Hacking For Beginners – Manthan Desai

2010

cleaned correctly, a normal system administrator is unaware that the intrusion has even occurred until another site contacts him or the disks fill because of the sniffer logs.

The most severe threat to system security that a rootkit can pose comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. Even if an infected system is rebooted, the LKM will reload the trojan during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems, including Linux, Solaris, and FreeBSD.

LKM rootkits facilitate the subversion of system binaries. Knark, Adore, and Rtkit are just a few of the many LKM rootkits available today. Because they run as part of the kernel, these rootkits are harder to detect than conventional ones.

Let us see how a typical backdoor can be installed by an intruder.

The goal of a backdoor is to give the hacker access despite the measures taken by the compromised system's administrator, with the least amount of time and visibility. Backdoors that give a local user root access include: set uid programs, trojaned system programs, and cron job backdoors.

Set uid programs. The attacker may plant a set uid shell program in the file system which, when executed, grants root to the attacker.

Trojaned system programs. The attacker can alter system programs such as "login" so that they give him root access.

Cron job backdoor. The attacker may add or modify the jobs that the cron program runs so that he can get root access.

Backdoors that give a remote user root access include: ".rhosts" files, ssh authorized keys, bind shells, and trojaned services.

".rhosts" file. Once "+ +" is in some user's .rhosts file, anyone can log into that account from anywhere without a password.

ssh authorized keys. The attacker may put his public key into the victim's ssh configuration file "authorized_keys", so that he can log into that account without a password.

Bind shell. The attacker can bind a shell to a certain TCP port. Anybody doing a telnet to that port gets an interactive shell. More sophisticated backdoors of this kind can be UDP based, unconnected TCP, or even ICMP based.

Trojaned service. Any open service can be trojaned to give access to a remote user. For example, a trojaned inetd program creates a bind shell at a certain port, or a trojaned ssh daemon gives access with a certain password.

After the intruder plants and runs the backdoor, his attention turns to hiding his files and processes. However, these can be easily detected by the system administrator, especially if the system is running Tripwire.

Let us see how an LKM rootkit helps achieve the attacker's needs.

In the case of LKM trojaned rootkits, the attacker can put the LKM in /tmp or /var/tmp, directories that the system administrator cannot monitor. Moreover, he can effectively hide files, processes, and network connections. Since he can modify the kernel structures, he can replace the original system calls with his own versions.

To hide files. Commands like "ls" and "du" use sys_getdents() to obtain the contents of a directory. The LKM simply filters out the files that are to be hidden.

To hide processes. In Linux implementations, process information is mapped to a directory in the /proc file system. An attacker can modify sys_getdents() and mark the process as invisible in the task structure. The usual implementation is to set the task's flag (signal number) to some unused value.

To hide network connections. Similar to process hiding, the attacker can try to hide entries inside the /proc/net/tcp and /proc/net/udp files. He can trojan sys_read() so that whenever the system reads these two files and a line matches a certain string, the system call does not reveal the network connection.
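As an added defender-side check (not code from the book), the following Python script reconciles what /proc/net/tcp reports with what bind() reveals: a trojaned sys_read() can drop a line from the file, but it cannot make the port free, so the hidden listener still surfaces. It assumes the Linux /proc/net/tcp layout and that the probing process is allowed to bind the candidate ports; the sample table is constructed.

```python
"""Cross-check /proc/net/tcp against a bind() probe: a rootkit that filters
sys_read() on /proc/net/tcp can hide a listener from netstat, but bind() on
a port another socket already holds still fails with EADDRINUSE."""
import errno
import socket

# Constructed sample of /proc/net/tcp: a listener on port 22 (0x0016) and one
# established connection on local port 43206 (0xA8C6); nothing else.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A8C6 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
"""

def listed_local_ports(proc_net_tcp_text):
    """Every local port the table reports, in any TCP state (hex in the file)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) > 3:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_is_bound(port):
    """True if bind() fails with EADDRINUSE, False if it succeeds, None when
    the probe is inconclusive (e.g. EACCES on a privileged port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))  # INADDR_ANY conflicts with any bound address
        except OSError as e:
            return True if e.errno == errno.EADDRINUSE else None
    return False

def find_hidden_listeners(proc_net_tcp_text, candidate_ports):
    """Ports the kernel refuses to hand out but /proc/net/tcp does not list.
    On a live host pass open('/proc/net/tcp').read() and range(1, 65536)."""
    listed = listed_local_ports(proc_net_tcp_text)
    return {p for p in candidate_ports if p not in listed and port_is_bound(p)}

def demo_hidden_listener():
    """Open a listener the sample table omits and confirm the probe finds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return port, find_hidden_listeners(SAMPLE_PROC_NET_TCP, [22, port])
```

On a host with IPv6 sockets, feed /proc/net/tcp6 through the same parser as well, otherwise dual-stack listeners show up as false positives.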
