myhack58 | 佚名 (Anonymous) | MYHACK58:6220068392

Sony used rootkit techniques inside its CDs to hide files (vulnerability warning, Black Bar Safety Net)

2006-03-29 00:00:00
佚名 (Anonymous)
www.myhack58.com

Sony's software uses the driver Aries.sys to hide any file, directory, registry key, and even any process whose name begins with $sys$.

The real surprise comes when he finds that it was installed there by an audio CD he bought from Amazon. The CD he had was published by Sony, who licensed this “content protection scheme” from a company called First 4 Internet.

What really surprised the author was that this rootkit came from a music CD he had bought from Amazon, and that the CD was published by Sony. (Sony licensed this "content protection scheme" from a company called First 4 Internet.)

Reprint of a related article; original link:
https://www.xfocus.net/bbs/index.php?act=ST&f=1&t=56359

Copyright 2001 OLS3. This handout is intended for reference by educational staff; for any other use, please first obtain the author's consent.

(The above statement is mainly to prevent merchants from taking this article and profiting from it. Apart from that, it may be freely read without restriction, so there is no need to feel uneasy about it.)

I. What is a rootkit?

Before describing what a rootkit is, let me first describe what trojaned system commands are.

"Trojaned system commands" can be translated as "Trojan horse programs" (or, trojanized system commands).

I believe everyone is familiar with the story of the Trojan horse?!

A program that on the surface looks like a normal program, but which in fact secretly replaces the normal program and leaves special backdoors in the system, so that the host can later be controlled without anyone noticing, or the program's behaviour disrupted: that is what we call a Trojan horse program, commonly known as a backdoor program or simply a Trojan.

When such a program is hidden in a system, we say the system has been trojaned.

The sources of Trojans can roughly be divided into the following kinds:

The system was compromised (root-compromise) and a cracker implanted them
On a multi-user host, an ordinary user carefully set a trap
Running programs of unknown origin
Installing a program kit that had been tampered with
Infection by a network worm (Internet worm).
Of these, three are the most common: the system being compromised, worm infection, and running programs of unknown origin.

As for system intrusions: most crackers, after breaking into a host, will not immediately cause obvious damage. Only low-grade hackers, or those eager to show off, or those pretending to be or wanting to count themselves among the cracker clan, the so-called script kiddies, behave that way.

(In fact these people are not really hacking; they just pick up ready-made tools and attack hosts that have known vulnerabilities.)

Usually they install a number of Trojans in place of the normal programs, so that the system shows no visible abnormality while running, leave a convenient backdoor for future access, then remove the traces they left behind (such as log files and command history files) and quietly leave. Until one day they need this host's resources, and they come back...

(High-grade hackers will not make any changes to the system, and will notify the site's administrator that the site has a vulnerability; they may even help the administrator patch it. Usually this is done in the name of education or experimentation, and what they care about more is whether they can gain respect and status in the hacker community.)

A so-called rootkit is a program kit that someone assembled from these commonly used Trojans, so that after breaking into a host a cracker can conveniently compile and install the Trojan programs on the victim host.

Some rootkits are purely experimental, but some rootkits are themselves trojaned, so whoever plays with such a rootkit gets a Trojan. (A rootkit's rootkit?! ;-) )

There are many kinds of rootkits. The Trojans contained in a rootkit are usually distributed in source code form; many of these programs come from early BSD UNIX systems and were gradually ported over, so on almost every machine platform there are traces of rootkits, and their variants and patterns can only be described as diverse and multifarious.

(The rootkits I currently have on hand number no fewer than several dozen: Linux, FreeBSD, Solaris, NT, W2K, Novell, DOS... all of them.)

In general, the Trojans and tools commonly found in a rootkit are:

bindshell
chfn
chsh
crontab
du
find
fix
ifconfig
inetd
killall
linsniffer
login
ls
netstat
passwd
pidof
ps
rshd
sniffchk
syslogd
tcpd
top
wted
z2

II. Symptoms of a trojaned host:

A trojaned host usually does not show much that is strange. (However, a poor-quality Trojan program will produce obvious symptoms.)

Even if the network administrator uses ps, netstat, lsof, top or other programs to observe how the host is running, no strange process will be found in memory. This is because these commonly used commands have already been replaced by the cracker; in other words, the picture you see when you look at the system through these Trojan programs is most likely fake!

However, a Trojan is after all not the real program; there is always some difference between it and the original. Perhaps in the short term nothing seems strange, but in the long run it can never fully perform the original program's real function. So these differences will one day cause the host to malfunction.

Therefore, once you find any strange phenomenon on the system, the first thing to do is:

Try to suspect: has my host been trojaned?!
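The cross-view idea behind this section, as an added shell example that is not part of the original article: a trojaned ps can omit the cracker's processes, but on Linux the kernel also lists every process as a numeric directory under /proc, so comparing the two views exposes what ps is hiding. The PID lists in the demo are constructed; the --live mode and the /proc layout are assumptions about a Linux host.

```shell
#!/bin/sh
# Cross-view check for hidden processes (added example, not from the article).
# A trojaned `ps' can omit processes, but the kernel also exposes every
# process as /proc/<pid>. Any PID present in the kernel view but missing
# from the ps view is one of the two lying, and ps is the easier to replace.

# hidden_pids KERNEL_VIEW PS_VIEW
# Both arguments are whitespace-separated PID lists. Prints, one per line,
# every PID that the kernel view contains and the ps view does not.
hidden_pids() {
    kernel_view=$1
    ps_view=$2
    for pid in $kernel_view; do
        found=0
        for seen in $ps_view; do
            [ "$pid" = "$seen" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
    return 0
}

# live_kernel_pids: numeric entries of /proc (Linux-only; assumption).
live_kernel_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && echo "${d#/proc/}"
    done
    return 0
}

# live_ps_pids: what the (possibly trojaned) ps binary admits to.
live_ps_pids() {
    ps -e -o pid= 2>/dev/null | tr -d ' '
}

# Constructed sample: the kernel knows about PID 4242, ps does not list it.
SAMPLE_KERNEL="1 2 517 4242 9001"
SAMPLE_PS="1 2 517 9001"

if [ "${1:-}" = "--live" ]; then
    hidden=$(hidden_pids "$(live_kernel_pids)" "$(live_ps_pids)")
else
    hidden=$(hidden_pids "$SAMPLE_KERNEL" "$SAMPLE_PS")
fi

if [ -n "$hidden" ]; then
    echo "PIDs visible to the kernel but missing from ps:"
    echo "$hidden"
else
    echo "no hidden processes found"
fi
```

Two caveats when running it with --live: the two snapshots are not taken at the same instant, so a process that starts or exits between them shows up once as a false positive, and only a PID that is reported on repeated runs deserves attention; and a kernel-level rootkit (the LKM kind that chkrootkit's lkm check looks for) can filter /proc as well, so this only catches a userland replacement of ps.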

III. A simple test method:

However, mere suspicion gets you nowhere, and a network administrator who is constantly suspicious will sooner or later end up with a "nervous breakdown" ;-Q

Make good use of tools!

Here I describe chkrootkit, released by http://www.chkrootkit.org

As the name suggests, chkrootkit is a convenient tool for checking whether a rootkit is present.

chkrootkit runs on the following platforms:

Linux 2.0.x, 2.2.x
FreeBSD 2.2.x, 3.x and 4.0
OpenBSD 2.6, 2.7 and 2.8 (if you care a great deal about security, I strongly recommend OpenBSD 2.8; that is what I am running. ^_^)
Solaris 2.5.1, 2.6 and 8.0.
As of now (05/08/2001), the latest version is chkrootkit v0.32

It can detect the following rootkits and backdoors:

lrk3
lrk4
lrk5
lrk6 (and some variants)
Solaris rootkit
FreeBSD rootkit
t0rn (including some variants and t0rn v8)
Ambient’s Rootkit for Linux (ARK)
Ramen Worm; rh[67]-shaper
RSHA
Romanian rootkit
RK17
Lion Worm
Adore Worm
LPD Worm
kenny-rk
Adore LKM
It mainly checks the following programs on the system:

basename
biff
chfn
chsh
cron
date
dirname
du
echo
env
find
fingerd
gpm
grep
identd
ifconfig
inetd
killall
login
ls
mail
mingetty
netstat
passwd
pidof
pop2
pop3
ps
pstree
rlogind
rpcinfo
rshd
sendmail
sshd
su
syslogd
tar
tcpd
telnetd
timed
top
traceroute
write
Installation method:

Installing and using chkrootkit is very simple! (Please also be sure to read the FAQ at http://www.chkrootkit.org/)

Download

Go to http://www.chkrootkit.org and download chkrootkit.tar.gz

Or download chkrootkit-0.32.tar.gz from ftp.tnc.edu.tw/Security/ (Careful! Could this one be a Trojan too? ^_^ ... Just kidding, don't take it seriously!)

Extract

tar xvzf chkrootkit-0.32.tar.gz

Compile

cd chkrootkit-0.32

make sense

Perform

./chkrootkit > chk.lst

Check the text file chk.lst to see whether any Trojan or worm was detected.

Below is part of the contents of chk.lst; output like this means the system should be clean. (Not one hundred percent! But at least reassuring!)

ROOTDIR is `/'
Checking `basename'... Not vulnerable
Checking `biff'... NOT TESTED
Checking `chfn'... Not vulnerable
Checking `chsh'... Not vulnerable
Checking `cron'... Not vulnerable
Checking `date'... Not vulnerable
Checking `du'... Not vulnerable
Checking `dirname'... Not vulnerable
Checking `echo'... Not vulnerable
Checking `env'... Not vulnerable
Checking `find'... Not vulnerable
Checking `fingerd'... Not vulnerable
Checking `gpm'... Not vulnerable
Checking `grep'... Not vulnerable
Checking `su'... Not vulnerable
Checking `ifconfig'... Not vulnerable
Checking `inetd'... Not vulnerable
Checking `identd'... Not vulnerable
Checking `killall'... Not vulnerable
Checking `login'... Not vulnerable
Checking `ls'... Not vulnerable
Checking `mail'... Not vulnerable
Checking `mingetty'... Not vulnerable
Checking `netstat'... Not vulnerable
Checking `passwd'... Not vulnerable
Checking `pidof'... Not vulnerable
Checking `pop2'... NOT TESTED
Checking `pop3'... NOT TESTED
Checking `ps'... Not vulnerable
Checking `pstree'... Not vulnerable
Checking `rpcinfo'... Not vulnerable
Checking `rlogind'... Not vulnerable
Checking `rshd'... Not vulnerable
Checking `sendmail'... Not vulnerable
Checking `sshd'... Not vulnerable
Checking `syslogd'... Not vulnerable
Checking `tar'... Not vulnerable
Checking `tcpd'... Not vulnerable
Checking `top'... Not vulnerable
Checking `telnetd'... Not vulnerable
Checking `timed'... Not vulnerable
Checking `traceroute'... Not vulnerable
Checking `write'... Not vulnerable
Checking `asp'... Not vulnerable
Checking `bindshell'... Not vulnerable
Checking `z2'... Nothing deleted
Checking `wted'... Nothing deleted
Checking `rexedcs'... Not vulnerable
Checking `sniffer'...
eth0 is not promisc
Checking `aliens'... No suspect files
Searching for sniffer's logs, it may take a while... Nothing found
Searching for t0rn's default files and dirs... Nothing found
Searching for t0rn's v8 defaults... Nothing found
Searching for Lion Worm default files and dirs... Nothing found
Searching for RSHA's default files and dir... Nothing found
Searching for RH-Sharpe's default files... Nothing found
Searching for Ambient's rootkit (ark) default files and dirs... Nothing found
Searching for suspicious files and dirs, it may take a while...
Searching for LPD Worm files and dirs... Nothing found
Searching for Ramen Worm files and dirs... Nothing found
Searching for RK17 files and dirs... Nothing found
Searching for Adore Worm... Nothing found
Searching for anomalies in shell history files...
Checking `lkm'... Nothing detected

IV. In the unlikely event that you have been trojaned, what should you do?

We can say: if a Trojan program is present on the host, then control of this host is already no longer in the administrator's hands!

In other words: this host has already fallen (been compromised)! Well, the only good news is that it was not some sneaky move done in the dead of night... ;-)

If this really and unfortunately happens, I suggest you hurry to:

Inventory the backdoors
Trace the reason for the intrusion
Track down the source of the intrusion
Prepare yourself mentally for reinstalling the system
Back up important files
Reinstall the system
Afterwards, further strengthen your security and anti-hacking (防骇) knowledge
Make good use of tools (for example: install a file-system integrity checking tool such as Tripwire; before installing any program kit, compare its MD5 checksum)
Pay attention to relevant security information
Patch the system promptly
Develop good management habits (for example: avoid using telnet / ftp; use ssh2, sftp2, scp instead)
Keep monitoring carefully
Work hard to maintain the host's security
God bless you and me... ^_^
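The integrity-checking advice above (a tool such as Tripwire, and checksum comparison before installing anything) reduces to one idea: record a digest of each sensitive binary while the system is known-good, keep that record where an intruder cannot rewrite it, and compare later. As an added shell example that is not part of the article or of Tripwire, the script below does exactly that for the programs the article lists as common rootkit replacements. It uses sha256sum (GNU coreutils, assumed available) rather than MD5 because MD5 is no longer collision resistant; the files in the demo are constructed stand-ins, not real system binaries.

```shell
#!/bin/sh
# Checksum baseline for binaries rootkits commonly replace (added example).

# The programs the article lists as common rootkit replacements.
WATCHED="chfn chsh crontab du find ifconfig inetd killall login ls netstat passwd pidof ps rshd syslogd tcpd top"

# make_baseline DIR OUTFILE: digest every watched program present under DIR,
# one "digest  path" line per file, in sha256sum's own format.
make_baseline() {
    dir=$1
    out=$2
    : > "$out"
    for name in $WATCHED; do
        [ -f "$dir/$name" ] && sha256sum "$dir/$name" >> "$out"
    done
    return 0
}

# verify_baseline BASELINE: print each file whose digest changed or which is
# missing; return 1 if anything differs from the baseline, 0 otherwise.
verify_baseline() {
    changed=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            changed=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$digest" ]; then
            echo "CHANGED  $path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# Demo on constructed files: take a baseline, then simulate a rootkit
# swapping in a replacement ps and check again.
demo=$(mktemp -d)
printf 'genuine ls\n' > "$demo/ls"
printf 'genuine ps\n' > "$demo/ps"
make_baseline "$demo" "$demo/baseline.sha256"
printf 'replaced ps\n' > "$demo/ps"
if verify_baseline "$demo/baseline.sha256"; then
    echo "all watched files match the baseline"
else
    echo "integrity check failed; compare against known-good media"
fi
rm -rf "$demo"
```

On a real host the baseline is taken against /bin, /sbin and /usr/sbin right after installation, and `sha256sum -c baseline.sha256` performs the same comparison the verify loop spells out. Two things the article's reasoning makes essential: the baseline must live on read-only or off-host storage, because a cracker with root can regenerate it; and the checking tools themselves (sha256sum, the shell, find) may be among the replaced binaries, so a check that matters should run from a known-clean boot medium or with statically linked copies brought along.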

Note:

Someone said: "Picking a system that relatively few people use would be more secure?! Because it does not attract hackers' interest and attention?!"

I will leave that for everyone to judge for themselves.

My advice is: better not to pick a system that relatively few people use. (If a vulnerability turns up and nobody releases a fix, or the company folds, or is reluctant to release a new version, you will be crying your eyes out! Unless you have the ability to fix it yourself...)

Instead, pick one that at least has a dedicated group or company maintaining it, continually releasing solid packages and continually improving the system.