Deep Dive Into a Linux Rootkit Malware
released on 2025-01-14 @ 07:16:31 AM
This analysis examines a Linux rootkit malware deployed by remote attackers on a compromised CentOS system. The malware consists of a kernel module (sysinitd.ko) and a user-space binary (sysinitd). The kernel module hijacks inbound network traffic using a Netfilter hook, creates procfs entries for communication, and starts the user-space process. The user-space component disguises itself as 'bash' and enables remote command execution with root privileges. The attackers send a special 'attack-init' packet to initiate communication and can then send encrypted commands to control the system. The analysis details the malware's initialization, network interception, data exchange mechanisms, and command execution process.
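The summary above gives two host-side indicators a defender can check for directly: a loaded kernel module named sysinitd and a user-space process that reports its name as 'bash' while its executable is something else. The script below is an added example written for this page, not code from the original analysis. It assumes only the names stated in the summary (sysinitd.ko, sysinitd, 'bash'); the set of legitimate bash paths and all sample inputs are constructed for demonstration. Because a kernel rootkit can hide its own /proc/modules entry, a clean module listing is treated as inconclusive rather than as proof of absence.

```python
"""Host triage heuristics for the sysinitd rootkit described above.

Added example, not part of the original analysis. Assumes only what the
summary states: a kernel module named sysinitd and a user-space binary
sysinitd that presents itself as 'bash'. Sample inputs are constructed.
"""
import os
import re

SUSPECT_MODULE = "sysinitd"       # module name as it would appear in /proc/modules
MASQUERADE_NAME = "bash"          # comm name the user-space component uses
# Assumption: paths a genuine bash process is expected to resolve to.
LEGIT_BASH_PATHS = {"/bin/bash", "/usr/bin/bash"}

# Constructed sample of /proc/modules output (addresses are made up).
SAMPLE_MODULES = (
    "nf_conntrack 163840 1 nf_nat, Live 0xffffffffc0400000\n"
    "sysinitd 16384 0 - Live 0xffffffffc0a00000 (OE)\n"
    "xfs 1507328 1 - Live 0xffffffffc0200000\n"
)

# Constructed sample of (pid, comm, exe) tuples as read from /proc/<pid>/.
SAMPLE_PROCS = [
    (1234, "bash", "/usr/bin/bash"),
    (4321, "bash", "/tmp/sysinitd"),            # claims to be bash, runs from /tmp
    (5555, "bash", "/usr/bin/bash (deleted)"),  # normal after a package upgrade
    (6000, "sshd", "/usr/sbin/sshd"),
]


def find_suspect_modules(proc_modules_text, suspect=SUSPECT_MODULE):
    """Return module names from a /proc/modules listing that match the rootkit
    module. An empty result is inconclusive: a rootkit may unlink its entry."""
    found = []
    for line in proc_modules_text.splitlines():
        name = line.split(" ", 1)[0]  # first space-separated field is the name
        if name == suspect:
            found.append(name)
    return found


def find_masquerading_processes(procs, name=MASQUERADE_NAME, legit=LEGIT_BASH_PATHS):
    """Flag processes whose comm is `name` but whose executable does not resolve
    to a known interpreter path. A trailing ' (deleted)' marker is ignored so
    that a legitimately upgraded bash binary is not reported."""
    hits = []
    for pid, comm, exe in procs:
        if comm != name:
            continue
        exe_clean = re.sub(r" \(deleted\)$", "", exe or "")
        if exe_clean not in legit:
            hits.append((pid, comm, exe))
    return hits


def collect_live_processes():
    """Read comm and exe for every PID under /proc on the running host."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, or insufficient privileges to read exe
        procs.append((int(entry), comm, exe))
    return procs


if __name__ == "__main__":
    if os.path.isfile("/proc/modules"):
        with open("/proc/modules") as f:
            print("suspect modules:", find_suspect_modules(f.read()))
        print("masquerading processes:",
              find_masquerading_processes(collect_live_processes()))
    else:
        print("sample modules:", find_suspect_modules(SAMPLE_MODULES))
        print("sample processes:", find_masquerading_processes(SAMPLE_PROCS))
```

Run as root on the host being triaged so that /proc/<pid>/exe is readable for every process; on the constructed sample data it reports the sysinitd module and the process running from /tmp, and ignores the upgraded bash. Treat a hit as a lead for memory and network forensics rather than a verdict, since both indicators can be evaded by a kernel-level implant.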