🛡 Detect Medusa Rootkit on Linux – Test Guide
A new stealth rootkit called Medusa uses LD_PRELOAD to hijack dynamic libraries and hide files, processes, and ports from commands like ls, ps, and netstat.
Goal: Catch Medusa by bypassing its tricks.
⸻
How to Detect It (Step-by-Step)
1. Use a statically built BusyBox – it has no dynamic loader and links no shared libraries, so an LD_PRELOAD library is never mapped into it.
2. Launch a clean shell:
    busybox ash
3. Run the commands inside it:
    ls -la /lib
    ps aux
    netstat -tulpn
4. Compare the output with the same commands run from the normal (dynamic) shell.
If files, processes or ports appear in the BusyBox output but not in bash → you’re likely infected.
⸻
🔴 Don’t install BusyBox via apt on a live compromised system.
Instead:
• Run it from a USB or RAM (/dev/shm) to avoid overwriting evidence.
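The comparison in step 4, automated as an added example (this script is not part of the original post): each listing is taken once through the static busybox and once through the normal dynamic tools, and anything only the static view shows is flagged. It assumes `BB` points at a static busybox copied to a USB stick or /dev/shm, and it adds two things the post does not spell out: PIDs are re-checked for existence before being reported (the busybox process itself, or any process that exits between the two listings, would otherwise be a false positive), and /etc/ld.so.preload is compared as well, since that file is the usual persistence point for an LD_PRELOAD rootkit and is typically hidden from the dynamic tools too.

```sh
#!/bin/sh
# Added example, not part of the original post: automates step 4 of the guide.
# Each listing is taken once through a statically linked busybox (no dynamic
# loader, so no LD_PRELOAD library is ever mapped) and once through the normal
# dynamic tools; entries present only in the static view are hiding candidates.
# Assumption: BB points at a static busybox copied to a USB stick or /dev/shm,
# never one installed on the suspect host.
BB="${BB:-/dev/shm/busybox}"

# diff_hidden STATIC_FILE DYNAMIC_FILE
# Prints lines that occur only in STATIC_FILE; returns 1 if any exist, 0 if none.
diff_hidden() {
    _s=$(mktemp) && _d=$(mktemp) || return 2
    sort -u "$1" > "$_s"
    sort -u "$2" > "$_d"
    _hidden=$(comm -23 "$_s" "$_d")
    rm -f "$_s" "$_d"
    [ -z "$_hidden" ] && return 0
    printf '%s\n' "$_hidden"
    return 1
}

# live_pids_only FILE
# Keeps only numeric entries that still exist under /proc. A process that
# exited between the two listings (the busybox run itself included) would
# otherwise be reported as "hidden".
live_pids_only() {
    while read -r _pid; do
        case "$_pid" in ''|*[!0-9]*) continue ;; esac
        [ -d "/proc/$_pid" ] && printf '%s\n' "$_pid"
    done < "$1"
}

# compare_view LABEL CMD ARGS...
# Runs "$BB CMD ARGS" and plain "CMD ARGS", reports entries only the static view shows.
compare_view() {
    _label=$1; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "[--] $_label: '$1' not in PATH, skipped"; return 0
    fi
    _sv=$(mktemp); _dv=$(mktemp)
    "$BB" "$@" > "$_sv" 2>/dev/null
    "$@" > "$_dv" 2>/dev/null
    if _out=$(diff_hidden "$_sv" "$_dv"); then
        echo "[ok] $_label: static and dynamic views agree"
    else
        echo "[!!] $_label: visible only to static busybox:"
        printf '%s\n' "$_out" | sed 's/^/     /'
    fi
    rm -f "$_sv" "$_dv"
}

# compare_pids: same idea for the process list, read from the /proc directory
# itself (which is what ps walks), filtered to PIDs that are still alive.
compare_pids() {
    _sv=$(mktemp); _dv=$(mktemp); _hv=$(mktemp)
    "$BB" ls -1 /proc > "$_sv" 2>/dev/null
    ls -1 /proc > "$_dv" 2>/dev/null
    diff_hidden "$_sv" "$_dv" > "$_hv" || true
    _live=$(live_pids_only "$_hv")
    if [ -n "$_live" ]; then
        echo "[!!] processes visible only to static busybox:"
        for _p in $_live; do
            printf '     pid %s  comm=%s\n' "$_p" "$("$BB" cat "/proc/$_p/comm" 2>/dev/null)"
        done
    else
        echo "[ok] process list: no hidden PIDs"
    fi
    rm -f "$_sv" "$_dv" "$_hv"
}

if [ -x "$BB" ]; then
    compare_pids
    compare_view "files in /lib"       ls -1a /lib
    # any content here is itself a finding; a rootkit usually hides the file from dynamic cat
    compare_view "/etc/ld.so.preload"  cat /etc/ld.so.preload
    compare_view "listening sockets"   netstat -tuln
else
    echo "no static busybox at $BB (set BB=/path/to/static/busybox); live comparison skipped"
fi
```

Run it as `BB=/media/usb/busybox sh compare.sh` from the suspect host. A `[!!]` line is not proof by itself (a transient file or socket can appear in one listing only), so repeat the comparison a couple of times and then inspect the flagged entry with the static busybox before drawing conclusions.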
references:
github
blog
#Rootkit
@GoSecurity
The OWASP Smart Contract Top 10 (2025) is a standard awareness document providing Web3 developers and security teams with insights into the top 10 vulnerabilities found in smart contracts.
https://owasp.org/www-project-smart-contract-top-10/
Researchers cracked the encryption used by DarkBit ransomware (Security Affairs)
https://securityaffairs.com/181064/malware/researchers-cracked-the-encryption-used-by-darkbit-ransomware.html
Researchers at cybersecurity firm Profero cracked DarkBit ransomware encryption, allowing victims to recover files for free.
Chrome sandbox escape nets security researcher $250,000 reward (Security Affairs)
https://securityaffairs.com/181057/hacking/chrome-sandbox-escape-nets-security-researcher-250000-reward.html
Researcher earns Google Chrome’s top $250K bounty for a sandbox escape vulnerability enabling remote code execution.
Offensive Security
Check CVE-2024-6387 https://github.com/xaitax/CVE-2024-6387_Check
The provided exploit code is optimized only for the i386 (32-bit) architecture.
https://github.com/zgzhang/cve-2024-6387-poc
Lesser Known Linux Persistence Mechanisms
John Hammond
https://youtu.be/whhOYRWd_rs?si=ThofWaLJoEauQkfH
SERVER-SIDE TEMPLATE INJECTION:
https://research.checkpoint.com/2024/server-side-template-injection-transforming-web-applications-from-assets-to-liabilities/
Check Point Research, “Server-Side Template Injection: Transforming Web Applications from Assets to Liabilities” (research by Erez Goldberg). Executive summary: Server-Side Template Injection (SSTI) vulnerabilities refer to weaknesses in web applications which attackers can exploit to inject malicious code into server-side templates. This allows them to execute arbitrary…
CVE-2025-39727
CVE-2025-39727 is a security vulnerability in the Linux kernel, specifically within the memory management (mm) subsystem, affecting the swap handling mechanism. The issue occurs due to a potential buffer overflow in the setup_clusters() function. In the setup_swap_map() function, only bad pages within the range (0, last_page] are checked. However, if maxpages is less than last_page, setup_clusters() may access memory beyond its allocated buffer when processing a badpage with an index greater than or equal to maxpages. This can lead to undefined behavior, including system crashes, memory corruption, or privilege escalation under certain conditions.
⸻
Potential Impact
This vulnerability is serious because it resides in the Linux kernel, which operates at ring 0, giving full control over system resources. Potential consequences include:
1. Local Privilege Escalation (LPE):
• A user with local access could exploit this vulnerability to overwrite kernel memory structures, potentially gaining root privileges.
• Example: Modifying the cred structure of a process to escalate a low-privilege account to full administrative rights.
2. Denial of Service (DoS):
• The overflow may trigger a kernel panic, crashing the system.
• Example: A server handling swap-intensive workloads could become unavailable until rebooted.
3. Memory Corruption / Data Leakage:
• The buffer overflow could corrupt adjacent kernel memory, leading to unpredictable behavior. In some scenarios, it may allow reading sensitive kernel data.
Note: Unlike some other kernel vulnerabilities, remote exploitation is highly unlikely without local code execution, as attackers must influence the swap system or memory directly.
⸻
Technical Details
The vulnerability arises from improper bounds checking in setup_clusters():
    // simplified conceptual example (the vulnerable form described above)
    for (i = 0; i < nr_badpages; i++) {
        page = badpages[i];
        // missing check: page was only validated against last_page, so it may be
        // >= maxpages, and page / CLUSTER_SIZE then exceeds the last index that
        // clusters[] was sized for
        clusters[page / CLUSTER_SIZE]++;
    }
If badpages[i] >= maxpages, clusters[] is accessed out-of-bounds, leading to a heap or stack memory corruption.
This memory corruption can have multiple outcomes:
• Overwriting critical kernel structures → privilege escalation.
• Overwriting control data → kernel panic (DoS).
• In rare cases, manipulating data to execute code in kernel context (requires bypassing SMEP/SMAP/KASLR).
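A user-space model of the bounds problem, as an added example (this is not the kernel's code and not the upstream patch). It keeps the names used above (badpages, maxpages, clusters, CLUSTER_SIZE) and contrasts the header-only check the text attributes to setup_swap_map(), which accepts any bad page in (0, last_page], with a check against maxpages modelled on the description. The struct, CLUSTER_SIZE value and helper names are assumptions of this example; the out-of-bounds write itself is counted, not performed.

```c
/* Added example (not the kernel's code): a user-space model of the bounds
 * problem described above. A "swap header" carries last_page and a list of
 * bad page indices; maxpages is the number of pages the per-cluster
 * bookkeeping was actually sized for and may be smaller than last_page.
 * Names reused from the text: badpages, maxpages, clusters, CLUSTER_SIZE.
 * CLUSTER_SIZE's value, the struct and the helpers are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define CLUSTER_SIZE 512UL   /* pages per cluster; placeholder value */

struct swap_hdr {
    unsigned long last_page;        /* highest usable page index, read from disk */
    unsigned long nr_badpages;
    const unsigned long *badpages;  /* page indices marked bad, also read from disk */
};

/* Counters the model allocates: one per cluster of the maxpages it manages. */
static unsigned long nr_clusters(unsigned long maxpages)
{
    return (maxpages + CLUSTER_SIZE - 1) / CLUSTER_SIZE;
}

/* The check the text attributes to setup_swap_map(): a bad page passes
 * whenever it lies in (0, last_page]. maxpages is never consulted. */
static int validate_by_last_page(const struct swap_hdr *h)
{
    for (unsigned long i = 0; i < h->nr_badpages; i++) {
        unsigned long p = h->badpages[i];
        if (p == 0 || p > h->last_page)
            return -EINVAL;
    }
    return 0;
}

/* Hardened check modelled on the description (not the upstream patch):
 * a bad page is only accepted if it is strictly below maxpages. */
static int validate_by_maxpages(const struct swap_hdr *h, unsigned long maxpages)
{
    for (unsigned long i = 0; i < h->nr_badpages; i++) {
        unsigned long p = h->badpages[i];
        if (p == 0 || p >= maxpages)
            return -EINVAL;
    }
    return 0;
}

/* How many bad pages would make the loop shown above index clusters[] past
 * its end. Computed without performing the out-of-bounds write. */
static unsigned long count_oob_badpages(const struct swap_hdr *h, unsigned long maxpages)
{
    unsigned long n = nr_clusters(maxpages), oob = 0;
    for (unsigned long i = 0; i < h->nr_badpages; i++)
        if (h->badpages[i] / CLUSTER_SIZE >= n)
            oob++;
    return oob;
}

/* setup_clusters() model with the missing guard in place: fills clusters[]
 * (which must hold nr_clusters(maxpages) entries) or refuses with -ERANGE
 * before touching it. */
static int setup_clusters_checked(const struct swap_hdr *h, unsigned long maxpages,
                                  unsigned int *clusters)
{
    unsigned long n = nr_clusters(maxpages);
    if (count_oob_badpages(h, maxpages) != 0)
        return -ERANGE;
    memset(clusters, 0, n * sizeof *clusters);
    for (unsigned long i = 0; i < h->nr_badpages; i++)
        clusters[h->badpages[i] / CLUSTER_SIZE]++;
    return 0;
}

int main(void)
{
    /* Constructed header: last_page (2048) exceeds maxpages (1024), and two
     * of the three bad pages lie beyond the two clusters that exist. */
    static const unsigned long bad[] = { 5, 1500, 2048 };
    struct swap_hdr h = { 2048, 3, bad };
    unsigned long maxpages = 1024;
    unsigned int clusters[2];

    printf("last_page-only check: %s\n", validate_by_last_page(&h) ? "rejected" : "accepted");
    printf("maxpages check      : %s\n", validate_by_maxpages(&h, maxpages) ? "rejected" : "accepted");
    printf("bad pages past end  : %lu of %lu\n", count_oob_badpages(&h, maxpages), h.nr_badpages);
    printf("guarded setup       : %s\n", setup_clusters_checked(&h, maxpages, clusters) ? "refused" : "ok");
    return 0;
}
```

The point the model makes explicit: last_page comes from the on-disk header, so validating only against it leaves the index used into clusters[] under the control of whoever wrote the swap header, while a check against the value the array was actually sized from (maxpages) closes that gap before any write happens.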
⸻
Example Scenario
1. A Linux server (e.g., Ubuntu 24.04) is running a vulnerable kernel.
2. An attacker has local access (low-privilege user or compromised process).
3. The attacker runs a crafted program that injects invalid badpage entries into the swap system, triggering the overflow in setup_clusters().
4. Consequences may include:
• Escalating privileges to root.
• Crashing the system (DoS).
• Potentially corrupting kernel memory or leaking sensitive data.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-39727
https://git.kernel.org/stable/c/152c1339dc13ad46f1b136e8693de15980750835
#Kernel #Linux