Information about the "Enye-sec" rootkit
Enye-sec is a kernel-level rootkit that is new and publicly available.
This rootkit uses some good techniques to hide itself and the attacker's presence.
Currently, the only "rootkit" detector that finds it is rootcheck.
From the rootkit README:
ENYELKM is an LKM rootkit for Linux x86 with kernels v2.6.x.
It puts salts inside the system_call and sysenter_entry handlers, so
it does not modify the sys_call_table or the IDT contents.
What the rootkit does:
- Copies the enyelkm.ko file to '/etc/.enyelkmHIDE^IT.ko', so that when the LKM
is loaded that file will be hidden.
- Adds the string 'insmod /etc/.enyelkmHIDE^IT.ko' between the marks
# and # to the /etc/rc.d/rc.sysinit file, so that
when the LKM is loaded these lines will be hidden (explained below).
- Loads the LKM with 'insmod /etc/.enyelkmHIDE^IT.ko'.
- Tries to modify the date of the /etc/rc.d/rc.sysinit file with the date from
/etc/rc.d/rc, and sets the +i attribute on /etc/.enyelkmHIDE^IT.ko,
using the touch and chattr commands.
* Hide files, directories and processes:
Every file, directory and process with the substring 'HIDE^IT' in
its name is hidden. Processes with gid = 0x489196ab are hidden
too. The reverse shell (explained below) runs with gid = 0x489196ab, so
it and every process launched from it is hidden.
* Hide chunks inside a file:
Every byte between the marks is hidden
(marks included):
#
text to hide
#
* Get local root:
Doing: # kill -s 58 12345
you get id 0.
* Hide module from 'lsmod':
The LKM is hidden automatically.
Download: enyelkm.en.v1.1.tar.gz
*This rootkit leaves no file to search for. Detection is done at a low level
by system call comparison.
**If you have any more information, send it to: mail1, or to mail2.
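As an added illustration of what "system call comparison" means in practice (this is example code written for this page, not rootcheck's own implementation), the script below enumerates the same objects through two different kernel paths and flags any disagreement. It assumes a Linux /proc layout and that the rootkit filters directory listings and file reads (as the README above describes) while leaving kill(), stat() and the reported file size untouched; the page does not say exactly which calls Enye-sec hooks, so a negative result from this check is not proof of a clean system. The path and marker names come from the README; everything else (function names, the constructed test data) is this example's own.

```python
"""Three cross-checks in the spirit of rootcheck's low-level detection:

1. Hidden processes: PIDs that answer kill(pid, 0) but are missing from
   readdir("/proc"). Threads (TID != TGID) also live outside the /proc
   listing, so they are excluded when their thread group is visible.
2. Hidden files: a path that stat() reaches but readdir() of its parent
   directory omits (the README names /etc/.enyelkmHIDE^IT.ko).
3. Hidden chunks: a file whose stat() size exceeds the bytes read()
   returns, which is what dropping the text between the marks would do.

Added example, not rootcheck's code. Assumes Linux; assumes the rootkit
hooks readdir()/read() but not kill()/stat() (an assumption, see lead-in).
"""
import os
from typing import Callable, Iterable, Optional, Set

# Values taken from the rootkit README on this page.
ENYE_MODULE_PATH = "/etc/.enyelkmHIDE^IT.ko"
ENYE_SYSINIT_PATH = "/etc/rc.d/rc.sysinit"


def probe_pid(pid: int) -> bool:
    """True if the kernel says `pid` exists. kill(pid, 0) sends no signal:
    ESRCH means no such process, EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def read_tgid(pid: int) -> Optional[int]:
    """Thread-group id from /proc/<pid>/status, or None if unreadable.
    /proc/<tid>/status is reachable even though <tid> is not listed."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None
    return None


def listed_pids(listdir: Callable[[str], Iterable[str]] = os.listdir) -> Set[int]:
    """PIDs visible through readdir() on /proc, the view a rootkit filters."""
    return {int(name) for name in listdir("/proc") if name.isdigit()}


def find_hidden_pids(visible: Set[int], probe: Callable[[int], bool],
                     tgid_of: Callable[[int], Optional[int]],
                     max_pid: int) -> Set[int]:
    """PIDs that exist per kill() but are absent from the /proc listing,
    minus plain threads whose thread group *is* listed."""
    hidden: Set[int] = set()
    for pid in range(1, max_pid + 1):
        if pid in visible or not probe(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            continue  # a thread of a visible process, not a hidden one
        hidden.add(pid)
    return hidden


def file_hidden_from_readdir(path: str,
                             listdir: Callable[[str], Iterable[str]] = os.listdir,
                             stat: Callable[[str], object] = os.stat) -> bool:
    """True when stat() reaches `path` but its parent's readdir() omits it."""
    try:
        stat(path)
    except FileNotFoundError:
        return False  # not present at all, nothing to compare
    parent, name = os.path.split(path)
    return name not in set(listdir(parent))


def _read_all(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def content_size_gap(path: str, stat: Callable[[str], object] = os.stat,
                     read_bytes: Callable[[str], bytes] = _read_all) -> int:
    """stat() size minus bytes actually returned by read(); a positive gap
    means data vanished between the two views (e.g. a hidden chunk)."""
    return stat(path).st_size - len(read_bytes(path))


if __name__ == "__main__":  # real run on the local host
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768
    print("hidden pids:", sorted(find_hidden_pids(listed_pids(), probe_pid, read_tgid, pid_max)))
    print("module hidden from readdir:", file_hidden_from_readdir(ENYE_MODULE_PATH))
    if os.path.exists(ENYE_SYSINIT_PATH):
        print("rc.sysinit size gap:", content_size_gap(ENYE_SYSINIT_PATH))
```

Every check takes the enumeration functions as parameters so it can be exercised against constructed data as well as the live host; on a real system run it as root so that stat() and /proc reads are not refused for other users' processes.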
$RootCheck: enye-sec.php, v1.0 2006/03/07, Daniel B. Cid$