Brokepkg is a LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64, with suport after kernel 5.7, without kallsyms_lookup_name.
echo $(head -1 /etc/os-release|tr -d '"'|cut -d= -f2): $(uname -r)- Ubuntu 23.04: 6.2.0-26-generic
- Ubuntu 22.04.1 LTS: 5.17.0-1026-oem
- Arch linux: 5.13.12-arch1-1
- Kali linux: 5.10.0-kali3-amd64
- Linux mint: 4.19.0-8-amd64
- Ubuntu 18.04.6 LTS: 4.15.0-194-generic
- Debian 9(stretch): 4.9.0-15-amd64
- Ubuntu 16.04.6 LTS: 4.4.0-142-generic
- Hide/unhide any process by sending a signal 63;
- Sending a signal 31(to any pid) makes the module become (in)visible;
- Sending a signal 64(to any pid) makes the given user become root;
- Files or directories contain the MAGIC_HIDE become invisible;
- Sending a signal 62 to some port you make he invisible;
- Full TTY/PTY shell and traffic encrypted with openssl
To install the rootkit, see this wiki page
You can see a usage manual here
Remove brokepkg invisibility to uninstall him
kill -31 0Then remove the module
sudo rmmod brokepkg- LKM HACKING:
- Diamorphine:
- TheXcellerator:
- Conviso:
- HardDisk:
- Reptile: