A Look at Root Kits As They Apply to Ubuntu

Posted: September 27, 2011 in Random pontifications


In the wake of the kernel.org scare, everyone is talking about rootkits and the hacking of Linux. So let's talk about what a rootkit actually is, and more particularly about Phalanx-b6, which is very similar to (if not identical to) the rootkit installed on the kernel.org servers. We will also discuss the more practical methods used for "rooting" a system in the Ubuntu world.

This was written and tested using Ubuntu 10.04.3 LTS as a frame of reference, to make it relevant to the Ubuntu community. It is also written to clear up some myths and misconceptions about rootkits.

The Compromised Machine

As on Windows, in the Linux world every rootkit starts with a compromised machine. In everyday use the compromise usually comes down to weak credentials: whether it is a weak password or a stolen SSH key, the most common way of getting "rooted" is leaving your credentials weak. For a service like a publicly exposed VNC server this is almost guaranteed; classic VNC authentication only uses the first 8 characters of the password, which makes it a virtually unsecurable service.

Less frequently, a service is exploited to gain code execution; this is not as common, but it is still possible. In the home userspace you also have all sorts of file format exploits, PDFs packaged with malicious executables, Debian packages that have been injected with malware, and of course browser based exploits (thank you Adobe, we love you). Still, most "rooting" comes down to weak credentials, and even when one of the exploits above gives an attacker a foothold, it is usually weak credentials or a poorly configured system that allows the local escalation to root; both are quite possible.

In this case we will focus on weak credentials, since that is by far the more common of the two and the more easily demonstrated (meaning I don't have to install vulnerable services to make it work).

This machine is going to have SSH installed with weak credentials, which is not an unlikely thing to find on an internet facing server or a home machine. As a quick illustration of why strong passwords are so important, we are going to "crack" our VM and gain 'unauthorized' access to it. Of course, it's our VM, so this is perfectly legal. For this demo we actually used a password that might be considered "reasonably strong"; yeah, it's not. It took us about 20 minutes to brute force this password, which needless to say was "ag00dpassword!!".

* note : after running the initial brute force to get a time estimate, we added the password to the beginning of the wordlist to clean up the screenshot.

* note : for those pointing out where we could secure this: yes, denyhosts or fail2ban would be a great idea here, but many server admins don't use them for whatever reason.

Installing Phalanx-b6

So here we have our remote terminal session going, and we're going to install the Phalanx rootkit on our Ubuntu 10.04 machine. We've compiled it successfully on the victim machine (our VM ;-)) and now we're going to run the install script.

Uh oh, segmentation fault, that’s not good.

But wait…

Let’s take a look at what the system looks like after a reboot. Where did our “/.bad” directory go?

It's nowhere to be found, because it's being hidden by the Phalanx rootkit (along with /usr/share/.home/.ph1). Let's see what a common anti-rootkit tool for Linux says about this; out comes the ever infamous (mostly for its false positives) rkhunter.

And there it is: rkhunter detected our Phalanx rootkit working happily on Ubuntu 10.04.3 LTS. Thankfully this rather archaic rootkit is easily detected; unfortunately it is far less easily removed. If you want to play it safe you will be doing a full reinstall after you see something like this, because once a rootkit has had root, nothing the running system tells you about itself can be trusted.

For reference, Phalanx logs keystrokes, steals SSH keys and opens a backdoor listener on port 9091.
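To make the detection concrete, here is an added example (written for this article; it is not rkhunter's or Phalanx's code) of two rkhunter-style checks against the indicators named above: a directory entry that can be reached by name but is missing from its parent's listing, which is exactly the discrepancy a rootkit that filters directory reads leaves behind, and a listener on port 9091 read out of /proc/net/tcp. The fake filesystem view and the /proc/net/tcp sample are constructed so the script runs offline; to scan a real host, call scan() with the default os.listdir and os.path.lexists and let it read the real /proc/net/tcp.

```python
#!/usr/bin/env python3
"""Two rkhunter-style checks for the Phalanx indicators named in the article.

Added example, not rkhunter's or Phalanx's code. The paths and the port come
from the article; the fake filesystem view and /proc/net/tcp sample below are
constructed for the demonstration.
"""
import os

KNOWN_PATHS = ["/.bad", "/usr/share/.home", "/usr/share/.home/.ph1"]
BACKDOOR_PORT = 9091


def hidden_entries(paths, listdir=os.listdir, exists=os.path.lexists):
    """Paths that can be reached by name but are missing from the parent listing.

    A rootkit that filters directory reads (what makes /.bad vanish from ls)
    leaves exactly this discrepancy, provided it does not also hook the
    name-based lookups. listdir/exists are injectable so the check can be run
    against a fake view of the filesystem."""
    found = []
    for path in paths:
        parent, name = os.path.split(path)
        if not exists(path):
            continue                      # not present at all: nothing to hide
        try:
            visible = listdir(parent or "/")
        except OSError:
            visible = []                  # parent itself hidden or unreadable
        if name not in visible:
            found.append(path)
    return found


def listening_ports(proc_net_tcp):
    """Local ports in LISTEN state (st == 0A) from the text of /proc/net/tcp."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))   # "ADDR:PORT", hex
    return ports


def scan(listdir=os.listdir, exists=os.path.lexists, proc_net_tcp=None):
    """Run both checks; with no arguments it inspects the running host."""
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as f:
            proc_net_tcp = f.read()
    return {
        "hidden": hidden_entries(KNOWN_PATHS, listdir, exists),
        "backdoor_listening": BACKDOOR_PORT in listening_ports(proc_net_tcp),
    }


# Constructed view of a rooted host (assumption for this example): the paths
# exist, "/" and "/usr/share" do not list them, and something listens on
# port 9091 (0x2383) next to sshd on 22 (0x0016).
FAKE_FS = {"/.bad", "/usr/share/.home", "/usr/share/.home/.ph1"}
FAKE_LISTING = {
    "/": ["bin", "etc", "usr"],
    "/usr/share": ["doc", "man"],
    "/usr/share/.home": [".ph1"],
}
FAKE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8012 1 0000000000000000 100 0 0 10 0
   1: 00000000:2383 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9931 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0016 0A000001:C0F3 01 00000000:00000000 00:00000000 00000000     0        0 9942 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Run the checks against the constructed view of a rooted host."""
    return scan(listdir=lambda d: FAKE_LISTING.get(d, []),
                exists=lambda p: p in FAKE_FS,
                proc_net_tcp=FAKE_PROC_NET_TCP)


if __name__ == "__main__":
    print(demo())
```

Both checks ask the possibly-lying kernel, so treat a clean result as weak evidence: a rootkit that also hooks the name-based lookups, or filters reads of /proc/net/tcp, will pass them. Confirm from outside with a port scan of 9091 from another host, and inspect the disk from a live CD, where the rootkit is not running.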

Other Methods of Post Exploitation

Another common post-exploitation method is loading the system up with backdoored PHP web shells and netcat listeners, and possibly running hash cracking locally (although that is a really good way to get found).

We will look at a simple, publicly available post-exploitation script. It allows adding administrative users, creating web shells (if a web server is present), and installing several tools such as nmap, hashcat and netcat. This is just a simple shell script, and it is much easier to detect: the only thing it does to hide itself is sanitize logs, and it does nothing without direct interaction. It is simply an automated tool to make post exploitation easy, in the same spirit as the Metasploit Meterpreter payload.

This is much more common than an actual rootkit, and it is often classified as one; it is important to understand that this type of script is NOT a rootkit. It does not subvert the system to hide what it has added, it just tidies up after itself.


So now that we've illustrated a couple of techniques commonly used during post exploitation, what can we as system administrators or home users do?

  • USE STRONG CREDENTIALS : I can't emphasize this enough; consult the beginning of the article, where we brute-forced our SSH password, if you don't know why.
  • Use tools like denyhosts and fail2ban to stop brute force attacks from succeeding, and use them in conjunction with key based authentication (once keys are in place, set PasswordAuthentication no in sshd_config so there is no password left to guess).
  • Audit your logs : this catches a lot of activity, though not all of it; a script that sanitizes logs is aimed at exactly this control, so ship copies off the box where an attacker with root cannot edit them.
  • Use strong firewall policies : a default-deny iptables policy would have stopped the bind shell created by Phalanx dead in its tracks. An inbound policy that allows only the services you actually run blocks connections to its listener on 9091, and a strict outbound policy catches reverse shells and data leaving the box. It would not have stopped the rootkit from being active, but it would have denied access to it; granted, the attacker had root privileges and could have ensured the firewall policy allowed the traffic.
  • If you think you've been compromised use tools like rkhunter or chkrootkit. Yes, they cough up a lot of false positives, but as you can see they DO work; where you can, run them from a clean boot (a live CD), since a rootkit on the running system can hide from them too.

Basically, just be careful with how you run your system; neither Ubuntu nor any other operating system is secure unless you follow a decent security model yourself.

If you would like to examine any of the files used in this article you may download them below (please be an adult with them). I would not recommend installing them on your own machine, for obvious reasons.

Gotroot.sh Shell Script
