How To Install Old CentOS Kernel or Packages (and a Few Reasons Why You Want It)

When we update packages on a Linux distribution such as CentOS or RHEL, the update process normally pulls the latest packages from the repository. But sometimes the latest is not what we want. For example, a support page on the Citrix website (https://support.citrix.com/article/CTX200094) describes cases where an update brings in a version/release that is not supported by the vendor (in this case, Citrix XenServer). In my case I am trying to check whether LKRG (the Linux Kernel Runtime Guard) could detect the rootkit that was planted on one of my hacked servers, but as I will show, I was baffled by missing kernel rpm packages.

Background (Why would you want an old kernel-devel package?)

Some hacker installed a rootkit on my server, and I want to analyze it. I want to do that on a server that is more idle than the hacked one, but the kernel versions differ, and a Linux kernel module is tied to the exact kernel version it was built against. So I need to install the very same kernel version that the hacked server runs.

Just running yum install will not do:

[root@lb ~]# yum install kernel-devel-3.10.0-1127.10.1.el7.x86_64
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.idroot.cloud
 * extras: mirror.papua.go.id
 * updates: mirror.hostnic.id
No package kernel-devel-3.10.0-1127.10.1.el7.x86_64 available.


Another reason: an IT support organization may need to keep supporting older releases because of operational issues that crop up when the kernel is upgraded to a newer level. I assume the reason we (I am part of such an IT organization) are unable to support a newer kernel is that some components are not quite covered by the current contract, so nobody is in a position to solve the operational issues that follow.

Where to get one?

So we need to search around on the internet.
1. We could get kernel-devel rpm packages from the CERN Linux mirror (https://linuxsoft.cern.ch/cern/centos/7/updates/x86_64/repoview/kernel-devel.html), but I am somewhat wary of downloading from an unofficial site, and I want to avoid installing rpms one by one.
2. We could also download directly from the CentOS vault (https://vault.centos.org/7.8.2003/updates/x86_64/Packages/). Still, I want a more automated solution.

Ultimate solution: enable the CentOS vault repo for 7.8

yum repolist all



After some digging around with 'yum repolist all', it turns out that the already installed file /etc/yum.repos.d/CentOS-Vault.repo contains references to the CentOS vault repos, but by default they are disabled, and they only go up to CentOS 7.3. The reason is:

rpm -qf /etc/yum.repos.d/CentOS-Vault.repo
centos-release-7-4.1708.el7.centos.x86_64


So the reason is that I have centos-release 7.4 installed, while the kernel I want to install lives in CentOS 7.8. What I need to do is update centos-release to 7.9, which gives us CentOS 7.8 entries in CentOS-Vault.repo.

yum update centos-release


After that, let's check yum repolist all again:

yum repolist all




Using the disabled repo

Then we need to specify which repos to temporarily enable when installing the package:

yum install --enablerepo=C7.8.2003-base --enablerepo=C7.8.2003-updates kernel-3.10.0-1127.10.1.el7.x86_64
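Before enabling a disabled vault repo with --enablerepo, it is worth confirming that the repo id really exists in CentOS-Vault.repo (otherwise yum silently ignores it) and that it still has GPG signature checking turned on, which addresses the worry above about pulling rpms from arbitrary mirrors. The script below is an added example, not part of the original post or of CentOS: it parses a constructed sample .repo file written in the same layout as CentOS-Vault.repo and builds the yum command from the post only when every repo it needs is present and signature-checked. The repo ids, the package names and the 7.8.2003 release string come from the post; the sample file, the helper names and the "unofficial-mirror" section are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a constructed sample
# .repo file so it runs offline; on a real box pass
# /etc/yum.repos.d/CentOS-Vault.repo as the FILE argument instead.

SAMPLE_REPO_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_REPO_FILE"' EXIT

# Constructed sample in the layout yum uses for CentOS-Vault.repo.
# The C7.8.2003-* sections keep gpgcheck=1; the last section is a
# deliberately weak one to show what the check refuses.
cat > "$SAMPLE_REPO_FILE" <<'EOF'
[C7.8.2003-base]
name=CentOS-7.8.2003 - Base
baseurl=http://vault.centos.org/7.8.2003/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=0

[C7.8.2003-updates]
name=CentOS-7.8.2003 - Updates
baseurl=http://vault.centos.org/7.8.2003/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=0

[unofficial-mirror]
name=constructed example of a repo with signature checking disabled
baseurl=http://mirror.example.invalid/centos/7.8/
gpgcheck=0
enabled=0
EOF

# repo_status FILE REPOID -> prints "ok"      (section exists, gpgcheck=1, gpgkey set)
#                             or   "weak"    (section exists but signatures are not enforced)
#                             or   "missing" (no such [REPOID] section in FILE)
repo_status() {
    awk -v id="$2" '
        /^\[/ { insec = ($0 == "[" id "]"); if (insec) found = 1; next }
        insec && /^gpgcheck=/ { split($0, kv, "="); gpgcheck = kv[2] }
        insec && /^gpgkey=/   { haskey = 1 }
        END {
            if (!found)                          print "missing"
            else if (gpgcheck == "1" && haskey)  print "ok"
            else                                 print "weak"
        }' "$1"
}

# install_cmd FILE RELEASE KERNELVER -> the yum command used in the post, for
# the vault point release RELEASE (e.g. 7.8.2003) and the exact kernel build
# KERNELVER, but only if both C<RELEASE>-base and C<RELEASE>-updates are
# present in FILE with signature checking on. Returns 1 otherwise.
install_cmd() {
    file=$1; release=$2; kver=$3
    cmd="yum install"
    for suffix in base updates; do
        id="C${release}-${suffix}"
        case $(repo_status "$file" "$id") in
            ok)      cmd="$cmd --enablerepo=$id" ;;
            weak)    echo "refusing: $id has signature checking disabled" >&2; return 1 ;;
            missing) echo "refusing: $id not in $file (update centos-release first?)" >&2; return 1 ;;
        esac
    done
    echo "$cmd kernel-$kver kernel-devel-$kver kernel-headers-$kver"
}

# Usage: print the command for the kernel build the post installs.
install_cmd "$SAMPLE_REPO_FILE" 7.8.2003 3.10.0-1127.10.1.el7.x86_64
```

The "missing" branch is the situation the post ran into: with centos-release 7.4 installed, CentOS-Vault.repo has no C7.8.2003 sections at all, so the fix is to update centos-release before enabling anything.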





That's all folks!

..not quite

LKRG and Stuff

Let's continue by installing some more stuff:

yum install --enablerepo=C7.8.2003-base --enablerepo=C7.8.2003-updates kernel-headers-3.10.0-1127.10.1.el7.x86_64 kernel-tools-3.10.0-1127.10.1.el7.x86_64 kernel-devel-3.10.0-1127.10.1.el7.x86_64 gcc


Then extract the LKRG tarball:

[root@lb ~]# tar -xvzf lkrg-0.9.1.tar.gz


The running kernel is still the old one, so I need to reboot:

[root@lb ~]# uname -a
Linux xxxxx.redacted.com 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@lb ~]# shutdown -rf now


Check the kernel version after boot:

[root@lb ~]# uname -a
Linux lb.paas.telkom.co.id 3.10.0-1127.10.1.el7.x86_64 #1 SMP Wed Jun 3 14:28:03 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux


Make and install LKRG:

[root@lb ~]# cd lkrg-0.9.1
[root@lb lkrg-0.9.1]# make
..
[root@lb lkrg-0.9.1]# make install
[root@lb lkrg-0.9.1]# systemctl start lkrg
[root@lb lkrg-0.9.1]# dmesg | tail



Copying the rootkit file:

[root@lb lkrg-0.9.1]# scp node6:/usr/falc0n/falc0n.ko .
falc0n.ko                                                                                  100%  783KB  36.5MB/s   00:00


[root@lb lkrg-0.9.1]# modinfo falc0n.ko
filename:       /root/lkrg-0.9.1/falc0n.ko
intree:         Y
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     81F508029A53F7490CCDB44
depends:
vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversion

[root@lb lkrg-0.9.1]# mkdir -p /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/falc0n
[root@lb lkrg-0.9.1]# cp falc0n.ko /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/sdc/
[root@lb lkrg-0.9.1]# depmod
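The whole detour through the vault repo exists because the module's vermagic has to match the running kernel exactly, and the modinfo output above is where that is visible. The script below is an added example, not code from the post or from LKRG: it reads modinfo output, compares the vermagic release with the running kernel, and, as one extra heuristic of my own, flags a module that sits outside /lib/modules/<release>/kernel/ yet declares intree: Y, since the intree tag is what the kernel consults to decide whether to set the out-of-tree taint, so a stray file claiming it deserves a closer look before it is loaded on an analysis box. The modinfo text for falc0n.ko is copied from the post; the second sample, the helper names and the verdict strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. The modinfo output is embedded
# as sample text so this runs offline; on a real box use
#   check_module "$(modinfo path/to/module.ko)" "$(uname -r)"

# Values copied from the post's modinfo of falc0n.ko.
MODINFO_FALC0N='filename:       /root/lkrg-0.9.1/falc0n.ko
intree:         Y
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     81F508029A53F7490CCDB44
depends:        
vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversion'

# Constructed sample shaped like a distro-shipped module, for contrast.
MODINFO_SHIPPED='filename:       /lib/modules/3.10.0-1127.10.1.el7.x86_64/kernel/fs/xfs/xfs.ko.xz
intree:         Y
license:        GPL
vermagic:       3.10.0-1127.10.1.el7.x86_64 SMP mod_unload modversions'

# modinfo_field TEXT KEY -> value of the "KEY:" line, leading blanks stripped
# (empty output when the key is absent or, like "depends:" above, empty).
modinfo_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# module_release TEXT -> the kernel release baked into vermagic (its first word)
module_release() {
    modinfo_field "$1" vermagic | awk '{ print $1 }'
}

# check_module TEXT RUNNING_RELEASE -> prints one verdict and returns:
#   0 "load-ok"            vermagic matches the running kernel, nothing odd
#   1 "vermagic-mismatch"  built for another kernel; insmod would refuse it
#   2 "suspicious-intree"  matches, but claims intree=Y from outside the
#                          kernel's own module directory (heuristic)
check_module() {
    text=$1; running=$2
    modrel=$(module_release "$text")
    if [ "$modrel" != "$running" ]; then
        echo vermagic-mismatch
        return 1
    fi
    file=$(modinfo_field "$text" filename)
    intree=$(modinfo_field "$text" intree)
    case $file in
        /lib/modules/"$running"/kernel/*) in_tree_path=1 ;;
        *)                                in_tree_path=0 ;;
    esac
    if [ "$in_tree_path" = 0 ] && [ "$intree" = Y ]; then
        echo suspicious-intree
        return 2
    fi
    echo load-ok
}

# Usage: the post's module against the old kernel, then against the matching one.
check_module "$MODINFO_FALC0N" 3.10.0-693.5.2.el7.x86_64 || true
check_module "$MODINFO_FALC0N" 3.10.0-1127.10.1.el7.x86_64 || true
```

Against the 3.10.0-693 kernel the box booted with, the verdict is vermagic-mismatch, which is exactly why the reboot into 3.10.0-1127.10.1 above was needed; against the matching kernel the module passes the version check but trips the intree heuristic, and that is the point at which one would want LKRG already running and dmesg being watched.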


Copying the rootkit file, and trying to enable it:





It seems that my VM crashed :D

That's all for now..

Update: it seems the VM did not crash after all; rather, the sshd daemon got killed. For a workaround, see the next post..

