backhoe article, by miff

1.) what is it?

backhoe is a backdoor daemon that copies a rootshell into /tmp periodically, then deletes it. You set the frequency that you want rootshells to appear, and you set the amount of time that they will persist before backhoe deletes them. This gives the user who knows what to look for a convenient backdoor without having to modify any system binaries or otherwise fuck someone's box.

OK, so what? It puts a rootshell in /tmp every so often, BFD. Well, to make things more interesting, it also spawns multiple copies of itself, you know, in case root sees some strange process or behavior and decides to kill -9 the bitch. The separate copies (you pick how many you want) actually monitor each other using signals to make sure that all is well with the backdoor. If any of the copies of backhoe find that any of the other copies are missing or not functioning, backhoe goes into defense mode. In defense mode, backhoe kills all root sessions, spawns a new set of daemons (in addition to the ones already running), and reinitializes all of them. Normal operation continues, with a few more instances of backhoe in memory.

In order to make backhoe harder to kill all at once, I added a disguise routine which makes backhoe appear to be one of any number of normal processes (at random), or joke processes, if you prefer to fuck with the admin.

2.) why?

Why run backhoe? Well, I suppose it could actually be useful for its intended purpose with an inexperienced sysadmin. There are some mods you may wish to make (see below) if you really want to make it tight, tho. You may also wish to run it just to mess with your sysadmin - imagine his confusion when every time he tries to kill a particular process, his session dies? Finally, run it just to see how it works, then make improvements. I think there's lots of potential for self monitoring, self defending daemons to do many things other than just put rootshells in /tmp. (use y0 imagination)

3.) where will it run? how can i run it on XXXX?

At this point, backhoe has only been tested on Linux. I have only tested it on slackware (2.0.28 kernel) with perl 5.003. It definitely won't run on solaris as it is, mainly because of the flags on ps and parsing of the result set. This should be easy to fix tho; the code is intended to be easily modifiable. Wanna run it on NT or 95? hehe - sure tough guy.

4.) weaknesses

At this point, there are a few glaring weaknesses in backhoe that keep it from being industrial strength. I was gonna fix some of these but - bah - too lazy.

- It's not compiled, and will be hard to insert into system startup scripts without being noticed. The obvious answer: compile it. (Yes, perl has compilers now.) Or, if you prefer, translate it to C.

- The process numbers are predictable (I think they increment by 2). This would be easy to fix by adding a random dummy process generator to spin the ps id counter in between spawns.

- Its only defense is killing root sessions... (and spawning more of itself). There are ways to attack it without having a root session show up in ps -jax. Solution: this one is more complex, we'll deal with it some other time.

5.) recommendations if yer really gonna use it to make a backdoor

Well, obviously take note of the weaknesses above and take the recommended actions. Pay attention to the user configurable variables. Do you want 15 copies? How long do you want the root shells to hang out in the wind before they get deleted? What are some passable ps names on your system? Another minor mod that would make it much more safe to use (in terms of other users grabbing yer rootshell) would be to make backhoe watch /tmp for a file of a name *you* specify, then chmod it 4755. That way you are not providing a backdoor to the other users on the system.

Finally, don't fuck up people's systems. Don't change the defense mode to 'rm -rf /*'. That would be rude. No point in that. The point of this code is to *not* fuck up people's systems; use it for fun. Enjoy, and hack the shit out of it, eh?

peace
-miff

shouts to:
musashi, for early discussions and the process grepping code
cplusplus, for being the first (unwitting) beta tester, and for being generally elite
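The article lists three things an admin could actually notice: a setuid-root shell appearing in /tmp (the 4755 file from section 5), several copies of one perl interpreter running under borrowed ps names (the disguise routine from section 1), and the evenly spaced PIDs those copies get (the "increment by 2" weakness from section 4). The following is an added defender-side checker for exactly those traces; it is not code from the article or from backhoe. The directory listing and process table it ships with are constructed sample data, and the live helpers assume the Linux /proc layout (/proc/<pid>/exe and /proc/<pid>/cmdline). The name-mismatch list is a heuristic: a script started through a #! line also shows a name that differs from its interpreter, so the cluster check (one executable, several different names) is the stronger signal.

```python
"""Checks for the traces the backhoe article describes: a setuid-root file in
/tmp, several processes of one interpreter binary reporting different names,
and evenly spaced PIDs. Added example, not the article's or backhoe's code."""
import os
import stat
from collections import defaultdict

# Constructed sample directory listing: (path, st_mode, st_uid).
SAMPLE_TMP = [
    ("/tmp/.rs", 0o104755, 0),         # setuid root, world-executable
    ("/tmp/notes.txt", 0o100644, 1000),
    ("/tmp/tool", 0o100755, 0),        # root-owned but not setuid
    ("/tmp/mine", 0o104755, 1000),     # setuid, but not owned by root
]

# Constructed process table: (pid, name as ps shows it, target of /proc/<pid>/exe).
SAMPLE_PROCS = [
    (1195, "init", "/sbin/init"),
    (1198, "/usr/local/bin/backup.pl", "/usr/bin/perl"),  # legit #! script
    (1201, "syslogd", "/usr/sbin/syslogd"),
    (1203, "kflushd", "/usr/bin/perl"),  # borrowed names, one interpreter
    (1205, "crond", "/usr/bin/perl"),
    (1207, "nfsd", "/usr/bin/perl"),
    (1209, "-bash", "/bin/bash"),        # login shell: leading '-' is normal
]


def setuid_root_files(entries):
    """Regular files that are setuid and owned by uid 0."""
    return sorted(path for path, mode, uid in entries
                  if stat.S_ISREG(mode) and mode & stat.S_ISUID and uid == 0)


def name_mismatches(procs):
    """Processes whose shown name differs from the binary actually mapped.
    Review list, not a verdict: #! scripts land here too."""
    out = []
    for pid, name, exe in procs:
        shown = os.path.basename(name.lstrip("-"))
        if shown != os.path.basename(exe):
            out.append((pid, name, exe))
    return out


def disguise_clusters(procs, min_members=3):
    """Executables shared by >= min_members mismatching processes that use
    >= min_members distinct names. Returns {exe: sorted pids}."""
    by_exe = defaultdict(list)
    for pid, name, exe in name_mismatches(procs):
        by_exe[exe].append((pid, name))
    result = {}
    for exe, members in by_exe.items():
        names = {n for _, n in members}
        if len(members) >= min_members and len(names) >= min_members:
            result[exe] = sorted(p for p, _ in members)
    return result


def constant_stride(pids):
    """The common gap if the PIDs are evenly spaced, else None."""
    pids = sorted(pids)
    gaps = {b - a for a, b in zip(pids, pids[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def scan_tmp(directory="/tmp"):
    """Live version of setuid_root_files over a real directory."""
    entries = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        entries.append((entry.path, st.st_mode, st.st_uid))
    return setuid_root_files(entries)


def scan_procs(proc="/proc"):
    """Live process table from Linux /proc; skips kernel threads and
    processes whose exe link we may not read."""
    procs = []
    for d in os.listdir(proc):
        if not d.isdigit():
            continue
        try:
            exe = os.readlink(f"{proc}/{d}/exe")
            with open(f"{proc}/{d}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue
        if argv0:
            procs.append((int(d), argv0, exe))
    return procs


if __name__ == "__main__":
    print("setuid root files:", setuid_root_files(SAMPLE_TMP))
    print("clusters:", disguise_clusters(SAMPLE_PROCS))
    print("stride of perl cluster:", constant_stride([1203, 1205, 1207]))
```

On the sample data only /tmp/.rs is reported, the perl processes form one cluster (the backup script is swept in because it shares the interpreter, which is why the cluster is reported for review rather than killed), and the three disguised copies sit exactly two PIDs apart. Replace the constructed tables with scan_tmp() and scan_procs() to run the same checks on a live Linux host.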