readme

A classic LKM backdoor
Sebek: kernel module based data collection tool for Linux honeypots
----------------------------------------------------------------------

This is the top level README; it is focused on the overall organization
of the source distribution.

Introduction:

Sebek consists of a rootkit that gathers data on a honeypot and a
collector that runs on a separate machine on the same broadcast domain.
Data is transmitted from the honeypot to the collector in a somewhat
covert manner using spoofed IP and MAC addresses. Currently packets are
transmitted as Blowfish-encrypted UDP packets with configurable SRC and
DST ports.

There are three major components to the system: a modified version of
the adore rootkit that records all data from the read system call to a
special device, an application that monitors this device and transmits
the data on the LAN, and an application that collects the data off the
LAN. These components reside in the following directories:

adore/	This is a modified Linux rootkit. It is capable of keystroke
	logging on sessions even if an intruder installs his/her own
	version of SSH or shell. Further, it is able to record
	passwords entered and recover files copied with SCP to or
	from the system.

mon/	This holds the application that watches the sebek device and
	transmits the data onto the LAN. There are a couple of
	options as to which application to use, but all do essentially
	the following: decouple the time between interactive data
	recorded by the rootkit and the transmission of packets,
	obscure the true source of the packets by forging all data
	possible, and encrypt the data of value.

sniff/	This holds the application that is used to collect data from
	the local LAN. It can collect data from multiple honeypots
	concurrently, and each honeypot has its own logfile based on
	the IP address of the honeypot. In its native form the logfile
	is not pleasing to the eye, but we have provided a mechanism
	to render the logfile according to the desires of the user.

dump/	This contains the perl scripts used to process the sniff logs
	and extract copied files, interactive session activity, etc.
	Currently, only one script called sbdump is present. Without
	this script, examining the logfiles by hand will make you sad
	and weepy.

Check out ./sebek.html for how to make this fly.

Current Status:

I would consider this an early beta at best, but in many situations
it is still darn useful. Most of the actual code has been used for
some time; however, the build process is quite crude and may be
displeasing, and we intend to resolve this shortly. As well, the
documentation as you can see also sucks, but soon that will suck less.

Contact Info:

	Questions, Comments, and Insults can be directed to ebalas@iu.edu
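The collector side described above (sniff/ plus the sbdump view of it) has to cope with records from several honeypots arriving over UDP with deliberately decoupled timing, so it must demultiplex by honeypot IP and tolerate out-of-order and duplicated datagrams. The following Python is an added illustration of that collector logic, not Sebek's own code: the record header layout, the MAGIC value, the sample datagrams and the helper names are all constructed for this example, since the page does not give the real Sebek wire format, and the Blowfish decryption step that would sit in front of parse_record in the real system is omitted.

```python
import socket
import struct
from collections import defaultdict

# Constructed record layout for this example (the real Sebek wire format is
# not given on this page): magic | honeypot IPv4 | pid | uid | fd | counter | length,
# all big-endian, followed by `length` bytes of captured read() data.
HDR_FMT = "!IIIIIIH"
HDR_LEN = struct.calcsize(HDR_FMT)
MAGIC = 0x5EBE4B01  # constructed marker value, not Sebek's


def ip_to_int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def pack_record(src_ip, pid, uid, fd, counter, data: bytes) -> bytes:
    """Build one datagram payload as a honeypot-side monitor would (constructed format)."""
    return struct.pack(HDR_FMT, MAGIC, ip_to_int(src_ip), pid, uid, fd, counter, len(data)) + data


def parse_record(buf: bytes) -> dict:
    """Validate and decode one datagram; raises ValueError on anything malformed."""
    if len(buf) < HDR_LEN:
        raise ValueError("short datagram")
    magic, ip, pid, uid, fd, counter, length = struct.unpack(HDR_FMT, buf[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    data = buf[HDR_LEN:HDR_LEN + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    return {"ip": int_to_ip(ip), "pid": pid, "uid": uid, "fd": fd,
            "counter": counter, "data": data}


class Collector:
    """Sorts records into one log per honeypot IP, dropping malformed and duplicate datagrams."""

    def __init__(self):
        self.logs = defaultdict(list)   # honeypot IP -> list of accepted records
        self.seen = set()               # (ip, counter) pairs already accepted
        self.dropped = 0
        self.duplicates = 0

    def ingest(self, datagram: bytes) -> bool:
        try:
            rec = parse_record(datagram)
        except ValueError:
            self.dropped += 1
            return False
        key = (rec["ip"], rec["counter"])
        if key in self.seen:            # UDP may deliver the same datagram twice
            self.duplicates += 1
            return False
        self.seen.add(key)
        self.logs[rec["ip"]].append(rec)
        return True

    def logfile_name(self, ip: str) -> str:
        """One logfile per honeypot, named by its IP address as the README describes."""
        return f"{ip}.log"

    def session_text(self, ip: str, pid: int, fd: int = 0) -> str:
        """Reassemble one process's keystrokes in counter order (an sbdump-style rendering)."""
        recs = sorted((r for r in self.logs[ip] if r["pid"] == pid and r["fd"] == fd),
                      key=lambda r: r["counter"])
        return b"".join(r["data"] for r in recs).decode("latin-1")


def demo_datagrams() -> list:
    """Constructed traffic: two honeypots, one out-of-order delivery, one duplicate, one junk packet."""
    a, b = "10.0.0.5", "10.0.0.6"
    return [
        pack_record(a, 1234, 0, 0, 1, b"l"),
        pack_record(a, 1234, 0, 0, 3, b" -la\n"),   # arrives before counter 2
        pack_record(a, 1234, 0, 0, 2, b"s"),
        pack_record(a, 1234, 0, 0, 2, b"s"),        # duplicate of counter 2
        pack_record(b, 777, 1000, 0, 1, b"id\n"),
        b"\x00\x01not a sebek record",               # malformed, shorter than the header
    ]


def run_demo() -> Collector:
    c = Collector()
    for d in demo_datagrams():
        c.ingest(d)
    return c


if __name__ == "__main__":
    c = run_demo()
    for ip in sorted(c.logs):
        print(c.logfile_name(ip), repr(c.session_text(ip, c.logs[ip][0]["pid"])))
    print("dropped:", c.dropped, "duplicates:", c.duplicates)
```

Keying the duplicate check on (honeypot IP, counter) rather than on payload bytes matters because two genuine keystrokes can carry identical data; the per-record counter is what lets the collector both reorder late datagrams and discard true retransmits.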
