WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool capable to maintain access to a compromised web server. WeBaCoo was designed to operate under the radar of modern up-to-dated AV, NIDS, IPS, Network Firewalls and Application Firewalls, proving a stealth mechanism to execute system commands to the compromised server. The obfuscated communication is accomplished using HTTP header's Cookie fields under valid client HTTP requests and relative web server's responses.
b74689916ea156d422177f331fe570c8This is a very small backdoor written in Python.
abf97854fff55fbaf20ea64011da1522log2command is a PHP script that tracks IPs in log files and executes shell commands per each IP. log2command was created as a sort of reverse fail2ban or cheap VPN-firewall: a machine with a closed firewall can be told, by a foreign machine, to accept connections from a specific IP. log2command then keeps track of the webserver log file and watches for inactivity from the user's IP. After an amount of time another command is executed that can remove the user's IP from the firewall, closing down the machine again. The PHP script is a command-line program that can be run in the background.
8e19ae8abd2570913871373fe04844faKBeast (Kernel Beast) 2012 is a Linux rootkit that hides the loadable kernel module, hides files and directories, hides processes, hides sockets and connections, performs keystroke logging, has anti-kill functionality and more.
c8fbf115fdf309273ce23f94d817210fWeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool capable to maintain access to a compromised web server. WeBaCoo was designed to operate under the radar of modern up-to-dated AV, NIDS, IPS, Network Firewalls and Application Firewalls, proving a stealth mechanism to execute system commands to the compromised server. The obfuscated communication is accomplished using HTTP header's Cookie fields under valid client HTTP requests and relative web server's responses.
f4fbdca27c7a4629314c184bf09461ffWeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, aiming to provide a stealth terminal-like connection over HTTP between client and web server. It is a post exploitation tool capable to maintain access to a compromised web server. WeBaCoo was designed to operate under the radar of modern up-to-dated AV, NIDS, IPS, Network Firewalls and Application Firewalls, proving a stealth mechanism to execute system commands to the compromised server. The obfuscated communication is accomplished using HTTP header's Cookie fields under valid client HTTP requests and relative web server's responses.
983c15146c1156bde098d9e81f412157Jynx Kit is a LD_PRELOAD userland rootkit. Fully undetectable from chkrootkit and rootkithunter. Includes magic packet SSL reverse back connect shell. Solid building block for further LD_PRELOAD rootkits.
c4f68fd8a88e336f5630798bde50c913This is simply a PHP shell with a bunch of features like spoofing mail, file uploads, and more.
f18d5418f6eb91321033867fb1fe68c6Knull Shell Alpha1 is a PHP shell that has bind, reverse, and backpipe shells.
1bd6d6835296305ab21cd1ec34ab8627Ani-Shell is a simple PHP shell with some unique features like a mass mailer, ddoser, connect-back shell, bind shell, and various other features.
f789ddc02f9f16fa9f82a31ce2e0f5cfTurtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
cf4f4980dd9d360041e530b903ffca53This post-escalation bash script sanitizes 29 logs, adds a root user, and allows for package installation including hashcat, nmap, and more. Written for Ubuntu.
6ce86ef3082d68ab9743dcd313e30a22This archive has the H4ckcity PHP backdoor script along with a tutorial written in Persian.
572ec9cc7fb7f5b6b2e49748ecb5c1afSyRiAn Sh3ll is a PHP backdoor that allows for database access, local exploitation of the host, and more.
14eb6477ac78b0442bf82f160abebc83This is the Viper auto-rooting script that is written for Linux, SunOS, Mac OS X, and FreeBSD.
42b9bf4ca63a0ad78770421d06b6104cIncluded in this archive is a private rootkit found in the wild that uses libcall hijacking. A detailed research analysis of how it functions has been created and is in the ncom.txt file.
f3dedef3547498bf5ba0ff330d86348aThis tarball was discovered on a compromise Debian Lenny host after it was compromised via the recent remote root Exim vulnerability. It includes binaries such as the MIG logcleaner, backdoored versions of top, uptime, free, pgrep and more. Please note that a thorough analysis of these binaries has not been performed and they must be considered unsafe and untrustworthy. Only use the enclosed contents for research purposes. Further details regarding this rootkit can be obtained via the reddit site link.
d0e098de3b0e436f934763810cd31189This is a backdoor PHP shell from ITSecTeam. It can execute system commands, bypass various controls, connects to common databases and edits files and directories.
9391509dbb36057d9a3321f76a864813Turtle rootkit for FreeBSD. This kernel module hooks unlink() so the protected file cannot be deleted, hooks kill() so the protected process cannot be killed, and has various other nice bells and whistles.
475ca0337888d26fa3386bf01720a210This is a backdoor PHP shell from ITSecTeam.
b30055c75b8c68a9c8b8f945ee5aad7cDevshell is a CGI backdoor kit.
39dde46e36900c98808b11eb98aa5fbbEvilBS is a bindshell for Linux that has AES-256 symmetric encryption, can operate in reverse connect mode, has SOCKS4 proxy support and more.
0572f3023b4ad5d3b046810e5442b1d8This is the ZoRBaCK Connect php script that allows for a remote shell on a compromised host.
b860aa3459439b6f1f0deafbe8336aabISTAR is a set of python code that performs various functions including use of ptrace to simulate a userland rootkit.
b23d8c58208f2a403d208e53e8638cd1LKM rootkit for Linux x86 with the 2.6 kernel. It inserts salts inside system_call and sysenter_entry handlers, so it does not modify sys_call_table, or IDT content. It hide files, directories, and processes. Hides chunks inside of files, gives remote reverse_shell access, local root, etc. This version of the rootkit is specifically ported to work on Ubuntu 8.04 with the 2.6.24 kernel. No backwards compatibility is provided. The modified rootkit was simply meant as a proof of concept for a book. The documentation was not updated to reflect the changes and this was submitted to the site anonymously. Use are your own risk.
a12a5b779ec0ab22fd03e28503ed014d
© 2011 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed