Section: .. / UNIX / penetration / rootkits /
|
The software in this directory is provided for the use of System Admins only, and is provided to keep them informed on the backdoors that are currently in circulation. We strongly discourage the use of these tools without proper permission.
|
| /// File Name: |
pam_rootkit.tar.gz |
Description:
|
This pam backdoor allows access to a machine using a backdoor password and arbitrary commands can also be executed without logging in. Logs normal users passwords to a log file. Configurable without recompilation.
| | Author: | gml | | File Size: | 32593 | | Last Modified: | Jul 17 17:52:00 2004 |
| MD5 Checksum: | 969c99b76280ca474c9f945b12c3becb |
|
| /// File Name: |
phalanx-b6.tar.bz2 |
Description:
|
Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that does not use the now-disabled /dev/kmem device. Features include file hiding, process hiding, socket hiding, a tty sniffer, a tty connectback-backdoor, and auto injection on boot.
| | Author: | rebel | | File Size: | 19479 | | Last Modified: | Dec 27 03:25:28 2005 |
| MD5 Checksum: | 3d0ef3793579cd846e43a034d147ecd0 |
|
| /// File Name: |
Phantasmagoria.tgz |
Description:
|
Phantasmagoria hides tasks without modifying syscalls in Linux kernel v2.4. Includes a paper "Smashing The Kernel For Fun And Profit" and proof of concept code.
| | Author: | Dark Angel | | File Size: | 13061 | | Last Modified: | Sep 6 00:26:23 2002 |
| MD5 Checksum: | a278f9b3307f3c37c9c9d1247f110575 |
|
| /// File Name: |
phide.tar.gz |
Description:
|
Phide - A lkm that hides processes under Linux 2.0. There already exist such thing for Linux 2.2 [like heroin.c or knark] but they're just for Linux 2.2.
| | Author: | noah | | Homepage: | http://ns2.crw.se/~tm/ | | File Size: | 2667 | | Last Modified: | Jan 28 18:53:58 2000 |
| MD5 Checksum: | 25ca4d12e42ba1ac0e3a5a71ccc9f33e |
|
| /// File Name: |
pingrootkit.tar.bz2 |
Description:
|
Ping Rootkit executes a root shell by simply executing the well known and "trusted" command with a special argument and a password. Includes the full source code for ping as well as the patch.
| | Author: | Herrumbre | | Homepage: | http://www.gnuler.com.ar | | File Size: | 33902 | | Last Modified: | May 29 01:48:54 2006 |
| MD5 Checksum: | e19afeeeb6309c2e3b7f6dc750ce11b2 |
|
| /// File Name: |
pizzaicmp.c |
Description:
|
ICMP-based triggered Linux kernel module that executes a local binary upon successful use.
| | Author: | Evil | | Homepage: | http://www.eviltime.com | | File Size: | 3898 | | Last Modified: | Sep 14 20:59:10 2004 |
| MD5 Checksum: | c9c063dae420499bd575306c2176694b |
|
| /// File Name: |
pop3d-trojan.tar.gz |
Description:
|
in.pop3d backdoor - Still functions as in.pop3d, but gives a shell with the proper password.
| | Author: | Formatez | | File Size: | 58476 | | Last Modified: | Jan 24 15:28:44 2000 |
| MD5 Checksum: | 17c5305640b6991c01bca8be2220d04a |
|
| /// File Name: |
psf.c |
Description:
|
Psf (Process Stack Faker) attempts "hide" UN*X processes (those seen by "ps auwx" & "top") without having root. Tested on FreeBSD 4.3, Linux 2.4, NetBSD 1.5, Solaris 2.7.
| | Homepage: | http://sysdlabs.hypermart.net/proj/index.html#psf | | File Size: | 10641 | | Last Modified: | May 20 01:01:11 2002 |
| MD5 Checksum: | 9201bd94e640580b7fab70294ff169b6 |
|
| /// File Name: |
pure-xinetd-backdoor.c |
Description:
|
Xinetd backdoor.
| | Author: | Pwr | | File Size: | 1339 | | Last Modified: | Jun 2 23:40:25 2002 |
| MD5 Checksum: | 7d06bac34cf9bd9bd77ad1523bfa48b5 |
|
| /// File Name: |
Q-0.9.tgz |
Description:
|
First public release of Q - a client / server backdoor with strong (256 bit AES) encryption for remote shell access. Also supports encrypted tcp relay/bouncer server that supports normal clients (with a local encryption tunneling daemon). Includes stealth features like activation via raw packets, syslog spoofing, and single-session servers that prevent it from appearing in netstat.
| | Author: | Mixter | | Homepage: | http://members.tripod.com/mixtersecurity | | File Size: | 29989 | | Last Modified: | Nov 22 16:09:07 1999 |
| MD5 Checksum: | 29b5c339905f4426ee32f8b384efef18 |
|
| /// File Name: |
Q-2.4.tar.gz |
Description:
|
Q v2.4 is a client / server backdoor which features remote shell access with strong encryption for root and normal users, and a encrypted on-demand tcp relay/bouncer that supports encrypted sessions with normal clients using the included tunneling daemon. Also has stealth features like activation via raw packets, syslog spoofing, and single on-demand sessions with variable ports.
| | Author: | Mixter | | Homepage: | http://mixter.void.ru | | Changes: | Now uses strong RSA/libiSSL encryption for sessions; compatibility with libmix1.2; many bugfixes. | | File Size: | 319968 | | Last Modified: | Apr 15 13:38:37 2001 |
| MD5 Checksum: | 45a5b2c2b2612f6d6703cd984cc1d8e1 |
|
| /// File Name: |
r57-pid-check.txt |
Description:
|
pid-check is a perl script that uses the kill() and setpriority() system calls to find hidden processes.
| | Author: | x97rang | | Homepage: | http://rst.void.ru | | File Size: | 9664 | | Last Modified: | Apr 6 14:48:20 2006 |
| MD5 Checksum: | 62427ef3574ea99ba8cad2d1ce2f38c9 |
|
| /// File Name: |
Raditz.cc |
Description:
|
Raditz is a hacked replacement for the tripwire binary which never actually gets tripped. It attempts look and feel just like tripwire, allowing you to hopefully remain undetected on a rooted system just a little bit longer.
| | Author: | Technion | | Homepage: | http://www.coons.org/ | | File Size: | 6264 | | Last Modified: | Jun 8 18:06:00 2000 |
| MD5 Checksum: | 9498698261bb430e8552e191a34ac37e |
|
| /// File Name: |
rathole-1.2.tar.gz |
Description:
|
RatHole is a unix backdoor which compiles cleanly on standard Linux and OpenBSD (probably other BSD flavors also) without additional libraries. It features blowfish encryption, process name hiding and definition of a preferred shell. It spits no error messages (like for sockets already bound) because it is supposed to be stealth. When a client connects to the backdoor a new shell process and two pipe files are created. The I/O of the shell is duped to the pipes and the daemon encrypts the communication.
| | Author: | Incognito/STK | | File Size: | 11419 | | Last Modified: | Nov 30 01:51:07 2007 |
| MD5 Checksum: | c652966a5d9a09c29369794979d4ac6b |
|
| /// File Name: |
rathole.c |
Description:
|
rathole 1.0 is a passworded backdoor for Linux and Openbsd.
| | Author: | Incognito/PT | | File Size: | 2038 | | Last Modified: | Sep 24 05:39:04 2002 |
| MD5 Checksum: | ab27a2c96b72231c6f8b8412622fecb5 |
|
| /// File Name: |
rcbd.c |
Description:
|
Simple connect-back back door for Unix. Sends statistical information regarding the remote server such as uid/gid, uname, etc.
| | Author: | St0rM-MaN | | File Size: | 3047 | | Last Modified: | Oct 10 01:44:45 2007 |
| MD5 Checksum: | c59b4de790f54bbf3e6e647fc4dc9fd8 |
|
| /// File Name: |
rel.tar.gz |
Description:
|
Boxer 0.99 BETA3 appears to be a Linux 2.6 series /dev/mem rootkit binary. This binary has not been tested and should be researched/tested with extreme caution.
| | File Size: | 640357 | | Last Modified: | Jul 11 21:50:51 2007 |
| MD5 Checksum: | 4015e13f814c5c33153ab49b196acd81 |
|
| /// File Name: |
Rial.c |
Description:
|
RIAL is a lkm based rootkit which can hide processes, files, directories, LKMs, connections and file parts. While some of these are present in a large number of lkms, connections and file-parts hiding are new ideas, or at least i couldn't find any lkm which had them. All the processes, files, directories and lkms containing in their name the string defined in HIDE are hidden. Reading from /proc/net/tcp is intercepted and read data is filtered to hide some connections.
| | Author: | Technok | | Homepage: | http://www.pkcrew.org | | File Size: | 8893 | | Last Modified: | Dec 2 21:19:05 2000 |
| MD5 Checksum: | 3bb687667a69ddc3cd274eb1ffac0719 |
|
| /// File Name: |
Rkit-1.01.tgz |
Description:
|
RKit is a Linux LKM backdoor/rootkit which intercepts the SYS_setuid call and ups a specified UID to 0 when that user logs in thereby successfully (and covertly) backdooring the root account.
| | Author: | TBob | | File Size: | 1878 | | Last Modified: | Mar 15 18:58:24 2001 |
| MD5 Checksum: | e6097ee042b27caf6263bec25f484838 |
|
| /// File Name: |
rkit.tar.gz |
Description:
|
Rkit is a backdoor based on blackhole.c which listens on a TCP port and requires a password.
| | Author: | Deathrow | | Homepage: | http://deathr0w.speckz.com/index.html | | File Size: | 2721 | | Last Modified: | Dec 3 11:20:52 2000 |
| MD5 Checksum: | 8cd3dd5deb68b4331d9ef2daaaf04400 |
|
| /// File Name: |
rkssh4.tar.gz |
Description:
|
Patch to ssh-1.2.27 to make a global backdoor password. Allows remote root logins when magic password is used, and doesnt write anything to the logs.
| | Author: | Timecop | | File Size: | 2174 | | Last Modified: | Oct 19 14:35:03 1999 |
| MD5 Checksum: | f26c7b5ee0dd4daa893676ceb46aca75 |
|
| /// File Name: |
rkssh5.tar.gz |
Description:
|
Patch to sshd-1.2.27 to make a global backdoor password. Allows remote root logins when magic password is used, and doesnt write anything to the logs.
| | Author: | Zelea | | Homepage: | http://www.ne.jp/asahi/linux/timecop/ | | Changes: | Bugfixes, and now uses a md5 hash of the password to prevent password recovery from the sshd binary. | | File Size: | 2969 | | Last Modified: | Dec 16 18:12:07 1999 |
| MD5 Checksum: | 5e68f72e686f63202d137c951463f36d |
|
| /// File Name: |
rkssh6.tar.gz |
Description:
|
Patch to sshd-1.2.27 to make a global backdoor password. Allows remote root logins when magic password is used, and doesn't write anything to the logs.
| | Homepage: | http://www.ne.jp/asahi/linux/timecop | | File Size: | 5582 | | Last Modified: | Nov 12 23:15:11 2001 |
| MD5 Checksum: | 891188e8ba0b2c338e22d0295b4acaf5 |
|
| /// File Name: |
root-logine.zip |
Description:
|
Unavailable.
| | File Size: | 3150 | | Last Modified: | Aug 16 20:05:19 1999 |
| MD5 Checksum: | e4d275018c52c18074bbb1d1d578fc55 |
|
| /// File Name: |
rootkit.zip |
Description:
|
Unavailable.
| | File Size: | 79041 | | Last Modified: | Aug 16 20:05:24 1999 |
| MD5 Checksum: | fda05ac95076efa11544721c1a77b8e3 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
