# LOKI3
This code was stolen from Phrack magazine. It is a 20+ year old backdoor
for Linux, BSD, Solaris, ... which works over ICMP.

http://www.phrack.org/issues/49/6.html
http://www.phrack.org/issues/51/6.html

This code no longer compiled as of ~2016. I made it compile on modern
systems with musl-gcc, so it will "just work".
## Building
### Install musl-gcc
I use musl because the objects resulting from static linking using
gcc or clang do not work on older kernels.
Installing is easy on Ubuntu 20.04:
```
apt install musl-tools
```
Cross compilers can be found here: https://musl.cc/
### Building
`make` will list the available targets.
#### Linux
`make linux`
## Persistence
If compiled with PERSISTENCE defined, lokid will install a SysV init
script when SIGTERM is received. This signal is typically sent when
the system is rebooted or the process is killed with `kill` or
`killall` without specifying which signal to send (e.g. `kill -9` or
`kill -HUP` send the SIGKILL and SIGHUP signals, respectively).

When lokid is run, it removes this persistence to avoid detection.
## Process Masquerading
This process masquerades itself as a kernel thread. See prochide.c for
more details.
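
A defender-side check for this kind of masquerading, as an added example that is not part of this repository: on Linux, real kernel threads carry the `PF_KTHREAD` flag in field 9 of `/proc/<pid>/stat`, so a process that shows up in `ps` like a kernel thread without that flag is worth investigating. It assumes the disguise appears as a bracketed `argv[0]` or an empty command line; how prochide.c achieves it is not described here, and the sample values in the comments are constructed.

```python
#!/usr/bin/env python3
"""Flag user-space processes that present themselves as kernel threads."""
import os

PF_KTHREAD = 0x00200000  # task flag the kernel sets on genuine kernel threads


def parse_stat(stat_line):
    """Return (pid, comm, state, ppid, flags) from one /proc/<pid>/stat line."""
    # comm may itself contain spaces and ')' so split on the LAST ')'.
    lpar, rpar = stat_line.index("("), stat_line.rindex(")")
    rest = stat_line[rpar + 2:].split()
    return (int(stat_line[:lpar]), stat_line[lpar + 1:rpar],
            rest[0], int(rest[1]), int(rest[6]))


def is_masquerading(stat_line, cmdline):
    """True if the process looks like a kernel thread in ps but is not one."""
    _pid, _comm, state, _ppid, flags = parse_stat(stat_line)
    if flags & PF_KTHREAD:
        return False  # genuine kernel thread
    if state == "Z":
        return False  # zombies legitimately have an empty cmdline
    argv0 = cmdline.split(b"\0", 1)[0]
    # ps prints "[comm]" when cmdline is empty; argv[0] can also be rewritten
    # to a bracketed name such as b"[kworker/0:1]" (constructed sample).
    return cmdline == b"" or argv0.startswith(b"[")


def scan(proc="/proc"):
    """Return PIDs under proc that look like kernel threads but are not."""
    hits = []
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{entry}/stat", errors="replace") as f:
                stat_line = f.read()
            with open(f"{proc}/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited between listdir and open
        if is_masquerading(stat_line, cmdline):
            hits.append(int(entry))
    return hits


if __name__ == "__main__":
    for pid in scan():
        print(f"pid {pid}: kernel-thread appearance without PF_KTHREAD")
```

A hit is a lead, not a verdict: confirm by checking whether `/proc/<pid>/exe` resolves to a file, which it never does for a real kernel thread.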