Section: .. / UNIX / penetration / rootkits /
The software in this directory is provided for the use of system administrators only, to keep them informed about the backdoors currently in circulation. We strongly discourage the use of these tools without proper permission.
/// File Name: 3vilSh3ll.c
Description: Classic password-protected bindshell backdoor: it hides its activity, forks into the background, and does everything else expected of a backdoor.
Author: Simpp | File Size: 7272 bytes | Last Modified: Mar 18 22:25:36 2008
MD5 Checksum: 9cf37a9cec5547cca5c9872fbe651b5f
/// File Name: m_rev-0.2.c
Description: A small ptrace()-based utility for hiding a process's name and arguments. Works on most Linux 2.6 kernels/configurations (x86/x86-64).
Author: ernie@ernie | File Size: 20129 bytes | Last Modified: Jan 29 21:49:07 2008
MD5 Checksum: 2e8bb365b19a752d7bde5b88a1045089
/// File Name: rathole-1.2.tar.gz
Description: RatHole is a Unix backdoor that compiles cleanly on standard Linux and OpenBSD (and probably other BSD flavors) without additional libraries. It features Blowfish-encrypted communication, process name hiding and a configurable preferred shell. It prints no error messages (for example when the socket is already bound) because it is meant to be stealthy. When a client connects, the daemon spawns a shell and creates two pipes, dup()s the shell's I/O onto them, and encrypts the traffic between the pipes and the client.
Author: Incognito/STK | File Size: 11419 bytes | Last Modified: Nov 30 01:51:07 2007
MD5 Checksum: c652966a5d9a09c29369794979d4ac6b
/// File Name: rcbd.c
Description: Simple connect-back backdoor for Unix. On connecting it reports basic information about the compromised host, such as uid/gid and uname output.
Author: St0rM-MaN | File Size: 3047 bytes | Last Modified: Oct 10 01:44:45 2007
MD5 Checksum: c59b4de790f54bbf3e6e647fc4dc9fd8
/// File Name: erne.txt
Description: New "bypass" shell for Linux servers: the kind of thing you don't want to find lying around in your webroot.
Author: Erne | Homepage: http://www.biyosecurity.net/ | File Size: 44624 bytes | Last Modified: Sep 24 23:57:40 2007
MD5 Checksum: bf610ba81441e60aee255f2286010400
/// File Name: rel.tar.gz
Description: Boxer 0.99 BETA3 appears to be a binary rootkit for the Linux 2.6 series that works through /dev/mem. This binary has not been tested and should be researched/tested with extreme caution.
File Size: 640357 bytes | Last Modified: Jul 11 21:50:51 2007
MD5 Checksum: 4015e13f814c5c33153ab49b196acd81
/// File Name: mood-nt_2.3.tgz
Description: Mood-NT 2.3 is a Linux kernel rootkit for 2.4.x kernels and 2.6 kernels below 2.6.20. It can hide processes, files, connections (Unix, raw and IPv6 too) and the promiscuous flag; it allows tty sniffing, exec redirection and sniffing of exec parameters, and has a private init script for starting whatever you want at boot. It has a number of anti-detection engines and a hardware-based hiding engine (using the x86 debug registers) that the author claims makes it completely stealthy on x86 machines. It fully supports vsyscalls and, if the kernel changes, reinstalls itself at boot.
Author: darkangel | Homepage: http://darkangel.antifork.org | File Size: 36881 bytes | Last Modified: Jun 6 18:38:28 2007
MD5 Checksum: c22f5dbb5757237be40c621f487ae8e2
/// File Name: backdoor.tar.gz
Description: This tarball contains the original source code of FreeBSD binaries such as find, fstat and kldstat, along with a script that lets you choose how each of them should be backdoored.
Author: Dark.iNiTro | Homepage: http://ccb.0x48k.cc/index.php?module=files | File Size: 245330 bytes | Last Modified: May 2 20:06:51 2007
MD5 Checksum: 3046022b733bd0ccc37165e34a2db7ad
/// File Name: openssh-4.6p1-backdored.tar.gz
Description: Backdoored version of OpenSSH 4.6p1. It logs passwords to /tmp/.sshell and has the usual hard-coded magic password.
Author: ShadOS | File Size: 982882 bytes | Last Modified: Apr 17 12:14:44 2007
MD5 Checksum: 082ab530608f02982dfcd57a28017ab3
/// File Name: openssh-4.5p1_backdoored.tar.gz
Description: Backdoored version of OpenSSH 4.5p1 that logs passwords to /var/tmp/sshbug.txt.
Author: santabug | File Size: 1005183 bytes | Last Modified: Nov 16 12:22:39 2006
MD5 Checksum: 98c87de1cf5683f9400828281e3f0769
/// File Name: mood-nt.tgz
Description: Mood-NT is a SucKIT 2-like Linux kernel rootkit for 2.4.x/2.6.x kernels. It can hide processes, files, connections (Unix, raw and IPv6 too) and the promiscuous flag; it allows tty sniffing, exec redirection and sniffing of exec parameters, and has a private init script for starting whatever you want at boot. It has a number of anti-detection engines and a hardware-based hiding engine (using the x86 debug registers) that the author claims makes it completely stealthy on x86 machines. If the kernel changes, it reinstalls itself at boot.
Author: darkangel | Homepage: http://darkangel.antifork.org | File Size: 35005 bytes | Last Modified: Oct 24 17:12:23 2006
MD5 Checksum: c046c7882ca919d595b8491be609d149
/// File Name: logginsh.txt
Description: loggin.sh is a script that emulates a Linux login prompt and records the captured logins to /tmp/.dump.
Author: Pranav Joshi, Deepak Kaul | File Size: 1266 bytes | Last Modified: Jun 5 04:40:02 2006
MD5 Checksum: 59b000733a8ab35f124a73afcd31bf40
/// File Name: pingrootkit.tar.bz2
Description: Ping Rootkit spawns a root shell when the well-known, "trusted" ping command is run with a special argument and a password; it works because ping is normally installed setuid root. Includes the full source code for ping as well as the patch.
Author: Herrumbre | Homepage: http://www.gnuler.com.ar | File Size: 33902 bytes | Last Modified: May 29 01:48:54 2006
MD5 Checksum: e19afeeeb6309c2e3b7f6dc750ce11b2
/// File Name: m0rtix.c
Description: m0rtix.c is a simple C backdoor for Linux that binds a shell to a port, forking a tty for each connection. Its processes are hidden, and it includes a kernel version detector that suggests which local root exploit to try against the system.
Author: jeremy still | File Size: 12040 bytes | Last Modified: Apr 28 20:30:27 2006
MD5 Checksum: 6503eae7a42fb2d5336a3a0cde0c5bb0
/// File Name: wnetstat.pl
Description: wnetstat.pl is a small Perl wrapper script that filters chosen IPs out of netstat output.
Author: bunker | Homepage: http://rawlab.altervista.org | File Size: 543 bytes | Last Modified: Apr 28 20:02:48 2006
MD5 Checksum: 8f3a29040d5ca112c203aeb2f9c2d3ac
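The user-land items above (the backdoored FreeBSD binaries, the two OpenSSH tarballs, the patched ping, and the netstat wrapper) all replace or wrap a trusted program. What follows is an added example, not code from this archive or from any package listed here, of the triage an administrator runs against that class of tampering: record a baseline of executable kind (ELF versus interpreter script) and SHA-256 for the binaries you care about, re-check the host against it, and also look for setuid/setgid executables that were not in the baseline. The manifest layout and the baseline()/triage() names are this example's own. In practice the baseline comes from package-manager metadata or trusted media, and the comparison is made from a clean boot, since a kernel rootkit can lie about file contents on the running host. SHA-256 is used rather than MD5: the MD5 sums in this listing identify downloads, but MD5 is collision-prone and should not be an integrity baseline.

```python
"""Trojaned-binary triage: baseline and re-check executables, and flag new setuid files.

Added example (not code from any package in this listing). Assumes a POSIX host;
the manifest format and the function names are this example's own."""
from __future__ import annotations

import hashlib
import os
import stat

ELF_MAGIC = b"\x7fELF"


def file_kind(path: str) -> str:
    """'elf' for a native binary, 'script' for an interpreter (#!) file, else 'other'.
    A Perl wrapper dropped in place of netstat shows up as 'script'."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head[:2] == b"#!":
        return "script"
    return "other"


def sha256_of(path: str) -> str:
    """Streamed SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths) -> dict[str, tuple[str, str]]:
    """Record (kind, sha256) for each path. Take this from trusted media or the
    package manager's metadata, never from a host you already suspect."""
    return {p: (file_kind(p), sha256_of(p)) for p in paths}


def triage(manifest: dict[str, tuple[str, str]], search_dirs=()) -> dict[str, list[str]]:
    """Compare the host against `manifest` and scan `search_dirs` for setuid/setgid
    executables the manifest does not know. Returns {path: [reasons]}."""
    findings: dict[str, list[str]] = {}

    def note(path: str, why: str) -> None:
        findings.setdefault(path, []).append(why)

    for path, (kind, digest) in manifest.items():
        try:
            actual_kind, actual_digest = file_kind(path), sha256_of(path)
        except OSError as e:
            note(path, f"baseline file missing or unreadable ({e.strerror})")
            continue
        if actual_kind != kind:          # e.g. a script where an ELF binary lived
            note(path, f"expected {kind}, found {actual_kind}")
        if actual_digest != digest:      # e.g. a patched ping or sshd
            note(path, "contents differ from baseline")

    for d in search_dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue
            privileged = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if stat.S_ISREG(st.st_mode) and privileged and path not in manifest:
                note(path, "setuid/setgid executable not in baseline")
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Usage (json manifest is an assumption of this example):
    #   python3 triage.py baseline.json /bin /sbin /usr/bin /usr/sbin
    with open(sys.argv[1]) as f:
        manifest = {p: tuple(v) for p, v in json.load(f).items()}
    for path, reasons in sorted(triage(manifest, sys.argv[2:]).items()):
        print(path, "; ".join(reasons), sep="\t")
```

Run the scan from a clean environment (rescue media with the suspect disk mounted read-only) whenever a kernel-level rootkit is a possibility; on the live host, the loop only tells you what the kernel is willing to show.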
/// File Name: ssheater-1.1.tar.gz
Description: SSHeater infects the running OpenSSH daemon at run time in order to log all future sessions and to plant a backdoor: a single password, chosen by the attacker, logs into every account on the system. A log parser included in the package displays authentication information for each session and can replay a session just like ttyrec/ttyplay.
Author: Barros | Homepage: http://www.gotfault.net/ | File Size: 16852 bytes | Last Modified: Apr 6 15:09:49 2006
MD5 Checksum: 584353ff41ac6ad6a59f87eaa8b05340
/// File Name: r57-pid-check.txt
Description: pid-check is a Perl script that uses the kill() and setpriority() system calls to find hidden processes, probing PIDs directly rather than trusting the process list.
Author: x97rang | Homepage: http://rst.void.ru | File Size: 9664 bytes | Last Modified: Apr 6 14:48:20 2006
MD5 Checksum: 62427ef3574ea99ba8cad2d1ce2f38c9
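An added example (not x97rang's script) of the pid-check approach in Python: walk every PID up to pid_max, ask the kernel about it with kill(pid, 0) and getpriority() (the setpriority() family), and report anything the kernel answers for that readdir() on /proc does not list. The refinement worth showing is the classic false positive: kill() also answers for thread IDs, which /proc never lists in readdir() but does resolve on lookup, so each hit is checked against its Tgid before it is called hidden. Function names and verdict strings are this example's own. Run it as root; on a /proc mounted with hidepid the status files of other users' processes are unreadable and will show up as noise, and a rootkit that hooks kill() and getpriority() consistently will defeat it, which is why the same hunt also belongs outside the box (network scan, offline disk).

```python
"""Hidden-process hunt: ask the kernel about every PID and compare with what /proc lists.

Added example, not the pid-check script from this listing; it uses the same two probes
the description names, kill() and the setpriority()/getpriority() family.
Assumes Linux with /proc mounted."""
from __future__ import annotations

import os

PROC = "/proc"


def pid_max() -> int:
    """Upper bound for the brute-force loop (4194304 is common on 64-bit hosts)."""
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


def listed_pids() -> set[int]:
    """What ps/top see: the numeric names readdir() returns for /proc.
    This is the view a readdir-hooking rootkit edits."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}


def probe(pid: int) -> bool:
    """Does the kernel know this task? Two independent syscalls, so hooking one is
    not enough. kill(pid, 0) delivers no signal; EPERM still proves existence."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        pass
    try:
        os.getpriority(os.PRIO_PROCESS, pid)   # ESRCH (ProcessLookupError) if no task
        return True
    except ProcessLookupError:
        return False


def tgid_of(pid: int) -> int | None:
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.
    Lookup of /proc/<tid> works even though readdir() never lists thread ids."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def classify(pid: int, listed: set[int], tgid: int | None) -> str | None:
    """Verdict for a pid the kernel answered for; None means benign.
    Kept free of I/O so it can be exercised with constructed inputs."""
    if pid in listed:
        return None
    if tgid is None:
        return f"kernel answers for it but /proc/{pid} is unreadable"
    if tgid != pid:
        # A thread id: benign if its process is visible (the classic false positive).
        return None if tgid in listed else f"thread of hidden process {tgid}"
    return "process missing from /proc readdir"


def find_hidden(limit: int | None = None) -> dict[int, str]:
    """Brute-force pids 1..limit. /proc is re-read on each hit so a process that
    started after the first listing is not reported as hidden."""
    listed = listed_pids()
    findings: dict[int, str] = {}
    for pid in range(1, (limit or pid_max()) + 1):
        if pid in listed or not probe(pid):
            continue
        listed = listed_pids()
        verdict = classify(pid, listed, tgid_of(pid))
        if verdict:
            findings[pid] = verdict
    return findings


if __name__ == "__main__":
    for pid, why in sorted(find_hidden().items()):
        print(f"{pid}\t{why}")
```

A full sweep of a 4194304-pid space takes a few seconds in CPython; if a host is busy with short-lived processes, expect an occasional transient hit and re-run before escalating.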
/// File Name: enyelkm.en.v1.1.tar.gz
Description: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts its hooks ("salts", in the author's terminology) inside the system_call and sysenter_entry handlers, so it modifies neither sys_call_table nor the IDT. It hides files, directories and processes, hides chunks inside files, and gives remote reverse-shell access, local root, etc.
Author: RaiSe | Homepage: http://www.enye-sec.org | Changes: Version 1.1 | File Size: 9712 bytes | Last Modified: Feb 20 16:28:09 2006
MD5 Checksum: 89340215b6cfceb3a176c4a30e34f5c6
/// File Name: override.tar.bz
Description: The override rootkit: an LKM rootkit for Linux 2.6 that patches system calls. Features: hides PIDs (and automatically hides the PIDs of their child processes), hides network ports, hides files whose names begin with a user-defined prefix, and can list the hidden PIDs again.
Author: Amir Alsbih | Homepage: http://www.informatik.uni-freiburg.de/~alsbiha/ | File Size: 3883 bytes | Last Modified: Jan 27 14:12:33 2006
MD5 Checksum: 31a9eb52f4907924ba9fb22287b44996
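override, Phalanx, SucKIT and Mood-NT all hide sockets or ports from netstat, and the bindshell and connect-back tools at the top of this listing are what those sockets belong to. The following added example (not part of this archive or of any package in it) correlates two kernel views that a rootkit must hook consistently: the LISTEN rows of /proc/net/tcp and the socket inodes found under /proc/<pid>/fd. A listener whose inode no visible process owns is either a process hidden from readdir() or a lie in one of the two tables. The sample /proc/net/tcp text is constructed for the example; live_orphan_listeners() reads the real file. Run it as root (non-root cannot read other users' fd tables, so everything looks orphaned), repeat for /proc/net/tcp6 and the udp tables as needed, and remember that a port hidden from /proc/net/tcp itself only shows up to an external port scan.

```python
"""Correlate listening TCP sockets with the processes that own them.

Added example (not from this archive). Assumes Linux with /proc mounted;
run as root for a complete fd table. The sample table below is constructed."""
from __future__ import annotations

import os
import socket
import struct
from collections import namedtuple

Listener = namedtuple("Listener", "addr port uid inode")
TCP_LISTEN = "0A"  # value of the st column for LISTEN in /proc/net/tcp

# Constructed sample in the real /proc/net/tcp layout: a resolver on 127.0.0.1:53,
# a wildcard listener on 31337, and one established connection (filtered out).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 24680 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text: str) -> list[Listener]:
    """Return the LISTEN rows of an IPv4 /proc/net/tcp table.

    local_address is hex with the IPv4 bytes in host (little-endian) order,
    so 0100007F:0035 is 127.0.0.1:53. uid is field 7 and inode field 9."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        rows.append(Listener(addr, int(port_hex, 16), int(f[7]), int(f[9])))
    return rows


def socket_inode_owners() -> dict[int, int]:
    """Map socket inode -> pid from the symlinks in /proc/<pid>/fd.
    Only pids that readdir() on /proc reveals can be walked, which is the point:
    a hidden process leaves its sockets unowned from this vantage point."""
    owners: dict[int, int] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:            # exited meanwhile, or not ours and we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{fd_dir}/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(name)
    return owners


def orphan_listeners(rows: list[Listener], owners: dict[int, int]) -> list[Listener]:
    """Listeners whose socket inode is open in no visible process."""
    return [r for r in rows if r.inode not in owners]


def live_orphan_listeners() -> list[Listener]:
    """Run the check against this host's real /proc/net/tcp."""
    with open("/proc/net/tcp") as f:
        rows = parse_proc_net_tcp(f.read())
    return orphan_listeners(rows, socket_inode_owners())


if __name__ == "__main__":
    for r in live_orphan_listeners():
        print(f"{r.addr}:{r.port} uid={r.uid} inode={r.inode}  no visible owner")
```

Cross-check any orphan against an external scan of the host (nmap from another machine): a listener that answers on the wire but is absent from /proc/net/tcp entirely is the signature of the port-hiding hooks these rootkits install.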
/// File Name: override.tar.gz
Description: Unavailable.
File Size: 3918 bytes | Last Modified: Jan 26 05:04:39 2006
MD5 Checksum: ebd24e8673c12b43c1ac08a1c341075c
/// File Name: phalanx-b6.tar.bz2
Description: Phalanx is a self-injecting kernel rootkit for the Linux 2.6 branch that does not rely on the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connect-back backdoor, and automatic injection at boot.
Author: rebel | File Size: 19479 bytes | Last Modified: Dec 27 03:25:28 2005
MD5 Checksum: 3d0ef3793579cd846e43a034d147ecd0
/// File Name: enyelkm.en.v1.0.tar.gz
Description: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts its hooks ("salts", in the author's terminology) inside the system_call and sysenter_entry handlers, so it modifies neither sys_call_table nor the IDT. It hides files, directories and processes, hides chunks inside files, and gives remote reverse-shell access, local root, etc.
Author: RaiSe | Homepage: http://www.enye-sec.org | File Size: 9907 bytes | Last Modified: Nov 30 14:14:40 2005
MD5 Checksum: 5896fe3e8a333c4e1e52daedc3422363
/// File Name: rsh-v2.c
Description: Unix log cleaner that also checks whether root is logged in.
Author: rotor | Homepage: http://www.c1zc0.com | File Size: 3149 bytes | Last Modified: Oct 30 19:19:11 2005
MD5 Checksum: e2e7e8f9bb27e7b5dd66041ebd4d3766
/// File Name: suckit2priv.tar.gz
Description: SucKIT rootkit v2.0-devel-rc2. Easy-to-use kernel-based rootkit for Linux i386. The code is injected into the running kernel through /dev/kmem and stays in memory, needing neither LKM support nor System.map; everything is resolved on the fly. It can hide PIDs, files and TCP/UDP/raw sockets, and sniff TTYs.
Author: sd | Homepage: http://sd.g-art.nl | File Size: 465502 bytes | Last Modified: Oct 13 02:06:53 2005
MD5 Checksum: 3bb82c1fddcc47456efee6f3687e4f51
/// File Name: SInAR-0.3.tar.bz2
Description: SInAR Solaris rootkit version 0.3: an invisible kernel-based rootkit for Solaris 8, 9 and 10. Special TAX release.
Author: Archim | File Size: 6582 bytes | Last Modified: Oct 6 00:01:32 2005
MD5 Checksum: 544f71c02bf24ee9c0dc4e4c696abf3b