1 files changed, 163 insertions, 0 deletions

diff --git a/other/adore-ng/README b/other/adore-ng/README
new file mode 100644
index 0000000..7a5ebee
--- /dev/null
+++ b/other/adore-ng/README
@@ -0,0 +1,163 @@
+Please read this! It is important. Otherwise you maybe crash your kernel!
+=========================================================================
+
+
+0. Intro
+--------
+
+Only *YOU* are responsible for your own actions. So if you are
+dumb enough to own machines and install this software on it,
+only you can be blamed for it.
+
+Do not say you have not been warned!
+
+
+1. Install by hand
+------------------
+
+You can skip this section if you want to use the "configure"
+script. This section might be important if the configure
+script does not run somehow or produces wrong output.
+
+Edit Makefile and set proper values.
+
+Everyone should choose an own ADORE_KEY to make it impossible to scan
+for installed adore. Also ELITE_UID and ELITE_GID should be
+changed to own values.
+When commenting in the MODVERSIONS-switch, adore will be compiled
+for modversioned kernels. Modversioned kernels have a /proc/ksyms file
+that looks like
+
+...
+foo_barR12345678
+...
+
+where normal kernels would look like
+
+...
+foo_bar
+...
+
+On some systems it can't find modversions.h. Try disabling MODVERSIONS even
+when you see the symbols are version-ed. It seems to me that using MODVERSIONS
+isn't necessary on newer kernels.
+
+
+Hidden ports (adore-ng.h) go decimal, i.e. '2222' hides everything which belongs to port
+2222.
+The tcp-hiding has been redesigned completely. It uses a technique similar to
+the one described by palmers in phrack (http://www.phrack.org/show.php?p=58&a=6)
+By default 2222 and 7350 are hidden. Only IPv4 (tcp4) stuff is hidden.
+
+It is now very hard for adore-scanners to find a running adore because
+it is not longer possible to chdir() or stat() PID-dirs in /proc
+if PID is hidden. It is completely invisible, except to processes which
+are hidden them self.
+Files are now hidden using both, a ELITE_UID and a ELITE_GID which are chosen
+randomly upon 'configure'. So we have 2**64 possible values which is
+impossible to brute-force and thus checking for hidden files by brute-forcing
+uid/gid.
+
+Older Linux systems have a width of 16 bit for UID's and GID's, newer systems
+have 32 bit. Adore supports both. Either give 4 (for 32 bit) or 2 (for 16 bit)
+as argument to configure e.g. 'configure 4'. The default is 4.
+
+
+Make sure SMP is enabled when it is in kernel.
+Don't forget to recompile when you changed Makefile.
+Two 'makes' may produce two different adore's that maybe can't
+interact (i.e. further hidden-files are visible now due to UID-change).
+For this reason, the Makefiles are backed-up to allow a restore.
+
+
+
+2. Install by script
+--------------------
+
+Run configure-script.
+Script should give you some messages which uid's are used etc.
+View Makefile to see if everything is fine. Edit adore-ng.h to meet
+with your services you want to hide. Defaults to port 2222 and 7350.
+Do 'make'.
+"insmod ./adore.o" as root.
+Use "ava" to hide files, processes and so on then.
+
+When ava responds, there is no adore, but you are sure there is,
+then you maybe compiled adore.o and ava with different ADORE_KEY's.
+Do 'make clean; make' to put it in sync.
+
+"insmod ./cleaner.o; rmmod cleaner" to hide the adore LKM from lsmod.
+Or use "startadore" script. Use "relink" script to relink adore-ng
+into one of the LKMs already available on the system, so it is
+automatically loaded during reboot.
+
+3. libinvisible
+---------------
+
+libinvisible was written to have a layer between adore and ava.
+Since there are other OS's which may be targeted by adore-like modules,
+ava.c could easily ported, if one writes the proper library-calls.
+libinvisible maybe also used from within sysop-written hidden logdeamons
+as easy API to adore.
+
+
+Adore was written for EDUCATIONAL PURPOSES, for testing on honey-pot 
+boxens (watching suspicious "broken" accounts) and intrusion testings.
+If you need more help watching broken accounts, you may also use
+EoE to watch what is executed.
+
+
+4. Use 'R' with care
+--------------------
+
+'R' switch of ava isn't well researched. It may crash your machine.
+'R'emoving current shell isn't good idea.
+
+
+5. A word on detecting root-kits
+-------------------------------
+
+Adore has quite good anti-detection measurements in version 0.5 and better.
+Since we use the new proc technique we completely control what user-space
+programs see. It isn't even longer possible to detect hidden processes
+by walking through the task-list and checking for PF_INVISBLE flag
+because adore now uses a different approach to check for hidden procs.
+I know of tools which read the disk raw by accessing /dev/hdXY and comparing
+getdents() result with it. Thats the only thing where someone may detect
+adore yet, but only if there are hidden files! It is not necessary to hide
+files in all cases. Plus, modern systems support file-systems which are located
+completely in-memory. This technique will fail here.
+
+Child-processes of hidden processes are hidden automatically.
+
+
+6. Troubleshooting
+------------------
+
+In case gcc can't find modversions.h try to disable
+MODVERSIONS flag in Makefile.
+
+
+7. SMP primer
+-------------
+
+Adore-ng was successfully tested on UP and SMP systems.
+
+
+
+8. etc
+-------
+
+You can also control adore-ng by hand via echo & cat, look at adore-ng.c
+to see how.
+You can specify an optional FS where files can be hidden.
+Only use this switch ("insmod adore-ng.o opt_fs=/opt" for example)
+when you are sure that / and (your particular) /opt have a different
+FS, for example ext3 on / and reiser on /opt. otherwise you will
+get FS inconsistencies for sure. The opt_fs argument should not
+be needed in most cases anyway. Mounts of other partitions with the same
+FS will be affected by adore too. So if / and /opt both have ext3, you
+dont need to worry. Adore will handle both without a opt_fs switch.
+
+Stealth
+