Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
icmp-backdoor.tar.gz |
Description:
|
Small ICMP backdoor which works under BSD, Linux, and Solaris. Because you can define the icmp_code to use, it is able to simulate an echo_request <-> echo_reply conversation, so it looks like a normal ping with bigger packets. It also includes a session_id to detect the right packets (which is also done by certain icmp_id's).
| | Author: | Martin J. Muench | | Homepage: | http://www.codito.de | | File Size: | 5118 | | Last Modified: | May 30 01:49:11 2002 |
| MD5 Checksum: | d77f547863617b69e6206eb72c90fce2 |
|
| /// File Name: |
trojodaemon.c |
Description:
|
Trojodaemon is a simple tool which allows you to start a process at boot.
| | Author: | Dev | | File Size: | 2214 | | Last Modified: | May 29 02:00:44 2002 |
| MD5 Checksum: | 4ee3bb29be054cab63922eb934cfec60 |
|
| /// File Name: |
psf.c |
Description:
|
Psf (Process Stack Faker) attempts to "hide" UN*X processes (those seen by "ps auwx" & "top") without having root. Tested on FreeBSD 4.3, Linux 2.4, NetBSD 1.5, Solaris 2.7.
| | Homepage: | http://sysdlabs.hypermart.net/proj/index.html#psf | | File Size: | 10641 | | Last Modified: | May 20 01:01:11 2002 |
| MD5 Checksum: | 9201bd94e640580b7fab70294ff169b6 |
|
| /// File Name: |
linspy2beta2.tgz |
Description:
|
Linspy is a keystroke logger for Linux kernels v2.2 and 2.4 which records TTY activity. Based on Halflife's article from Phrack 50.
| | Author: | Xian | | File Size: | 4524 | | Last Modified: | Apr 17 02:35:56 2002 |
| MD5 Checksum: | 0099f4b8f9f3268dbea495ee6168b78a |
|
| /// File Name: |
fbsd.tgz |
Description:
|
FreeBSD rootkit precompiled binaries for 4.2-RELEASE.
| | Author: | Nyo,Jade | | File Size: | 1201232 | | Last Modified: | Mar 20 01:48:13 2002 |
| MD5 Checksum: | 3ba84e13541e99d8356dd119efc33c1e |
|
| /// File Name: |
login.tgz |
Description:
|
Backdoored login package for Linux.
| | Author: | TheFinn | | Homepage: | http://circuit4.net/~thefinn | | File Size: | 32632 | | Last Modified: | Mar 18 00:09:58 2002 |
| MD5 Checksum: | e9ead72cdd327d67c6cf4baf41610ee4 |
|
| /// File Name: |
udp_backdoor.tar.gz |
Description:
|
UDP backdoor which uses raw sockets. It spoofs the packets' origin address when communicating with the server end of the backdoor. It also uses encryption, and has several methods of security through obscurity.
| | Author: | Plastek | | File Size: | 3380 | | Last Modified: | Feb 22 02:06:24 2002 |
| MD5 Checksum: | e631d34f6472356f7a8695a2650e6197 |
|
| /// File Name: |
tunnelshell_v1.tgz |
Description:
|
Tunnelshell is a client-server backdoor which uses fragmented packets to traverse firewalls. Written in C, tested on Linux.
| | Author: | Fryx | | File Size: | 15410 | | Last Modified: | Jan 31 02:18:07 2002 |
| MD5 Checksum: | d85e5b237d50e8eac3adc6a84bc13157 |
|
| /// File Name: |
kernel.keylogger.txt |
Description:
|
Kernel Based Keystroke Loggers for Linux - This paper describes the basic concepts and techniques used for recording keystroke activity under Linux. Includes a proof of concept LKM which is stealthy, works with recent distributions, and is capable of logging local logins and ssh sessions to and from the host. Tested on Slackware v8.0 with kernel v2.4.5.
| | Author: | Mercenary | | Homepage: | http://www.phreedom.org/article.php?id=28 | | File Size: | 20270 | | Last Modified: | Jan 26 15:24:34 2002 |
| MD5 Checksum: | a9615f10eaef0364e7e748a96c2fb1c1 |
|
| /// File Name: |
trNkitv1.0r.tar.gz |
Description:
|
trNkit v1.0 -Release- (beta). Includes patched versions of du, locate, netstat, ps, pstree, top, w, and who.
| | Author: | turnrightNever | | File Size: | 13353 | | Last Modified: | Jan 25 02:14:22 2002 |
| MD5 Checksum: | 30e6999a115ab145c17d2351744c1bda |
|
| /// File Name: |
Troier-v1.0r.tgz |
Description:
|
Troier is a package of trojaned Linux commands. Includes du, locate, netstat, ps, pstree, top, w, and who.
| | Author: | TurnRightNever. | | File Size: | 9533 | | Last Modified: | Jan 17 01:38:33 2002 |
| MD5 Checksum: | 182c309ade99cf302b6dc13cff0c54e9 |
|
| /// File Name: |
darkside-0.2.3.tar.gz |
Description:
|
Darkside is a rootkit for unix which hides processes and their children, hides files, manipulates uid's, and modifies the tcp/ip stack to hide connections.
| | Author: | Lbyte | | File Size: | 7646 | | Last Modified: | Jan 11 01:02:06 2002 |
| MD5 Checksum: | 2af112a1e0cb1b0ed4cbe3626044ccf7 |
|
| /// File Name: |
openssh-2.9p2.patch |
Description:
|
Openssh-2.9p2 patch which logs the username, remote host, and password when outbound connections are made.
| | File Size: | 3608 | | Last Modified: | Dec 8 22:42:10 2001 |
| MD5 Checksum: | 506df08051bf9a4a4e83c6b57873c242 |
|
| /// File Name: |
vexed.sh |
Description:
|
Backdoor shell script to be run from cron monthly.
| | Author: | Sil | | File Size: | 3109 | | Last Modified: | Nov 22 04:28:40 2001 |
| MD5 Checksum: | 0793fc12f1e7d665299d8bcc965302b0 |
|
| /// File Name: |
shtroj2.c |
Description:
|
shtroj2.c is an auto-hiding backdoor kernel module for Linux that executes an arbitrary command when the environment variable TERM is set to a specific password on the execution of a program. Can be used to drop immediately to a functional tty-based shell instead of running /bin/login with sshd and telnetd.
| | Author: | J.B. Lesage | | File Size: | 6401 | | Last Modified: | Nov 21 01:28:04 2001 |
| MD5 Checksum: | 8808d003335d8e2600666db906b4e962 |
|
| /// File Name: |
rkssh6.tar.gz |
Description:
|
Patch to sshd-1.2.27 to make a global backdoor password. Allows remote root logins when the magic password is used, and doesn't write anything to the logs.
| | Homepage: | http://www.ne.jp/asahi/linux/timecop | | File Size: | 5582 | | Last Modified: | Nov 12 23:15:11 2001 |
| MD5 Checksum: | 891188e8ba0b2c338e22d0295b4acaf5 |
|
| /// File Name: |
fbrk1-imps.tar.gz |
Description:
|
FreeBSD rootkit. Patches ls, du, find, locate, ps, top, strings, ifconfig, netstat, login, and ftpd. Includes backdoor sysback and sniffer zxsniff.
| | Author: | Nyo | | File Size: | 267168 | | Last Modified: | Nov 5 22:40:21 2001 |
| MD5 Checksum: | aabf3bc70afc09f16e0015272e8b2baa |
|
| /// File Name: |
SAdoor.0.2.beta.tgz |
Description:
|
SADoor is a non-listening remote admin tool for UN*X systems. It sets up a listener in non-promiscuous mode for a specific sequence of packets arriving at the interface before allowing command mode. The commands are sent MIME64 encoded in the TCP payload, then decoded and passed on to system(3).
| | Author: | CMN | | Homepage: | http://www.mdstud.chalmers.se/~md0claes | | File Size: | 32640 | | Last Modified: | Sep 21 00:25:44 2001 |
| MD5 Checksum: | cd5507c7d2cdebc30a30ee19977bb14c |
|
| /// File Name: |
adore-0.39b4.tgz |
Description:
|
Adore is an LKM-based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything.
| | Author: | Stealth | | Homepage: | http://www.team-teso.net | | Changes: | Now includes open()/stat() redirection and improved netstat hiding. Removed execution redirection. | | File Size: | 14678 | | Last Modified: | Jul 29 05:48:33 2001 |
| MD5 Checksum: | 777cbd2a59268b394b79da2bda910a40 |
|
| /// File Name: |
_root_040.zip |
Description:
|
Windows NT Rootkit v0.04 alpha - Hides processes, files, and directories; has a k-mode shell using TCP/IP, so you can telnet into the rootkit remotely. Hides registry keys (keyboard patch disabled in this build). Includes execution redirection.
| | Homepage: | http://www.rootkit.com | | File Size: | 107713 | | Last Modified: | Jul 29 05:16:28 2001 |
| MD5 Checksum: | 12487fc88e78176f582cbbdbd45f2575 |
|
| /// File Name: |
kis-0.9.tar.gz |
Description:
|
KIS is the Kernel Intrusion System, a powerful client / server LKM based rootkit.
| | Author: | Optyx | | Homepage: | http://www.uberhax0r.net/kis | | File Size: | 87860 | | Last Modified: | Jul 19 19:57:12 2001 |
| MD5 Checksum: | 55fa64d52771873a841e22a59b00bb42 |
|
| /// File Name: |
kbdv3.c |
Description:
|
Kbd v3.0 is a Linux loadable kernel module backdoor. Allows root access by modifying the SYS_utime and SYS_getuid32 system calls. Can be used in conjunction with cleaner.c from the adore root for stealth capability.
| | Author: | Spaceork | | File Size: | 3047 | | Last Modified: | Jul 19 19:49:47 2001 |
| MD5 Checksum: | 35bb7a88521f2c65ff8d88fa486a7d07 |
|
| /// File Name: |
tnet-tools-1.55.tar.gz |
Description:
|
Ifconfig and Netstat trojan - reads interfaces (sit0, eth0, eth0:1) from a file, defined in a char[] array, and hides them.
| | Author: | Twiz | | Homepage: | http://www.twlc.net | | File Size: | 99011 | | Last Modified: | Jul 18 21:31:51 2001 |
| MD5 Checksum: | 66e7b041c4913304d281ae0701d9b059 |
|