Section: UNIX / penetration / rootkits

The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.

File Name: adore-0.31.tar.gz
Description: Adore is a Linux LKM-based rootkit. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything.
Author: Stealth
Homepage: http://www.team-teso.net
Changes: Automatic configuration, bug fixes.
File Size: 9738
Last Modified: Jan 9 13:54:45 2001
MD5 Checksum: 4bdf75cfb7735741285ae82f5b5d4df6

File Name: enyelkm.en.v1.1.tar.gz
Description: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table or IDT content. It hides files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc.
Author: RaiSe
Homepage: http://www.enye-sec.org
Changes: Version 1.1
File Size: 9712
Last Modified: Feb 20 16:28:09 2006
MD5 Checksum: 89340215b6cfceb3a176c4a30e34f5c6

File Name: r57-pid-check.txt
Description: pid-check is a Perl script that uses the kill() and setpriority() system calls to find hidden processes.
Author: x97rang
Homepage: http://rst.void.ru
File Size: 9664
Last Modified: Apr 6 14:48:20 2006
MD5 Checksum: 62427ef3574ea99ba8cad2d1ce2f38c9

File Name: Troier-v1.0r.tgz
Description: Troier is a package of trojaned Linux commands. Includes du, locate, netstat, ps, pstree, top, w, and who.
Author: TurnRightNever.
File Size: 9533
Last Modified: Jan 17 01:38:33 2002
MD5 Checksum: 182c309ade99cf302b6dc13cff0c54e9

File Name: adorebsd-0.34.tar.gz
Description: AdoreBSD 0.34 - Based off Linux Adore by Stealth. Features hiding files and directories from view, makes processes invisible, hides promiscuous flag and syslog messages, execute as root, hides sysctl mib entries, netstat service hiding, authentication, and module hiding. Developed on FreeBSD 4.3-STABLE.
Author: Bind
Homepage: http://team-teso.net
File Size: 9387
Last Modified: May 25 18:24:56 2001
MD5 Checksum: f98864a4f927e04d6f66a010934a08a0

File Name: Rial.c
Description: RIAL is an LKM-based rootkit which can hide processes, files, directories, LKMs, connections and file parts. While some of these are present in a large number of LKMs, connection and file-part hiding are new ideas, or at least I couldn't find any LKM which had them. All the processes, files, directories and LKMs containing in their name the string defined in HIDE are hidden. Reading from /proc/net/tcp is intercepted and read data is filtered to hide some connections.
Author: Technok
Homepage: http://www.pkcrew.org
File Size: 8893
Last Modified: Dec 2 21:19:05 2000
MD5 Checksum: 3bb687667a69ddc3cd274eb1ffac0719

File Name: mod_backdoor.c
Description: Apache DSO backdoor - A GET request to a "special" URL allows remote command execution.
Author: Slash
Homepage: http://b0f.freebsd.lublin.pl
File Size: 8809
Last Modified: Jun 5 14:52:24 2000
MD5 Checksum: 84e2f164eca988c6647d0dc512f4536c

File Name: BBD-0.4.tgz
Description: BBD is a passcode protected remote backdoor with configurable TCP port. After login the backdoor reports if any users or root users are logged in. Allows remote command execution and file upload.
Author: Detach
File Size: 8618
Last Modified: Nov 19 11:16:47 2002
MD5 Checksum: 17a9eaece27bbf5b5a8601c89b3b3a27

File Name: evilshell.c
Description: 3vilsh3ll is a remote backdoor that shuffles a shell back to a remote host when hit with an ICMP packet that has special settings.
Author: Simpp
File Size: 8166
Last Modified: Sep 2 23:06:44 2008
MD5 Checksum: 9be2c39a2ac092d94439ef53aecd613a

File Name: sol25.zip
Description: Solaris 2.5.1 rootkit.
File Size: 7882
Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: a7cb0fb898d231711a160a6308bb5342

File Name: darkside-0.2.3.tar.gz
Description: Darkside is a rootkit for Unix which hides processes and their children, hides files, manipulates UIDs, and modifies the TCP/IP stack to hide connections.
Author: Lbyte
File Size: 7646
Last Modified: Jan 11 01:02:06 2002
MD5 Checksum: 2af112a1e0cb1b0ed4cbe3626044ccf7

File Name: tunnelshell_2.3.tgz
Description: Tunnelshell is a client/server program written in C for Linux users that tunnels a shell using various methods which can bypass firewalls, such as fragmented packets, TCP ACK packets, UDP, ICMP, and raw IP packets (ipsec).
Author: Fryx
Homepage: http://www.geocities.com/fryxar
File Size: 7410
Last Modified: Nov 21 13:35:56 2003
MD5 Checksum: 2cff53694f9cfe864f65d83f9901529b

File Name: 3vilSh3ll.c
Description: Classic backdoor bindshell that is password protected, hides activity, forks, and does all the expected functions of an evil backdoor.
Author: Simpp
File Size: 7272
Last Modified: Mar 18 22:25:36 2008
MD5 Checksum: 9cf37a9cec5547cca5c9872fbe651b5f

File Name: ddb.tar.gz
Description: A backdoor that allows you to keep remote access to a shell on a LAN protected by masquerading, getting rid of the inability of a non-public address to listen on a port reachable from the Internet.
Author: The Recidjvo
Homepage: http://www.pkcrew.org
File Size: 6937
Last Modified: Dec 2 21:23:49 2000
MD5 Checksum: 160a48a5b3c8e479102e10689731737d

File Name: SInAR-0.3.tar.bz2
Description: SInAR Solaris rootkit version 0.3. Invisible kernel based rootkit for Solaris 8, 9, and 10. Special TAX release.
Author: Archim
File Size: 6582
Last Modified: Oct 6 00:01:32 2005
MD5 Checksum: 544f71c02bf24ee9c0dc4e4c696abf3b

File Name: shtroj2.c
Description: shtroj2.c is an auto-hiding backdoor kernel module for Linux that executes an arbitrary command when the environment variable TERM is set to a specific password on the execution of a program. Can be used to drop immediately to a functional tty-based shell instead of running /bin/login with sshd and telnetd.
Author: J.B. Lesage
File Size: 6401
Last Modified: Nov 21 01:28:04 2001
MD5 Checksum: 8808d003335d8e2600666db906b4e962

File Name: SInAR-0.2.tar.bz2
Description: SInAR Solaris rootkit v0.2. Invisible kernel based rootkit for Solaris 8, 9, and 10.
Author: Archim
File Size: 6300
Last Modified: Feb 18 02:35:55 2005
MD5 Checksum: 6e5dc76977f8b3fed2fd9f21ffc375dd

File Name: Raditz.cc
Description: Raditz is a hacked replacement for the tripwire binary which never actually gets tripped. It attempts to look and feel just like tripwire, allowing you to hopefully remain undetected on a rooted system just a little bit longer.
Author: Technion
Homepage: http://www.coons.org/
File Size: 6264
Last Modified: Jun 8 18:06:00 2000
MD5 Checksum: 9498698261bb430e8552e191a34ac37e

File Name: Mr-Lynd0v1.2.c
Description: Mr-Lynd0 is a log cleaner and an instrument to hide a user or to change the user and host. It cleans the IP, user, and host in log files under /var/log/ and hides you on a Linux box by editing wtmp and utmp. Version 1.2 released with bugfixes.
Author: click
File Size: 6218
Last Modified: Mar 7 01:38:35 2003
MD5 Checksum: 586820ca8ebab3a1e7edf4599c1a43d8

File Name: Mr-Lynd0v1.1.c
Description: Mr-Lynd0 is a log cleaner and an instrument to hide a user or to change the user and host. It cleans the IP, user, and host in log files under /var/log/ and hides you on a Linux box by editing wtmp and utmp.
Author: click
File Size: 6217
Last Modified: Oct 22 00:48:36 2002
MD5 Checksum: 2993d94af3a9cb610ae7511a63b33983

File Name: sol24.zip
Description: Solaris 2.4 rootkit.
File Size: 5949
Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: 411213add7627494a48b94a504917b38

File Name: eshell.c
Description: Eshell.c is an encrypted bindshell type backdoor which has a server daemon and client with AES encryption via libmix.
Author: Luki Rustianto
Homepage: http://www.karet.org
File Size: 5667
Last Modified: Jan 4 17:40:11 2001
MD5 Checksum: 75b97d78a51fdf7a51d4eb6fbd64fd9e

File Name: SInAR-0.1.tar.gz
Description: SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress.
Author: Archim
File Size: 5643
Last Modified: Jan 4 02:37:05 2005
MD5 Checksum: 3bf1b0f2efc10febf86e95d699b68638

File Name: ssh0wn.diff
Description: Patch for openssh-3.4p1 that will grant login access to any user with the "secret" pass and that user will not be logged. It will also capture usernames and passwords on outbound and inbound ssh connections.
Author: Enz00
Homepage: http://sec.angrypacket.com
File Size: 5595
Last Modified: Aug 8 21:06:07 2002
MD5 Checksum: 6efb88ae0c6e3fec167935a646a9ec6e

File Name: rkssh6.tar.gz
Description: Patch to sshd-1.2.27 to make a global backdoor password. Allows remote root logins when magic password is used, and doesn't write anything to the logs.
Homepage: http://www.ne.jp/asahi/linux/timecop
File Size: 5582
Last Modified: Nov 12 23:15:11 2001
MD5 Checksum: 891188e8ba0b2c338e22d0295b4acaf5