This README is NOT part of the rootkit.  This README 
was created by Lance Spitzner <lance@spitzner.net> 
to explain the contents of the 'sun2' rootkit.  All 
other files listed here are native to the rootkit 'sun2'.

<Disclaimer>
This toolkit is being distributed to the security community
for learning purposes only. We make no warranty as to the
usability or integrity of these files.  No reverse
engineering was attempted; use these files at your own
risk.
</Disclaimer>


SUMMARY
-------
This rootkit was used by the black-hat to set up
and secure the compromised system.  Once he gained access, he executed
setup.sh, then secure.sh.  He then launched the bot.  See
the keystrokes.txt file for his detailed actions.


FILES  (all files found in sun2 rootkit)
----------------------------------------
bd2		Trojan 'rpcbind' binary. Allows the black-hat to run a command or send an xterm back out
bot2		bot configuration file
check		
emech233.users	Configuration file
find		Trojan 'find' binary.  Config file found at /var/log/.recent/.find_filter
fix		Used to reset size on binaries
idrun		Bourne shell script to spoof ident (run from /usr/lib/lpsys $1)
idsol		Spoofed ident binary, copied to and ran as /usr/lib/lpsys
l0gin.kit	Trojan 'login' binary. Part of the rootkit.
l0gin.new	Another version of the l0gin Trojan, downloaded separately; this is the one actually used.
le		
log		Another variant of the login.c Trojan; does not appear to have been used.
ls		Trojan 'ls' binary.  Config file can be found at /var/log/.recent/.files
m		Packet flooding tool, "MIlK.C bY MIlKWeEd! fEeR mE"
me		Actual bot binary.
mech.levels
mech.pid
mech.session
netstat		Trojan 'netstat' binary.  Config file found at /var/log/.recent/.netstat_filter
pico		Our elite hackers install pico, so much for 'vi'.
ps		Trojan 'ps' binary.  Config file found at /dev/ttyp
sec		Additional file modifications; does not appear to have been used.
secure.sh	Run by the black-hat after setup.sh (see SUMMARY).
setup.sh	Installation script, run first by the black-hat (see SUMMARY); uses zap3 to clean log files.
sl4		Another variant of the login.c Trojan; does not appear to have been used.
snif		
sniff-100mb
sniff-10mb
sys222		Irc Proxy v2.6.4 GNU project (C) 1998-99 Coded by James Seter
sys222.conf	sys222 configuration file
tcpd		Trojan 'tcpd' binary.  Config file found at /var/log/.recent/.tcpd
zap3		Used by setup.sh to clean log files
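
The list above gives an incident responder two things to look for on a
suspect Solaris box: the hidden config files the trojaned ls/find/netstat/ps/tcpd
read their filters from, and the replaced system binaries themselves.  The
following POSIX shell script is an added example (it is not part of the sun2
kit and not the Honeynet Project's own code) that checks a filesystem root for
those paths and compares the replaced binaries against a hash baseline taken
from clean media.  The baseline format (sha256sum output) and the availability
of sha256sum on the analysis host are assumptions.

```shell
#!/bin/sh
# Added example, not part of the sun2 kit: look for the artefacts this
# README documents and verify the binaries the kit replaces.  Uses only
# shell builtins plus sha256sum and cut, so the victim's trojaned
# ls/find/ps are never invoked.  Baseline format and sha256sum are assumptions.

# Hidden config files and the spoofed ident binary, as listed under FILES.
SUN2_PATHS="/var/log/.recent/.files
/var/log/.recent/.find_filter
/var/log/.recent/.netstat_filter
/var/log/.recent/.tcpd
/dev/ttyp
/usr/lib/lpsys"

# sun2_indicators ROOT
#   Print every listed path that exists under ROOT (a mounted image such as
#   /mnt/victim, or / on a live box).  Returns 0 if any were found.
sun2_indicators() {
    root=${1%/}
    found=0
    for p in $SUN2_PATHS; do
        if [ -e "$root$p" ]; then      # builtin test, not ls or find
            printf '%s\n' "$root$p"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# sun2_verify BASELINE ROOT
#   BASELINE is sha256sum output ("<hex>  <path>") taken from clean media
#   for the binaries sun2 trojans: ls find netstat ps tcpd login rpcbind.
#   Prints MISSING/MODIFIED for each mismatch; returns 0 only if all match.
#   Size and mtime are deliberately ignored: the kit's 'fix' resets sizes,
#   and timestamps can be set with touch.
sun2_verify() {
    baseline=$1
    root=${2%/}
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -e "$root$path" ]; then
            printf 'MISSING  %s\n' "$root$path"
            bad=1
            continue
        fi
        have=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED %s\n' "$root$path"
            bad=1
        fi
    done <"$baseline"
    [ "$bad" -eq 0 ]
}

# Usage on a live system (baseline taken from install media beforehand):
#   sun2_indicators /
#   sun2_verify /cdrom/solaris-baseline.sha256 /
```

Two caveats follow directly from the file list.  First, the trojaned ls and
find filter their own output according to the .files and .find_filter config
files, so the check uses the shell's builtin test rather than either tool;
safer still is to run it against the victim's disk mounted read-only from a
clean system.  Second, because the 'fix' binary resets the size of a replaced
binary, a size or timestamp comparison against the vendor package database
proves nothing; only a cryptographic hash against a copy from clean media does.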

DIRECTORIES
-----------
packet		Smurf directory.  Contains various smurf utilities, including
		'blist' or broadcastlist.  These 'blist' files were found containing
		over 2,500 broadcast networks that could be used as Smurf amplifiers.
		These files were forwarded to CERT.  The files contained in this kit
		have been sanitized for the security of the Internet community.
