Open unixfox opened 7 years ago
I have a version of vlany installed on a test machine and I want to update vlany to the latest version served on GitHub. Is there a proper way to do that, or do I have to reinstall the rootkit?
You'll have to reinstall the rootkit. vlany's persistence method makes this difficult though. To reinstall, you'd have to be in an owner shell and clear ld.so.preload and then make the file immutable with chattr. Otherwise infected processes will continue trying to write the shared library path to ld.so.preload. Once ld.so.preload is immutable and empty, remove your hidden directory and reboot the box. (You might want to keep some kind of temporary root access to the box so that you can reinstall vlany.)
In fact, you could just recompile vlany and replace the old shared libraries with the newly compiled ones.
Thank you for the answer. Do you know if it's possible to introduce a feature to update the shared libraries, using a script for example, or would it be too difficult to do?
It's possible. I'll start seeing what I can do on Friday.
As of today, reinstalling vlany is difficult due to the modifications made to the dynamic linker. Take a look at misc/patch_ld.py. This stops /etc/ld.so.preload from being used by the dynamic linker and instead uses a new random file stored in /etc/ for preloading the rootkit library. Once all the "/etc/ld.so.preload" strings are replaced in the dynamic linker libs, the only way to change the preload file after this is by replacing the new file location, and to do that, you need to know the new file location. I could make a script to revert the dynamic linker back to normality, but it'd basically be the same as patch_ld.py anyway.
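The two artefacts this thread keeps coming back to are the preload file the dynamic linker reads and the "/etc/ld.so.preload" string inside the linker itself, which patch_ld.py swaps for a random /etc/ path. The following is an added defender-side audit written for this page (example code, not part of vlany or of the thread): it parses what a preload file currently lists, and classifies a dynamic-linker image as stock or patched by checking whether the default preload path is still present and whether any unexpected /etc/ string has taken its place. It generalises beyond the one rootkit to any in-place rewrite of that string. The set of /etc/ strings a stock glibc linker legitimately contains, the glob patterns used to locate the linker, and the sample linker bytes at the bottom are all assumptions constructed for the example.

```python
"""Audit LD_PRELOAD persistence: preload file contents and the dynamic linker's
baked-in preload path. Example code written for this thread, not vlany's own."""
import glob
import os
import re

# Path a stock glibc dynamic linker reads for preload entries.
DEFAULT_PRELOAD_PATH = b"/etc/ld.so.preload"

# /etc/ strings a stock glibc ld.so is expected to contain. Assumption: taken
# from common glibc builds; extend it for your distribution before trusting it.
KNOWN_LINKER_ETC_STRINGS = {
    b"/etc/ld.so.cache",
    b"/etc/ld.so.preload",
    b"/etc/suid-debug",
}

# Where the dynamic linker normally lives (assumption: typical Linux layouts).
LINKER_GLOBS = ("/lib*/ld-*.so*", "/lib*/*/ld-*.so*", "/lib*/*/ld-linux*.so*")


def preload_entries(text):
    """Return the shared-object paths listed in a preload file.

    The format is whitespace-separated paths; '#' starts a comment that runs
    to end of line. An empty list means nothing is being preloaded."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def linker_etc_strings(linker_bytes):
    """All NUL-terminated strings starting with /etc/ in a linker image."""
    return [m.group(1) for m in re.finditer(rb"(/etc/[\x21-\x7e]+)\x00", linker_bytes)]


def assess_linker(linker_bytes):
    """Classify a dynamic-linker image.

    Returns (status, unexpected_paths):
      'stock'   -> the default preload path is present and no unknown /etc/
                   string was found
      'patched' -> the default preload path is gone (as after an in-place
                   rewrite like patch_ld.py) or an unknown /etc/ string is
                   present; unexpected_paths lists the candidate replacement(s)
    """
    found = linker_etc_strings(linker_bytes)
    unexpected = [p for p in found if p not in KNOWN_LINKER_ETC_STRINGS]
    if DEFAULT_PRELOAD_PATH in found and not unexpected:
        return "stock", []
    return "patched", unexpected


def find_dynamic_linkers():
    """Candidate dynamic-linker files on this host (deduplicated real paths)."""
    seen = set()
    for pattern in LINKER_GLOBS:
        for path in glob.glob(pattern):
            real = os.path.realpath(path)
            if os.path.isfile(real):
                seen.add(real)
    return sorted(seen)


def audit_host(preload_path="/etc/ld.so.preload"):
    """Run both checks against the live system and return a findings dict."""
    findings = {"preload_entries": [], "linkers": {}}
    if os.path.exists(preload_path):
        with open(preload_path, "r", errors="replace") as fh:
            findings["preload_entries"] = preload_entries(fh.read())
    for linker in find_dynamic_linkers():
        with open(linker, "rb") as fh:
            findings["linkers"][linker] = assess_linker(fh.read())
    return findings


# Constructed sample linker images (not real binaries) for a self-check.
SAMPLE_STOCK_LINKER = b"\x00junk\x00/etc/ld.so.cache\x00/etc/ld.so.preload\x00more\x00"
SAMPLE_PATCHED_LINKER = b"\x00junk\x00/etc/ld.so.cache\x00/etc/Ac7q9xK2mBdP\x00\x00more\x00"

if __name__ == "__main__":
    print("sample stock  :", assess_linker(SAMPLE_STOCK_LINKER))
    print("sample patched:", assess_linker(SAMPLE_PATCHED_LINKER))
    for key, value in audit_host().items():
        print(key, value)
```

Run as root, the host audit prints any entries the preload file currently lists and, for each linker found, whether the default path string is still there. A 'patched' verdict with an unexpected /etc/ path is exactly the situation the thread describes: that path, not /etc/ld.so.preload, is the file the linker now consults. Note that chattr's immutable flag is not checked here; `lsattr /etc/ld.so.preload` covers that.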