
fbd-1.2.txt

Posted Jul 14, 2002
Authored by Butternuts

Fake Backdoor System v1.1 - Binds to a port and waits for a connection. When an attacker runs a command known to the backdoor, it prints a cloned response back to trick the user and then disconnects the user from the host. It saves the hostname and the command used by the attacker to a log file of choice (default is fbdlog.txt).

Changes: Added new commands to trick user more effectively.
SHA-256 | dbd58862ea6f2115690fadce0f1a6542f4250e2cdde34847da748b3f1cacca98

#!/usr/bin/perl
#fbd.pl -> Fake Backdoor v1.2
#Updates:
#Added new cloned commands: ps -aux, df, ls -l
#Added line to print back to attacker if you want to.
#Fixed stupid error on /etc/shadow matching string.
#Features:
#Can 'clone' commands such as: id, uname -a, ls, pwd, /etc/shadow.
#Prints attack host, and command which was used back to a log file.
#coded by: butternuts -> butternuts@hushmail.com
#date: 7/14/2002


use IO::Socket;
use Net::hostent;

$id = `id`; #Enables real print back when cloned command ran.
$uname = `uname -a`; #Enables real print back when cloned command ran.


$port = "1337"; #Can change to reflect any port
$log = "fbdlog.txt"; #Can change to reflect any logfile.

#If you want to keep the log file every time the fake
#backdoor is started, take out this command.
unlink $log;
#Rest needs no change.

$socket = IO::Socket::INET->new(
Listen => 10,
LocalPort => $port,
Proto => 'tcp',
Reuse => 1);
die "Cant bind fake backdoor to $port\n" unless $socket;


while ($attacker = $socket->accept()) {
open LOGFILE, '>>', $log or die "Cant open $log: $!\n";
$attackinfo = gethostbyaddr($attacker->peeraddr);
print $attacker "bash# ";
my $in = <$attacker>;

if ($in =~ /id/) {
print $attacker "$id\n";
} elsif ($in =~ /uname -a/) {
print $attacker "$uname\n";
} elsif ($in =~ /\/etc\/shadow/) {
#fake password file, decrypted root password is "dumbass"

print $attacker "root:\$1\$WH9Qpjow\$UF\.lGOcf2TazdKFotoanq1:11785:0:99999:7:::\n";
print $attacker "bin:*:11785:0:99999:7:::\n";
print $attacker "daemon:*:11785:0:99999:7:::\n";
print $attacker "adm:*:11785:0:99999:7:::\n";
print $attacker "sync:*:11785:0:99999:7:::\n";
print $attacker "shutdown:*:11785:0:99999:7:::\n";
print $attacker "halt:*:11785:0:99999:7:::\n";
print $attacker "mail:*:11785:0:99999:7:::\n";
print $attacker "news:*:11785:0:99999:7:::\n";
print $attacker "uucp:*:11785:0:99999:7:::\n";
print $attacker "operator:*:11785:0:99999:7:::\n";
print $attacker "ftp:*:11785:0:99999:7:::\n";
print $attacker "nobody:*:11785:0:99999:7:::\n";
print $attacker "nscd:!!:11785:0:99999:7:::\n";
print $attacker "mailnull:!!:11785:0:99999:7:::\n";
print $attacker "xfs:!!:11785:0:99999:7:::\n";
}elsif ($in =~ /ls -l/) {
print $attacker "total 14\n";
print $attacker "-rwsr-sr-x 1 root root 365 Apr 12 13:11 bd\n";
print $attacker "-rwsr-sr-x 1 root root 577 Apr 12 13:11 bdoor.conf\n";
print $attacker "-rw-r--r-- 1 root root 119 Apr 12 13:11 bdoor.pid\n";
print $attacker "-rwxr-xr-x 1 root root 1329 Apr 12 13:11 hide\n";
print $attacker "-rw-r--r-- 1 root root 602 Apr 12 13:11 README\n";
} elsif ($in =~ /ls/) {
print $attacker "bd\n";
print $attacker "bdoor.conf\n";
print $attacker "bdoor.pid\n";
print $attacker "hide\n";
print $attacker "README\n";
} elsif ($in =~ /pwd/) {
print $attacker "/home/fred/.bd\n";
} elsif ($in =~ /ps -aux/) {
print $attacker "apache 14105 0.0 1.0 11304 3920 ? S Jul01 0:35 /usr/local/apache\n";
print $attacker "apache 31278 0.0 1.7 13576 6544 ? S Jul01 0:36 /usr/local/apache\n";
print $attacker "apache 18127 0.0 1.0 13096 4216 ? S Jul01 0:38 /usr/local/apache\n";
print $attacker "apache 23400 0.0 1.1 13088 4276 ? S Jul01 0:31 /usr/local/apache\n";
print $attacker "apache 19610 0.0 0.9 11728 3792 ? S Jul01 0:31 /usr/local/apache\n";
print $attacker "apache 25326 0.0 0.9 12060 3688 ? S Jul01 0:31 /usr/local/apache\n";
print $attacker "apache 20672 0.0 1.6 13252 6228 ? S Jul01 0:35 /usr/local/apache\n";
print $attacker "apache 29335 0.0 1.5 12908 5792 ? S Jul01 0:30 /usr/local/apache\n";
print $attacker "apache 13891 0.0 1.6 13312 6292 ? S Jul02 0:26 /usr/local/apache\n";
print $attacker "apache 11730 0.0 1.0 13192 4052 ? S Jul02 0:26 /usr/local/apache\n";
print $attacker "apache 20114 0.0 1.2 12256 4772 ? S Jul02 0:27 /usr/local/apache\n";
print $attacker "root 5016 0.0 0.4 6520 1804 ? S Jul08 0:00 /usr/sbin/sshd\n";
print $attacker "fred 7123 0.0 0.5 6564 1948 ? S Jul08 0:00 /usr/sbin/sshd\n";
print $attacker "fred 32520 0.0 0.3 2444 1316 pts/0 S Jul08 0:00 -bash\n";
print $attacker "root 23869 0.0 0.2 2340 1028 pts/0 S Jul08 0:00 su -\n";
print $attacker "root 22874 0.0 0.3 2508 1368 pts/0 S Jul08 0:00 -bash\n";
print $attacker "root 27149 0.7 0.4 4912 1644 ? S 23:28 0:00 /usr/sbin/sshd\n";
print $attacker "sshd 13056 0.0 0.3 4652 1472 ? S 23:28 0:00 /usr/sbin/sshd\n";
} elsif ($in =~ /df/) {
print $attacker "Filesystem 1k-blocks Used Available Use% Mounted on\n";
print $attacker "/dev/hda3 11080488 7296874 2472193 74% /\n";
print $attacker "/dev/hda5 869620 844004 0 100% /backup\n";
print $attacker "/dev/hda1 101089 9453 86417 10% /boot\n";
print $attacker "none 196256 0 192256 0% /dev/shm\n";
print $attacker "/dev/hdb1 38438340 6017716 30492720 17% /home\n";
}

#uncomment line below to print sentence to attacker
#print $attacker "Thx for the logs dumbass.\n";

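#Work out the peer name before closing the socket: peerhost is not available
#afterwards, and gethostbyaddr returns undef when there is no reverse DNS entry.
$attackhost = ($attackinfo && $attackinfo->name) || $attacker->peerhost || "unknown";
$in = "" unless defined $in; #attacker disconnected without sending a command
$in =~ s/[^\x20-\x7e]//g; #strip CR/LF and control bytes so input cannot forge log lines

close $attacker;

print LOGFILE "---------------------------------------------------------\n";
printf LOGFILE "Attacker Hostname: %s\nCommand ran: %s\n", $attackhost, $in;
print LOGFILE "---------------------------------------------------------\n";

close LOGFILE;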
}

#EOF
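
The log this script writes is three lines per connection, and the command line holds bytes chosen by the remote side. The following is an added example, not part of fbd.pl or written by its author: a Python parser for that log format that treats the command as untrusted and groups commands per source host. The function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

HOST_RE = re.compile(r"^Attacker Hostname: (.*)$")
CMD_RE = re.compile(r"^Command ran: (.*)$")
RULE_RE = re.compile(r"-{20,}$")        # run of dashes closing a record
CTRL_RE = re.compile(r"[^\x20-\x7e]")   # anything outside printable ASCII

def parse_fbd_log(text):
    """Return [(host, command), ...] from the text of an fbd.pl log file."""
    records, host = [], None
    # Split on "\n" only: str.splitlines() would also break on a bare "\r",
    # letting a logged command start a forged "Attacker Hostname:" line.
    for line in text.split("\n"):
        m = HOST_RE.match(line)
        if m:
            host = CTRL_RE.sub("?", m.group(1))
            continue
        m = CMD_RE.match(line)
        if m and host is not None:
            # With no input from the client the closing rule lands on the
            # same line as the (empty) command, so cut it off.
            cmd = RULE_RE.sub("", m.group(1).rstrip("\r"))
            records.append((host, CTRL_RE.sub("?", cmd).strip()))
            host = None
    return records

def summarize(records):
    """Group commands per source host for triage."""
    by_host = defaultdict(Counter)
    for host, cmd in records:
        by_host[host][cmd or "<no input>"] += 1
    return by_host

RULE = "-" * 57  # constructed separator; any run of 20+ dashes is accepted

def sample_record(host, raw_cmd):
    """Constructed data: mimic the three writes fbd.pl makes per connection."""
    return f"{RULE}\nAttacker Hostname: {host}\nCommand ran: {raw_cmd}{RULE}\n"

SAMPLE_LOG = "".join([
    sample_record("scanner.example.net", "id\r\n"),
    sample_record("192.0.2.7", "cat /etc/shadow\n"),
    sample_record("192.0.2.7", ""),  # disconnected without sending a line
    sample_record("192.0.2.7", "ls\rAttacker Hostname: forged\x1b[2J\n"),
])

if __name__ == "__main__":
    for host, cmds in summarize(parse_fbd_log(SAMPLE_LOG)).items():
        print(host, dict(cmds))
```

Control bytes in a logged command are replaced with `?`, so the parsed output is safe to print to a terminal.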

