father
The Father LD_PRELOAD rootkit requires its configuration settings to be compiled into the binary.
This command compiles the binary and stores the resulting path in the variable LAST_FATHER_PATH.
If local_path is not defined, the command creates a temporary directory and copies
the sources into it before compiling the rootkit.
Father can be found on its GitHub page.
Example:

commands:
  - type: father
    cmd: generate
    hiddenport: 2222
    shell_pass: "superpass"
    env_var: "norkt"
  - type: debug
    cmd: ""
    varstore: True
# {'LAST_FATHER_PATH': '/tmp/tmpuou9rb0a/Father/rk.so', 'RESULT_STDOUT': 'Saved to /tmp/tmpuou9rb0a/Father/rk.so', 'RESULT_RETURNCODE': '0'}
- gid
  The group id under which the rootkit operates. All processes with this gid are hidden.
  Type: int
  Default: 1337
- srcport
  The magic port number that allows connecting to Father's accept() backdoor.
  Type: int
  Default: 54321
- epochtime
  Time for timebomb() to go off, in seconds since 1970-01-01.
  Type: int
  Default: 0000000000
- env_var
  Magic environment variable for Local Privilege Escalation (LPE). If this environment variable is set, privileges can be escalated using sudo or gpasswd.
  Type: str
  Default: lobster
- file_prefix
  Magic prefix for hidden files.
  Type: str
  Default: lobster
- preload_file
  Preload file to hide (this hides the rootkit itself).
  Type: str
  Default: ld.so.preload
- hiddenport (the setting used in the example above)
  Port to remove from netstat output, etc. Given as a hex string; the default 0xD431 is 54321, i.e. the srcport default.
  Type: str(hex)
  Default: D431
- shell_pass
  Password for the accept() backdoor shell.
  Type: str
  Default: lobster
- install_path
  Location of the rootkit on disk.
  Type: str
  Default: /lib/selinux.so.3
- local_path
  Copy the rootkit sources to this local path before compiling. If not set, the builder generates a temporary path.
  Type: str
- arch
  Target architecture to compile the rootkit for. Currently only amd64 is supported.
  Type: str
  Default: amd64
- build_command
  Command used to build the rootkit. This setting can be useful for compiling the rootkit in a chroot environment.
  Type: str
  Default: make
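The following is an added example, not code from Father or from the framework that runs these command blocks. It resolves one `type: father, cmd: generate` block against the defaults listed above and applies the checks a practitioner would want before compiling: type enforcement per the reference, normalising hiddenport to its documented hex form, rejecting the unsupported arch values, warning when the port hidden from netstat no longer matches srcport (with the defaults, 0xD431 == 54321), and warning when the published magic values (lobster) are left in place. The checks, the warning texts and the treatment of a YAML integer hiddenport as a decimal port are this example's own assumptions.

```python
# Added example for this page; not Father's code nor the framework's.
# Resolves a father/generate command block against the documented defaults
# and applies a few pre-build sanity checks (the checks are assumptions).

# Defaults as listed in the parameter reference above. local_path has none.
DEFAULTS = {
    "gid": 1337,
    "srcport": 54321,
    "epochtime": 0,
    "env_var": "lobster",
    "file_prefix": "lobster",
    "preload_file": "ld.so.preload",
    "hiddenport": "D431",   # str(hex); 0xD431 == 54321, the srcport default
    "shell_pass": "lobster",
    "install_path": "/lib/selinux.so.3",
    "arch": "amd64",
    "build_command": "make",
}
OPTIONAL = {"local_path"}
INT_KEYS = {"gid", "srcport", "epochtime"}
STR_KEYS = {"env_var", "file_prefix", "preload_file", "shell_pass",
            "install_path", "local_path", "arch", "build_command"}
SUPPORTED_ARCHS = {"amd64"}
# Values the page publishes as defaults; leaving them unchanged makes the
# build trivially fingerprintable, so the resolver warns about each one.
MAGIC_KEYS = ("env_var", "file_prefix", "shell_pass")


def _port_to_hex(value):
    """Normalise hiddenport to the documented str(hex) form.

    Assumption: a YAML integer (as in the example block, hiddenport: 2222)
    is a decimal port number; a string is parsed as hex.
    """
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"hiddenport must be a hex string, got {value!r}")
    try:
        port = int(value, 16) if isinstance(value, str) else value
    except ValueError:
        raise ValueError(f"hiddenport is not hex: {value!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"hiddenport out of range: {port}")
    return port, f"{port:X}"


def resolve_father_command(command):
    """Return (config, warnings) for one father/generate command dict.

    Raises ValueError for unknown keys, wrong types, a bad hiddenport or an
    unsupported arch. Warnings cover settings that build but are probably
    not what the operator meant.
    """
    if command.get("type") != "father" or command.get("cmd") != "generate":
        raise ValueError("expected a {type: father, cmd: generate} block")
    known = set(DEFAULTS) | OPTIONAL
    unknown = set(command) - known - {"type", "cmd"}
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")

    config = dict(DEFAULTS)
    config.update({k: v for k, v in command.items() if k in known})

    for key in INT_KEYS:
        if isinstance(config[key], bool) or not isinstance(config[key], int):
            raise ValueError(f"{key} must be an int, got {config[key]!r}")
    for key in STR_KEYS & set(config):
        if not isinstance(config[key], str):
            raise ValueError(f"{key} must be a str, got {config[key]!r}")
    if config["arch"] not in SUPPORTED_ARCHS:
        raise ValueError(f"unsupported arch {config['arch']!r}; only amd64")

    hidden_port, config["hiddenport"] = _port_to_hex(config["hiddenport"])

    warnings = []
    # With the defaults the port removed from netstat output equals the magic
    # srcport (0xD431 == 54321). Assumption: they are meant to stay in sync,
    # so changing only one of them is flagged.
    if hidden_port != config["srcport"]:
        warnings.append(
            f"hiddenport 0x{config['hiddenport']} ({hidden_port}) differs "
            f"from srcport {config['srcport']}")
    for key in MAGIC_KEYS:
        if config[key] == DEFAULTS[key]:
            warnings.append(f"{key} still has the published default "
                            f"{DEFAULTS[key]!r}")
    return config, warnings


def rejects(command):
    """True if resolve_father_command() refuses this block."""
    try:
        resolve_father_command(command)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input: the command block from the example above.
    block = {"type": "father", "cmd": "generate", "hiddenport": 2222,
             "shell_pass": "superpass", "env_var": "norkt"}
    cfg, warns = resolve_father_command(block)
    for k, v in cfg.items():
        print(f"{k:14} {v}")
    for w in warns:
        print("WARNING:", w)
```

Run against the example block, the resolver reports hiddenport normalised to 8AE (2222 decimal) and two warnings: the hidden port no longer matches srcport 54321, and file_prefix is still the published default.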