As part of my research work I have to study a rootkit. So I downloaded the ncom rootkit and tried installing it. It didn't have any installation files.
1
-
Did it create a **.so** file? – Navaneeth Sen May 05 '11 at 09:02
-
It comes with a .so file libncom.so – user3539 May 05 '11 at 11:43
-
The details of the lib are: **ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), stripped** – Navaneeth Sen May 06 '11 at 10:45
1 Answer
2
First, how do you know it's not installed? That sounds frivolous, but it is a rootkit, and its job is to hide installed things. Believing that you have a rootkit installed on a system makes everything that system tells you suspect.
This page: http://www.aggro.it/files/papers/ncom.html hints a bit about how it's installed. Looks like you might be able to use the shared-object file on individual executables by exporting LD_PRELOAD set to the ncom .so file name.
It also looks like the file /etc/ld.so.preload might be a way to get it dynamically linked in every executable.
-
That link says to run `cat /etc/ld.so.preload` to find if it's there. But when I run it, it's not there in my system. `ld.so.preload` - What is the importance of that? – user3539 May 05 '11 at 15:45
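Added example, not part of the original thread: a small audit of the two preload mechanisms the answer names, listing every library requested through `/etc/ld.so.preload` or through `LD_PRELOAD` in a process environment. The sample paths and PIDs are constructed, the function names are this example's own, and, for the reason the answer gives, live results are only meaningful when the script runs from a known-clean environment.

```python
import glob
import re

def split_libs(value):
    """Split a preload list; the loader accepts spaces or colons as separators."""
    return [p for p in re.split(r"[\s:]+", value) if p]

def preload_file_entries(text):
    """Libraries named in ld.so.preload-style text, ignoring '#' comments."""
    return [lib for line in text.splitlines()
            for lib in split_libs(line.split("#", 1)[0])]

def env_preload(environ_bytes):
    """LD_PRELOAD entries from raw /proc/<pid>/environ (NUL-separated KEY=VALUE)."""
    for item in environ_bytes.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return split_libs(item[len(b"LD_PRELOAD="):].decode(errors="replace"))
    return []

def audit(preload_text, environs):
    """Return sorted (source, library) pairs for every preload request found."""
    found = {("/etc/ld.so.preload", lib) for lib in preload_file_entries(preload_text)}
    for pid, env in environs.items():
        found |= {(f"pid {pid} LD_PRELOAD", lib) for lib in env_preload(env)}
    return sorted(found)

def live_inputs():
    """Read the real file and /proc; unreadable or missing entries are skipped."""
    try:
        with open("/etc/ld.so.preload") as f:
            text = f.read()
    except OSError:
        text = ""  # an absent file is the normal state on most systems
    environs = {}
    for path in glob.glob("/proc/[0-9]*/environ"):
        try:
            with open(path, "rb") as f:
                environs[path.split("/")[2]] = f.read()
        except OSError:
            continue
    return text, environs

# Constructed sample inputs (paths and PIDs are illustrative only).
SAMPLE_PRELOAD = "# constructed sample\n/lib/libncom.so\n"
SAMPLE_ENVIRONS = {"1": b"PATH=/bin\0",
                   "4242": b"HOME=/root\0LD_PRELOAD=/tmp/libncom.so:/usr/lib/libfoo.so\0"}

if __name__ == "__main__":
    for source, lib in audit(SAMPLE_PRELOAD, SAMPLE_ENVIRONS) + audit(*live_inputs()):
        print(f"{source}: {lib}")
```

An empty result from the live scan means only that nothing was reported; a library that is already preloaded into the interpreter can filter what these reads return.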