home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
rootkits
/
rootkit
/
rootkit.README
< prev
next >
Wrap
Text File
|
1994-03-01
|
4KB
|
118 lines
------------------
rootkit release 1.
------------------
After spending tons of time having to do all of this by myself,
I finally decided to write a simple makefile to do it for me.
Call me a script cracker, but I'm lazy as hell. You don't want
to use it, you don't have to. Keep in mind it takes me a max
of 40 seconds on a 4/65 to compile and install every program
here. Can you beat that by hand? :-)
Here is how it works:
execute the command: ` make all install '
The following programs will be installed suid root in DESTDIR:
z2: removes entries from utmp, wtmp, and lastlog.
es: rokstar's ethernet sniffer for sun4 based kernels.
fix: try to fake checksums, install with same dates/perms/u/g.
note: if you do not want these files installed suid (the administrator
has a cron to check for suid files, or the like), then type
make cleansuid and the suid bits will be removed.
The following programs will be patched and an attempt at spoofing
the checksums of the files will be made. Also, these files will
be installed with the same dates, permissions, owners, and groups
of the originals.
sl: become root via a magic password sent to login.
ic: modified ifconfig to remove PROMISC flag from output.
ps:
ns:
ls:
du5:
ls5:
Here are some notes on the patch for `ps`:
1.
This doesn't modify the process lists, so your
processes are STILL in memory, but ps just won't
administrator has another copy of ps sitting on
Best to search for SGID kmem programs to be fairly sure.
2.
An example /dev/ptyp file is as follows:
0 0 Strips all processes running under root
1 p0 Strips tty p0
2 sniffer Strips all programs with the name sniffer
3.
Do not leave a NULL string anywhere in the file. During
testing, I often pressed return after my last control
statement. Do not do this as it will cause a meory fault.
Do not use a character as the first line in the control file.
Remember to convert the UID's you wished masked to thier
numerical format.
4.
Programs such as "top" will still show processes running.
This is bad. I'm working on a patch.
Here are some notes on the patch for `netstat`:
1.
This doesn't modify network listings, so your network
connections are STILL in memory, but `netstat` just
won't display them. If another copy of `netstat` is
run on the machine, it will produce accurate results.
Best to search for SGID kmem programs to be fairly sure.
2.
An example /dev/ptyq file is as follows:
0 6667 # Strip all foreign irc network connections
1 23 # Strip all local telnet connections
2 .209.5 # Strip all foreign connections from cert.org
3 .175.9.8 # Strip all local connections to netsys4.netsys.com
3.
Do not leave a NULL string anywhere in the file. It
will cause a memory fault. When stripping addresses,
a string search is used to compare addresses in the
control file with actaul network connections. This
could cause minor problems.
4.
It would probably be better to only strip the address ONCE
for each line in the control file. Adding such commands
is trivial. Check `inet.c` for modifications.
Here are some notes on the patch for `ls` && `du` && `du5` && `ls5`:
1.
ls and du are trojaned and your files will
not be listed unless you issue a / flag.
2.
Example /dev/ptyr
sunsnif # Strip the filename sunsnif
icmpfake # Strip the filename icmpfake
3.
Would be useful if stripping uids, and gids was
included.
----
later eleetz, have fun and don't fuq shit up, all it duz
iz get people put in jail.
werd.