Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
r57-pid-check.txt |
Description:
|
pid-check is a perl script that uses the kill() and setpriority() system calls to find hidden processes.
| | Author: | x97Rang | | Homepage: | http://rst.void.ru | | File Size: | 9664 | | Last Modified: | Apr 6 14:48:20 2006 |
| MD5 Checksum: | 62427ef3574ea99ba8cad2d1ce2f38c9 |
|
| /// File Name: |
enyelkm.en.v1.1.tar.gz |
Description:
|
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table, or IDT content. It hide files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc.
| | Author: | RaiSe | | Homepage: | http://www.enye-sec.org | | Changes: | Version 1.1 | | File Size: | 9712 | | Last Modified: | Feb 20 16:28:09 2006 |
| MD5 Checksum: | 89340215b6cfceb3a176c4a30e34f5c6 |
|
| /// File Name: |
override.tar.bz |
Description:
|
The override Rootkit: A LKM Linux 2.6 rootkit that uses patched systemcalls. Features - Hides pids and automatically hides the pids of child processes - Hides network ports - Hides files which begin with a user-defined prefix - Can show the hidden pids.
| | Author: | Amir Alsbih | | Homepage: | http://www.informatik.uni-freiburg.de/~alsbiha/ | | File Size: | 3883 | | Last Modified: | Jan 27 14:12:33 2006 |
| MD5 Checksum: | 31a9eb52f4907924ba9fb22287b44996 |
|
| /// File Name: |
override.tar.gz |
Description:
|
Unavailable.
| | File Size: | 3918 | | Last Modified: | Jan 26 05:04:39 2006 |
| MD5 Checksum: | ebd24e8673c12b43c1ac08a1c341075c |
|
| /// File Name: |
phalanx-b6.tar.bz2 |
Description:
|
Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
| | Author: | rebel | | File Size: | 19479 | | Last Modified: | Dec 27 03:25:28 2005 |
| MD5 Checksum: | 3d0ef3793579cd846e43a034d147ecd0 |
|
| /// File Name: |
enyelkm.en.v1.0.tar.gz |
Description:
|
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table, or IDT content. It hide files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc.
| | Author: | RaiSe | | Homepage: | http://www.enye-sec.org | | File Size: | 9907 | | Last Modified: | Nov 30 14:14:40 2005 |
| MD5 Checksum: | 5896fe3e8a333c4e1e52daedc3422363 |
|
| /// File Name: |
rsh-v2.c |
Description:
|
Unix log cleaner that also checks to see if root is logged in.
| | Author: | rotor | | Homepage: | http://www.c1zc0.com | | File Size: | 3149 | | Last Modified: | Oct 30 19:19:11 2005 |
| MD5 Checksum: | e2e7e8f9bb27e7b5dd66041ebd4d3766 |
|
| /// File Name: |
suckit2priv.tar.gz |
Description:
|
SucKIT Rootkit v2.0-devel-rc2. Easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through /dev/kmem trick, without help of LKM support nor System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets and sniff TTYs.
| | Author: | sd | | Homepage: | http://sd.g-art.nl | | File Size: | 465502 | | Last Modified: | Oct 13 02:06:53 2005 |
| MD5 Checksum: | 3bb82c1fddcc47456efee6f3687e4f51 |
|
| /// File Name: |
SInAR-0.3.tar.bz2 |
Description:
|
SInAR Solaris rootkit version 0.3. Invisible kernel based rootkit for Solaris 8, 9, and 10. Special TAX release.
| | Author: | Archim | | File Size: | 6582 | | Last Modified: | Oct 6 00:01:32 2005 |
| MD5 Checksum: | 544f71c02bf24ee9c0dc4e4c696abf3b |
|
| /// File Name: |
httpbd.pl.txt |
Description:
|
httpbd.pl is a small backdoor written in perl that poses as httpd. It can spawn a shell and transfer files.
| | Author: | rav3n | | File Size: | 3016 | | Last Modified: | Sep 23 02:34:02 2005 |
| MD5 Checksum: | e96c0debb82cfb8f22165e943001f0ba |
|
| /// File Name: |
doorman-0.81.tgz |
Description:
|
The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed.
| | Author: | Bruce Ward | | Homepage: | http://doorman.sourceforge.net/ | | Changes: | Fixed the silent doorman problem. | | File Size: | 140643 | | Last Modified: | Sep 7 04:35:58 2005 |
| MD5 Checksum: | f0f30132a541122fa46f4d6d321260d9 |
|
| /// File Name: |
silentdoor.tar.gz |
Description:
|
SilentDoor is a connectionless, PCAP-based backdoor for linux that uses packet sniffing to bypass netfilter. It sniffs for UDP packets on port 53, runs each packet against a decryption scheme, if the packet validates than it runs a command. Can be masked to look like any other process. Remote command utility included.
| | Author: | doctor raid | | File Size: | 10310 | | Last Modified: | Mar 17 02:43:57 2005 |
| MD5 Checksum: | 5a8f02eb1e1d7ca1ff8e7a30603286a3 |
|
| /// File Name: |
backd00r.c |
Description:
|
Unix bindshell backdoor that acts as psybnc if the password fails.
| | Author: | darkXside | | File Size: | 2948 | | Last Modified: | Mar 15 00:00:58 2005 |
| MD5 Checksum: | fd338c62f08e87b4b033bc88a47f9b9c |
|
| /// File Name: |
SInAR-0.2.tar.bz2 |
Description:
|
SInAR Solaris rootkit v0.2. Invisible kernel based rootkit for Solaris 8, 9, and 10.
| | Author: | Archim | | File Size: | 6300 | | Last Modified: | Feb 18 02:35:55 2005 |
| MD5 Checksum: | 6e5dc76977f8b3fed2fd9f21ffc375dd |
|
| /// File Name: |
SInAR-0.1.tar.gz |
Description:
|
SInAR Solaris rootkit that was released at the 21st Chaos Communication Congress.
| | Author: | Archim | | File Size: | 5643 | | Last Modified: | Jan 4 02:37:05 2005 |
| MD5 Checksum: | 3bf1b0f2efc10febf86e95d699b68638 |
|
| /// File Name: |
wX.tar.gz |
Description:
|
WeaponX is a kernel based rootkit for Mac OSX which is roughly based on adore. It runs as a kernel extension, similar to a LKM. Requires Xcode. Readme available here.
| | Author: | Nemo | | Homepage: | http://neil.slampt.net/files/Projects/weaponX/ | | File Size: | 271409 | | Last Modified: | Nov 4 18:22:59 2004 |
| MD5 Checksum: | 12fa6fb5faf460fce717f8d298625bd0 |
|
| /// File Name: |
wx-01.tar.gz |
Description:
|
New Macintosh OS-X rootkit that is roughly based off of adore. It hides itself from kextstat, netstat, utmp and wtmp. Further revisions to include a reverse shell triggered by ARP and DNS packets.
| | Author: | nemo | | Homepage: | http://neil.slampt.net/ | | File Size: | 263191 | | Last Modified: | Oct 27 02:49:35 2004 |
| MD5 Checksum: | 57d1312f1e101f52b9b08e4d557a2f99 |
|
| /// File Name: |
n-du.tgz |
Description:
|
N-du is a Unix backdoor which does not have any open ports. It waits for a special UDP or TCP packet, then opens a tcp port backdoor.
| | Author: | Serguei | | File Size: | 5252 | | Last Modified: | Sep 29 23:39:17 2004 |
| MD5 Checksum: | a18fef559fcfc16db6beadd02924cde6 |
|
| /// File Name: |
pizzaicmp.c |
Description:
|
ICMP-based triggered Linux kernel module that executes a local binary upon successful use.
| | Author: | Evil | | Homepage: | http://www.eviltime.com | | File Size: | 3898 | | Last Modified: | Sep 14 20:59:10 2004 |
| MD5 Checksum: | c9c063dae420499bd575306c2176694b |
|
| /// File Name: |
osxrk-0.2.1.tbz |
Description:
|
MAC OS-X rootkit that has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more.
| | Author: | gapple | | File Size: | 86449 | | Last Modified: | Sep 10 12:35:27 2004 |
| MD5 Checksum: | 4d88ce2a44718703f5de06a26c26349a |
|
| /// File Name: |
nx_back.c |
Description:
|
Simple unix-based backdoor that is very compact and provides a bindshell.
| | Author: | nitr0x | | Homepage: | http://www.nitrox.xt.pl | | File Size: | 2150 | | Last Modified: | Sep 10 01:21:52 2004 |
| MD5 Checksum: | b102aed4733efae0cd8de45938b514bc |
|
| /// File Name: |
cheetah.c |
Description:
|
Cheetah version 1.0 is a remote Linux/BSD backdoor that offer low CPU usage, Port/Backlog selection, a remote shell, user/password protection, and process faking.
| | Author: | Tal0n | | File Size: | 4034 | | Last Modified: | Aug 26 15:43:31 2004 |
| MD5 Checksum: | 4b2b6b1061976b608ba5bebff00c4445 |
|
| /// File Name: |
doorman-0.8.tgz |
Description:
|
The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed.
| | Author: | Bruce Ward | | Homepage: | http://doorman.sourceforge.net/ | | Changes: | Fixed several bugs. | | File Size: | 139950 | | Last Modified: | Aug 5 02:55:27 2004 |
| MD5 Checksum: | 44a495d06bf81ac9a824380612035672 |
|
| /// File Name: |
lyceum-2.46.tar.gz |
Description:
|
Lyceum is an advance stealthed client/server backdoor that uses encrypted spoofed UDP packets to administer the server and the two built-in ICMP backdoors. Each ICMP backdoor exploits a different feature of the protocol, the first creating a bi-directionally spoofed ICMP tunnel and the second uses passive nodes as zombies to relay ICMP backdoor traffic.
| | Author: | phish | | File Size: | 53720 | | Last Modified: | Jul 23 21:43:29 2004 |
| MD5 Checksum: | 2fe58f1103cb072dd24f1be121814dfb |
|
| /// File Name: |
doorman-0.7.tgz |
Description:
|
The Doorman is a port-knocking listener daemon which helps users secure private servers. It allows a Unix server to run invisibly, with all TCP ports closed.
| | Author: | Bruce Ward | | Homepage: | http://doorman.sourceforge.net/ | | File Size: | 645120 | | Last Modified: | Jul 22 18:54:28 2004 |
| MD5 Checksum: | 882db90b5b3df7e9ce4aae6f1914bbfb |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
