WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that aims to provide a stealthy, terminal-like connection over HTTP between a client and a web server. It is a post-exploitation tool for maintaining access to a compromised web server. WeBaCoo was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing system commands on the compromised server. The obfuscated communication is carried in the Cookie fields of HTTP headers within valid client HTTP requests and the corresponding web server responses.
8e6fe6a513916c776350b0cbff29427e8719a4d3095dfe4fdd3b4ad34e3bde2e
WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit that aims to provide a stealthy, terminal-like connection over HTTP between a client and a web server. It is a post-exploitation tool for maintaining access to a compromised web server. WeBaCoo was designed to operate under the radar of modern, up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy mechanism for executing system commands on the compromised server. The obfuscated communication is carried in the Cookie fields of HTTP headers within valid client HTTP requests and the corresponding web server responses.
6e46638034d12ee47a4a4955583b5065ffc4d0142d553c15fc90abbf42ca5b89
Jynx Kit is a LD_PRELOAD userland rootkit. Fully undetectable from chkrootkit and rootkithunter. Includes magic packet SSL reverse back connect shell. Solid building block for further LD_PRELOAD rootkits.
bbeb032e2f9929a6af65472aee0188c9962b2569eed6ca4c4d073142f10ab850
This is simply a PHP shell with a bunch of features like spoofing mail, file uploads, and more.
4b62d88653f707028740984998a846bce54234865cd62cec045e7c6dffb125ed
Knull Shell Alpha1 is a PHP shell that has bind, reverse, and backpipe shells.
ad77bcbd30f3d90fdb9ea4fa2d171918170d050e6362eb389985fee2e78fd1ef
Ani-Shell is a simple PHP shell with some unique features, including a mass mailer, a DDoS tool, a connect-back shell, a bind shell, and more.
5d436e5e3f0f9049b1f6c13ff1c3e8d6533281bd4fb1495f94866b260b5e0b5a
Turtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
5d9c7ea1f5b26a22623fcf4d3cef0c6fe8dce24ab8d206098990fb0f90ad98ce
This post-escalation bash script sanitizes 29 logs, adds a root user, and allows for package installation including hashcat, nmap, and more. Written for Ubuntu.
dbcfe980157abcbf52b90ed25f13f5a5ca5b90bf4ec49c9d58423b69de944a14
This archive has the H4ckcity PHP backdoor script along with a tutorial written in Persian.
8ebfc9a80c59fc7685830768e0b0e61b40167f043d648478e5de84c59a300d6e
SyRiAn Sh3ll is a PHP backdoor that allows for database access, local exploitation of the host, and more.
0e7f6e9c57da41f9316262dc22b4b3227f52c30f15747639a8780ab3c18c4fa8
This is the Viper auto-rooting script that is written for Linux, SunOS, Mac OS X, and FreeBSD.
5c2ab18173e0e9d1c12ceccdd9635d100e00896d535a7816b65d5b030a8c0d1a
Included in this archive is a private rootkit found in the wild that uses libcall hijacking. A detailed research analysis of how it functions has been created and is in the ncom.txt file.
796fea476f1404100a509b2b4c0c463f28d539d1bb611efada016038aad1d7a1
This tarball was discovered on a Debian Lenny host after it was compromised via the recent remote root Exim vulnerability. It includes binaries such as the MIG logcleaner and backdoored versions of top, uptime, free, pgrep and more. Please note that a thorough analysis of these binaries has not been performed; they must be considered unsafe and untrustworthy. Only use the enclosed contents for research purposes. Further details regarding this rootkit can be obtained via the reddit link.
6a324fcebd39bee3df601a2c0bae779d4238f227c025bef29ca33382ddbcd665
This is a backdoor PHP shell from ITSecTeam. It can execute system commands, bypass various controls, connect to common databases, and edit files and directories.
ae3a70be5946b093e55e474cf25408d6390702e587d8d5b24404f442be5ddbd5
Turtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
8b8bd3b4567213634fa8d095649b277321095be6c15b34acae704bab66f4b1d5
This is a backdoor PHP shell from ITSecTeam.
428640bd9e6ab10814a7560818cb822084078acd863ae3339c157e9a31c524db
Devshell is a CGI backdoor kit.
e699799c202eec8044569a1867fb88d39c859b87c9907c500f63a15c122997a3
EvilBS is a bindshell for Linux that has AES-256 symmetric encryption, can operate in reverse connect mode, has SOCKS4 proxy support and more.
53782e7dfdb8ce46e8d5cbc85f2c97a2131912e4cb783b0002850349af550897
This is the ZoRBaCK Connect php script that allows for a remote shell on a compromised host.
d5226055e30c86c65d275b843a2bf889713d2e585da4851f73e2b3df09c6c0e8
ISTAR is a set of Python scripts that perform various functions, including the use of ptrace to simulate a userland rootkit.
3bb7022c0e550e915f5519e4b603de58dd1f094954e4b0c4b1307ece8b015b34
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside the system_call and sysenter_entry handlers, so it does not modify the sys_call_table or the IDT contents. It hides files, directories, and processes, hides chunks inside of files, gives remote reverse_shell access, local root, etc. This version of the rootkit is specifically ported to work on Ubuntu 8.04 with the 2.6.24 kernel. No backwards compatibility is provided. The modified rootkit was simply meant as a proof of concept for a book. The documentation was not updated to reflect the changes, and this was submitted to the site anonymously. Use at your own risk.
4328023a68a04ed6b7e159bb91a29b0c38de5eb14dda0d149ea8a62073244c4d
This user-land rootkit hijacks the libc accept() call via LD_PRELOAD and yields back a non-interactive shell on the remote host. The .so file is placed under the trusted library path. This has been written to specifically target sshd on Solaris, although other daemons (e.g. bind, sendmail, apached) can also be targeted. It has been tested on Solaris 10. Read the files inside for comments on further shell interaction.
7987443dddeca5ef652aa2a782472ce53514e94d8e6bc5c72c114202001251b2
Hacked version of script that logs everything typed to /tmp/.x11sock. Based heavily on script.c.
ffaedfe839e7a9bcf9b642da14a75df2d7fe351c1b3e44ff9b7c3b251816b3b0
3vilsh3ll is a remote backdoor that shuffles a shell back to a remote host when hit with an ICMP packet that has special settings.
a4a668163c7e61330d54c7d954f4e67c8d4b0cf20bf7c6186e755e7be503d257
The Klueless Klowns Team variant of the c99 php shell.
0fe81b489e390113feb7ba02fccf9f98d277d8a6fe930743d7211895dc8acf41