Artisanal Defrosted httpd Backdoor

Back when I worked as a teaching assistant for a network system security class, I handled the labs, and one of the labs was on malware, so I assigned my students this task: find the pieces of malware that had been surreptitiously installed into their (individual) virtual machines, and scrub the VM clean of all such nasty bytes.

I installed a basic root shell (bound to an innocent-looking port, with an innocent-looking process name), and an Apache web server module called mod_rootme. When the Apache web server has mod_rootme enabled, connecting to the web server port and issuing the magic incantation ('get root') gives you a root shell. Boom.

The mod_rootme code is fairly old – it was written by Christophe Devine in 2004, and he no longer seems to maintain it. I could not find a working version of mod_rootme anywhere: the latest I found was version 0.4, in a blog post from 2009. (That is a Wayback Machine link; the original site seems to have vanished from the Internet.)

Since mod_rootme 0.4 did not compile out of the box, I made some changes to make it work, mainly to build it with apxs, the APache eXtenSion tool. I also removed some old code I had no use for, mainly the code that supported older versions of the Apache web server. Other than having to figure out the apxs-based build system and doing a tiny bit of refactoring, I haven't sweated over this much. So: apply caveat emptor and all that really hard.

Christophe is known to be a platform-neutral programmer – the original Makefile has rules for building mod_rootme on Linux, FreeBSD, OpenBSD, Mac OS X, Cygwin, SunOS, IRIX, HP-UX and OSF, and against Apache versions 1.x, 2.x, and 2.2. I have tested this code only on Debian 8.0 (and previously on Ubuntu Server 12.04 for the class, but not this time), and it seems to work the way it should.

Now, about the assignment: I imagined the first root shell would be too easy to detect, but no one in the class found it. I did not expect all students to find mod_rootme (it doesn't keep any extra ports open or spawn a suspicious-looking process, after all), but everyone did! That was actually pretty trivial, since malware detection programs such as rkhunter and unhide can detect the presence of mod_rootme.

For this very reason, I am hoping that it should not be too harmful to have this code in circulation again, and that someone somewhere will find the code instructional.
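Beyond running rkhunter and unhide, the simplest way to spot an Apache module that has no business being loaded is to compare what the server reports against a baseline recorded on a known-good host. The following script is an added example, not code from this post or from mod_rootme: it reduces `apache2ctl -M` style output to bare module names and reports anything absent from the baseline. Both the baseline and the loaded-module listing are constructed inline so the script runs offline, and `rootme_module` in the sample is a placeholder standing in for any unexpected module.

```sh
#!/bin/sh
# Added example, not code from the original post or from mod_rootme.
# Defender-side check: compare the modules Apache reports as loaded against
# a baseline recorded after a clean install, and flag anything extra.
# Both inputs below are constructed so the script runs offline; on a live
# Debian/Ubuntu host the loaded list comes from `apache2ctl -M`.

# Constructed baseline: module names an admin recorded on a known-good host.
BASELINE_MODULES='core_module
so_module
mpm_prefork_module
authz_core_module
dir_module
mime_module'

# Constructed sample of `apache2ctl -M` output. "rootme_module" is a
# placeholder standing in for any module that was not in the baseline.
SAMPLE_LOADED='Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_prefork_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 rootme_module (shared)'

# Reduce `apache2ctl -M` style output to bare module names, one per line, sorted.
# Lines that do not look like " name_module (static|shared)" are dropped.
extract_module_names() {
    printf '%s\n' "$1" | sed -n 's/^ *\([A-Za-z0-9_]*_module\) (.*)$/\1/p' | sort -u
}

# Print each loaded module that is absent from the baseline.
# $1 = loaded-module listing, $2 = newline-separated baseline names.
unexpected_modules() {
    for name in $(extract_module_names "$1"); do
        if ! printf '%s\n' "$2" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Exit status 0 when the loaded set matches the baseline, 1 otherwise.
audit_modules() {
    extra=$(unexpected_modules "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'Unexpected Apache modules loaded:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample; on a real host pass
# "$(apache2ctl -M 2>/dev/null)" as the first argument instead.
audit_modules "$SAMPLE_LOADED" "$BASELINE_MODULES" || echo "audit flagged differences"
```

The baseline is only as trustworthy as the host it was taken from, so record it right after installation and keep it off the web server itself; a module that ships with a renamed `.so` still shows up here as long as it is registered with Apache, which is the property the check relies on.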

I have posted my modifications to mod_rootme on GitHub.

(Posted on 2 April 2015.)