backhoe.article

Published 17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Backhoe is a self-replicating backdoor that creates and deletes rootshells in /tmp periodically.

backhoe article, by miff

1.) what is it?

backhoe is a backdoor daemon that copies a rootshell into /tmp periodically, then deletes it. You set the frequency that you want rootshells to appear, and you set the amount of time that they will persist before backhoe deletes them. This gives the user who knows what to look for a convenient backdoor without having to modify any system binaries or otherwise fuck someone's box.

OK, so what? It puts a rootshell in /tmp every so often, BFD. Well, to make things more interesting, it also spawns multiple copies of itself, you know, in case root sees some strange process or behavior and decides to kill -9 the bitch. The separate copies (you pick how many you want) actually monitor each other using signals to make sure that all is well with the backdoor. If any of the copies of backhoe find that any of the other copies are missing or not functioning, backhoe goes into defense mode. In defense mode, backhoe kills all root sessions, spawns a new set of daemons (in addition to the ones already running), and reinitializes all of them. Normal operation continues, with a few more instances of backhoe in memory.

In order to make backhoe harder to kill all at once, I added a disguise routine which makes backhoe appear to be one of any number of normal processes (at random), or joke processes, if you prefer to fuck with the admin.
  
2.) why?

Why run backhoe? Well, I suppose it could actually be useful for its intended purpose with an inexperienced sysadmin. There are some mods you may wish to make (see below) if you really want to make it tight, tho. You may also wish to run it just to mess with your sysadmin - imagine his confusion when every time he tries to kill a particular process, his session dies? Finally, run it just to see how it works, then make improvements. I think there's lots of potential for self monitoring, self defending daemons to do many things other than just put rootshells in /tmp. (use y0 imagination)
  
3.) where will it run? how can I run it on XXXX?

At this point, backhoe has only been tested on Linux. I have only tested it on slackware (2.0.28 kernel) with perl 5.003. It definitely won't run on solaris as it is, mainly because of the flags on ps and parsing of the result set. This should be easy to fix tho; the code is intended to be easily modifiable. Wanna run it on NT or 95? hehe - sure tough guy.
  
4.) weaknesses

At this point, there are a few glaring weaknesses in backhoe that keep it from being industrial strength. I was gonna fix some of these but - bah - too lazy.

- It's not compiled, and will be hard to insert into system startup scripts without being noticed. The obvious answer: compile it. (Yes, perl has compilers now.) Or, if you prefer, translate it to C.
- The process numbers are predictable (I think they increment by 2). This would be easy to fix by adding a random dummy process generator to spin the ps id counter in between spawns.
- Its only defense is killing root sessions... (and spawning more of itself) There are ways to attack it without having a root session show up in ps -jax. Solution: this one is more complex, we'll deal with it some other time.
  
5.) recommendations if yer really gonna use it to make a backdoor

Well, obviously take note of the weaknesses above and take the recommended actions. Pay attention to the user configurable variables. Do you want 15 copies? How long do you want the root shells to hang out in the wind before they get deleted? What are some passable ps names on your system?

Another minor mod that would make it much more safe to use (in terms of other users grabbing yer rootshell) would be to make backhoe watch /tmp for a file of a name *you* specify, then chmod it 4755. That way you are not providing a backdoor to the other users on the system.

Finally, don't fuck up people's systems. Don't change the defense mode to 'rm -rf /*'. That would be rude. No point in that. The point of this code is to *not* fuck up ppl's systems, use it for fun. Enjoy, and hack the shit out of it, eh?
  
peace

-miff

shouts to:
musashi, for early discussions and the process grepping code
cplusplus, for being the first (unwitting) beta tester, and for being generally elite
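The two artefacts the article relies on are a setuid-root shell sitting in /tmp and a /tmp that honours the setuid bit. The following script is an added defender-side example, not part of the Packet Storm article or the backhoe code: it scans a directory for setuid files owned by a given uid and parses /proc/mounts-style text to check whether /tmp carries nosuid. The demo directory, the sample mount tables and the function names are constructed for illustration.

```python
"""Defensive checks for the backhoe pattern: setuid shells dropped in /tmp
and whether /tmp is mounted nosuid (which neuters a 4755 shell)."""
import os
import stat
import tempfile


def find_setuid_files(directory, owner_uid=0):
    """Return regular files under `directory` with the setuid bit set and
    owned by `owner_uid` (0 = root). This is exactly what backhoe drops."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat so a symlink cannot point us elsewhere
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def tmp_is_nosuid(mounts_text, mountpoint="/tmp"):
    """Parse /proc/mounts-style lines (dev mountpoint fstype opts dump pass);
    True if `mountpoint` is mounted with nosuid. No separate mount -> False."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "nosuid" in fields[3].split(",")
    return False


# Constructed sample mount tables (not taken from a real host).
MOUNTS_WEAK = "tmpfs /tmp tmpfs rw,relatime 0 0\n"
MOUNTS_HARDENED = "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"


def demo():
    """Create a throwaway dir with one 4755 file and one 0755 file, then scan
    it using the current uid in place of root; returns the flagged basenames."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("sh", 0o4755), ("notes.txt", 0o755)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [os.path.basename(p) for p in find_setuid_files(d, os.getuid())]


if __name__ == "__main__":
    print("setuid files found:", demo())
    print("/tmp nosuid:", tmp_is_nosuid(MOUNTS_WEAK), tmp_is_nosuid(MOUNTS_HARDENED))
```

Run the scan against the real /tmp as root with `owner_uid=0`, and feed `tmp_is_nosuid` the contents of /proc/mounts; a hit from the first or a False from the second is the condition this backdoor needs.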
