
Nothing works for me on Ubuntu 12.04.5 LTS!

Open s4miii opened this issue 7 years ago • 17 comments

Hey bro, first of all thank you so much for your great job. I installed it on Ubuntu/Linaro 4.6.3-1ubuntu5; the process finished without any error, and even my Apache and SSH services restarted, but nothing works, as if I did nothing!?

Am I missing something? I did as your wizard says. Any idea? And is there any video or YouTube link for the installation? Maybe I did something wrong? Thanks a lot.

s4miii avatar May 31 '17 12:05 s4miii

ld.so.preload either truly does not exist, or a deeper kernel space hook is intercepting open()


Compiling rootkit libraries.

symbols/headers/const.h:34:14: warning: ‘yum_options’ defined but not used [-Wunused-variable]
symbols/headers/const.h:36:14: warning: ‘yum_commands’ defined but not used [-Wunused-variable]
symbols/headers/const.h:40:14: warning: ‘apt_options’ defined but not used [-Wunused-variable]
symbols/headers/const.h:42:14: warning: ‘apt_commands’ defined but not used [-Wunused-variable]

s4miii avatar May 31 '17 14:05 s4miii

Actually I want to connect to my server remotely; how is that possible? Because SSH won't work, and I tried via netcat too. For example, this is your ssh script: ./ssh.sh my-user 127.0.0.1 5342

The output is:

my-user @127.0.0.1's password: 
Permission denied, please try again.
my-user @127.0.0.1's password: 
Permission denied, please try again.
my-user @127.0.0.1's password: 

Nothing works, actually!

s4miii avatar May 31 '17 17:05 s4miii

https://asciinema.org/a/a8u6ca1n2ujmgijgldrcdu425


Are you able to connect to the server via ssh as a regular user? Or is permission denied all round? In reference to the output you posted, nothing there relates to why you can't log in. I should remove those arrays on the repo though... Ubuntu 12.04.5 LTS also provided some security changes from previous releases... The Ubuntu documentation for 12.04.5 LTS is... minimal. (lol)

Execute the following commands and post the output as a reply please. Replace 'CHANGE_ME' with the name of the environment variable created/used during the vlany installation script. Make sure you're also root before executing this, since if vlany is installed, the environment variable does nothing until you're root. Alter ls/grep below if you changed the default installation settings.

CHANGE_ME=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'

If vlany is actually installed, the library path and address space should show up in /proc/self/maps, but of course it would usually be hidden. Not to forget that libcrypt (and libssl if ssl was enabled) will also show up. Please show me full output.

mempodippy avatar Jun 01 '17 12:06 mempodippy
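The check asked for above reads /proc/self/maps and lists /lib through libc, which is exactly the layer an LD_PRELOAD rootkit interposes, so a hooked box can lie to both commands. The following C program is an added example, not code from the vlany project or from either poster: it reads a file through raw syscalls (no libc open()/fopen()/read() symbol involved), compares that view of /etc/ld.so.preload with what fopen() returns, and extracts the distinct shared objects named in a maps listing. The scratch-file path under /tmp and all function names are assumptions made for this example; the embedded sample maps text is abridged from the output posted in this thread.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a whole file with raw syscalls only: no libc open()/fopen()/read() symbol
 * is called, so a library interposed via /etc/ld.so.preload cannot filter the
 * result. Returns bytes read, -1 if the open fails; buf is NUL-terminated. */
static long raw_read_file(const char *path, char *buf, size_t cap)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC), n;
    size_t total = 0;
    if (fd < 0) { buf[0] = '\0'; return -1; }
    while (total < cap - 1 && (n = syscall(SYS_read, fd, buf + total, cap - 1 - total)) > 0)
        total += (size_t)n;
    syscall(SYS_close, fd);
    buf[total] = '\0';
    return (long)total;
}

/* The same read through the libc symbols a preload rootkit typically hooks. */
static long libc_read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    size_t n = f ? fread(buf, 1, cap - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return f ? (long)n : -1;
}

/* 1: raw and libc views of path match. 0: they differ, so the libc view is
 * filtered. -1: neither can open it, i.e. the file is truly absent or something
 * below libc hides it; a user-space check cannot tell those two cases apart. */
static int preload_views_agree(const char *path)
{
    static char raw[4096], via_libc[4096];
    long r = raw_read_file(path, raw, sizeof raw);
    long l = libc_read_file(path, via_libc, sizeof via_libc);
    if (r < 0 && l < 0) return -1;
    return (r == l && memcmp(raw, via_libc, (size_t)r) == 0) ? 1 : 0;
}

/* Distinct file-backed shared objects (paths containing ".so") named in
 * /proc/<pid>/maps text; stored into out[], returns how many. */
static int mapped_objects(const char *maps, char out[][256], int max)
{
    int count = 0, i;
    const char *line = maps, *nl;
    for (; line && *line && count < max; line = nl ? nl + 1 : NULL) {
        size_t len = (nl = strchr(line, '\n')) ? (size_t)(nl - line) : strlen(line);
        const char *slash = memchr(line, '/', len);
        char path[256];
        if (!slash || !memmem(slash, len - (size_t)(slash - line), ".so", 3)) continue;
        len -= (size_t)(slash - line);
        if (len >= sizeof path) len = sizeof path - 1;
        memcpy(path, slash, len); path[len] = '\0';
        for (i = 0; i < count && strcmp(out[i], path) != 0; i++) ;
        if (i == count) strcpy(out[count++], path);
    }
    return count;
}

static char g_objs[32][256];   /* output buffer shared by main() and the checks */
/* Abridged from the maps output posted in this thread: only libc and ld.so
 * are mapped, i.e. no preloaded library is visible. */
static const char SAMPLE_MAPS[] =
    "08048000-08053000 r-xp 00000000 08:01 797847     /bin/cat\n"
    "b7228000-b7359000 r--p 00200000 08:01 398345     /usr/lib/locale/locale-archive\n"
    "b755a000-b7700000 r-xp 00000000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so\n"
    "b7700000-b7702000 r--p 001a6000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so\n"
    "b7713000-b7733000 r-xp 00000000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so\n";

/* Sanity check needing neither root nor a live rootkit: on a clean box both
 * views of a scratch file (hypothetical path under /tmp) must agree. */
static int selftest_scratch_file(void)
{
    char tmpl[] = "/tmp/preloadchk.XXXXXX";
    const char *content = "/lib/libc.so.sysinfo.25/YtBG48AqRvST.so.x86_64\n";
    int fd = mkstemp(tmpl), ok = 0;
    if (fd < 0) return 0;
    if (write(fd, content, strlen(content)) == (ssize_t)strlen(content))
        ok = preload_views_agree(tmpl);
    close(fd); unlink(tmpl);
    return ok;
}

int main(void)
{
    static char maps[1 << 16];
    int i, n = 0, v = preload_views_agree("/etc/ld.so.preload");
    if (raw_read_file("/proc/self/maps", maps, sizeof maps) > 0)
        n = mapped_objects(maps, g_objs, 32);
    for (i = 0; i < n; i++) printf("mapped: %s\n", g_objs[i]);
    printf("thread sample: %d objects\n", mapped_objects(SAMPLE_MAPS, g_objs, 32));
    printf("/etc/ld.so.preload: %s\n", v == 1 ? "raw and libc views agree" :
           v == 0 ? "VIEWS DIFFER, libc view is filtered" : "not readable either way");
    return 0;
}
```

Compile with gcc and run it as root on the box in question; a static build (gcc -static) is better still, because a statically linked binary never consults /etc/ld.so.preload and so cannot be interposed by it. A result of -1 for /etc/ld.so.preload is exactly the ambiguity the installer message above reports: the file is either absent or hidden below libc, and a user-space program cannot tell which.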

Thanks for your reply. Yes, I always connect to this server via SSH, but with vlany it just shows Permission denied, and I'm root too!

Maybe if you remove the line about homo...., your script will work 😅

Alright, the output you asked for is:

root@mk:/mysystem/mk# PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
08048000-08053000 r-xp 00000000 08:01 797847     /bin/cat
08053000-08054000 r--p 0000a000 08:01 797847     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 797847     /bin/cat
08055000-08076000 rw-p 00000000 00:00 0          [heap]
b7228000-b7359000 r--p 00200000 08:01 398345     /usr/lib/locale/locale-archive
b7359000-b7559000 r--p 00000000 08:01 398345     /usr/lib/locale/locale-archive
b7559000-b755a000 rw-p 00000000 00:00 0 
b755a000-b7700000 r-xp 00000000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b7700000-b7702000 r--p 001a6000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b7702000-b7703000 rw-p 001a8000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b7703000-b7706000 rw-p 00000000 00:00 0 
b7710000-b7712000 rw-p 00000000 00:00 0 
b7712000-b7713000 r-xp 00000000 00:00 0          [vdso]
b7713000-b7733000 r-xp 00000000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
b7733000-b7734000 r--p 0001f000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
b7734000-b7735000 rw-p 00020000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
bff35000-bff56000 rw-p 00000000 00:00 0          [stack]
klibc-LZ1cv1NoEVO2ugnvqTw3e4qPc8Y.so
libc.so.sysinfo.25

s4miii avatar Jun 01 '17 13:06 s4miii

Doesn't seem like vlany is installed properly. Try

echo /lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64 > /etc/ld.so.preload

and see if you can log into the backdoor user via ssh. Also start a new bash shell and show the PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"' output again after echoing the lib path into ld.so.preload.

mempodippy avatar Jun 01 '17 15:06 mempodippy

When I did this: echo /lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64 > /etc/ld.so.preload and opened a new bash shell, it showed me:

ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.

After that I tried again to connect via ssh and it won't work:

Permission denied, please try again.

And the output of this command:

root# PAYUCFCZOALI=1 sh -c 'cat /proc/self/maps; ls /lib/ | grep "libc"'
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
08048000-08053000 r-xp 00000000 08:01 797847     /bin/cat
08053000-08054000 r--p 0000a000 08:01 797847     /bin/cat
08054000-08055000 rw-p 0000b000 08:01 797847     /bin/cat
08055000-08076000 rw-p 00000000 00:00 0          [heap]
b72b5000-b73e6000 r--p 00200000 08:01 398345     /usr/lib/locale/locale-archive
b73e6000-b75e6000 r--p 00000000 08:01 398345     /usr/lib/locale/locale-archive
b75e6000-b75e7000 rw-p 00000000 00:00 0 
b75e7000-b778d000 r-xp 00000000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b778d000-b778f000 r--p 001a6000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b778f000-b7790000 rw-p 001a8000 08:01 1044886    /lib/i386-linux-gnu/libc-2.15.so
b7790000-b7793000 rw-p 00000000 00:00 0 
b779d000-b779f000 rw-p 00000000 00:00 0 
b779f000-b77a0000 r-xp 00000000 00:00 0          [vdso]
b77a0000-b77c0000 r-xp 00000000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
b77c0000-b77c1000 r--p 0001f000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
b77c1000-b77c2000 rw-p 00020000 08:01 1044895    /lib/i386-linux-gnu/ld-2.15.so
bface000-bfaef000 rw-p 00000000 00:00 0          [stack]
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
ERROR: ld.so: object '/lib/libc.so.sysinfo.25/full_name_of_lib.so.x86_64' from /etc/ld.so.preload cannot be preloaded: ignored.
klibc-LZ1cv1NoEVO2ugnvqTw3e4qPc8Y.so
libc.so.sysinfo.25

s4miii avatar Jun 01 '17 15:06 s4miii

Using the environment variable, look in /lib/libc.so.sysinfo.25/ for the full name of the library, and put that where 'full_name_of_lib' is. It's always randomized, so I don't know what yours will be.

mempodippy avatar Jun 01 '17 15:06 mempodippy

YtBG48AqRvST.so.x86_64 YtBG48AqRvST.so.i686

s4miii avatar Jun 01 '17 17:06 s4miii

Yes. Put that into ld.so.preload, and show me the results. Try connecting to the ssh backdoor user.

mempodippy avatar Jun 01 '17 17:06 mempodippy

It won't work; it shows again: Permission denied, please try again.

So I removed /lib/libc.so.sysinfo.25 via chattr and reinstalled vlany; this time SSH shows this:

groups: cannot find name for group ID 239939463
ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.

s4miii avatar Jun 01 '17 17:06 s4miii

To uninstall the previous version, is removing /lib/libc.so.sysinfo.25 enough? And would you please give me an example of the connection via netcat? Because it won't work either :(

s4miii avatar Jun 01 '17 17:06 s4miii

Hi, any idea about this error?

groups: cannot find name for group ID 239939463
ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.

When I want to connect via SSH it shows me this error.

s4miii avatar Jun 03 '17 09:06 s4miii

Do not remove the installation directory. Ever. Shit will go down. This will cause the dynamic linker to throw a fit, and in more real scenarios, the dynamic linker isn't going to be using /etc/ld.so.preload, so you'd have to hunt for what file the dynamic linker now uses. Recompiling vlany is enough to reinstall, but I've not released anything to automate the process of uninstalling (properly)/installing new versions. So this needs to be done manually. The accept backdoor is deprecated. Look at the netcat help output. Additionally, that's a common error. The severity of it varies though.

mempodippy avatar Jun 05 '17 17:06 mempodippy

Alright, thank you for your reply. Actually I tested vlany on another server, and again it shows this:

ls: reading directory /etc/bash_completion.d: Operation not permitted
su: Cannot determine your user name.
Connection to x.x.x.x closed.

Normally I connect via SSH, but with vlany I can't.

This server is:

Distributor ID:	Debian
Description:	Debian GNU/Linux 6.0.10 (squeeze)
Release:	6.0.10
Codename:	squeeze

Any idea?

s4miii avatar Jun 05 '17 20:06 s4miii

Sometimes there isn't any /boot/grub/grub.cfg or /etc/grub.conf or any type of grub.conf. Is there any way to fix this issue? Thanks

s4miii avatar Jun 25 '17 13:06 s4miii

Not all boxes use GRUB as a bootloader. Just reference whatever other config the bootloader uses, e.g. syslinux, gummiboot.

mempodippy avatar Jun 25 '17 15:06 mempodippy

Dear mempodippy, thank you so much...

s4miii avatar Sep 13 '17 14:09 s4miii