisor' is root equivalent (UID = 0)
Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
Warning: Application 'httpd', version '2.2.3', is out of date, and possibly a security risk.
Warning: Application 'named', version '9.3.6-P1', is out of date, and possibly a security risk.
Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
Warning: Application 'php', version '5.1.6', is out of date, and possibly a security risk.
Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

The arrow-marked lines warn of a possible Sebek LKM. The check behind them looks for a kernel symbol that rkhunter associates with both the adore and the sebek modules ("adore or sebek"), so by itself it does not say which of the two is loaded. The remaining warnings need context rather than alarm. On CentOS, ldd, groups, whatis, ifup and ifdown are shipped as scripts by their packages, which is exactly what the SCRIPTWHITELIST entries in rkhunter.conf exist for; the .ssh.hmac, .sshd.hmac and .fipscheck.hmac files are FIPS integrity checksums installed by the openssh and fipscheck packages. The two extra UID 0 accounts (testadmin and supervisor), on the other hand, are classic backdoor accounts and must be explained or removed, and PermitRootLogin should be set explicitly. Finally, the "prerequisites" warning asks you to run rkhunter --propupd once on a known-good system so that later checks can compare file properties against that baseline; running it on an already compromised host would bless the attacker's files. The corresponding section of the report:
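A practitioner's next step for the "replaced by a script" and hidden-file warnings above (and for the "suspicious files" list chkrootkit produces) is to ask the package manager whether each flagged file is owned by a package and still matches what the package shipped. The script below is an added example, not part of the original post or of rkhunter. It assumes an RPM-based system such as the CentOS box here and package paths without spaces. The decoding function works on the text format of rpm -V (attribute columns in the order S M 5 D L U G T P, a dot for each test that passed, an optional file-type letter, then the path), so it can be exercised on constructed lines without rpm present. Keep in mind that rpm and its database live on the compromised host too; a rootkit that hooks file reads can lie to them, so confirm anything important from a clean boot medium.

```shell
#!/bin/sh
# triage_flagged.sh: cross-check files flagged by rkhunter/chkrootkit against
# the RPM database. Added example; not part of the original post or of rkhunter.
# Assumes an RPM-based system and package paths without spaces.

# Decode one line of "rpm -V" output. The attribute columns are, in order,
# S M 5 D L U G T P (size, mode, digest, device, link, user, group, mtime,
# capabilities); '.' means the test passed, '?' that it could not be run.
# Older rpm (e.g. CentOS 5) prints eight columns, without P. Then comes an
# optional file-type letter (c d g l r) and the path. Missing files are
# reported as "missing   <path>".
explain_verify_line() {
  attrs=${1%% *}
  rest=$(printf '%s\n' "$1" | sed -e 's/^[^ ]*  *//' -e 's/^[cdglr] //')
  if [ "$attrs" = "missing" ]; then
    echo "$rest: missing"
    return 0
  fi
  reasons=""
  i=1
  for name in size mode digest device link owner group mtime caps; do
    c=$(printf '%s' "$attrs" | cut -c"$i")
    case "$c" in
      ''|.|\?) ;;                      # passed, or could not be tested
      *) reasons="$reasons $name" ;;   # any letter in this column is a difference
    esac
    i=$((i + 1))
  done
  if [ -z "$reasons" ]; then
    echo "$rest: clean"
  else
    # Config files (type c) legitimately differ; a digest change on a binary
    # such as /usr/bin/ldd is the one to chase.
    echo "$rest: modified (${reasons# })"
  fi
}

# For each path: does any package own it at all (unowned files in system
# directories are the first thing to inspect), and does it still verify?
# Needs rpm, so this part only runs when the script is given arguments.
triage_paths() {
  for p in "$@"; do
    [ -e "$p" ] || { echo "$p: does not exist"; continue; }
    pkg=$(rpm -qf "$p" 2>/dev/null) || { echo "$p: not owned by any package -> inspect"; continue; }
    pkg=$(printf '%s\n' "$pkg" | head -n 1)
    line=$(rpm -V "$pkg" 2>/dev/null | awk -v p="$p" '$NF == p')
    if [ -z "$line" ]; then
      echo "$p: owned by $pkg, verifies clean"
    else
      explain_verify_line "$line"
    fi
  done
}

# Usage: sh triage_flagged.sh /usr/bin/ldd /usr/bin/GET /usr/bin/.ssh.hmac
if [ "$#" -gt 0 ]; then
  triage_paths "$@"
fi
```

On the box in this post, /usr/bin/ldd, /sbin/ifup and the .hmac files should come back as owned and clean, which closes those warnings; a file with no owning package, or an owned binary whose digest differs, is what deserves the strings and file treatment next.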

• Scanning with determine

Step 1: extract the archive.
Step 2: build determine.
Enter the determine directory and run:

make

Step 3: start the scan:

./determine > determine.log

This writes determine.log into the determine directory.
Step 4: review and analyse the results
determine.log lists several hidden processes that have no corresponding entry under /proc; that points to a backdoor.

• Scanning with chkrootkit

Step 1: extract the archive.
Step 2: build chkrootkit.

In the terminal run:

make

Step 3: start the scan

./chkrootkit > chkrootkit.log

This scans the system and writes chkrootkit.log into the current directory.

Step 4: review and analyse the results

ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libgcrypt.so.11.hmac /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/firefox-3.0.18/.autoreg /usr/lib/.libfipscheck.so.1.1.0.hmac /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/.libfipscheck.so.1.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac /lib/.libssl.so.6.hmac /lib/.libssl.so.0.9.8e.hmac

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 4068 tty1 /sbin/mingetty tty1
! root 4069 tty2 /sbin/mingetty tty2
! root 4070 tty3 /sbin/mingetty tty3
! root 4071 tty4 /sbin/mingetty tty4
! root 4172 tty7 /usr/bin/Xorg :0 -br -audit 0 -auth /var/gdm/:0.Xauth -nolisten tcp vt7
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected

Looking at chkrootkit.log: every binary check reports "not infected" and the signature searches find nothing, but the scan is not clean. The `lkm` test reports three processes hidden from both readdir and ps and prints "chkproc: Warning: Possible LKM Trojan installed", which agrees with what determine found. The other items are explainable: the "suspicious files" are the .hmac checksum files shipped with openssl and fipscheck plus Firefox and Perl housekeeping files, the chkutmp entries are ordinary mingetty and Xorg sessions, and the sniffer line is only dhclient's packet socket.
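determine and chkrootkit's `lkm` test rely on the same cross-check: a process the kernel still acknowledges when asked about it directly must also appear in ps and in a directory listing of /proc, and one that does not is being hidden. The script below is an added example, not code from the original post or from either tool. It probes every PID up to pid_max through direct /proc/<pid> lookups, which bypass the readdir() call that LKM rootkits typically filter, and reports the difference against ps and against a plain listing of /proc. It assumes a Linux procfs and the procps ps; thread IDs also resolve under /proc, so only thread-group leaders are counted to avoid false positives.

```shell
#!/bin/sh
# hidden_procs.sh: cross-check which PIDs exist against what ps and a readdir()
# of /proc report, the same test determine and chkrootkit's `lkm` check perform.
# Added example; not part of the original post or of either tool.

# Print every token of $1 (whitespace-separated) that does not occur in $2.
missing_from() {
  a=$(mktemp) || return 1
  b=$(mktemp) || { rm -f "$a"; return 1; }
  printf '%s\n' $1 | grep . | LC_ALL=C sort -u > "$a"
  printf '%s\n' $2 | grep . | LC_ALL=C sort -u > "$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Enumerate processes by direct lookup of /proc/<pid>, walking every PID up to
# pid_max. A rootkit that filters getdents() on /proc still has to answer
# stat()/open() on /proc/<pid>, which is why hidden processes reappear here.
probe_pids() {
  max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
  pid=1
  while [ "$pid" -le "$max" ]; do
    if [ -r "/proc/$pid/status" ]; then
      # Threads resolve as /proc/<tid> too although readdir never lists them;
      # keep only thread-group leaders (Tgid == pid) to avoid false positives.
      tgid=$(awk '/^Tgid:/ { print $2; exit }' "/proc/$pid/status" 2>/dev/null)
      [ "$tgid" = "$pid" ] && printf '%s\n' "$pid"
    fi
    pid=$((pid + 1))
  done
}

# Report PIDs the probe found but ps or a plain listing of /proc did not.
scan_hidden() {
  probed=$(probe_pids)
  from_ps=$(ps -eo pid= | tr -d ' ')
  from_readdir=$(ls /proc | grep -E '^[0-9]+$')
  echo "hidden from ps:"
  missing_from "$probed" "$from_ps"
  echo "hidden from /proc readdir:"
  missing_from "$probed" "$from_readdir"
}

# Usage: sh hidden_procs.sh --scan   (run it twice; a PID seen only once is a
# process that started or exited between the passes, not a hidden one)
if [ "${1:-}" = "--scan" ]; then
  scan_hidden
fi
```

For any PID it reports, ls -l /proc/<pid>/exe and cat /proc/<pid>/cmdline show what is running, and both work even when the rootkit hides the directory from listing. Remember that ps itself may be trojaned on such a host, which is why the probe never trusts it as the source of truth.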

Overall analysis

Taken together, the scans leave no doubt that this system carries an LKM rootkit: rkhunter matched the kernel symbol it associates with "adore or sebek", and both determine and chkrootkit confirmed hidden processes. Sebek is a piece of code that runs in kernel space and records some or all of the data that users access. Its functions include logging keystrokes inside encrypted sessions, recovering files copied with SCP, capturing passwords typed on the monitored system, recovering the passwords of binaries protected with Burneye, and other tasks related to intrusion analysis. Note, though, that the control tool recovered after the reboot (ava, below) is the user-space client of adore, so adore is the likelier identification of the module actually loaded here.

System recovery

To get rid of the rootkit we use the tools and files at hand: restore the kernel by the quickest route, then search the system for suspicious hidden files. First download the package matching the installed kernel; it gives us fresh, clean kernel and module files to replace the existing ones. Be clear about what this does and does not do: booting a clean kernel removes the module's hooks, so the files and processes it was hiding become visible again, but it removes neither the rootkit's files nor whatever loads it at boot. Treat it as triage; a host this deeply compromised should be rebuilt from known-good media once the evidence has been collected.

The matching kernel package has already been downloaded:
Step 1: before recovery, list everything under /home with ls -aR and save it as homefiles1.txt (run this inside /home).

ls -aR > homefiles1.txt

Step 2: use the prebuilt kernel rpm to restore the kernel and module files quickly.
In the terminal:

cd /test/src    # the directory holding the rpm
rpm -i --force kernel-2.6.18-194.el5.i686.rpm

Then reboot.
Step 3: search for hidden files.
In /home run:

ls -aR > homefiles2.txt

Now compare homefiles1.txt with homefiles2.txt:

diff homefiles1.txt homefiles2.txt

diff is a file comparison tool.
In the output, "4a5" means that after line 4 of the first file, homefiles2.txt has an extra line 5: homefiles2.txt itself. Side by side:
Now look at lines 393 and 495:
ava is present after recovery, and comparing with the listing taken before recovery shows it was a hidden file.
So after recovery three new entries appear under /home: homefiles2.txt, ava and THIS_IS_A_HIDDEN_FILE. The first is ours; what are the other two for? Here the files are located and run (on a real incident, copy an unknown binary off the host and inspect it with file and strings before ever executing it):

Running ava shows the following functions:

Its main purpose is to hide itself, and it can also hide another file or process.

I  print information (secret UID and so on)
h  hide a file
u  unhide a file
r  execute as root
R  remove a PID permanently
U  uninstall adore (an LKM rootkit; searching for adore turns up plenty of detail)
i  make a PID invisible
v  make a PID visible
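The before-and-after listing in the recovery steps finds files the rootkit kept out of readdir(), but a comparison of names alone would not notice a binary that was replaced in place, like the ones rkhunter reported. The script below is an added example, not part of the original post; it generalises the same snapshot-and-diff idea to content hashes, so the comparison reports added, removed and changed entries, and it keys on the path so a modified file shows up as "changed" rather than as a removal plus an addition. It assumes GNU find and sha256sum (coreutils) and that the two snapshots are written outside the tree being compared.

```shell
#!/bin/sh
# tree_snapshot.sh: snapshot a directory tree with content hashes and report
# what changed between two snapshots. Added example; not part of the original
# post. Assumes GNU find and sha256sum.

# Write one line per entry: "<sha256>  <path>" for regular files, "D  <path>"
# for everything else (directories, symlinks, devices), so a hidden directory
# still shows up as added/removed even though it carries no hash.
snapshot() {
  find "$1" -xdev -type f -exec sha256sum {} + 2>/dev/null
  find "$1" -xdev ! -type f -print 2>/dev/null | sed 's/^/D  /'
}

# Compare two snapshot files; print "added", "removed" or "changed" per path.
# Keyed on the path, not the whole line, so a modified binary is reported as
# changed rather than as one removal plus one addition.
compare_snapshots() {
  awk '
    function path(line,   p) { p = line; sub(/^[^ ]*  /, "", p); return p }
    FILENAME == ARGV[1] { before[path($0)] = $1; next }
    { after[path($0)] = $1 }
    END {
      for (p in after)  if (!(p in before)) print "added   " p
      for (p in before) if (!(p in after))  print "removed " p
      for (p in after)  if ((p in before) && before[p] != after[p]) print "changed " p
    }' "$1" "$2" | LC_ALL=C sort
}

# Usage (write the snapshots outside the tree, or they appear as "added"):
#   sh tree_snapshot.sh snap /home > /root/home.before
#   ... reinstall the kernel and reboot ...
#   sh tree_snapshot.sh snap /home > /root/home.after
#   sh tree_snapshot.sh diff /root/home.before /root/home.after
case "${1:-}" in
  snap) snapshot "$2" ;;
  diff) compare_snapshots "$2" "$3" ;;
esac
```

Taken over /bin, /sbin, /usr/bin, /usr/sbin and /lib as well as /home, the "changed" lines are the replaced binaries and the "added" lines the files the module was hiding; store the before snapshot off the host, since anything left on a compromised disk can be edited by the intruder.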

Reference:
https://blog.csdn.net/tiandyoin/article/details/75136484
