Please read this! It is important. Otherwise you maybe crash your kernel! ========================================================================= 0. Intro -------- Only *YOU* are responsible for your own actions. So if you are dumb enough to own machines and install this software on it, only you can be blamed for it. Do not say you have not been warned! 1. Install by hand ------------------ You can skip this section if you want to use the "configure" script. This section might be important if the configure script does not run somehow or produces wrong output. Edit Makefile and set proper values. Everyone should choose an own ADORE_KEY to make it impossible to scan for installed adore. Also ELITE_UID and ELITE_GID should be changed to own values. When commenting in the MODVERSIONS-switch, adore will be compiled for modversioned kernels. Modversioned kernels have a /proc/ksyms file that looks like ... foo_barR12345678 ... where normal kernels would look like ... foo_bar ... On some systems it can't find modversions.h. Try disabling MODVERSIONS even when you see the symbols are version-ed. It seems to me that using MODVERSIONS isn't necessary on newer kernels. Hidden ports (adore-ng.h) go decimal, i.e. '2222' hides everything which belongs to port 2222. The tcp-hiding has been redesigned completely. It uses a technique similar to the one described by palmers in phrack (http://www.phrack.org/show.php?p=58&a=6) By default 2222 and 7350 are hidden. Only IPv4 (tcp4) stuff is hidden. It is now very hard for adore-scanners to find a running adore because it is not longer possible to chdir() or stat() PID-dirs in /proc if PID is hidden. It is completely invisible, except to processes which are hidden them self. Files are now hidden using both, a ELITE_UID and a ELITE_GID which are chosen randomly upon 'configure'. So we have 2**64 possible values which is impossible to brute-force and thus checking for hidden files by brute-forcing uid/gid. Older Linux systems have a width of 16 bit for UID's and GID's, newer systems have 32 bit. Adore supports both. Either give 4 (for 32 bit) or 2 (for 16 bit) as argument to configure e.g. 'configure 4'. The default is 4. Make sure SMP is enabled when it is in kernel. Don't forget to recompile when you changed Makefile. Two 'makes' may produce two different adore's that maybe can't interact (i.e. further hidden-files are visible now due to UID-change). For this reason, the Makefiles are backed-up to allow a restore. 2. Install by script -------------------- Run configure-script. Script should give you some messages which uid's are used etc. View Makefile to see if everything is fine. Edit adore-ng.h to meet with your services you want to hide. Defaults to port 2222 and 7350. Do 'make'. "insmod ./adore.o" as root. Use "ava" to hide files, processes and so on then. When ava responds, there is no adore, but you are sure there is, then you maybe compiled adore.o and ava with different ADORE_KEY's. Do 'make clean; make' to put it in sync. "insmod ./cleaner.o; rmmod cleaner" to hide the adore LKM from lsmod. Or use "startadore" script. Use "relink" script to relink adore-ng into one of the LKMs already available on the system, so it is automatically loaded during reboot. 3. libinvisible --------------- libinvisible was written to have a layer between adore and ava. Since there are other OS's which may be targeted by adore-like modules, ava.c could easily ported, if one writes the proper library-calls. libinvisible maybe also used from within sysop-written hidden logdeamons as easy API to adore. Adore was written for EDUCATIONAL PURPOSES, for testing on honey-pot boxens (watching suspicious "broken" accounts) and intrusion testings. If you need more help watching broken accounts, you may also use EoE to watch what is executed. 4. Use 'R' with care -------------------- 'R' switch of ava isn't well researched. It may crash your machine. 'R'emoving current shell isn't good idea. 5. A word on detecting root-kits ------------------------------- Adore has quite good anti-detection measurements in version 0.5 and better. Since we use the new proc technique we completely control what user-space programs see. It isn't even longer possible to detect hidden processes by walking through the task-list and checking for PF_INVISBLE flag because adore now uses a different approach to check for hidden procs. I know of tools which read the disk raw by accessing /dev/hdXY and comparing getdents() result with it. Thats the only thing where someone may detect adore yet, but only if there are hidden files! It is not necessary to hide files in all cases. Plus, modern systems support file-systems which are located completely in-memory. This technique will fail here. Child-processes of hidden processes are hidden automatically. 6. Troubleshooting ------------------ In case gcc can't find modversions.h try to disable MODVERSIONS flag in Makefile. 7. SMP primer ------------- Adore-ng was successfully tested on UP and SMP systems. 8. etc ------- You can also control adore-ng by hand via echo & cat, look at adore-ng.c to see how. You can specify an optional FS where files can be hidden. Only use this switch ("insmod adore-ng.o opt_fs=/opt" for example) when you are sure that / and (your particular) /opt have a different FS, for example ext3 on / and reiser on /opt. otherwise you will get FS inconsistencies for sure. The opt_fs argument should not be needed in most cases anyway. Mounts of other partitions with the same FS will be affected by adore too. So if / and /opt both have ext3, you dont need to worry. Adore will handle both without a opt_fs switch. Stealth