Iptable_Evil – An Evil Bit Backdoor For Iptables

January 15, 2022

When connecting to the backdoored VM from a VM that does not set the evil bit, the SSH connection will eventually time out.

  iptable evil 3 ssh timed out 741010 iptable evil 4 reserved unset 741624

Packet captures of backdoor and non-backdoor SSH connections are in the docs/ folder in this repo for your perusal.

Kernel Version

  • 5.8.0-48-generic (Ubuntu 20.04)

Further Information and Resources

  • RFC 3514 inventing the evil bit: https://tools.ietf.org/html/rfc3514
  • Ben Cox’s introduction to the evil bit: https://blog.benjojo.co.uk/post/evil-bit-RFC3514-real-world-usage
  • Ben Cox’s iptables_uwu (mostly just for giving the names of things to research): https://github.com/benjojo/iptables-uwu
  • A somewhat outdated but very detailed explanation of how iptables works and how to add targets and modules to it: https://inai.de/documents/Netfilter_Modules.pdf
  • https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
  • Bootlin’s Elixir search is significantly easier to use to find identifiers in the kernel than grep: https://elixir.bootlin.com/linux/v5.8/source/net/ipv4/netfilter/ip_tables.c#L225
  • Ubuntu’s docs explain how to build the kernel: https://wiki.ubuntu.com/Kernel/BuildYourOwnKernel
Download Iptable_Evil

If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.

Discord

Original Source

You may have missed

news

Microsoft Addresses Four Critical Zero-Days in November Patch Tuesday Updates

November 14, 2024
news

AI Threat Worsening in 2025: Insights from Google Cloud

November 14, 2024
news

Lazarus Group’s Code Smuggling Technique Exploits Extended Attributes in macOS

November 14, 2024
news

Ethical Hacker or Not? Amazon MOVEit Leaker’s Controversial Claims

November 14, 2024
news

Hive0145 Targets Europe with Sophisticated Strela Stealer Campaigns

November 14, 2024