A su backdoor program
Dedicated IT Person
Internet
Anonymous
2007-12-30 11:31:13
This code is a counterfeit su, used to catch unauthorized users logging in as root. A double-edged sword.
/*
 * From: CERT Tools
 * To: cert-tools@cert.org
 * Subject: Quiet list
 * Date: Wed, 31 Aug 1994 10:37:16 -0400
 *
 * It's been quiet, here is something to stir things up a little :-)
 *
 * - Shawn
 *
 * Shawn F. Mckay                                phone: 617-253-2583
 * Dept. of Electrical Eng. & Computer Science   email: shawn@eddie.mit.edu
 * M.I.T. / room 38-388 / Cambridge, MA 02139 / USA
 *
 * PGP Key available on request
 */

/*
 * Dummy "su" program. Intended to help an intruder who does not
 * know the system (many work from "cheat sheets") to trip alarms
 * so the rightful sysadmin folks can charge to the rescue.
 *
 * Author: Shawn F. Mckay (shawn@aradia.uucp)
 * Revision Date: 94-08-29
 * Version: 1.1
 * Copyright (c) 1989-1994 Shawn F. Mckay, All Rights Reserved.
 * May not be sold for profit without written consent of author.
 * No warranty of ANY KIND is implied, use at your own risk!
 *
 * Installation Notes:
 *   a) Create a directory in a secret place mode 770 (group whlcp)
 *   b) Move your real copy of "su" to this new location
 *      Make it also group whlcp and mode 4510
 *   c) Now, install this here su into the old location of your
 *      systems su program. (mode 4511) (usually /bin or /usr/bin).
 *      This program needs to be setuid root to be believed, but as
 *      you can see, it does NOT run as root, it runs as daemon as
 *      soon as its run.
 *   d) Finally, make sure to add yourself to whlcp group as needed.
 *   e) Act quickly if you detect a violation of any kind
 *
 * Also note, you will probably need to modify /etc/crontab to
 * advise any system shell scripts where the "real" su went. You
 * should probably try and ensure these places are also non-world
 * readable.
 *
 * The above should work for almost ANY UNIX system. As always, use
 * your judgement.
 */

#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

/*
 * The original listing included only <stdio.h> and <syslog.h> and relied on
 * K&R implicit declarations; the headers above supply prototypes for
 * strcpy/exit/time/getpass/crypt. crypt() may need -lcrypt at link time.
 */

static char uname[64], tname[64];

static int sendmail(int argc, char **argv);

int
main(int argc, char **argv)
{
    char *key, *t;

    /*
     * If an intruder is to buy this, we must LOOK like a
     * real copy of "/bin/su"
     */
    if (geteuid()) {
        fprintf(stderr, "su: not properly installed\n");
        exit(1);
    } else {
        /*
         * Become daemon, "Right away!"  If the privilege drop fails,
         * bail out rather than carry on running as root.
         */
        if (setgid(1) != 0 || setuid(1) != 0) {
            fprintf(stderr, "su: not properly installed\n");
            exit(1);
        }
    }

    /*
     * Discover our uname / location (bounded copies: the original
     * strcpy into a 10-byte buffer could overflow on a long login name)
     */
    if ((t = getlogin()) == NULL)
        strcpy(uname, "unknown");
    else
        snprintf(uname, sizeof uname, "%s", t);
    if ((t = ttyname(2)) == NULL)
        strcpy(tname, "unknown");
    else
        snprintf(tname, sizeof tname, "%s", t);

    /*
     * Open log, and gripe!
     */
#ifdef LOG_AUTH
    openlog("su", LOG_PID, LOG_AUTH);
#else
    openlog("su", LOG_PID);
#endif
    syslog(LOG_NOTICE, "SU attempt failed by %s on %s", uname, tname);
    syslog(LOG_NOTICE, "User tried to become %s using su",
           (argc > 1 ? argv[1] : "root"));

    /*
     * Query for a password, to look real
     */
    key = getpass("Password: ");

    /*
     * Also, send email here, to add to the "feel" of delay...
     */
    sendmail(argc, argv);
    (void)crypt(key, "XX");   /* Look and feel tactic */

    /*
     * Of course, we knew this was coming!
     */
    printf("Sorry\n");
    exit(1);
}

/*
 * sendmail()
 * Blast off an email message about this attempt. Quick and sweet
 */
static int
sendmail(int argc, char **argv)
{
    FILE *pbuf;
    time_t Clock;

    if (access("/usr/bin/mail", X_OK))
        return 0;
    if ((pbuf = popen("/usr/bin/mail root", "w")) == NULL)
        return 0;
    time(&Clock);
    fprintf(pbuf, "\nSECURITY VIOLATION NOTICE:\n");
    fprintf(pbuf, "Attempt failed to run su by %s from %s %s",
            uname, tname, ctime(&Clock));
    fprintf(pbuf, "User tried to become %s using su\n",
            (argc > 1 ? argv[1] : "root"));
    fprintf(pbuf, "\n.\n");
    pclose(pbuf);
    return 1;
}
