Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
devshell.zip |
Description:
|
Devshell is a CGI backdoor kit.
| | Author: | b374k | | File Size: | 242887 | | Last Modified: | Jun 19 17:59:24 2010 |
| MD5 Checksum: | 39dde46e36900c98808b11eb98aa5fbb |
|
| /// File Name: |
evilbs.tar.gz |
Description:
|
EvilBS is a bindshell for Linux that has AES-256 symmetric encryption, can operate in reverse connect mode, has SOCKS4 proxy support and more.
| | Author: | gat3way | | File Size: | 28882 | | Last Modified: | Feb 20 12:45:15 2010 |
| MD5 Checksum: | 0572f3023b4ad5d3b046810e5442b1d8 |
|
| /// File Name: |
connect-back.php.txt |
Description:
|
This is the ZoRBaCK Connect php script that allows for a remote shell on a compromised host.
| | Author: | ZoRLu | | File Size: | 1460 | | Last Modified: | Nov 23 17:52:36 2009 |
| MD5 Checksum: | b860aa3459439b6f1f0deafbe8336aab |
|
| /// File Name: |
enyelkm-1.3-no-objs.tar.gz |
Description:
|
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table, or IDT content. It hide files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc. This version of the rootkit is specifically ported to work on Ubuntu 8.04 with the 2.6.24 kernel. No backwards compatibility is provided. The modified rootkit was simply meant as a proof of concept for a book. The documentation was not updated to reflect the changes and this was submitted to the site anonymously. Use are your own risk.
| | Author: | RaiSe | | Homepage: | http://www.enye-sec.org | | File Size: | 12903 | | Last Modified: | Feb 25 16:59:12 2009 |
| MD5 Checksum: | a12a5b779ec0ab22fd03e28503ed014d |
|
| /// File Name: |
solaris-sshd.tar.gz |
Description:
|
This user-land rootkit hijacks the libc accept() call via LD_PRELOAD and yields back a non-interactive shell on the remote host. The .so file is placed under the trusted library path. This has been written to specifically target sshd on Solaris, although other daemons (e.g. bind, sendmail, apached) can also be targeted. It has been tested on Solaris 10. Read the files inside for comments on further shell interaction.
| | Author: | C Papathanasiou,Subere | | File Size: | 2056 | | Last Modified: | Feb 24 19:36:41 2009 |
| MD5 Checksum: | 0dab00507d3dfcc24d413cffa63f9143 |
|
| /// File Name: |
funnyscript.c |
Description:
|
Hacked version of script that logs everything typed to /tmp/.x11sock. Based heavily on script.c.
| | Author: | Andrea Montanari | | File Size: | 11779 | | Last Modified: | Dec 8 20:26:50 2008 |
| MD5 Checksum: | e50a753f0dad3a0479dea861496b0e51 |
|
| /// File Name: |
evilshell.c |
Description:
|
3vilsh3ll is a remote backdoor that shuffles a shell back to a remote host when hit with an ICMP packet that has special settings.
| | Author: | Simpp | | File Size: | 8166 | | Last Modified: | Sep 2 23:06:44 2008 |
| MD5 Checksum: | 9be2c39a2ac092d94439ef53aecd613a |
|
| /// File Name: |
c99.tgz |
Description:
|
The Klueless Klowns Team variant of the c99 php shell.
| | Author: | Kristo Pher | | Homepage: | http://www.kkteam.co.uk/ | | File Size: | 42359 | | Last Modified: | Aug 18 20:18:25 2008 |
| MD5 Checksum: | d6506a5108aaebac55098b3e56a15083 |
|
| /// File Name: |
ezmal-0.2.zip |
Description:
|
EZMal is a Mac OS X Trojan Kit that will attach a persistent bindshell to applications.
| | Author: | microphone8000 | | File Size: | 13952 | | Last Modified: | Jul 30 22:57:19 2008 |
| MD5 Checksum: | 1af27ee2d196b8eccedf3762e3a16c01 |
|
| /// File Name: |
3vilSh3ll.c |
Description:
|
Classic backdoor bindshell that is password protected, hides activity, forks, and does all the expected functions of an evil backdoor.
| | Author: | Simpp | | File Size: | 7272 | | Last Modified: | Mar 18 22:25:36 2008 |
| MD5 Checksum: | 9cf37a9cec5547cca5c9872fbe651b5f |
|
| /// File Name: |
m_rev-0.2.c |
Description:
|
A little ptrace()-based utility for process argument/name hiding. Works on most Linux 2.6 kernels/configurations (x86/x86-64 architecture).
| | Author: | ernie@ernie | | File Size: | 20129 | | Last Modified: | Jan 29 21:49:07 2008 |
| MD5 Checksum: | 2e8bb365b19a752d7bde5b88a1045089 |
|
| /// File Name: |
rathole-1.2.tar.gz |
Description:
|
RatHole is a unix backdoor which compiles cleanly on standard Linux and OpenBSD (probably other BSD flavors also) without additional libraries. It features blowfish encryption, process name hiding and definition of a preferred shell. It spits no error messages (like for sockets already bound) because it is supposed to be stealth. When a client connects to the backdoor a new shell process and two pipe files are created. The I/O of the shell is duped to the pipes and the daemon encrypts the communication.
| | Author: | Incognito/STK | | File Size: | 11419 | | Last Modified: | Nov 30 01:51:07 2007 |
| MD5 Checksum: | c652966a5d9a09c29369794979d4ac6b |
|
| /// File Name: |
rcbd.c |
Description:
|
Simple connect-back back door for Unix. Sends statistical information regarding the remote server such as uid/gid, uname, etc.
| | Author: | St0rM-MaN | | File Size: | 3047 | | Last Modified: | Oct 10 01:44:45 2007 |
| MD5 Checksum: | c59b4de790f54bbf3e6e647fc4dc9fd8 |
|
| /// File Name: |
erne.txt |
Description:
|
New bypass shell for Linux servers. What you don't want to find lying around in your webroot.
| | Author: | Erne | | Homepage: | http://www.biyosecurity.net/ | | File Size: | 44624 | | Last Modified: | Sep 24 23:57:40 2007 |
| MD5 Checksum: | bf610ba81441e60aee255f2286010400 |
|
| /// File Name: |
rel.tar.gz |
Description:
|
Boxer 0.99 BETA3 appears to be a Linux 2.6 series /dev/mem rootkit binary. This binary has not been tested and should be researched/tested with extreme caution.
| | File Size: | 640357 | | Last Modified: | Jul 11 21:50:51 2007 |
| MD5 Checksum: | 4015e13f814c5c33153ab49b196acd81 |
|
| /// File Name: |
mood-nt_2.3.tgz |
Description:
|
Mood-NT 2.3 is a linux kernel rootkit for kernels 2.4.x and 2.6 versions below 2.6.20. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. It fully supports vsyscalls and if the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 36881 | | Last Modified: | Jun 6 18:38:28 2007 |
| MD5 Checksum: | c22f5dbb5757237be40c621f487ae8e2 |
|
| /// File Name: |
backdoor.tar.gz |
Description:
|
This tarball has original source code for FreeBSD binaries such as find, fstat, kldstat, etc along with a script that enables you to easily set how you want them backdoored.
| | Author: | Dark.iNiTro | | Homepage: | http://ccb.0x48k.cc/index.php?module=files | | File Size: | 245330 | | Last Modified: | May 2 20:06:51 2007 |
| MD5 Checksum: | 3046022b733bd0ccc37165e34a2db7ad |
|
| /// File Name: |
openssh-4.6p1-backdored.tar.gz |
Description:
|
The backdoored version of OpenSSH 4.6p1. It logs passwords to /tmp/.sshell and also has the typical magic password.
| | Author: | ShadOS | | File Size: | 982882 | | Last Modified: | Apr 17 12:14:44 2007 |
| MD5 Checksum: | 082ab530608f02982dfcd57a28017ab3 |
|
| /// File Name: |
openssh-4.5p1_backdoored.tar.gz |
Description:
|
Backdoored version of OpenSSH 4.5p1 that logs passwords to /var/tmp/sshbug.txt.
| | Author: | santabug | | File Size: | 1005183 | | Last Modified: | Nov 16 12:22:39 2006 |
| MD5 Checksum: | 98c87de1cf5683f9400828281e3f0769 |
|
| /// File Name: |
mood-nt.tgz |
Description:
|
Mood-NT is a linux kernel rootkit suckit2-like for 2.4.x/2.6.x kernels. It can hide processes, files, connections (unix, raw, and ipv6 too), promisc flag and it allows tty sniffing, exec redirection, exec parameters sniffing, has an internal private init script for starting whatever you want on boot. It has a lot of anti-detectors engines and a unique hiding engine hardware based (through the debug registers) that makes it completely stealth on x86 machines. If the kernel changes it automatically reinstall itself on boot.
| | Author: | darkangel | | Homepage: | http://darkangel.antifork.org | | File Size: | 35005 | | Last Modified: | Oct 24 17:12:23 2006 |
| MD5 Checksum: | c046c7882ca919d595b8491be609d149 |
|
| /// File Name: |
logginsh.txt |
Description:
|
loggin.sh is a script written to emulate a Linux login prompt and then record the logins to /tmp/.dump.
| | Author: | Pranav Joshi,Deepak Kaul | | File Size: | 1266 | | Last Modified: | Jun 5 04:40:02 2006 |
| MD5 Checksum: | 59b000733a8ab35f124a73afcd31bf40 |
|
| /// File Name: |
pingrootkit.tar.bz2 |
Description:
|
Ping Rootkit executes a root shell by simply executing the well known and "trusted" command with a special argument and a password. Includes the full source code for ping as well as the patch.
| | Author: | Herrumbre | | Homepage: | http://www.gnuler.com.ar | | File Size: | 33902 | | Last Modified: | May 29 01:48:54 2006 |
| MD5 Checksum: | e19afeeeb6309c2e3b7f6dc750ce11b2 |
|
| /// File Name: |
m0rtix.c |
Description:
|
m0rtix.c is a simple C linux backdoor which bind a shell to a port with tty fork. The processes are hidden and it contains a kernel version detector which tell you what local root exploit you must use to root the system.
| | Author: | jeremy still | | File Size: | 12040 | | Last Modified: | Apr 28 20:30:27 2006 |
| MD5 Checksum: | 6503eae7a42fb2d5336a3a0cde0c5bb0 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
