You can also hide things from all users (including root) because the rootkit works on such a low level.
Of course, you already have to have root access to the system. This is for advanced, low-level track covering if you were to compromise a system and want to keep full root access.
For my example, I'm going to use the Enye LKM Rootkit. This is from their website:
ENYELKM is an LKM rootkit for Linux x86 with 2.6.x kernels.
It puts salts inside the system_call and sysenter_entry handlers, so
it does not modify the sys_call_table or the IDT contents.
What the rootkit does:
- Copies the enyelkm.ko file to '/etc/.enyelkmHIDE^IT.ko', so that file is hidden once the LKM is loaded.
- Adds the string 'insmod /etc/.enyelkmHIDE^IT.ko' between the marks # and # to the /etc/rc.d/rc.sysinit file, so these lines are hidden once the LKM is loaded (explained below).
- Loads the LKM with 'insmod /etc/.enyelkmHIDE^IT.ko'.
- Tries to set the date of the /etc/rc.d/rc.sysinit file to the date of /etc/rc.d/rc, and sets the +i attribute on /etc/.enyelkmHIDE^IT.ko, using the touch and chattr commands.
* Hide files, directories and processes:
Every file, directory and process with the substring 'HIDE^IT' in its name is hidden. Processes with gid = 0x489196ab are hidden too. The reverse shell (explained below) runs with gid = 0x489196ab, so it and every process launched from it is hidden.
* Hide chunks inside a file:
Every byte between the marks is hidden:
text to hide
* Get local root:
Running # kill -s 58 12345 gives you id 0.
* Hide the module from 'lsmod':
The LKM is hidden automatically.
*This rootkit has no file to search. The detection is done at a low level by system call comparison.
Because it is a kernel module, it can be reprogrammed. *nix pros out there, go ahead and have a blast.
Please do give feedback/suggestions.
Edited by Venom, 07 April 2006 - 11:06 AM.
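The post mentions that detection of this kind of hiding comes down to low-level comparison. As an added example (not part of the original post or of the ENYELKM code), here is a cross-view check a defender can run: it compares the PIDs a readdir() of /proc reports against direct stat() probes of /proc/<pid>, which a listing-filter rootkit does not cover. The mount point and all function names are my own assumptions.

```python
"""Cross-view check for processes hidden from /proc listings: a rootkit that
filters readdir() hides a PID from ps and ls, but a direct stat() of
/proc/<pid> still succeeds, so the two views differ. Added example; names my own."""
import os

PROC = "/proc"  # assumed mount point

def listed_pids(proc=PROC):
    """PIDs the directory listing reports (the view a rootkit can filter)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_max(proc=PROC):
    """Upper bound for probing; falls back to the classic default."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768

def probed_pids(candidates, proc=PROC):
    """PIDs whose /proc/<pid> answers a direct stat(); no listing involved."""
    found = set()
    for pid in candidates:
        try:
            os.stat(f"{proc}/{pid}")
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # entry exists but is restricted; still a live PID
        found.add(pid)
    return found

def hidden_pids(listed, probed):
    """Pure comparison: PIDs seen by the probe but absent from the listing."""
    return sorted(set(probed) - set(listed))

def scan(proc=PROC):
    """Live check; a second listing drops PIDs that merely started mid-scan."""
    before = listed_pids(proc)
    probed = probed_pids(range(1, pid_max(proc) + 1), proc)
    after = listed_pids(proc)
    return hidden_pids(before | after, probed)

def self_visible(proc=PROC):
    """Sanity check: the running process must appear in both views."""
    me = os.getpid()
    return me in listed_pids(proc) and me in probed_pids([me], proc)

if __name__ == "__main__":
    print("hidden PIDs:", scan() or "none")
```

A process that starts and exits during the probe loop can still produce a one-off hit, so rerun the scan before treating a PID as hidden; a PID that shows up every time is the finding.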