Section: .. / UNIX / penetration / rootkits /

The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.

File Name: SInAR-0.3.tar.bz2
Description: SInAR Solaris rootkit version 0.3. Invisible kernel-based rootkit for Solaris 8, 9, and 10. Special TAX release.
Author: Archim | File Size: 6582 | Last Modified: Oct 6 00:01:32 2005
MD5 Checksum: 544f71c02bf24ee9c0dc4e4c696abf3b

File Name: sk-1.3a.tar.gz
Description: SucKIT is an easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without the help of LKM support, System.map or similar. Everything is done on the fly. It can hide PIDs, files and tcp/udp/raw sockets, and sniff TTYs. It also has integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server. No compiling is needed on the target box; one precompiled (libc-free) binary works on any 2.2.x or 2.4.x kernel.
Author: Sd | Homepage: http://sd.g-art.nl/sk | File Size: 45051 | Last Modified: Jul 8 03:14:46 2002
MD5 Checksum: 5b947de74ce9ba53023569fe77cae75b

File Name: sm4ck.c
Description: sm4ck v0.1 adds three simple backdoors to the box you execute it on.
Author: Sector9 of rewted.org | File Size: 3443 | Last Modified: Aug 16 20:05:24 1999
MD5 Checksum: 932b3e5d06df84fa9d92252e63798898

File Name: sneaky-sneaky-1.12.tar.gz
Description: Sneaky-sneaky is a bidirectional spoofed ICMP tunnel backdoor that has built-in encryption and logging capabilities. It communicates via echo replies, keeping the true source IP address encrypted inside the payload.
Author: Phish | File Size: 17353 | Last Modified: Nov 2 17:31:39 2002
MD5 Checksum: 1ff30567857b78272c86eaa119d49043

File Name: sneaky-sneaky-1.48.tar.gz
Description: Sneaky-sneaky is a bidirectional spoofed ICMP tunnel backdoor that has built-in encryption and logging capabilities. It communicates via echo replies, keeping the true source IP address encrypted inside the payload.
Author: Phish | Changes: Now with delays, decoys, timeouts and spoofing options. | File Size: 21256 | Last Modified: Dec 24 03:44:39 2002
MD5 Checksum: d670d308e31f0caca1bda8cde0fc72c2

File Name: sol24.zip
Description: Solaris 2.4 rootkit.
File Size: 5949 | Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: 411213add7627494a48b94a504917b38

File Name: sol25.zip
Description: Solaris 2.5.1 rootkit.
File Size: 7882 | Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: a7cb0fb898d231711a160a6308bb5342

File Name: solaris-sshd.tar.gz
Description: This user-land rootkit hijacks the libc accept() call via LD_PRELOAD and yields back a non-interactive shell on the remote host. The .so file is placed under the trusted library path. It was written specifically to target sshd on Solaris, although other daemons (e.g. bind, sendmail, apached) can also be targeted. It has been tested on Solaris 10. Read the files inside for comments on further shell interaction.
Author: C Papathanasiou, Subere | File Size: 2056 | Last Modified: Feb 24 19:36:41 2009
MD5 Checksum: 0dab00507d3dfcc24d413cffa63f9143

File Name: ssh-1.2.27rk.diff
Description: w00w00's magic backdoor patch for ssh 1.2.27. Magic password, does not log, permits root login, etc.
Author: shadow | Homepage: http://www.w00w00.org | File Size: 3673 | Last Modified: Nov 4 01:40:45 1999
MD5 Checksum: e96d9e18cde693eab2f572e3e8676304

File Name: ssh0wn.diff
Description: Patch for openssh-3.4p1 that will grant login access to any user with the "secret" pass and that user will not be logged. It will also capture usernames and passwords on outbound and inbound ssh connections.
Author: Enz00 | Homepage: http://sec.angrypacket.com | File Size: 5595 | Last Modified: Aug 8 21:06:07 2002
MD5 Checksum: 6efb88ae0c6e3fec167935a646a9ec6e

File Name: sshd.c.diff-1.2.27
Description: A small patch to sshd v1.2.27 which accepts a magic password to authenticate, and does not log to utmp/wtmp or syslog.
Author: Ajax | Homepage: http://users.dhp.com/~ajax/projects | File Size: 1992 | Last Modified: Nov 29 19:59:45 1999
MD5 Checksum: 4dcfe52ec799e78df496516afd7b9c29

File Name: ssheater-1.1.tar.gz
Description: SSHeater is a program that infects the OpenSSH daemon at run time in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into all accounts in the system. There's a log parser included in the package that can display authentication information about sessions as well as play the session just like TTYrec/play.
Author: Carlos Barros | Homepage: http://www.gotfault.net/ | File Size: 16852 | Last Modified: Apr 6 15:09:49 2006
MD5 Checksum: 584353ff41ac6ad6a59f87eaa8b05340

File Name: suckit2priv.tar.gz
Description: SucKIT Rootkit v2.0-devel-rc2. Easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without the help of LKM support, System.map or similar. Everything is done on the fly. It can hide PIDs, files and tcp/udp/raw sockets, and sniff TTYs.
Author: sd | Homepage: http://sd.g-art.nl | File Size: 465502 | Last Modified: Oct 13 02:06:53 2005
MD5 Checksum: 3bb82c1fddcc47456efee6f3687e4f51

File Name: sun-5.5.1.zip
Description: Solaris 2.5.1 rootkit.
File Size: 14587 | Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: ebf975690e348e10295a463ab13c5229

File Name: superkit.tar.gz
Description: Superkit is an extremely user-friendly rootkit that hides files, processes, and connections. It provides a password-protected remote access connect-back shell initiated by a spoofed packet. It is loaded via /dev/kmem, without requiring loadable module support, and cannot be detected by checking the syscall table, because it redirects the kernel entry point to a private copy of the syscall table. A couple of backdoors are included.
Author: mostarac | File Size: 49939 | Last Modified: Nov 13 21:24:05 2003
MD5 Checksum: 9b98867b4b10b9461c06b82f42d2e9b0

File Name: Synapsys-lkm.tar.gz
Description: Synapsis is an LKM rootkit for Linux which features file hiding, process hiding, user hiding, magic UID, and netstat hiding.
Author: Berserker | Homepage: http://www.neural-collapse.org | File Size: 5298 | Last Modified: Mar 16 17:27:35 2001
MD5 Checksum: aa9aeedd64b1d79407698c5703d358fc

File Name: taskigt.tar.gz
Description: Taskigt - An LKM that gives root to a process that reads a special file in /proc.
Author: Noah | Homepage: http://ns2.crw.se/~tm/ | File Size: 1286 | Last Modified: Jan 28 18:54:48 2000
MD5 Checksum: b4d52ecb3a6914d9836ecfea34237649

File Name: tcpd-byp.tar.gz
Description: Modified tcp wrappers which bypass restrictions in hosts.deny and hosts.allow.
Author: God- | Homepage: ftp://haxordot.org/pub/god-/ | File Size: 14905 | Last Modified: Aug 5 23:07:04 2000
MD5 Checksum: ac6a784b6ca87296554ef4544558b0d3

File Name: thclinbd.tar.gz
Description: THC Backdoor for Linux - This is a simple but useful backdoor for Linux based on a FreeBSD lkm by pragmatic/THC.
Author: bELFaghor | Homepage: http://www.s0ftpj.org | File Size: 997 | Last Modified: Jan 4 19:39:14 2001
MD5 Checksum: 7855b79979217cd5813788e01a0e1b83

File Name: thcobsdbd.tar.gz
Description: THC Backdoor ported to OpenBSD - This is a simple but useful backdoor for OpenBSD based on a FreeBSD lkm by pragmatic/THC.
Author: Pigpen | Homepage: http://www.s0ftpj.org | File Size: 1582 | Last Modified: Jan 4 19:37:46 2001
MD5 Checksum: 11ada1cc8831dc0a793e5b9c3a2c9b78

File Name: tk.tgz
Description: Torn Kit is a Linux rootkit which has been optimized for Linux/x86 mass installation. It is the first rootkit which uses precompiled binaries yet still allows a user-defined password. This code is being widely used to automatically compromise hosts which have the wu.ftpd and rpc.statd vulnerabilities, and was mentioned in CERT's recent Incident Note IN-2000-10 advisory.
Author: Johnny7 | File Size: 343567 | Last Modified: Sep 18 19:44:39 2000
MD5 Checksum: 2332de2af78eca68542fa30fb2d37283

File Name: tl0gin.c
Description: Trojan /bin/login.
Author: m4rc3l0 | File Size: 2164 | Last Modified: Dec 16 10:23:14 2002
MD5 Checksum: c4467dfbf32a55282b92eaaa055652a9

File Name: tnet-tools-1.55.tar.gz
Description: Ifconfig and Netstat trojan - reads interfaces (sit0, eth0, eth0:1) from a file, defined in a char[] array, and hides them.
Author: Twiz | Homepage: http://www.twlc.net | File Size: 99011 | Last Modified: Jul 18 21:31:51 2001
MD5 Checksum: 66e7b041c4913304d281ae0701d9b059

File Name: toolkit.tgz
Description: The R3dstorm Toolkit is a rootkit-like utility which hides processes and files and was tested on Red Hat 9.0.
Author: r3dstorm | File Size: 1870878 | Last Modified: Jan 6 03:17:32 2004
MD5 Checksum: b8d3e1b38213fa172890f41e30411dab