Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
mix.c |
Description:
|
Simple generic backdoor protected by a password encrypted with an MD5 hash. Gets added into inittab.
| | Author: | Serial Killah | | File Size: | 5244 | | Last Modified: | May 20 17:56:09 2004 |
| MD5 Checksum: | 472a0b9ee3932c0c401d7f1c6c043625 |
|
| /// File Name: |
mod_backdoor.c |
Description:
|
Apache DSO backdoor - A get request to a "special" url allows remote command execution.
| | Author: | Slash | | Homepage: | http://b0f.freebsd.lublin.pl | | File Size: | 8809 | | Last Modified: | Jun 5 14:52:24 2000 |
| MD5 Checksum: | 84e2f164eca988c6647d0dc512f4536c |
|
| /// File Name: |
modhide1.c |
Description:
|
Modhide1.c demonstrates a new method of hiding kernel modules which does not trigger any normal detection techniques because it does not change lsmod or the system call table. Instead it hacks the kernel's memory to make it "forget" the module.
| | Author: | J.B. LeSage | | File Size: | 4296 | | Last Modified: | May 23 19:59:32 2001 |
| MD5 Checksum: | 38fc557e5f938e246db103109f457d4e |
|
| /// File Name: |
mood-nt.tgz |
Description:
|
Mood-NT is a linux kernel rootkit suckit2-like for 2.4.x/2.6.x kernels. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. If the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 35005 | | Last Modified: | Oct 24 17:12:23 2006 |
| MD5 Checksum: | c046c7882ca919d595b8491be609d149 |
|
| /// File Name: |
mood-nt_2.3.tgz |
Description:
|
Mood-NT 2.3 is a linux kernel rootkit for kernels 2.4.x and 2.6 versions below 2.6.20. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. It fully supports vsyscalls and if the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 36881 | | Last Modified: | Jun 6 18:38:28 2007 |
| MD5 Checksum: | c22f5dbb5757237be40c621f487ae8e2 |
|
| /// File Name: |
Mr-Lynd0v1.1.c |
Description:
|
Mr-Lynd0 is a log clener and an instrument to hide user or to change user and host. cleans ip user and host in log files /var/log/ and hides yourself in a linux box editing wtmp and utmp.
| | Author: | click | | File Size: | 6217 | | Last Modified: | Oct 22 00:48:36 2002 |
| MD5 Checksum: | 2993d94af3a9cb610ae7511a63b33983 |
|
| /// File Name: |
Mr-Lynd0v1.2.c |
Description:
|
Mr-Lynd0 is a log cleaner and an instrument to hide user or to change user and host. cleans ip user and host in log files /var/log/ and hides yourself in a linux box editing wtmp and utmp. Version 1.2 released with bugfixes.
| | Author: | click | | File Size: | 6218 | | Last Modified: | Mar 7 01:38:35 2003 |
| MD5 Checksum: | 586820ca8ebab3a1e7edf4599c1a43d8 |
|
| /// File Name: |
mybindshell.c |
Description:
|
Bindshell which has a password and defaults to tcp port 1348.
| | Author: | Kafar | | Homepage: | http://www.olek.org/code | | File Size: | 1305 | | Last Modified: | Oct 15 16:14:24 2003 |
| MD5 Checksum: | acb885a3faa8b9468e8197811d7f280f |
|
| /// File Name: |
mybindshell2.c |
Description:
|
Bindshell which has a password and defaults to tcp port 1348. Includes the ability to only allow certain IP's.
| | Author: | Konewka | | Homepage: | http://www.olek.org/code | | File Size: | 2157 | | Last Modified: | Dec 14 22:25:49 2003 |
| MD5 Checksum: | ced8adcc43ee20caf12d6b514bcc2b45 |
|
| /// File Name: |
n-du.tgz |
Description:
|
N-du is a Unix backdoor which does not have any open ports. It waits for a special UDP or TCP packet, then opens a tcp port backdoor.
| | Author: | Serguei | | File Size: | 5252 | | Last Modified: | Sep 29 23:39:17 2004 |
| MD5 Checksum: | a18fef559fcfc16db6beadd02924cde6 |
|
| /// File Name: |
netstat.sh |
Description:
|
Netstat.sh is a shell script which compiles a C wrapper around /bin/netstat which hides a class B address space.
| | Author: | God- | | Homepage: | ftp://haxordot.org/pub/god-/ | | File Size: | 1125 | | Last Modified: | Aug 5 23:01:47 2000 |
| MD5 Checksum: | 1aaeb2723b4dba0eb612ef3fbfea415f |
|
| /// File Name: |
Netstat.zip |
Description:
|
Netstat.zip is a fake windows netstat which can hide certain network connections. Requires renaming the original netstat.
| | Author: | Digital Fire | | File Size: | 15843 | | Last Modified: | Apr 24 20:18:22 2001 |
| MD5 Checksum: | 97d5d9a6abab7e7c5a2b97e38252db12 |
|
| /// File Name: |
ntbindshell.zip |
Description:
|
Ntbindshell is a lightweight (24k compiled) cmd.exe backdoor for Windows. Full C source included. Provides two modes of operation - standard (listening mode) or reverse-connect mode. Includes the ability to install itself as a system service, providing a shell with LocalSystem privileges.
| | Author: | Christophe Devine | | File Size: | 13548 | | Last Modified: | Oct 20 21:54:48 2003 |
| MD5 Checksum: | f9263c604245a5fdff0843915d6936c4 |
|
| /// File Name: |
nx_back.c |
Description:
|
Simple unix-based backdoor that is very compact and provides a bindshell.
| | Author: | nitr0x | | Homepage: | http://www.nitrox.xt.pl | | File Size: | 2150 | | Last Modified: | Sep 10 01:21:52 2004 |
| MD5 Checksum: | b102aed4733efae0cd8de45938b514bc |
|
| /// File Name: |
openssh-2.9p2.patch |
Description:
|
Openssh-2.9p2 patch which logs the username, remote host, and password when outbound connections are made.
| | File Size: | 3608 | | Last Modified: | Dec 8 22:42:10 2001 |
| MD5 Checksum: | 506df08051bf9a4a4e83c6b57873c242 |
|
| /// File Name: |
openssh-3.6p2-bd.diff |
Description:
|
OpenSSH 3.6p2 backdoor that logs all logins and passwords to a file. Original backdoor ported for 3.6p2 by ajax
| | File Size: | 5471 | | Last Modified: | May 28 05:13:29 2003 |
| MD5 Checksum: | ed31a68cc3dc02ff8414481e41aa096e |
|
| /// File Name: |
openssh-4.5p1_backdoored.tar.gz |
Description:
|
Backdoored version of OpenSSH 4.5p1 that logs passwords to /var/tmp/sshbug.txt.
| | Author: | santabug | | File Size: | 1005183 | | Last Modified: | Nov 16 12:22:39 2006 |
| MD5 Checksum: | 98c87de1cf5683f9400828281e3f0769 |
|
| /// File Name: |
openssh-4.6p1-backdored.tar.gz |
Description:
|
The backdoored version of OpenSSH 4.6p1. It logs passwords to /tmp/.sshell and also has the typical magic password.
| | Author: | ShadOS | | File Size: | 982882 | | Last Modified: | Apr 17 12:14:44 2007 |
| MD5 Checksum: | 082ab530608f02982dfcd57a28017ab3 |
|
| /// File Name: |
osxrk-0.2.1.tbz |
Description:
|
MAC OS-X rootkit that has a lot of standard tools included, adds a TCP backdoor via inetd, does data recon, and more.
| | Author: | gapple | | File Size: | 86449 | | Last Modified: | Sep 10 12:35:27 2004 |
| MD5 Checksum: | 4d88ce2a44718703f5de06a26c26349a |
|
| /// File Name: |
ovas0n.c |
Description:
|
Opens a password protected backdoor and lets you execute commands, and then hides in the background. Based on gs.c.
| | Author: | misteri0 | | File Size: | 4160 | | Last Modified: | Jan 10 01:45:19 2000 |
| MD5 Checksum: | 43ff0cfc1b7dce9d3e4729fe7d1659a3 |
|
| /// File Name: |
override.tar.bz |
Description:
|
The override Rootkit: A LKM Linux 2.6 rootkit that uses patched systemcalls. Features - Hides pids and automatically hides the pids of child processes - Hides network ports - Hides files which begin with a user-defined prefix - Can show the hidden pids.
| | Author: | Amir Alsbih | | Homepage: | http://www.informatik.uni-freiburg.de/~alsbiha/ | | File Size: | 3883 | | Last Modified: | Jan 27 14:12:33 2006 |
| MD5 Checksum: | 31a9eb52f4907924ba9fb22287b44996 |
|
| /// File Name: |
override.tar.gz |
Description:
|
Unavailable.
| | File Size: | 3918 | | Last Modified: | Jan 26 05:04:39 2006 |
| MD5 Checksum: | ebd24e8673c12b43c1ac08a1c341075c |
|
| /// File Name: |
ownit-0.1.tar.gz |
Description:
|
Ownit is a script that installs libnet, libnids, and dsniff on a system.
| | Author: | CowDog. | | File Size: | 367936 | | Last Modified: | Nov 19 11:15:27 2002 |
| MD5 Checksum: | 16ed3989ac5deb8be2ec6ca4812a28a6 |
|
| /// File Name: |
pam_backdoor.tar.gz |
Description:
|
Proof of concept PAM backdoor for Linux and FreeBSD that adds a magic password.
| | Author: | gml | | File Size: | 464988 | | Last Modified: | Nov 5 00:26:13 2003 |
| MD5 Checksum: | 52400e00f20a11515b0e1e1bf7ee367b |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
