Open s4miii opened 7 years ago
ld.so.preload either truly does not exist, or a deeper kernel space hook is intercepting open()
Compiling rootkit libraries.
symbols/headers/const.h:34:14: warning: ‘yum_options’ defined but not used [-Wunused-variable]
symbols/headers/const.h:36:14: warning: ‘yum_commands’ defined but not used [-Wunused-variable]
symbols/headers/const.h:40:14: warning: ‘apt_options’ defined but not used [-Wunused-variable]
symbols/headers/const.h:42:14: warning: ‘apt_commands’ defined but not used [-Wunused-variable]
Actually I want to connect to my server remotely; how is that possible? SSH won't work, and I even tried via netcat too. For example, this is your ssh script:
./ssh.sh my-user 127.0.0.1 5342
the output is :
my-user @127.0.0.1's password:
Permission denied, please try again.
my-user @127.0.0.1's password:
Permission denied, please try again.
my-user @127.0.0.1's password:
Nothing works, actually!
https://asciinema.org/a/a8u6ca1n2ujmgijgldrcdu425
CHANGE_ME=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
If vlany is actually installed, the library path and address space should show up in /proc/self/maps, but of course it would usually be hidden. Not to forget that libcrypt (and libssl if ssl was enabled) will also show up. Please show me the full output.

Thanks for your reply. Yes, I always connect to this server via SSH, but with vlany it just shows Permission denied, and I'm root too!
Maybe if you remove the line about homo...., your script will work 😅
Alright, the output you asked for is:
root@mk:/mysystem/mk# PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
08048000-08053000 r-xp 00000000 08:01 797847 /bin/cat
08053000-08054000 r--p 0000a000 08:01 797847 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 797847 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b7228000-b7359000 r--p 00200000 08:01 398345 /usr/lib/locale/locale-archive
b7359000-b7559000 r--p 00000000 08:01 398345 /usr/lib/locale/locale-archive
b7559000-b755a000 rw-p 00000000 00:00 0
b755a000-b7700000 r-xp 00000000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b7700000-b7702000 r--p 001a6000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b7702000-b7703000 rw-p 001a8000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b7703000-b7706000 rw-p 00000000 00:00 0
b7710000-b7712000 rw-p 00000000 00:00 0
b7712000-b7713000 r-xp 00000000 00:00 0 [vdso]
b7713000-b7733000 r-xp 00000000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
b7733000-b7734000 r--p 0001f000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
b7734000-b7735000 rw-p 00020000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
bff35000-bff56000 rw-p 00000000 00:00 0 [stack]
klibc-LZ1cv1NoEVO2ugnvqTw3e4qPc8Y.so
libc.so.sysinfo.25
Doesn't seem like vlany is installed properly.
Try echo /lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64 > /etc/ld.so.preload
and see if you can log into the backdoor user via ssh.
Also start a new bash shell and show PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
output again after echoing the lib path into ld.so.preload.
When I did this:
echo /lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64 > /etc/ld.so.preload
and opened a new bash shell, it showed me:
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
After that I again tried to connect via ssh and it won't work:
Permission denied, please try again.
and the output of this command:
root# PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
08048000-08053000 r-xp 00000000 08:01 797847 /bin/cat
08053000-08054000 r--p 0000a000 08:01 797847 /bin/cat
08054000-08055000 rw-p 0000b000 08:01 797847 /bin/cat
08055000-08076000 rw-p 00000000 00:00 0 [heap]
b72b5000-b73e6000 r--p 00200000 08:01 398345 /usr/lib/locale/locale-archive
b73e6000-b75e6000 r--p 00000000 08:01 398345 /usr/lib/locale/locale-archive
b75e6000-b75e7000 rw-p 00000000 00:00 0
b75e7000-b778d000 r-xp 00000000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b778d000-b778f000 r--p 001a6000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b778f000-b7790000 rw-p 001a8000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b7790000-b7793000 rw-p 00000000 00:00 0
b779d000-b779f000 rw-p 00000000 00:00 0
b779f000-b77a0000 r-xp 00000000 00:00 0 [vdso]
b77a0000-b77c0000 r-xp 00000000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
b77c0000-b77c1000 r--p 0001f000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
b77c1000-b77c2000 rw-p 00020000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
bface000-bfaef000 rw-p 00000000 00:00 0 [stack]
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
klibc-LZ1cv1NoEVO2ugnvqTw3e4qPc8Y.so
libc.so.sysinfo.25
Using the environment variable, look in /lib/libc.so.sysinfo.25/ for the full name of the library, and put that where 'full_name_of_lib' is. It's always randomized, so I don't know what yours will be.
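A defender-side check for the two artifacts described in this thread (an entry in /etc/ld.so.preload, and an extra shared object mapped from a directory whose own name looks like a library, such as /lib/libc.so.sysinfo.25/), written as an added example that is not part of the vlany project or of this thread. The sample maps and preload text are constructed from the listings above; `check_live` is a hypothetical helper that reads the real files when they exist.

```python
from pathlib import Path

def parse_preload(text):
    """Object paths listed in an ld.so.preload file ('#' comments ignored)."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def mapped_objects(maps_text):
    """File-backed paths from /proc/<pid>/maps text, first-seen order, no [heap]/[vdso]."""
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[5].startswith("/") and fields[5] not in seen:
            seen.append(fields[5])
    return seen

def suspicious_objects(paths, preload_entries=()):
    """Flag shared objects whose parent directory is itself named like a library
    (the /lib/libc.so.sysinfo.25/ layout in this thread) or that ld.so.preload lists."""
    findings = []
    for p in paths:
        parts = Path(p).parts
        if ".so" not in parts[-1]:
            continue  # the executable itself, locale-archive, etc.
        reasons = []
        if any(".so" in d for d in parts[1:-1]):
            reasons.append("parent directory named like a library")
        if p in preload_entries:
            reasons.append("listed in ld.so.preload")
        if reasons:
            findings.append((p, reasons))
    return findings

def check_live(preload="/etc/ld.so.preload", maps="/proc/self/maps"):
    """Run both checks on this host. A preload rootkit hooks libc's open()/read()
    (the thread's own point), so compare with the view from a statically linked tool."""
    entries = parse_preload(Path(preload).read_text()) if Path(preload).exists() else []
    objects = mapped_objects(Path(maps).read_text()) if Path(maps).exists() else []
    return entries, suspicious_objects(objects, entries)

# Constructed samples: /bin/cat's maps from the thread, clean and with one extra object.
CLEAN_MAPS = """08048000-08053000 r-xp 00000000 08:01 797847 /bin/cat
b7228000-b7359000 r--p 00200000 08:01 398345 /usr/lib/locale/locale-archive
b755a000-b7700000 r-xp 00000000 08:01 1044886 /lib/i386-linux-gnu/libc-2.15.so
b7712000-b7713000 r-xp 00000000 00:00 0 [vdso]
b7713000-b7733000 r-xp 00000000 08:01 1044895 /lib/i386-linux-gnu/ld-2.15.so
"""
INFECTED_PRELOAD = "/lib/libc.so.sysinfo.25/YtBG48AqRvST.so.i686\n"
INFECTED_MAPS = CLEAN_MAPS + "b7200000-b7210000 r-xp 00000000 08:01 1044900 " + INFECTED_PRELOAD
```

Because a hooked libc can hide both the preload entry and the mapping from this very process, an empty result from `check_live` only means "nothing visible through libc"; the same files read from a statically linked binary or from a rescue system are the authoritative view.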
YtBG48AqRvST.so.x86_64 YtBG48AqRvST.so.i686
Yes. Put that into ld.so.preload, and show me the results. Try connecting to the ssh backdoor user.
Won't work, it shows again:
Permission denied, please try again.
So I removed /lib/libc.so.sysinfo.25 via chattr and re-installed vlany. This time SSH shows this:
groups: cannot find name for group ID 239939463
ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.
To uninstall the previous version, is removing /lib/libc.so.sysinfo.25 enough?
And would you please give me an example of the connection via netcat? Because it won't work either :(
Hi, any idea about this error?
groups: cannot find name for group ID 239939463
ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.
When I want to connect via SSH it shows me this error.
Do not remove the installation directory. Ever. Shit will go down. This will cause the dynamic linker to throw a fit, and in more real scenarios, the dynamic linker isn't going to be using /etc/ld.so.preload, so you'd have to hunt for what file the dynamic linker now uses. Recompiling vlany is enough to reinstall, but I've not released anything to automatize the process of uninstalling (properly)/installing new versions. So this needs to be done manually. The accept backdoor is deprecated. Look at the netcat help output. Additionally, that's a common error. The severity of it varies though.
Alright, thank you for your reply. Actually I tested vlany on the other server, and again it shows this:
ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.
Connection to x.x.x.x closed.
Normally I connect via SSH, but with vlany I can't.
This server is:
Distributor ID: Debian
Description: Debian GNU/Linux 6.0.10 (squeeze)
Release: 6.0.10
Codename: squeeze
any idea?
Sometimes there isn't any /boot/grub/grub.cfg or /etc/grub.conf or any type of grub.conf.
Is there any way to fix this issue?
thnx
Not all boxes use GRUB as a bootloader. Just reference whatever other config the bootloader uses. i.e. syslinux, gummiboot
Dear mempodippy Thank you so much...
Hey bro, first of all thank you so much for your great job. Actually I installed it on Ubuntu/Linaro 4.6.3-1ubuntu5; the process finished without any error, even my Apache and SSH services restarted, but nothing works, as if I did nothing!? Am I missing something? I did as your wizard says; any idea? And is there any video or YouTube link for the installation? Maybe I did something wrong? Thanks a lot.