Open EBWi11 opened 6 years ago
Thanks for the report! I'm also a rootkit rookie. The biggest part of this rootkit is mixed from another 3 rootkits, and I also did the work of making it compatible with various systems. It's not very difficult, you only have to see what changes in the kernel structures from version to version. Follow the compiler errors, and check this page:
to see how the structures were changing. The rootkit doesn't work in openSUSE either, since they keep the kernel version number low and use structures of newer kernels, so my code fails, but it's easy to adapt. I suppose something similar must be happening with your CentOS. Regarding audit, I didn't experiment with it, but I can tell you that when you have the privileges, you can do anything with the kernel. Any security system running in the compromised system can be circumvented, because you are the owner of the kernel. The rootkit should be detected outside the operating system, and I still need to encrypt communications, and other important anti-forensics stuff, but I'm still working on that. I hope that helps you at least a little. Bye
Thanks! And I will study and test audit for detecting rootkits, and... can I keep in touch with you? I cannot find your email or other contact information.
1. This rootkit does not succeed on my CentOS 7 (3.10.0-862.el7.x86_64).
2. I recently tried to create a HIDS. I consulted some information (actually I am a rootkit rookie), and I noticed that Linux audit is very good: audit can help me hook syscalls like connect(), execve(), etc. My question is: is it possible for Linux audit to be a source of data for a HIDS? If audit starts at the very beginning, is there any risk of being circumvented?
Thanks!!
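As an added illustration of the question above (example code written for this thread, not part of the rootkit project discussed here), the following consumes audit.log SYSCALL records for execve and connect as HIDS events, and raises alerts for the two visibility losses a defender can still see from inside the box: a CONFIG_CHANGE record that turns auditing off, and gaps in the record serial numbers. The log lines are constructed samples in auditd's key=value layout; the syscall numbers are the x86_64 ones. As the maintainer notes, a kernel-level rootkit can blind all of this, so the alerts are a floor, not a guarantee.

```python
import re

# x86_64 syscall numbers for the two calls named in the question (execve, connect).
X86_64_SYSCALLS = {59: "execve", 42: "connect"}

# Constructed sample audit.log records (not a real capture); the layout mirrors
# what auditd writes: type=... msg=audit(timestamp:serial): key=value ...
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=42 success=yes exit=0 pid=4243 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=CONFIG_CHANGE msg=audit(1700000000.300:103): audit_enabled=0 old=1 auid=0 ses=1 res=1
type=SYSCALL msg=audit(1700000000.400:110): arch=c000003e syscall=59 success=yes exit=0 pid=4244 uid=0 comm="sh" exe="/usr/bin/sh" key="exec"
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; returns None for lines that do not match."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for key, val in KV_RE.findall(m.group(4)):
        rec[key] = val.strip('"')
    return rec


def analyse(log_text):
    """Turn audit records into HIDS events plus alerts about lost visibility."""
    events, alerts, last_serial = [], [], None
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        serial = int(rec["serial"])
        # Serials are assigned as records are generated; a jump means records were
        # generated but never reached this log (e.g. backlog overflow).
        if last_serial is not None and serial > last_serial + 1:
            alerts.append(f"serial gap {last_serial}->{serial}: records missing")
        last_serial = serial
        if rec["type"] == "SYSCALL":
            name = X86_64_SYSCALLS.get(int(rec.get("syscall", -1)))
            if name and rec.get("arch") == "c000003e":
                events.append(f"{name} pid={rec['pid']} uid={rec['uid']} exe={rec['exe']}")
        elif rec["type"] == "CONFIG_CHANGE" and rec.get("audit_enabled") == "0":
            # Root switched auditing off: every record after this point is missing.
            alerts.append(f"audit disabled at serial {serial} by auid={rec.get('auid')}")
    return {"events": events, "alerts": alerts}
```

On a live system the same analysis applies to /var/log/audit/audit.log once `-a always,exit -F arch=b64 -S execve` and `-S connect` rules are loaded; with `-e 2` set, the CONFIG_CHANGE alert should never fire before a reboot.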