Please read this! It is important. Otherwise you may crash your kernel!
=======================================================================

0. Intro
--------
Only *YOU* are responsible for your own actions. So if you are
dumb enough to own machines and install this software on them,
only you can be blamed for it.
Do not say you have not been warned!

1. Install by hand
------------------
You can skip this section if you want to use the "configure"
script. This section might be important if the configure
script does not run for some reason or produces wrong output.
Edit the Makefile and set proper values.
Everyone should choose their own ADORE_KEY to make it impossible to scan
for an installed adore. ELITE_UID and ELITE_GID should also be
changed to your own values.
When the MODVERSIONS switch is uncommented, adore will be compiled
for modversioned kernels. Modversioned kernels have a /proc/ksyms file
that looks like
...
foo_barR12345678
...
whereas on normal kernels it looks like
...
foo_bar
...
On some systems gcc can't find modversions.h. Try disabling MODVERSIONS even
when you see that the symbols are versioned. It seems to me that using MODVERSIONS
isn't necessary on newer kernels.
Hidden ports (adore-ng.h) are given in decimal, i.e. '2222' hides everything that belongs to port
2222.
The tcp hiding has been redesigned completely. It uses a technique similar to
the one described by palmers in Phrack (http://www.phrack.org/show.php?p=58&a=6).
By default 2222 and 7350 are hidden. Only IPv4 (tcp4) sockets are hidden.
It is now very hard for adore scanners to find a running adore because
it is no longer possible to chdir() or stat() PID dirs in /proc
if the PID is hidden. It is completely invisible, except to processes which
are hidden themselves.
Files are now hidden using both an ELITE_UID and an ELITE_GID, which are chosen
randomly upon 'configure'. So we have 2**64 possible values, which is
impossible to brute-force and thus prevents checking for hidden files by brute-forcing
uid/gid.
Older Linux systems have a width of 16 bits for UIDs and GIDs, newer systems
have 32 bits. Adore supports both. Either give 4 (for 32 bit) or 2 (for 16 bit)
as argument to configure, e.g. 'configure 4'. The default is 4.
Make sure SMP is enabled when it is enabled in the kernel.
Don't forget to recompile when you have changed the Makefile.
Two 'make's may produce two different adores that possibly can't
interact (i.e. files hidden earlier are visible now due to the UID change).
For this reason, the Makefiles are backed up to allow a restore.

2. Install by script
--------------------
Run the configure script.
The script should give you some messages about which uids are used etc.
View the Makefile to see if everything is fine. Edit adore-ng.h to match
the services you want to hide. Defaults to ports 2222 and 7350.
Do 'make'.
"insmod ./adore.o" as root.
Then use "ava" to hide files, processes and so on.
When ava responds that there is no adore, but you are sure there is,
then you have probably compiled adore.o and ava with different ADORE_KEYs.
Do 'make clean; make' to put them in sync.
"insmod ./cleaner.o; rmmod cleaner" to hide the adore LKM from lsmod.
Or use the "startadore" script. Use the "relink" script to relink adore-ng
into one of the LKMs already available on the system, so it is
automatically loaded during reboot.

3. libinvisible
---------------
libinvisible was written to have a layer between adore and ava.
Since there are other OSes which may be targeted by adore-like modules,
ava.c could easily be ported if one writes the proper library calls.
libinvisible may also be used from within sysop-written hidden log daemons
as an easy API to adore.
Adore was written for EDUCATIONAL PURPOSES, for testing on honey-pot
boxes (watching suspicious "broken" accounts) and intrusion testing.
If you need more help watching broken accounts, you may also use
EoE to watch what is executed.

4. Use 'R' with care
--------------------
The 'R' switch of ava isn't well researched. It may crash your machine.
'R'emoving the current shell isn't a good idea.

5. A word on detecting root-kits
-------------------------------
Adore has quite good anti-detection measures in version 0.5 and better.
Since we use the new proc technique we completely control what user-space
programs see. It is no longer possible to detect hidden processes
by walking through the task list and checking for the PF_INVISIBLE flag,
because adore now uses a different approach to check for hidden procs.
I know of tools which read the disk raw by accessing /dev/hdXY and comparing
the getdents() result with it. That's the only way someone may detect
adore yet, but only if there are hidden files! It is not necessary to hide
files in all cases. Plus, modern systems support file systems which are located
completely in memory; this technique will fail there.
Child processes of hidden processes are hidden automatically.
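Section 1 describes the tcp hiding and this section the ways a hidden adore might still be spotted. The following is an added example (not part of adore-ng or this README) of the complementary check a defender can run for hidden listeners: it parses /proc/net/tcp and then asks the kernel directly via bind() whether a port is already taken, since a filtered listing does not change what bind() returns. The function names (parse_listening_ports, port_in_use, find_hidden_ports, open_test_listener) and the sample listing are constructed for this example.

```python
import errno
import socket
from typing import Iterable, Set, Tuple

LISTEN = "0A"  # 'st' column value of a LISTEN socket in /proc/net/tcp{,6}

# Constructed /proc/net/tcp excerpt: listeners on 2222 and 22, plus one established flow on 7350.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0100007F:1CB6 0100007F:D431 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1
""".splitlines()


def parse_listening_ports(lines: Iterable[str]) -> Set[int]:
    """Local ports in LISTEN state from /proc/net/tcp or /proc/net/tcp6 text."""
    ports = set()
    for line in lines:
        fields = line.split()
        # data rows start with a slot number like '0:'; the header row starts with 'sl'
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] == LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex after the colon
    return ports


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """Ask the kernel, not /proc: bind() fails with EADDRINUSE when a socket owns the port.
    Ports below 1024 need root; EACCES counts as 'not known to be in use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False


def find_hidden_ports(visible: Set[int], candidates: Iterable[int]) -> Set[int]:
    """Candidates the kernel reports busy but the listing omits: the hiding signature."""
    return {p for p in candidates if p not in visible and port_in_use(p)}


def open_test_listener() -> Tuple[socket.socket, int]:
    """Real loopback listener on an ephemeral port, so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

On a live host, feed the lines of both /proc/net/tcp and /proc/net/tcp6 to parse_listening_ports (adore-ng filters tcp4 only, so a tcp6 listener still shows) and pass range(1024, 65536) as candidates, running as root to cover the lower ports. A module that also filters bind() would defeat this probe as well, which is why such checks are combined with the raw-disk and process checks rather than trusted alone.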
6. Troubleshooting
------------------
In case gcc can't find modversions.h, try disabling the
MODVERSIONS flag in the Makefile.

7. SMP primer
-------------
Adore-ng was successfully tested on UP and SMP systems.

8. etc
------
You can also control adore-ng by hand via echo & cat; look at adore-ng.c
to see how.
You can specify an optional FS where files can be hidden.
Only use this switch ("insmod adore-ng.o opt_fs=/opt" for example)
when you are sure that / and (your particular) /opt have different
FS types, for example ext3 on / and reiser on /opt. Otherwise you will
get FS inconsistencies for sure. The opt_fs argument should not
be needed in most cases anyway. Mounts of other partitions with the same
FS will be affected by adore too. So if / and /opt both have ext3, you
don't need to worry. Adore will handle both without an opt_fs switch.

Stealth