在生产环境中,系统被入侵后,黑客会放置自己的后门。LKM后门和传统的后门不一样,它可以通过隐藏进程、端口、文件的方式隐藏自己,不被管理员轻易发现,也就是常说的rootkit技术。
LKM 是什么?Loadable Kernel Module,即可加载内核模块的缩写。
xlkm 是一个脚本:在机器上线前对当前已加载的内核模块做一次基线备份,之后通过与基线对比来判别模块是否被替换、篡改。
主要思路就是:列出系统已加载的内核模块并备份,对磁盘上的模块文件计算 md5 校验值并备份,之后再次采集并与基线对比。需要注意:基线和脚本本身都存放在被检测的主机上,而且 lsmod、modprobe、md5sum 等工具本身也可能已被 rootkit 替换,所以对已经拿到 root 的攻击者来说这并不是不可绕过的检测;更稳妥的做法是把基线(至少是它的哈希)保存到主机之外,并尽量用可信介质上的工具来做检测。
实现起来比较简单,我shell也不是很好,大家就凑活着看吧。
#!/bin/bash
#code:key1088
#mail:key1088@163.com
#bash --version
#GNU bash, version 3.2.25(1)-release (i686-redhat-linux-gnu)
#Copyright (C) 2005 Free Software Foundation, Inc
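# Must run as root: lsmod/modprobe and the backup directory under /usr/local
# need it. Exit non-zero so a wrapper or cron job can tell this apart from
# a successful run (the original exited 0 here).
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Not root" >&2
  exit 1
fi
# Where the baseline (encrypted zip plus transient plaintext listings) lives.
readonly xlkmroot=/usr/local/xlkm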
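# Print the interactive menu in green, then reset the terminal colour.
# The escape sequences are written as \033 explicitly: the published listing
# had lost the backslash, so the menu printed a literal "33[32m".
help() {
  printf '\033[32m List:\n'
  printf '%s\n' "[1.Start LKM List Backup]" \
                "[2.Test LKM List Change]" \
                "[3.Delete All Backup]" \
                "[4.Quit]"
  printf '\033[0m\n'
}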
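# Create the baseline directory (mode 0700, root only), refusing to reuse an
# existing one. Exits the whole tool rather than returning, so the caller's
# following START never runs on top of an old baseline; use option 3 first.
# Globals: xlkmroot (read).
SETUPXLKM() {
  if [[ -d "$xlkmroot" ]]; then
    echo "LKM exist Backup!!" >&2
    exit 1
  fi
  # -m applies the mode atomically, closing the mkdir..chmod window during
  # which the directory was briefly world-readable.
  # Abort if the directory cannot be created: START would otherwise write
  # its listings into a path that does not exist.
  mkdir -m 700 -- "$xlkmroot" || exit 1
}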
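# Remove the whole baseline directory (zip and any leftover listings).
# ${xlkmroot:?} aborts instead of running `rm -rf` on an empty path should the
# variable ever be unset; `--` stops option parsing.
# Globals: xlkmroot (read).
DELXLKM() {
  rm -rf -- "${xlkmroot:?xlkmroot is not set}"
  echo
  printf '\033[34mDelete XLKM Backup Successfully\033[0m\n'
  echo
}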
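# Take the baseline: the lsmod table plus an md5 of every module file on disk,
# then seal both listings in a password-protected zip and drop the plaintext.
# Globals: xlkmroot (read). Reads the password from stdin (not echoed).
#
# Caveats a reader should weigh before trusting this as a rootkit detector:
#  - the password goes to zip on the command line (-P), so it is visible in
#    `ps` while zip runs, and zip's legacy ZipCrypto is weak; treat the zip
#    as tamper-evidence for a casual attacker, not as strong encryption;
#  - everything lives on the monitored host, and lsmod/modprobe/md5sum may
#    themselves be trojaned by a rootkit, so keep a copy of mainfile.zip (or
#    at least its hash) off-host;
#  - md5 is kept for compatibility with the existing listing format, but it
#    is collision-weak; a sha256 listing would be the better choice.
START() {
  # Local, so a password left over from another menu action is never reused.
  local passwd=""
  while [[ -z "$passwd" ]]; do
    echo
    printf 'Input encrypt passwd[No Null]:'
    # -r keeps backslashes, -s stops the password echoing to the terminal;
    # stop instead of spinning forever if stdin is closed.
    read -r -s passwd || return 1
    echo
  done
  if ! command -v zip > /dev/null 2>&1; then
    echo "zip not found; cannot seal the baseline" >&2
    return 1
  fi
  echo "WAITing….."
  lsmod > "$xlkmroot/lkmlist.main"
  # Truncate first: the loop below appends, so a stale file would be
  # concatenated onto the new listing.
  : > "$xlkmroot/lkmfile.md5.main"
  # `modprobe -l` (module-init-tools, the 2.6-era tool this script targets)
  # lists module files; newer kmod dropped -l, so fall back to walking the
  # running kernel's module tree. Depending on the module-init-tools version
  # the listed paths are absolute or relative to /lib/modules/<release> —
  # both forms are normalised here. Sorted so the later diff is stable.
  local kmoddir="/lib/modules/$(uname -r)"
  local mod
  while IFS= read -r mod; do
    [[ -n "$mod" ]] || continue
    [[ "$mod" == /* ]] || mod="$kmoddir/$mod"
    md5sum -- "$mod" >> "$xlkmroot/lkmfile.md5.main"
  done < <( { modprobe -l 2>/dev/null || find "$kmoddir" -type f -name '*.ko*' 2>/dev/null; } | LC_ALL=C sort )
  # The published listing lost its shell globs to the blog renderer
  # ("./.main", "$xlkmroot/lkm"); the intent is clearly to seal the *.main
  # files and then remove the plaintext copies, which is what is done here.
  # -j stores bare file names so unzip restores them at the top of xlkmroot
  # regardless of the current directory (no cd, so the caller's cwd is kept).
  if zip -j -P "$passwd" "$xlkmroot/mainfile.zip" "$xlkmroot"/*.main > /dev/null; then
    echo
    printf '\033[34mLKM List Backup Successfully!\033[0m\n'
    echo
    # The plaintext baseline now exists only inside the zip. Only removed on
    # success: the original deleted unconditionally and could lose the
    # baseline when zip had failed.
    rm -f -- "$xlkmroot"/*.main
  else
    echo
    printf '\033[34mBeijule! Error!\033[0m\n'
    echo
  fi
}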
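# Re-collect the module state and diff it against the sealed baseline.
# Globals: xlkmroot (read). Reads the zip password from stdin (not echoed).
# Prints the lsmod diff and the md5 diff in red; empty diffs mean no change.
# Note that ZipCrypto's one-byte password check occasionally accepts a wrong
# password; a "baseline" that then diffs as complete garbage is that case.
LKMCHANGE() {
  echo "Test LKM Change"
  # Refuse to run without a baseline. The original `cd`'d without checking
  # and would then loop forever on unzip and finally `rm -f *.new` in
  # whatever directory the shell happened to be in.
  if [[ ! -f "$xlkmroot/mainfile.zip" ]]; then
    echo "No baseline found in $xlkmroot (run option 1 first)" >&2
    return 1
  fi
  # ra is local and reset on every call. The original reused the global left
  # by the previous run, so a second invocation skipped the unzip entirely
  # and diffed against missing files.
  local passwd ra=1
  while [[ "$ra" -ne 0 ]]; do
    echo
    printf 'Input encrypt passwd[No Null]:'
    read -r -s passwd || return 1
    echo
    # -o overwrites silently; without it unzip prompts on stdin whenever a
    # stale *.main is still present. -d pins the extraction directory.
    unzip -o -P "$passwd" -d "$xlkmroot" "$xlkmroot/mainfile.zip" > /dev/null 2>&1
    ra=$?
    if [[ "$ra" -ne 0 ]]; then echo "Invalid password!! "; fi
  done
  echo "WAITing….."
  lsmod > "$xlkmroot/lkmlist.new"
  # Truncate first: the loop appends.
  : > "$xlkmroot/lkmfile.md5.new"
  # Same enumeration as the baseline: `modprobe -l` where module-init-tools
  # still provides it, otherwise the running kernel's module tree; relative
  # paths are anchored at /lib/modules/<release>. Sorted for a stable diff.
  local kmoddir="/lib/modules/$(uname -r)"
  local mod
  while IFS= read -r mod; do
    [[ -n "$mod" ]] || continue
    [[ "$mod" == /* ]] || mod="$kmoddir/$mod"
    md5sum -- "$mod" >> "$xlkmroot/lkmfile.md5.new"
  done < <( { modprobe -l 2>/dev/null || find "$kmoddir" -type f -name '*.ko*' 2>/dev/null; } | LC_ALL=C sort )
  echo "LKM List Change:"
  printf '\033[31m\n'
  diff -- "$xlkmroot/lkmlist.main" "$xlkmroot/lkmlist.new"
  printf '\033[0m\n'
  echo "LKM File Md5 Change:"
  printf '\033[31m\n'
  diff -- "$xlkmroot/lkmfile.md5.main" "$xlkmroot/lkmfile.md5.new"
  printf '\033[0m\n'
  # Drop both the fresh sample and the decrypted baseline; only the zip stays.
  # (The listing's `*.main` glob was lost in rendering; restored here.)
  rm -f -- "$xlkmroot"/*.new "$xlkmroot"/*.main
}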
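# Interactive menu loop; runs until option 4 or until stdin is exhausted.
while :; do
  help
  printf 'Input List num:'
  # EOF (e.g. a piped or closed stdin) must end the loop instead of spinning
  # on the menu forever.
  read -r x || exit 0
  case "$x" in
    1)
      SETUPXLKM
      START
      ;;
    2)
      LKMCHANGE
      ;;
    3)
      DELXLKM
      ;;
    4)
      exit 0
      ;;
    *)
      # The published listing showed a bare `)` here — its `*` was eaten by
      # the renderer, and a bare `)` is a syntax error in bash.
      printf '\033[31mError !!!!!\n'
      printf 'Please input [1-4] list option\033[0m\n'
      ;;
  esac
done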