A su backdoor program

王朝other · Author unknown  2008-05-21

This code is a fake su, used to catch unauthorized users who log in as root. A double-edged sword.

/*
 * From:    CERT Tools
 * To:      cert-tools@cert.org
 * Subject: Quiet list
 * Date:    Wed, 31 Aug 1994 10:37:16 -0400
 *
 * It's been quiet, here is something to stir things up a little :-)
 *
 * - Shawn
 *
 * Shawn F. Mckay                                phone: 617-253-2583
 * Dept. of Electrical Eng. & Computer Science   email: shawn@eddie.mit.edu
 * M.I.T. / room 38-388 / Cambridge, MA 02139 / USA
 *
 * ** PGP Key available on request **
 */

/*
 * Dummy "su" program. Intended to help an intruder who does not
 * know the system (many work from "cheat sheets") to trip alarms
 * so the rightful sysadmin folks can charge to the rescue.
 *
 * Author: Shawn F. Mckay (shawn@aradia.uucp)
 * Revision Date: 94-08-29
 * Version: 1.1
 *
 * Copyright (c) 1989-1994 Shawn F. Mckay, All Rights Reserved.
 * May not be sold for profit without written consent of author.
 * No warranty of ANY KIND is implied, use at your own risk!
 *
 * Installation Notes:
 *   a) Create a directory in a secret place mode 770 (group whlcp)
 *   b) Move your real copy of "su" to this new location
 *      Make it also group whlcp and mode 4510
 *   c) Now, install this here su into the old location of your
 *      systems su program. (mode 4511) (usually /bin or /usr/bin).
 *      This program needs to be setuid root to be believed, but as
 *      you can see, it does NOT run as root, it runs as daemon as
 *      soon as it's run.
 *   d) Finally, make sure to add yourself to whlcp group as needed.
 *   e) Act quickly if you detect a violation of any kind
 *
 * Also note, you will probably need to modify /etc/crontab to
 * advise any system shell Scripts where the "real" su went. You
 * should probably try and ensure these places are also non-world
 * readable.
 *
 * The above should work for almost ANY UNIX system. As always, use
 * your judgement.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <syslog.h>
#include <crypt.h>      /* crypt() on glibc; link with -lcrypt */

char uname[10], tname[20];

int sendmail (int argc, char **argv);

int
main (int argc, char **argv)
{
    char *key, *t;

    /*
     * If an intruder is to buy this, we must LOOK like a
     * real copy of "/bin/su"
     */
    if (geteuid ()) {
        fprintf (stderr, "su: not properly installed\n");
        exit (1);
    } else {
        /*
         * Become daemon, "Right away!"
         * (never continue as root if the drop fails)
         */
        if (setgid (1) != 0 || setuid (1) != 0)
            exit (1);
    }

    /*
     * Discover our uname / location
     * (bounded copies: login and tty names can exceed the buffers)
     */
    if ((t = getlogin ()) == NULL)
        strcpy (uname, "unknown");
    else
        snprintf (uname, sizeof uname, "%s", t);

    if ((t = ttyname (2)) == NULL)
        strcpy (tname, "unknown");
    else
        snprintf (tname, sizeof tname, "%s", t);

    /*
     * Open log, and gripe!
     */
#ifdef LOG_AUTH
    openlog ("su", LOG_PID, LOG_AUTH);
#else
    openlog ("su", LOG_PID);
#endif
    syslog (LOG_NOTICE, "SU attempt failed by %s on %s\n", uname, tname);
    syslog (LOG_NOTICE, "User tried to become %s using su\n",
            (argc > 1 ? argv[1] : "root"));

    /*
     * Query for a password, to look real
     */
    key = (char *)getpass ("Password: ");

    /*
     * Also, send email here, to add to the "feel" of delay...
     */
    sendmail (argc, argv);
    if (key != NULL)
        (void)crypt (key, "XX");    /* Look and feel tactic */

    /*
     * Of course, we knew this was coming!
     */
    printf ("Sorry\n");
    exit (1);
}

/*
 * sendmail()
 * Blast off an email message about this attempt. Quick and sweet
 */
int
sendmail (int argc, char **argv)
{
    FILE *pbuf;
    time_t Clock;

    if (access ("/usr/bin/mail", 0))
        return (0);

    if ((pbuf = popen ("/usr/bin/mail root", "w")) == NULL)
        return (0);

    time (&Clock);

    fprintf (pbuf, "\nSECURITY VIOLATION NOTICE:\n");
    fprintf (pbuf, "Attempt failed to run su by %s from %s %s",
             uname, tname, ctime (&Clock));
    fprintf (pbuf, "User tried to become %s using su\n",
             (argc > 1 ? argv[1] : "root"));
    fprintf (pbuf, "\n.\n");
    pclose (pbuf);

    return (1);
}
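
The decoy writes two syslog notices per attempt, so a watcher on the log host can pair them by PID to rebuild who tried to become whom. The following is an added example, not part of the original posting; the struct, the function name and the sample log lines (classic BSD syslog layout) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* One tripped alarm, rebuilt from the dummy su's two notices; target is "" until the second is seen. */
struct su_alert { int pid; char user[32], tty[32], target[32]; };

/* Pair the notices by the PID in the "su[PID]:" tag (openlog's LOG_PID). Returns attempts found. */
int scan_su_alerts(const char *const *lines, int n, struct su_alert *out, int max)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        const char *tag = strstr(lines[i], " su[");
        struct su_alert a = {0};
        char target[32];
        if (tag == NULL)
            continue;                    /* not logged under the "su" ident */
        if (sscanf(tag, " su[%d]: SU attempt failed by %31s on %31s",
                   &a.pid, a.user, a.tty) == 3) {
            if (found < max)
                out[found++] = a;        /* first notice opens an attempt */
        } else if (sscanf(tag, " su[%d]: User tried to become %31s",
                          &a.pid, target) == 2) {
            /* attach to the newest open attempt with the same PID */
            for (int j = found - 1; j >= 0; j--)
                if (out[j].pid == a.pid && out[j].target[0] == '\0') {
                    strcpy(out[j].target, target);
                    break;
                }
        }
    }
    return found;
}

/* Constructed sample lines (not from the page); two attempts interleave. */
static const char *const sample[] = {
    "Aug 31 10:40:01 host su[411]: SU attempt failed by guest on /dev/ttyp3",
    "Aug 31 10:40:01 host su[412]: SU attempt failed by unknown on /dev/ttyp5",
    "Aug 31 10:40:01 host cron[99]: (root) CMD (run-parts)",
    "Aug 31 10:40:02 host su[412]: User tried to become operator using su",
    "Aug 31 10:40:02 host su[411]: User tried to become root using su",
};

int main(void)
{
    struct su_alert al[8];
    for (int i = 0, n = scan_su_alerts(sample, 5, al, 8); i < n; i++)
        printf("pid %d: %s on %s -> %s\n", al[i].pid, al[i].user, al[i].tty, al[i].target);
    return 0;
}
```

The target name comes from the caller's argv[1], so treat it as untrusted text in whatever consumes these alerts.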

 
 
 