Rootkitting the ubuntu system
(heed the warnings, Rootkits are dangerous)

 

Warning – This project is really dangerous follow all instructions or the machine will not be usable.

Warning – This components used in the project contain obscene language (since this is hardcoded in the rootkit).  It is not intended to offend anyone.

Keep a backup copy of the ubuntu vmware image  (ubuntu-8.04.zip) zip file for precaution.

Again this is dangerous do not try this on other computers because it is an offense.

• Start your virtual machine (ubuntu)
• download the file rootkit.tgz in your virtual machine from here (dangerous link)
• right click on the file and click extract here.
• Open the terminal
• change directory to fk-0.4 (the folder that you just extracted)
  
  
• This step requires the root priviledges $ sudo ./install

 

   warning - once installed you cannot shutdown you machine if you do it will not start

 

   you should see something like the image below

 

6. open firefox then type https://www.my.asu.edu/

7. Then open the shell and type the following

netstat –protocol=inet

netstat is a command that displays the active connections

8. In the shell type

cd /dev/proc/fuckit/config

you should note that the files:  lports shows the local ports to hide, progs shows the programs to hide, and rports shows the remote ports to hide.

Hiding the active connections

• the file rports contains the ports to be hidden from netstat.
• The port used here is 443 (my.asu.edu uses https)
• hide the port 443

            

  you should achieve something like this even though there are active connections they are hidden

  take adequate screen shots

  explain what happnened and its implications?

  Explain the use of the file progs, lports? How would you use them to cause more damages?

  Detecting the rootkit

• Type the following commands in the shell sudo apt-get install rkhunter
• This step installs the rkhunter (rootkit hunter)
• sudo rkhunter -c
• You might have to press enter a few times
• Rkhunter detects the rootkit we have installed
• take a few screenshots showing the results of the scan

 Removing the rootkit

• Download the file delrk.tar.gz
• extract the file
• then use the shell to change directory to fix-fu
• then execute the command sudo ./delrk
• rootkit should be gone and you should be able to see the active connections with netstat
• you should be able to restart ubuntu successfully

 

describe what you think the rootkit remover did and is this method prevents this rootkit in the future?