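#!/usr/bin/perl
# fbd.pl -> Fake Backdoor v1.1
#
# A small TCP honeypot that imitates a shell backdoor.  It listens on
# $port, shows a "bash# " prompt to whoever connects, answers a few
# common reconnaissance commands (id, uname -a, ls, pwd, /etc/shadow)
# with canned output, closes the connection, and appends the peer's
# address, its reverse-DNS name when one exists, and the command it
# sent to a log file.
#
# Updates:
#   Next version will include more cloned commands.
#   May have a fake password system, to make backdoor seem more
#   realistic.
#
# coded by: butternuts -> butternuts@hushmail.com
# date: 7/7/2002

use strict;
use warnings;
use IO::Socket;
use Net::hostent;

# A peer that disconnects mid-reply would otherwise kill the listener
# with SIGPIPE on the next print; ignoring it lets the write fail softly
# and the accept loop continue with the next connection.
$SIG{PIPE} = 'IGNORE';

# Real output of id / uname -a, captured once at start-up so the cloned
# commands reflect the host they run on.  chomp because every reply
# below appends its own newline (the original sent a blank line after).
my $id    = `id`;
my $uname = `uname -a`;
chomp($id, $uname);

my $port = 1337;          # Can change to reflect any port
my $log  = 'fbdlog.txt';  # Can change to reflect any logfile

# Each run starts with an empty log.  Remove this line to keep the log
# across restarts.  unlink does what the original `rm -rf $log` did
# without spawning a shell or interpolating the path into a command.
unlink $log;

# Rest needs no change.
my $socket = IO::Socket::INET->new(
    Listen    => 10,
    LocalPort => $port,
    Proto     => 'tcp',
    Reuse     => 1,
) or die "Cant bind fake backdoor to $port: $@\n";

# Canned /etc/shadow bait.  The root hash is a throwaway made for this
# honeypot (the original author notes its plaintext is "dumbass").
my @fake_shadow = (
    'root:$1$WH9Qpjow$UF.lGOcf2TazdKFotoanq1:11785:0:99999:7:::',
    'bin:*:11785:0:99999:7:::',
    'daemon:*:11785:0:99999:7:::',
    'adm:*:11785:0:99999:7:::',
    'sync:*:11785:0:99999:7:::',
    'shutdown:*:11785:0:99999:7:::',
    'halt:*:11785:0:99999:7:::',
    'mail:*:11785:0:99999:7:::',
    'news:*:11785:0:99999:7:::',
    'uucp:*:11785:0:99999:7:::',
    'operator:*:11785:0:99999:7:::',
    'ftp:*:11785:0:99999:7:::',
    'nobody:*:11785:0:99999:7:::',
    'nscd:!!:11785:0:99999:7:::',
    'mailnull:!!:11785:0:99999:7:::',
    'xfs:!!:11785:0:99999:7:::',
);

while (my $attacker = $socket->accept()) {
    # Capture the peer's identity while the socket is still open:
    # peerhost() needs a live descriptor, and the original asked for it
    # after close().  Reverse DNS is under the peer's control and may be
    # missing, so the IP is always recorded and the name falls back to
    # it (the original called ->name on undef and died, which took the
    # whole listener down with it).
    my $peer_ip   = $attacker->peerhost || 'unknown';
    my $hostent   = gethostbyaddr($attacker->peeraddr);
    my $peer_name = $hostent ? $hostent->name : undef;
    $peer_name = $peer_ip unless defined $peer_name && length $peer_name;

    print $attacker "bash# ";
    my $in = <$attacker>;
    $in = '' unless defined $in;   # peer may close without sending anything
    chomp $in;

    # Substring matches, as in the original: "ls -la" and "false" both
    # reach the ls branch.  Order only matters where one command's text
    # contains another's.
    if ($in =~ /id/) {
        print $attacker "$id\n";
    }
    elsif ($in =~ /uname -a/) {
        print $attacker "$uname\n";
    }
    elsif ($in =~ m{/etc/shadow}) {
        # Sent to the client; the original printed this to STDOUT, so
        # the connecting party never received the bait.
        print $attacker "$_\n" for @fake_shadow;
    }
    elsif ($in =~ /ls/) {
        print $attacker "$_\n" for qw(bd bdoor.conf bdoor.pid hide README);
    }
    elsif ($in =~ /pwd/) {
        print $attacker "/home/fred/.bd\n";
    }
    close $attacker;

    # The command is attacker-controlled; escape anything outside
    # printable ASCII so terminal control sequences and stray CRs cannot
    # be replayed into whatever later reads the log.
    (my $safe_in = $in) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;

    # Lexical handle and three-arg open replace the bareword LOGFILE /
    # two-arg form; close is checked because append errors surface there.
    open my $logfh, '>>', $log or die "Cant open $log: $!\n";
    printf {$logfh} "Time: %s\nAttacker IP: %s\nAttacker Hostname: %s\nCommand ran: %s\n",
        scalar(localtime), $peer_ip, $peer_name, $safe_in;
    close $logfh or die "Cant close $log: $!\n";
}
#EOF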