Close Panel




Hiding Sniffer From Rootkit Hunters

By IPSECS Admin. Posted in Exploitation, Forensics | No Comments »

Several years ago, i create backdoor which sends root shell to attacker without opening TCP/UDP port. Reverse shell is sent to attacker based on packet sniffed by backdoor. I can easily hide the file and process created by rootkit with system call redirection. But wait, i remember some things, common mistakes which usually left by attacker, here are their mistakes:

  • Mesh up with binary file hash checksum, since i use kernel based rootkit this is not my concern.
  • Forget to hide files, directory, process, tcp/udp ports.
  • Forget to hide kernel rootkit from detection command likes lsmod, modinfo, modstat, kldstat.
  • Forget to hide interface promiscuous mode and network sniffers.
  • Above mistake can be detected by common rootkit hunters like chkrootkit and rkhunters

So what should we do?! My kernel rootkit almost solve all that mistakes except hiding my sniffer from chkrootkit. Rkhunter shows no anomaly but chkrootkit shows my sniffer.

eth0: PACKET SNIFFER(/opt/_xhidex_/_xhidex_getraw[14848])

System administrator will aware that someone runs sniffer on their machine, i did some hack to solve this issue which finally i decide to hack chkrootkit. Some years ago, i found someone did rush trick by aliasing chkrootkit to ‘cat <some_static_file>’. I bet that system administrator can quickly detect this trick. Fortunately chkrootkit is just shell script so we can modify this file easily. Here, you can download freely chkrootkit patch to hide your sniffers.

After patch being applied on chkrootkit, below are chkrootkit output:

eth0: not promisc and no packet sniffer sockets

Lesson which can be taken is that people talk so much things about rootkit, backdoor, malware, worm, botnet but they ussually forget to secure their toys. Starting now, install your tool on your own system before install them on some else machine. Check if gnu standard utility, chkrootkit, and rkhunter can detect your tool. The other lesson is that rootkit hunters should check itself so it can check its integrity. This check can be based on hash or other secure method so self detection can be perform accurately. As workaround for system administrator, after doing rootkit hunter installation please save its hash checksum. Please save both MD5 and SHA checksum to guarantee rootkit hunter integrity.





How to Cheat The Ads for Profit!

By IPSECS Admin. Posted in SEO and Ads | No Comments »

Have you ever thought to put your ads in compromised website? Have you ever done to modify someone ads with your own? Putting your ads in someone website will not help increasing your revenue in low-traffic website.

Have you ever thought to insert malware in compromised website and exploit their clients? yeah browser vulnerability is the answer! Inserting in low-traffic website will not really help spreading your malware and compromise their clients!

Now, even this is old for us (IPSECS), we release tool to identify trafffic rank based on Alexa. This tool will help you to identify Alexa Rank on massive collected domains. By knowing the traffic rank of domains, this tool helps you to decide if website is worth or not if you put your ads on them. By knowing the traffic rank of domains, you can know if website is potential or not in boosting your revenue. Our simple tool need some perl module to be installed:

  • strict
  • warnings
  • Switch
  • LWP::UserAgent
  • HTTP::Message

Lastly, you can download our tool to help indentifying traffic here. Cheat the ads for your profit, Boost your revenue now!