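Maybe I wrote too much. I spent ages painstakingly typing all of this! Then I was told it was too long, the page simply would not redirect, and when I went back everything I had written was gone!
faint!
This post is dedicated to my server and to me, both of us tormented back then by this hateful program!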
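I grabbed quite a few rootkit programs from http://www.ossec.net/rootkits/, and one of them, sk-1.3a, caught my attention. This program was installed during the Debian server compromise a while back; it was this program that led to the Debian servers being compromised one after another. I will not go into how the Debian servers were broken into; first I will analyze how this program works.
The archive I obtained is named sk-1.3a.tar.gz, and I extracted it with tar -xvzf sk-1.3a.tar.gz on my Redhat 7.2 machine.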
[root@Learning backdoor]# tar -xvzf sk-1.3a.tar.gz
sk-1.3a/
sk-1.3a/include/
sk-1.3a/include/types.h
sk-1.3a/include/sk.h
sk-1.3a/include/defs.h
sk-1.3a/include/extern.h
sk-1.3a/include/skarg.h
sk-1.3a/include/strasm.h
sk-1.3a/include/stuff.h
sk-1.3a/include/idt.h
sk-1.3a/include/skstr.h
sk-1.3a/include/rdata.h
sk-1.3a/include/sha1.h
sk-1.3a/include/lib.h
sk-1.3a/include/crypto.h
sk-1.3a/src/
sk-1.3a/src/main.c
sk-1.3a/src/kmem.c
sk-1.3a/src/pattern.c
sk-1.3a/src/kernel.c
sk-1.3a/src/printf.c
sk-1.3a/src/client.c
sk-1.3a/src/install.c
sk-1.3a/src/Makefile
sk-1.3a/src/sha1.c
sk-1.3a/src/zbin2oct.c
sk-1.3a/src/lib.c
sk-1.3a/src/crypto.c
sk-1.3a/src/backdoor.c
sk-1.3a/src/zlogin.c
sk-1.3a/src/zpass.c
sk-1.3a/Makefile
sk-1.3a/config
sk-1.3a/doc/
sk-1.3a/doc/README
sk-1.3a/doc/license
sk-1.3a/doc/CHANGES
sk-1.3a/doc/TODO
[root@Learning backdoor]# cd sk-1.3a
[root@Learning sk-1.3a]# ls
config doc include Makefile src