Section: .. / UNIX / penetration / rootkits /
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
| File Name: | suckit2priv.tar.gz |
| Description: | SucKIT Rootkit v2.0-devel-rc2. Easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through a /dev/kmem trick, without relying on LKM support, System.map or the like. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets and sniff TTYs. |
| Author: | sd |
| Homepage: | http://sd.g-art.nl |
| File Size: | 465502 |
| Last Modified: | Oct 13 02:06:53 2005 |
| MD5 Checksum: | 3bb82c1fddcc47456efee6f3687e4f51 |

| File Name: | SInAR-0.3.tar.bz2 |
| Description: | SInAR Solaris rootkit version 0.3. Invisible kernel-based rootkit for Solaris 8, 9, and 10. Special TAX release. |
| Author: | Archim |
| File Size: | 6582 |
| Last Modified: | Oct 6 00:01:32 2005 |
| MD5 Checksum: | 544f71c02bf24ee9c0dc4e4c696abf3b |

| File Name: | httpbd.pl.txt |
| Description: | httpbd.pl is a small backdoor written in perl that poses as httpd. It can spawn a shell and transfer files. |
| Author: | rav3n |
| File Size: | 3016 |
| Last Modified: | Sep 23 02:34:02 2005 |
| MD5 Checksum: | e96c0debb82cfb8f22165e943001f0ba |

| File Name: | doorman-0.81.tgz |
| Description: | The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed. |
| Author: | Bruce Ward |
| Homepage: | http://doorman.sourceforge.net/ |
| Changes: | Fixed the silent doorman problem. |
| File Size: | 140643 |
| Last Modified: | Sep 7 04:35:58 2005 |
| MD5 Checksum: | f0f30132a541122fa46f4d6d321260d9 |

| File Name: | silentdoor.tar.gz |
| Description: | SilentDoor is a connectionless, PCAP-based backdoor for Linux that uses packet sniffing to bypass netfilter. It sniffs for UDP packets on port 53 and runs each packet against a decryption scheme; if the packet validates, it runs a command. Can be masked to look like any other process. Remote command utility included. |
| Author: | doctor raid |
| File Size: | 10310 |
| Last Modified: | Mar 17 02:43:57 2005 |
| MD5 Checksum: | 5a8f02eb1e1d7ca1ff8e7a30603286a3 |

| File Name: | backd00r.c |
| Description: | Unix bindshell backdoor that acts as psybnc if the password fails. |
| Author: | darkXside |
| File Size: | 2948 |
| Last Modified: | Mar 15 00:00:58 2005 |
| MD5 Checksum: | fd338c62f08e87b4b033bc88a47f9b9c |

| File Name: | SInAR-0.2.tar.bz2 |
| Description: | SInAR Solaris rootkit v0.2. Invisible kernel-based rootkit for Solaris 8, 9, and 10. |
| Author: | Archim |
| File Size: | 6300 |
| Last Modified: | Feb 18 02:35:55 2005 |
| MD5 Checksum: | 6e5dc76977f8b3fed2fd9f21ffc375dd |

| File Name: | SInAR-0.1.tar.gz |
| Description: | SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress. |
| Author: | Archim |
| File Size: | 5643 |
| Last Modified: | Jan 4 02:37:05 2005 |
| MD5 Checksum: | 3bf1b0f2efc10febf86e95d699b68638 |

| File Name: | wX.tar.gz |
| Description: | WeaponX is a kernel-based rootkit for Mac OS X which is roughly based on adore. It runs as a kernel extension, similar to an LKM. Requires Xcode. |
| Author: | Nemo |
| Homepage: | http://neil.slampt.net/files/Projects/weaponX/ |
| File Size: | 271409 |
| Last Modified: | Nov 4 18:22:59 2004 |
| MD5 Checksum: | 12fa6fb5faf460fce717f8d298625bd0 |

| File Name: | wx-01.tar.gz |
| Description: | New Macintosh OS X rootkit that is roughly based on adore. It hides itself from kextstat, netstat, utmp and wtmp. Further revisions are to include a reverse shell triggered by ARP and DNS packets. |
| Author: | nemo |
| Homepage: | http://neil.slampt.net/ |
| File Size: | 263191 |
| Last Modified: | Oct 27 02:49:35 2004 |
| MD5 Checksum: | 57d1312f1e101f52b9b08e4d557a2f99 |

| File Name: | n-du.tgz |
| Description: | N-du is a Unix backdoor which does not have any open ports. It waits for a special UDP or TCP packet, then opens a TCP port as a backdoor. |
| Author: | Serguei |
| File Size: | 5252 |
| Last Modified: | Sep 29 23:39:17 2004 |
| MD5 Checksum: | a18fef559fcfc16db6beadd02924cde6 |

| File Name: | pizzaicmp.c |
| Description: | ICMP-triggered Linux kernel module that executes a local binary upon successful use. |
| Author: | Evil |
| Homepage: | http://www.eviltime.com |
| File Size: | 3898 |
| Last Modified: | Sep 14 20:59:10 2004 |
| MD5 Checksum: | c9c063dae420499bd575306c2176694b |

| File Name: | osxrk-0.2.1.tbz |
| Description: | Mac OS X rootkit that has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more. |
| Author: | gapple |
| File Size: | 86449 |
| Last Modified: | Sep 10 12:35:27 2004 |
| MD5 Checksum: | 4d88ce2a44718703f5de06a26c26349a |

| File Name: | nx_back.c |
| Description: | Simple Unix-based backdoor that is very compact and provides a bindshell. |
| Author: | nitr0x |
| Homepage: | http://www.nitrox.xt.pl |
| File Size: | 2150 |
| Last Modified: | Sep 10 01:21:52 2004 |
| MD5 Checksum: | b102aed4733efae0cd8de45938b514bc |

| File Name: | cheetah.c |
| Description: | Cheetah version 1.0 is a remote Linux/BSD backdoor that offers low CPU usage, port/backlog selection, a remote shell, user/password protection, and process faking. |
| Author: | Tal0n |
| File Size: | 4034 |
| Last Modified: | Aug 26 15:43:31 2004 |
| MD5 Checksum: | 4b2b6b1061976b608ba5bebff00c4445 |

| File Name: | doorman-0.8.tgz |
| Description: | The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed. |
| Author: | Bruce Ward |
| Homepage: | http://doorman.sourceforge.net/ |
| Changes: | Fixed several bugs. |
| File Size: | 139950 |
| Last Modified: | Aug 5 02:55:27 2004 |
| MD5 Checksum: | 44a495d06bf81ac9a824380612035672 |

| File Name: | lyceum-2.46.tar.gz |
| Description: | Lyceum is an advanced, stealthed client/server backdoor that uses encrypted, spoofed UDP packets to administer the server and its two built-in ICMP backdoors. Each ICMP backdoor exploits a different feature of the protocol: the first creates a bi-directionally spoofed ICMP tunnel, and the second uses passive nodes as zombies to relay ICMP backdoor traffic. |
| Author: | phish |
| File Size: | 53720 |
| Last Modified: | Jul 23 21:43:29 2004 |
| MD5 Checksum: | 2fe58f1103cb072dd24f1be121814dfb |

| File Name: | doorman-0.7.tgz |
| Description: | The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed. |
| Author: | Bruce Ward |
| Homepage: | http://doorman.sourceforge.net/ |
| File Size: | 645120 |
| Last Modified: | Jul 22 18:54:28 2004 |
| MD5 Checksum: | 882db90b5b3df7e9ce4aae6f1914bbfb |

| File Name: | pam_rootkit.tar.gz |
| Description: | This PAM backdoor allows access to a machine using a backdoor password, and arbitrary commands can also be executed without logging in. Logs normal users' passwords to a log file. Configurable without recompilation. |
| Author: | gml |
| File Size: | 32593 |
| Last Modified: | Jul 17 17:52:00 2004 |
| MD5 Checksum: | 969c99b76280ca474c9f945b12c3becb |

| File Name: | mix.c |
| Description: | Simple generic backdoor protected by a password stored as an MD5 hash. Gets added into inittab. |
| Author: | Serial Killah |
| File Size: | 5244 |
| Last Modified: | May 20 17:56:09 2004 |
| MD5 Checksum: | 472a0b9ee3932c0c401d7f1c6c043625 |

| File Name: | tumbler.tar.gz |
| Description: | tumbler is a protocol that enables a client piece of software to securely tell a server process on a remote machine to execute a predetermined command. tumbler is similar to port knocking and is designed so that a remote user can securely and stealthily enable and disable server processes, or open and close firewall holes on a computer connected to the Internet. |
| Author: | John Graham-Cumming |
| Homepage: | http://tumbler.sourceforge.net/ |
| File Size: | 10240 |
| Last Modified: | Apr 18 20:45:00 2004 |
| MD5 Checksum: | b76000ec994e66526b964d7c579646ba |

| File Name: | toolkit.tgz |
| Description: | The R3dstorm Toolkit is a rootkit-like utility which hides processes and files; it was tested on Red Hat 9.0. |
| Author: | r3dstorm |
| File Size: | 1870878 |
| Last Modified: | Jan 6 03:17:32 2004 |
| MD5 Checksum: | b8d3e1b38213fa172890f41e30411dab |

| File Name: | SAdoor-20031217.tgz |
| Description: | SADoor is a non-listening remote administration tool for Unix systems. It sets up a listener in non-promiscuous mode for a specific sequence of packets arriving at the interface before allowing command mode. The commands are sent Blowfish-encrypted in the TCP payload, then decrypted and passed on to system(3). |
| Author: | CMN |
| Homepage: | http://cmn.listprojects.darklab.org/ |
| Changes: | Added a new client side application to edit database files. First release of winserver, a version of SADoor for Microsoft Windows. |
| File Size: | 472315 |
| Last Modified: | Dec 18 17:31:08 2003 |
| MD5 Checksum: | dbf4d2850da1c3d1d1849075725a7487 |

| File Name: | mybindshell2.c |
| Description: | Bindshell which has a password and defaults to TCP port 1348. Includes the ability to only allow certain IPs. |
| Author: | Konewka |
| Homepage: | http://www.olek.org/code |
| File Size: | 2157 |
| Last Modified: | Dec 14 22:25:49 2003 |
| MD5 Checksum: | ced8adcc43ee20caf12d6b514bcc2b45 |

| File Name: | tunnelshell_2.3.tgz |
| Description: | Tunnelshell is a client/server program written in C for Linux users that tunnels a shell using various methods which can bypass firewalls, such as fragmented packets, TCP ACK packets, UDP, ICMP, and raw IP packets (ipsec). |
| Author: | Fryx |
| Homepage: | http://www.geocities.com/fryxar |
| File Size: | 7410 |
| Last Modified: | Nov 21 13:35:56 2003 |
| MD5 Checksum: | 2cff53694f9cfe864f65d83f9901529b |