| MD5 Sum | Filename | Description |
|---|---|---|
| 1a9c57979ed70fcd41caec26dd70fba7 | bighole | This appears to be bighole.c compiled |
| 4bf5b0e6d4c540116b3ca7ed4450a404 | bighole.c | This is code for a program to change sush to SUID root |
| 7823c211f547cdede9b0432cd49e6cbe | bindpar.x | Parses a string for exploitable versions of sendmail |
| f64d275b19738aebc92da069ae2ed463 | CrOn | AKKE's simple mail exploit. It calls /tmp/cron_echo every minute (I think) |
| 148ff4debd5b846a9414658c0d3cc2a1 | crontab.x | Another sendmail exploit from AKKE. It echoes a root account into the passwd file |
| f3fc545329fd1d04a89ac6806239ab11 | flare | #!/usr/bin/suidperl print "Nothin can stop me now...\n"; |
| a56ae118dd165cc5b19b035d3bebc42e | kernel.x | This looks like a program that exploits threads to give a root shell |
| 3b1eaaa9c73575da056c7dc36c0bbe22 | mail.x | Sendmail exploit written by Wojciech Purczynski |
| 20324a6bdffe77b00142f965df46d91d | motd | Repeats "You were hacked, you should really learn about security" 100 times |
| ab365efd3c0014ecce29409787e2b141 | perl.x | Creates flare, bighole.c, and sush.c. It makes bighole and sush then starts sush |
| 7df9ef836e85e7d5d6441916c150ecde | prlnx.sh | Older version of mail.x |
| 41b8c649ec1c7dcd9eba85171f076d33 | sush | setuid(0);setgid(0);system("/bin/bash"); |
| MD5 Sum | Filename | Description |
|---|---|---|
| 97788e18f90279d4d0f4b5ea54db20dc | generate | #Generates a list of ip addresses from $1.0.1 to $1.254.254 in file $2 |
| 3e61554860bbcb6d6abf11f1a7951194 | genmass | #Another IP generator |
| 4cfae8c44a6d1ede669d41fc320c7325 | mj2 | #These both look like the 'syn' tool from the TFN toolkit. They just send a spoofed |
| 4cfae8c44a6d1ede669d41fc320c7325 | mj3 | #SYN packet. http://www.sans.org/y2k/TFN_toolkit.htm |
| 949e8314d867f3ef52d7d7693322a48f | process_list | #Helper program. Turns wu-scan.log into ips.wu |
| 3356953fae17d5d89d3d465179cf7293 | root_them | #Runs ./process_list < wu-scan.log > ips.wu then runs ./xploit -h on each line in ips.wu |
| 985493c7847c3388f9cdc25de98183c9 | ssh | #A trojaned ssh daemon |
| bdcf49fb2edabc1d57791f2f4823e284 | suu.tgz | Not a tar but a binary that exploits su on red hat 6.2
Doing's code at http://cert.uni-stuttgart.de/archive/bugtraq/2000/11/msg00373.html |
| d61e3bf9efd12e9a048519bc4d2e5565 | wu-scan | Scans for RedHat 6.2 boxes running wu-2.6.0
Source at http://www.epoxysbox.org/files/programs/scanners/wu-scan.c |
| 1846e746acbca03e1aa7a66a1aeac34f | zxploit | Binary that exploits wu-ftpd 2.6.0 to give you root shell
Source at http://www.securiteam.com/exploits/3V5QGQKQ0C.html |
| 430e2ef18d8152823f64a4a2ae0ac0e6 | ./smrf/smrf5 | A strong DOS tool
(papa)smurf.c v5.0 by TFreak - http://www.rootshell.com |
| cf2081a248b9bbdabcb190dbbd40808d | ./smrf/smurf.ips | A list of 100 ips. |
| MD5 Sum | Filename | Description |
|---|---|---|
| de99b735a63b58baf9d0dc8b01f110a9 | adore.h | header file for the ava rootkit |
| bcb32fcbe8b054e8e35cc73a4902b016 | adr2.tgz | Adore files |
| a5fba8f3da0626ab47379c75267bd9a0 | adr.tgz | Adore files |
| bcf1c8af2be82b08a86d01008cc7209a | Go | Install script for adore and hacked SSHD |
| b0601097a9b8b410c9f7e1619c9aeab3 | ssh.tgz | hacked SSH daemon |
| MD5 Sum | Filename | Description |
|---|---|---|
| c885a0d5cd3897f2f1d1e4a8ee9865c0 | lgstrip | linsniff log parser hdlp2 by JaV http://63.164.121.201/worms/t0rn/tk/t0rnp |
| f24f304a2b6fecf31fb1751148d43bfb | nscd.init | Shell script that starts the hacked sshd, runs stad(loads and hides the ava #module) and hides everything listed in (6) of Go |
| 6e7ea425a86bb36d9fdfde4ad11b3513 | patch | downloads & installs these rpms from redhat site: wu-ftp, bind, imapd, #apache, nfs and sendmail |
| 22c3427789f619297344dcad47417456 | vrssb | log cleaner helper |
| 6c0f96c1e43a23a21264f924ae732273 | vrssnf | sniffer |
| c1cebc64b46d0027bd21bbb7e2776a13 | vrssnk | log cleaner |
Go:
1) killall -9 syslogd and store `pwd` in $pwd
2) checks if tornkit is already installed on this machine
2) checks if the machine is logging to another computer and displays a warning
3) mkdir -p these dirs
| /tmp/.dir1 | touched with /bin |
| /tmp/.dir2 | touched with /usr/X11R6/bin |
| /tmp/.dir3 | touched with /etc/rc.d/rc3.d |
| /usr/X11R6/lib/X11/.~/ | |
| /usr/X11R6/bin/.,/copy/adr/ | |
| /dev/rd/sdc0/ | |
| /usr/info/.t0rn | |
4) copies /bin/bash to /usr/X11R6/bin/.,/copy/zsh, chmods it to 7777 then runs it
5) untars ssh.tgz to $pwd/.t0rn and moves .t0rn/sharsed to /usr/X11R6/bin/.,/copy/adr/nscdx
6) runs .t0rn/shsml $1 (FIND OUT WHAT THIS DOES!!!)
7) moves .t0rn/shhash to /etc/ttyhash
8) moves .t0rn/adr.tgz and .t0rn/tls.tgz to /usr/X11R6/bin/.,/adr/ and then untars them there.
9) moves /usr/X11R6/bin/.,/adr/nscd.init to /dev/rd/nscd.init
10) it then gets a user specified port(24) or defaults to 6666
11) it then moves sharedsed, shhk, shrs, shhk.pub and shsml to /usr/info/.t0rn
12) it then adds /dev/rd/nscd.init to /etc/rc.d/rc3.d/S50inet and runs /usr/X11R6/bin/.,/copy/adr/nscdx -q (quiet, no logging)
13) then it echoes computer info such as IP, hostname, bogomips, alternative IPs, the redhat distro info and some ipchains lines
14) checks if you have make. If you don't, it downloads it for you redhat site rpm-style.
15) it'll then check if you have gcc. If not, it downloads the rpm from the redhat site.
16) the script then installs adore(0.39) rootkit. For anyone not familiar with it, here's the usage:
Usage: adore {h,u,r,R,i,v,U} [file, PID, or dummy (for U)]
h hide file
u unhide file
r execute as root
R remove PID forever
U uninstall adore
i make PID invisible
v make PID visible
17) the script'll then start ava (the frontend to adore) and start a sniffer(vrssnf logging to /usr/X11R6/bin/.,/copy/adr/tcp.log
18) it'll then use ava to hide the following:
/usr/X11R6/bin/.,
/usr/info/.t0rn
/dev/rd/sdc0
/dev/rd/nscd.init
/etc/rc.d/rc3.d/S50inet
/usr/X11R6/lib/X11
19) it then executes a log cleaner, vrssnk
20) it then echos "uucp" into /usr/X11R6/lib/.~/l.no
21) next, it touches /etc/pam.d/ and /etc/pam.d/* with /etc/default
22) it'll then chown uucp.uucp /usr/X11R6/lib/X11/.~/l.no and s.no (I'm not sure where s.no came from)
23) it then runs vrssb login, ftp and dns. This erases lines with the words login, ftp or dns from the /var/log/*(simplified).
24) next, it deletes all the *.c, *.h, *.tgz and other unneeded files.
25) then it kills .bash_history and links it to /dev/null
26) next it reverses the touches it made in step 3, touches /etc with /root and deletes /tmp/.dir*
27) then you're in trouble