awesome-linux-rootkits/details/reptile.md
Ilya V. Matveychikov 4ef5de8bd5
Update reptile.md
2018-07-04 00:35:29 +04:00

3.3 KiB

Reptile rootkit details

https://github.com/f0rb1dd3n/Reptile

Environment

  • x86, x86_64
  • Linux kernel 2.6.x/3.x/4.x
  • Debian/Ubuntu, RHEL/CentOS/Fedora

Persistency

Boot-time module loading using OS-specific startup files:

Detection evasion

Rootkit is trying to evade from detection by:

Management interface

Implemented via kill(2):

Supported commands are:

Altering system behaviour

Hooking of system calls by patching syscall-handlers in sys_call_table[]:

Hiding (tampering) of file contents

Filtering of file content while reading:

Hiding of files and directories

Filtering of directory entries:

Hiding of processes and process trees

Filtering PID-like numeric entries while listing /proc:

Backdoor/shell

Reverse shell spawning by port-knocking-like technique: