EZMal is a Mac OS X trojan kit that attaches a persistent bindshell to applications.
ede6c9e28e6281d843450ff08dfd351c31a3be99c34168bd69790f9c74034168
Classic backdoor bindshell that is password protected, hides its activity, forks into the background, and does all the expected functions of an evil backdoor.
344dd067c46597172bc90327ee89b098c5816e46349abe086be4e827d488c46c
A little ptrace()-based utility for process argument/name hiding. Works on most Linux 2.6 kernels/configurations (x86/x86-64 architecture).
c8189416cea76ef2b7593e1099350b755174245c2e87c027f52dae3aff4fe941
RatHole is a Unix backdoor which compiles cleanly on standard Linux and OpenBSD (probably other BSD flavors also) without additional libraries. It features Blowfish encryption, process name hiding and definition of a preferred shell. It prints no error messages (for example when the socket is already bound) because it is meant to be stealthy. When a client connects to the backdoor a new shell process and two pipe files are created. The I/O of the shell is dup()'d onto the pipes and the daemon encrypts the communication.
fbe5c36d731f754dcc4388d276bef0b3b889807efd52695ac4245bf802edad60
Simple connect-back backdoor for Unix. Sends statistical information about the remote server such as uid/gid, uname, etc.
2e1e678ec44e8a8dd04699775555f44b001eb535aa98bfd66e2d7b932893bd3c
New bypass shell for Linux servers. What you don't want to find lying around in your webroot.
406bc0cd44ee8416796f2a5e638f43e920086a09ef3a7eed8c7939e13adc3115
Boxer 0.99 BETA3 appears to be a Linux 2.6 series /dev/mem rootkit binary. This binary has not been tested and should be researched/tested with extreme caution.
573e2154c1af45b89c76906c7781788bce59db3910d3f9b9535468e915d4b829
Mood-NT 2.3 is a Linux kernel rootkit for 2.4.x kernels and 2.6 kernels below 2.6.20. It can hide processes, files, connections (unix, raw, and ipv6 too) and the promisc flag, and it allows tty sniffing, exec redirection and exec parameter sniffing. It has an internal private init script for starting whatever you want on boot. It has a lot of anti-detector engines and a unique hardware-based hiding engine (using the debug registers) that makes it completely stealthy on x86 machines. It fully supports vsyscalls and, if the kernel changes, it automatically reinstalls itself on boot.
012a5bab721e46dbce7f6cd37dc53ff79ac5dee9f75ea82a5b9c248d286935b8
This tarball has the original source code for FreeBSD binaries such as find, fstat, kldstat, etc., along with a script that lets you easily set how you want them backdoored.
a22c42648d2f553deabe8995e837aaf579299b30c1c7d9668ee0fd365e2c32ee
Backdoored version of OpenSSH 4.5p1 that logs passwords to /var/tmp/sshbug.txt.
9a8ba9bc0a0cb4015271c8d343320c84897ad229fee3c44666e47b7b5162e52d
Mood-NT is a SucKIT2-like Linux kernel rootkit for 2.4.x/2.6.x kernels. It can hide processes, files, connections (unix, raw, and ipv6 too) and the promisc flag, and it allows tty sniffing, exec redirection and exec parameter sniffing. It has an internal private init script for starting whatever you want on boot. It has a lot of anti-detector engines and a unique hardware-based hiding engine (using the debug registers) that makes it completely stealthy on x86 machines. If the kernel changes it automatically reinstalls itself on boot.
b6fdbe271e20c2decd39606ddd7120a97d4342ab43b9ee7ead8e6981a659c90e
loggin.sh is a script written to emulate a Linux login prompt and then record the logins to /tmp/.dump.
25efdb578dca2b158dfb5d8a658aba550bf036075c4bcb2b131f68efe422a7b5
Ping Rootkit spawns a root shell by simply running the well-known and "trusted" ping command with a special argument and a password. Includes the full source code for ping as well as the patch.
c7acdb96649bef8bef829b8576e58a4b7fd44ac4f648b44e4b5698740849a301
m0rtix.c is a simple C Linux backdoor which binds a shell to a port and forks a tty for it. The processes are hidden, and it contains a kernel version detector which tells you which local root exploit you must use to root the system.
dd97d5b150059d75f024e99f8576e32a171c4a1e79fea55224c739fef7a891e6
wnetstat.pl is a small Perl wrapper script that hides chosen IPs from netstat output.
02bc906fe5883774a8295c8c29a77175963ce43fbd71869d1fef8126325afe45
SSHeater is a program that infects the running OpenSSH daemon in order to log all future sessions and implement a backdoor where a single password, chosen by the user, can log into every account on the system. A log parser included in the package can display authentication information about sessions as well as replay a session just like ttyrec/ttyplay.
ddc5f0ffbef955cabdf2fb58ed422c04a74622619744e0a7698ca94c6723c5ab
pid-check is a Perl script that uses the kill() and setpriority() system calls to find processes hidden from the process listing.
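The technique pid-check relies on, as an added C example written for this page (it is not pid-check itself): brute-force the PID space with kill(pid, 0) and getpriority(), which ask the kernel directly whether a PID exists, and compare the answer with the numeric entries of /proc, the listing a userland rootkit or a hooked getdents() filters. A PID the syscalls confirm but readdir("/proc") does not show is a candidate. Two caveats a practitioner hits immediately are handled: threads answer kill() but are never listed in /proc, so /proc/<pid>/status is consulted to drop them, and /proc is listed a second time after the probe loop so a process born mid-scan is not reported. It assumes Linux with /proc mounted; all function names are this example's own.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the kernel says `pid` exists. Both syscalls are used so that a rootkit
 * hooking only sys_kill (the usual target) still leaks the PID via getpriority. */
int probe_pid(pid_t pid)
{
    if (kill(pid, 0) == 0 || errno == EPERM)   /* EPERM: exists, just not ours */
        return 1;
    errno = 0;
    getpriority(PRIO_PROCESS, pid);            /* -1 is a legal nice value, so check errno */
    return errno != ESRCH;
}

/* 1 if /proc/<pid>/status says this id is a thread of another thread group.
 * Threads answer kill() but are never readdir()-visible in /proc, so without
 * this filter every multithreaded daemon would look "hidden". */
int is_thread(pid_t pid)
{
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;                              /* no status file: keep it as a candidate */
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1)
            break;
    fclose(f);
    return tgid != -1 && tgid != (int)pid;
}

/* pid_max bounds the probe loop; 32768 is the classic default, modern 64-bit
 * kernels use 4194304. Falls back to 32768 if the file cannot be read. */
long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 32768; fclose(f); }
    return v;
}

int bit_set(const unsigned char *map, long pid) { return (map[pid / 8] >> (pid % 8)) & 1; }

/* Mark every numeric /proc entry in a bitmap: the userland view of the PID list. */
void list_proc_pids(unsigned char *seen, long pid_max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d)
        return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*e->d_name && *end == '\0' && pid > 0 && pid < pid_max)
            seen[pid / 8] |= (unsigned char)(1u << (pid % 8));
    }
    closedir(d);
}

/* Full scan: returns the number of hidden PIDs written to `out` (at most `max`). */
size_t find_hidden_pids(pid_t *out, size_t max)
{
    long pid_max = read_pid_max();
    unsigned char *before = calloc((size_t)pid_max / 8 + 1, 1);
    unsigned char *after  = calloc((size_t)pid_max / 8 + 1, 1);
    pid_t *cand = calloc(max, sizeof *cand);
    size_t nc = 0, nh = 0;
    if (!before || !after || !cand)
        goto done;
    list_proc_pids(before, pid_max);
    for (long pid = 1; pid < pid_max && nc < max; pid++) {
        if (bit_set(before, pid) || !probe_pid((pid_t)pid) || is_thread((pid_t)pid))
            continue;
        cand[nc++] = (pid_t)pid;
    }
    list_proc_pids(after, pid_max);            /* second listing filters processes born mid-scan */
    for (size_t i = 0; i < nc; i++)
        if (!bit_set(after, cand[i]) && probe_pid(cand[i]))
            out[nh++] = cand[i];
done:
    free(before); free(after); free(cand);
    return nh;
}

int main(void)
{
    pid_t hidden[256];
    size_t n = find_hidden_pids(hidden, 256);
    for (size_t i = 0; i < n; i++)
        printf("hidden pid %d\n", (int)hidden[i]);
    printf("%zu hidden pid(s) found\n", n);
    return n ? 2 : 0;
}
```

Run it as root so EPERM does not mask anything; a kernel rootkit that hooks both sys_kill and sys_getpriority (as the LKM rootkits listed on this page can) defeats this check, which is why pid-check is only a cheap first pass before looking at the kernel itself.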
c84e1506e2f1e46b1bb4e29b75e781654f04b72ae63c91d5917174c5ee8c0182
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside the system_call and sysenter_entry handlers, so it does not modify the sys_call_table or the IDT contents. It hides files, directories, and processes, hides chunks inside of files, and gives remote reverse-shell access, local root, etc.
35ea2786343f647b5d0d1506a2ce375502622f51df18479aad20afe05b4ce18e
The override Rootkit: an LKM Linux 2.6 rootkit that uses patched system calls. Features: hides pids and automatically hides the pids of child processes, hides network ports, hides files which begin with a user-defined prefix, and can show the hidden pids on demand.
04c076c58c76e17bab712708d97f482bcfca9fe65f29cad03d4b68cabbe13393
Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
8d08e36aad4e2f2b6ca724385b7f3fba0f30c6ca89e770a9d239706fa1f4aeba
LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside the system_call and sysenter_entry handlers, so it does not modify the sys_call_table or the IDT contents. It hides files, directories, and processes, hides chunks inside of files, and gives remote reverse-shell access, local root, etc.
607c945eb9e8b7760b860b7afda9a0934239a23077685c3bdc98f93518e535f0
Unix log cleaner that also checks to see if root is logged in.
5e6f13f781904f0f4c789db79cf90ca99edbd035180408985a46970a0d8b74ce
SucKIT Rootkit v2.0-devel-rc2. Easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without the help of LKM support, System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets and sniff TTYs.
7fca632fdea9a39f68498af15c5cf2af2989c26aaccbd99bb62ead37a0eecc69
SInAR Solaris rootkit version 0.3. Invisible kernel based rootkit for Solaris 8, 9, and 10. Special TAX release.
d19a7369d535bfb1d5a9c52d35003d81004f06539310402f8bee2e3b37e4db14
httpbd.pl is a small backdoor written in Perl that poses as httpd. It can spawn a shell and transfer files.
4c76e48efa8f53ecefbcc332995f3f43f9bbe6b96ae6069e91f28c6a58d040fb