Section: UNIX / penetration / rootkits

The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.

/// File Name: allinone.c
Description: Allinone.c is a backdoor that combines an HTTP server, a sockets transmit server, a shell backdoor, an ICMP backdoor, a bind shell backdoor and an HTTP shell; it can copy files from a remote host and can use a SOCKS5 proxy.
Author: Lion
Homepage: http://www.cnhonker.com
File Size: 19710
Last Modified: Oct 21 02:01:23 2002
MD5 Checksum: 8bc44ad107518ac38b7003c5479ca020

/// File Name: phalanx-b6.tar.bz2
Description: Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connect-back backdoor, and auto injection on boot.
Author: rebel
File Size: 19479
Last Modified: Dec 27 03:25:28 2005
MD5 Checksum: 3d0ef3793579cd846e43a034d147ecd0

/// File Name: sneaky-sneaky-1.12.tar.gz
Description: Sneaky-sneaky is a bidirectional spoofed ICMP tunnel backdoor with built-in encryption and logging capabilities. It communicates via ICMP echo replies, keeping the true source IP address encrypted inside the payload.
Author: Phish
File Size: 17353
Last Modified: Nov 2 17:31:39 2002
MD5 Checksum: 1ff30567857b78272c86eaa119d49043

/// File Name: ssheater-1.1.tar.gz
Description: SSHeater is a program that infects the OpenSSH daemon at run time in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into all accounts on the system. A log parser included in the package can display authentication information about sessions as well as replay a session just like TTYrec/play.
Author: Carlos Barros
Homepage: http://www.gotfault.net/
File Size: 16852
Last Modified: Apr 6 15:09:49 2006
MD5 Checksum: 584353ff41ac6ad6a59f87eaa8b05340

/// File Name: cd00r.c
Description: cd00r.c is proof-of-concept code to test the idea of a completely invisible (read: not listening) backdoor server. Standard backdoors and remote access services have one major problem: the ports they are listening on are visible on the system console as well as from outside (by port scanning). To activate the remote access service, one has to send several packets (TCP SYN) to ports on the target system. Which ports, in which order, and how many of them are defined in the source code.
Author: FX
Homepage: http://www.phenoelit.de/
File Size: 16605
Last Modified: Jun 13 17:29:23 2000
MD5 Checksum: f7d023c9bfa342c440262beb65dd105e

/// File Name: Netstat.zip
Description: Netstat.zip is a fake Windows netstat that can hide certain network connections. Requires renaming the original netstat.
Author: Digital Fire
File Size: 15843
Last Modified: Apr 24 20:18:22 2001
MD5 Checksum: 97d5d9a6abab7e7c5a2b97e38252db12

/// File Name: tunnelshell_v1.tgz
Description: Tunnelshell is a client-server backdoor which uses fragmented packets to traverse firewalls. Written in C, tested on Linux.
Author: fryxar
File Size: 15410
Last Modified: Jan 31 02:18:07 2002
MD5 Checksum: d85e5b237d50e8eac3adc6a84bc13157

/// File Name: knark-0.59.tar.gz
Description: Knark is a kernel-based rootkit for Linux 2.2. It hides files in the filesystem, strings in /proc/net (as read by netstat) and processes, and redirects program execution to seamlessly bypass tripwire / md5sum.
Author: Creed
Changes: Remote command execution.
File Size: 15169
Last Modified: Nov 21 01:12:10 1999
MD5 Checksum: adde1bb47d9e45237e83d85f8d48098f

/// File Name: tcpd-byp.tar.gz
Description: Modified TCP Wrappers that bypass the restrictions in hosts.deny and hosts.allow.
Author: God-
Homepage: ftp://haxordot.org/pub/god-/
File Size: 14905
Last Modified: Aug 5 23:07:04 2000
MD5 Checksum: ac6a784b6ca87296554ef4544558b0d3

/// File Name: adore-0.42.tgz
Description: Adore is an LKM-based rootkit for Linux 2.2/2.4. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, a rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything.
Author: Stealth
Homepage: http://www.team-teso.net
Changes: Added devpts fix, fixed is_secret64() to properly hide files, and fixed a memory leak.
File Size: 14749
Last Modified: Sep 19 18:18:14 2002
MD5 Checksum: 156ded13d5e16b84a9e31193bc9bc417

/// File Name: adore-0.39b4.tgz
Description: Adore is an LKM-based rootkit for Linux 2.2/2.4. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, a rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything.
Author: Stealth
Homepage: http://www.team-teso.net
Changes: Now includes open()/stat() redirection and improved netstat hiding. Removed execution redirection.
File Size: 14678
Last Modified: Jul 29 05:48:33 2001
MD5 Checksum: 777cbd2a59268b394b79da2bda910a40

/// File Name: sun-5.5.1.zip
Description: Solaris 2.5.1 rootkit.
File Size: 14587
Last Modified: Aug 16 20:06:53 1999
MD5 Checksum: ebf975690e348e10295a463ab13c5229

/// File Name: adore-0.38.tar.gz
Description: Adore is an LKM-based rootkit for Linux 2.2/2.4. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, a rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything.
Author: Stealth
Homepage: http://www.team-teso.net
Changes: Added 64-bit FS support, now fools protection modules such as StMichael, and minor fixes.
File Size: 14316
Last Modified: May 25 18:17:46 2001
MD5 Checksum: 72e80f9fa6ebe9358f7fd0358c8e959f

/// File Name: ezmal-0.2.zip
Description: EZMal is a Mac OS X Trojan Kit that will attach a persistent bindshell to applications.
Author: microphone8000
File Size: 13952
Last Modified: Jul 30 22:57:19 2008
MD5 Checksum: 1af27ee2d196b8eccedf3762e3a16c01

/// File Name: ntbindshell.zip
Description: Ntbindshell is a lightweight (24k compiled) cmd.exe backdoor for Windows. Full C source included. Provides two modes of operation: standard (listening) mode or reverse-connect mode. Includes the ability to install itself as a system service, providing a shell with LocalSystem privileges.
Author: Christophe Devine
File Size: 13548
Last Modified: Oct 20 21:54:48 2003
MD5 Checksum: f9263c604245a5fdff0843915d6936c4

/// File Name: adore-0.34.tgz
Description: Adore is an LKM-based rootkit for Linux 2.2/2.4. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process hiding, netstat hiding, a rootshell backdoor, and an uninstall routine. Includes a userspace program to control everything.
Author: Stealth
Homepage: http://www.team-teso.net
Changes: Improved 2.4 support, better authentication checking, permanent PID removal, configure script, experimental exec redirection for i386.
File Size: 13470
Last Modified: Mar 26 19:50:38 2001
MD5 Checksum: 69b3453f1fb1650388fc63297652d221

/// File Name: trNkitv1.0r.tar.gz
Description: trNkit v1.0 -Release- (beta). Includes patched versions of du, locate, netstat, ps, pstree, top, w, and who.
Author: turnrightNever
File Size: 13353
Last Modified: Jan 25 02:14:22 2002
MD5 Checksum: 30e6999a115ab145c17d2351744c1bda

/// File Name: Phantasmagoria.tgz
Description: Phantasmagoria hides tasks without modifying syscalls in Linux kernel v2.4. Includes a paper "Smashing The Kernel For Fun And Profit" and proof-of-concept code.
Author: Dark Angel
File Size: 13061
Last Modified: Sep 6 00:26:23 2002
MD5 Checksum: a278f9b3307f3c37c9c9d1247f110575

/// File Name: enyelkm-1.3-no-objs.tar.gz
Description: LKM rootkit for Linux x86 with the 2.6 kernel. It inserts jumps ("salts") inside the system_call and sysenter_entry handlers, so it does not modify the sys_call_table or the IDT contents. It hides files, directories, and processes, hides chunks inside of files, gives remote reverse_shell access, local root, etc. This version of the rootkit is specifically ported to work on Ubuntu 8.04 with the 2.6.24 kernel. No backwards compatibility is provided. The modified rootkit was simply meant as a proof of concept for a book. The documentation was not updated to reflect the changes and this was submitted to the site anonymously. Use at your own risk.
Author: RaiSe
Homepage: http://www.enye-sec.org
File Size: 12903
Last Modified: Feb 25 16:59:12 2009
MD5 Checksum: a12a5b779ec0ab22fd03e28503ed014d

/// File Name: knark-0.50.tar.gz
Description: Knark is a kernel-based rootkit for Linux 2.2. It hides files in the filesystem, strings in /proc/net (as read by netstat) and processes, and redirects program execution.
Author: Creed
File Size: 12856
Last Modified: Nov 15 19:49:25 1999
MD5 Checksum: 93b4d72822ac6b8cd5346542ae7804f8

/// File Name: cisco-ack-proof-concept.tgz
Description: A proof-of-concept white paper on circumventing Cisco access lists that rely on permitting only "established" TCP sessions: communication is established between a client and server (included) that never set the SYN bit. Works against any firewall that accepts all packets lacking the SYN bit.
Author: Codex
Homepage: http://www.phate.net/docs/security/
File Size: 12711
Last Modified: May 31 18:23:32 2000
MD5 Checksum: e7c9032c77ac8938e06fd163cdc9e3fd

/// File Name: m0rtix.c
Description: m0rtix.c is a simple C Linux backdoor which binds a shell to a port with a tty fork. Its processes are hidden, and it contains a kernel version detector which tells you what local root exploit you must use to root the system.
Author: jeremy still
File Size: 12040
Last Modified: Apr 28 20:30:27 2006
MD5 Checksum: 6503eae7a42fb2d5336a3a0cde0c5bb0

/// File Name: funnyscript.c
Description: Hacked version of script that logs everything typed to /tmp/.x11sock. Based heavily on script.c.
Author: Andrea Montanari
File Size: 11779
Last Modified: Dec 8 20:26:50 2008
MD5 Checksum: e50a753f0dad3a0479dea861496b0e51

/// File Name: rathole-1.2.tar.gz
Description: RatHole is a Unix backdoor which compiles cleanly on standard Linux and OpenBSD (probably other BSD flavors also) without additional libraries. It features Blowfish encryption, process name hiding and definition of a preferred shell. It prints no error messages (e.g. for sockets already bound) because it is meant to be stealthy. When a client connects to the backdoor, a new shell process and two pipe files are created. The I/O of the shell is dup'd to the pipes and the daemon encrypts the communication.
Author: Incognito/STK
File Size: 11419
Last Modified: Nov 30 01:51:07 2007
MD5 Checksum: c652966a5d9a09c29369794979d4ac6b
