Artisanal Defrosted httpd Backdoor
Back when I worked as a teaching assistant for a network system security class, I handled the labs. One of the labs was on malware, so I assigned my students this task: find the pieces of malware that had been surreptitiously installed into their (individual) virtual machines, and scrub the VM clean of all such nasty bytes.
I installed a basic root shell (which bound to an innocent-looking port, under an innocent-looking process name), and an Apache web server module, mod_rootme. When an Apache web server has mod_rootme enabled, if you connect to the web server port and issue the magic incantation (‘get root’), you get a root shell. Boom.
The mod_rootme code is fairly old – it was written by Christophe Devine in 2004. It seems that Christophe doesn’t maintain this code anymore. I could not find a working version of mod_rootme anywhere; the latest I found was version 0.4 of mod_rootme in a blog post from 2009. (That is a Wayback Machine link. The original site seems to have vanished from the Internet.)
mod_rootme 0.4 did not compile out of the box, so I made some changes to make it work: mainly to build it with apxs, the APache eXtenSion tool. I also removed some old code I didn’t mean to use, mainly the code that supported older versions of the Apache web server. Other than having to figure out the apxs-based build system and a tiny bit of refactoring, I haven’t sweated this much. So: apply caveat emptor, and all that, really hard.
Christophe is known to be a platform-neutral programmer – the
original Makefile has rules for building
mod_rootme on Linux,
FreeBSD, OpenBSD, MacOS X, Cygwin, SunOS, IRIX, HPUX, OSF; and
against Apache versions 1.x, 2.x, and 2.2. I have tested this code
only on Debian 8.0 (and previously on Ubuntu Server 12.04 for the
class, but not this time), and it seems to work the way it should.
Now, about the assignment: I imagined the first root shell would be too easy to detect, but no one in the class found it. I did not expect all students to find mod_rootme (it doesn’t actively maintain any open ports or spawn a suspicious-looking process, after all), but everyone did! That was actually pretty trivial, since malware detection programs such as rkhunter and unhide can detect the presence of mod_rootme. For this very reason, I am hoping that it should not be too harmful to have this code in circulation again, and that someone somewhere will find the code instructional.
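As an added illustration of the detection side (my own example here, not code from mod_rootme, rkhunter or unhide), the following script audits an Apache configuration the way a defender checking a lab VM might: it lists every LoadModule directive, flags any module name outside an allowlist, and scans the referenced shared object for the ‘get root’ trigger mentioned above. It assumes the trigger survives as a plain literal in the compiled module and that the allowlist and server root are supplied by whoever runs it; the sample config and module files are constructed inside a temp directory.

```python
import os
import re
import tempfile

# Trigger string mod_rootme waits for on the web port. Assumed to survive as a plain
# literal in the compiled .so; a build that hides it is only caught by the allowlist.
TRIGGER = b"get root"
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)

def parse_loadmodules(conf_text):
    """Return [(module_name, path)] for every LoadModule directive in an Apache config."""
    return LOADMODULE_RE.findall(conf_text)

def file_contains(path, needle, chunk_size=65536):
    """Stream a binary file and report whether needle occurs, including across chunk edges."""
    keep, tail = len(needle) - 1, b""
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                if needle in tail + chunk:
                    return True
                tail = chunk[-keep:] if keep else b""
    except OSError:
        return False  # unreadable or missing module: nothing to match
    return False

def audit_modules(conf_text, server_root, allowlist):
    """Flag modules that are not allowlisted or whose shared object carries the trigger."""
    findings = []
    for name, rel_path in parse_loadmodules(conf_text):
        path = rel_path if os.path.isabs(rel_path) else os.path.join(server_root, rel_path)
        reasons = []
        if name not in allowlist:
            reasons.append("not in allowlist")
        if file_contains(path, TRIGGER):
            reasons.append("trigger string present")
        if reasons:
            findings.append((name, path, reasons))
    return findings

def demo():
    """Constructed sample: one stock-looking module and one planted one, in a temp dir."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "modules"))
    with open(os.path.join(root, "modules", "mod_dir.so"), "wb") as fh:
        fh.write(b"\x7fELF fake stock module body")
    with open(os.path.join(root, "modules", "mod_rootme.so"), "wb") as fh:
        fh.write(b"\x7fELF fake planted module ... get root ...")
    conf = "LoadModule dir_module modules/mod_dir.so\nLoadModule rootme_module modules/mod_rootme.so\n"
    return audit_modules(conf, root, allowlist={"dir_module"})
```

On a real host, point audit_modules at the server's own config (including any mods-enabled fragments) and populate the allowlist from a known-good install of the same Apache package.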
I have posted my modifications to mod_rootme on GitHub.