How many of you are using my OpenSSH 5.5p1 backdoor published at this URL? You have probably run into errors about PAM and GSSAPI authentication. To resolve this issue you must enable PAM and Kerberos5 during compilation, as shown below:
./configure --prefix=/usr --sysconfdir=/etc/ssh --enable-pam --enable-kerberos5
After successfully installing the OpenSSH backdoor and restarting the sshd service, can you log in as root with the magic password? The answer is indeed "No". That is because authentication is now handled by the PAM module, so the backdoor's authentication fails. This happens on RHEL, CentOS, Ubuntu, and other Linux families.
KBeast (Kernel Beast) is a new kernel rootkit based on a publicly known rootkit, modified to support kernels 2.6.16, 2.6.18, 2.6.32, and 2.6.35. It should actually work on kernels from 2.6.9 up to 2.6.35 or later, but our installer script is only written for 2.6.16, 2.6.18, 2.6.32, and 2.6.35. Below are the quick steps for installing the beast:
- wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
- tar zxvf ipsecs-kbeast-v1.tar.gz
- cd kbeast-v1/
- modify config.h to meet your requirements; remember that _MAGIC_NAME_ must be a user with an sh/bash shell
- To install on kernel 2.6.16 or 2.6.18, execute ./setup build 0
- To install on kernel 2.6.32 or 2.6.35, execute ./setup build (this should also work for recent kernels)
- To install on kernel 2.6.9, edit the .cc1 file to remove all sys_unlinkat() related code, modify the syscall table address manually, then execute ./setup build 0
Please note that the beast has been tested on, but is not limited to, kernels 2.6.9, 2.6.16, 2.6.18, 2.6.32, and 2.6.35 (i386 or x86_64). The features of this rootkit are:
OpenSSH can be modified into a powerful Unix/Linux backdoor that gives instant root access without being logged by the system. It is also possible to record the username and password of every incoming or outgoing SSH login. Several patches have been developed to turn OpenSSH 2.x, OpenSSH 3.x, and OpenSSH 4.x into a backdoor. We developed a patch for OpenSSH 5.5p1, which can be downloaded here.
Several years ago, I created a backdoor which sends a root shell to the attacker without opening a TCP/UDP port. The reverse shell is sent to the attacker based on packets sniffed by the backdoor. I can easily hide the files and processes created by the rootkit with system call redirection. But wait, I remember something: the common mistakes usually left behind by attackers. Here are those mistakes:
- Messing up binary file hash checksums; since I use a kernel-based rootkit this is not my concern.
- Forgetting to hide files, directories, processes, and TCP/UDP ports.
- Forgetting to hide the kernel rootkit from detection commands like lsmod, modinfo, modstat, kldstat.
- Forgetting to hide the interface's promiscuous mode and network sniffers.
- The mistakes above can be detected by common rootkit hunters like chkrootkit and rkhunter.
So what should we do?! My kernel rootkit solves almost all of those mistakes except hiding my sniffer from chkrootkit. Rkhunter shows no anomaly, but chkrootkit shows my sniffer:
eth0: PACKET SNIFFER(/opt/_xhidex_/_xhidex_getraw[14848])
The system administrator will be aware that someone is running a sniffer on their machine. I did some hacking to solve this issue and finally decided to hack chkrootkit itself. Some years ago, I found someone doing a rough trick by aliasing chkrootkit to 'cat <some_static_file>'. I bet a system administrator can quickly detect that trick. Fortunately chkrootkit is just a shell script, so we can modify the file easily. Here you can freely download the chkrootkit patch to hide your sniffers.
After the patch is applied to chkrootkit, its output is:
eth0: not promisc and no packet sniffer sockets
The lesson to be taken is that people talk so much about rootkits, backdoors, malware, worms, and botnets, but they usually forget to secure their own toys. Starting now, install your tool on your own system before installing it on someone else's machine. Check whether the standard GNU utilities, chkrootkit, and rkhunter can detect your tool. The other lesson is that rootkit hunters should check themselves so they can verify their own integrity. This check can be based on a hash or another secure method so self-detection can be performed accurately. As a workaround for system administrators: after installing a rootkit hunter, save its hash checksums. Save both MD5 and SHA checksums to guarantee the rootkit hunter's integrity.
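As an added example (not part of the original post or of chkrootkit), here is a small POSIX shell script that implements the workaround just described: record both MD5 and SHA-256 checksums of a rootkit hunter's files right after installation, and verify them later, so that a patched chkrootkit script (or a replaced binary) shows up as a mismatch instead of silently reporting "no packet sniffer sockets". It assumes GNU coreutils md5sum and sha256sum; the directory and baseline paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code: keep a checksum baseline of a
# rootkit hunter's files and verify it later. Assumes md5sum/sha256sum exist.

# record_checksums DIR BASELINE
# Hashes every regular file under DIR and writes one line per file to
# BASELINE: "<md5><TAB><sha256><TAB><path>". Overwrites an existing baseline.
record_checksums() {
    dir=$1
    baseline=$2
    : > "$baseline"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        md5=$(md5sum "$f" | cut -d' ' -f1)
        sha=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$md5" "$sha" "$f" >> "$baseline"
    done
}

# verify_checksums BASELINE
# Re-hashes every file listed in BASELINE. Prints MODIFIED/MISSING lines and
# returns 1 if anything differs (either digest is enough to flag a change),
# 0 if the rootkit hunter is intact.
verify_checksums() {
    baseline=$1
    tab=$(printf '\t')
    status=0
    while IFS="$tab" read -r md5 sha f; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            status=1
            continue
        fi
        cur_md5=$(md5sum "$f" | cut -d' ' -f1)
        cur_sha=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur_md5" != "$md5" ] || [ "$cur_sha" != "$sha" ]; then
            echo "MODIFIED: $f"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Usage (placeholder paths):
#   sh hunter-integrity.sh record /usr/local/chkrootkit /root/chkrootkit.sums
#   sh hunter-integrity.sh verify /root/chkrootkit.sums
case "${1:-}" in
    record) record_checksums "$2" "$3" ;;
    verify) verify_checksums "$2" ;;
esac
```

The baseline is only as trustworthy as the place it is stored: keep it (and ideally a copy of the script itself) on a separate host or read-only media, since an attacker who can patch chkrootkit can also rewrite a baseline sitting next to it. Two independent digests are recorded because the post recommends both; a mismatch in either one is treated as tampering.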
Thinking about how to backdoor and keylog a website in an unusual way is fun to implement. Kiddies usually use a public backdoor to come back to a compromised server or website, dump the database, and crack the hashes of confidential information like passwords and CC numbers. A public backdoor is somewhat easy for an administrator to detect, while hash cracking sometimes gives no result.
Modifying the source code of a website to be a backdoor and keylogger is not a new technique, but only a few kiddies know about it. By modifying the source code, we can make a backdoor that is far less visible than the public ones. We can also record confidential information like passwords and CC numbers in plaintext, so we do not have to crack them. I have implemented this technique in phpbb3, modifying its source code to become a backdoor and keylogger. The same concept can be applied to e-commerce applications, so just imagine your CC number being stolen.
Download my paper, presentation, and phpbb3 patch, which were presented at STIMIK Palcomtech Palembang.
By IPSECS Admin. Posted in News.