
Dummy su program - designed to lure intruders into a trap

/*
 * From:    CERT Tools <cert-tools-request@cert.org>
 * To:      cert-tools@cert.org
 * Subject: Quiet list
 * Date:    Wed, 31 Aug 1994 10:37:16 -0400
 *
 * It's been quiet; here is something to stir things up a little :-)
 *
 *				- Shawn
 * Shawn F. Mckay				   phone: 617-253-2583
 * Dept. of Electrical Eng. & Computer Science	   email: shawn@eddie.mit.edu
 * M.I.T. / room 38-388 / Cambridge, MA  02139 / USA
 * ** PGP Key available on request **
 *
 */

/*
 * Dummy "su" program. Intended to help an intruder who does not
 * know the system (many work from "cheat sheets") to trip alarms
 * so the rightful sysadmin folks can charge to the rescue.
 *
 * Author: Shawn F. Mckay (shawn@aradia.uucp)
 * Revision Date: 94-08-29
 * Version: 1.1
 * Copyright (c) 1989-1994 Shawn F. Mckay, All Rights Reserved.
 * May not be sold for profit without written consent of the author.
 * No warranty of ANY KIND is implied, use at your own risk!
 *
 * Installation Notes:
 *   a) Create a directory in a secret place mode 770 (group whlcp)
 *   b) Move your real copy of "su" to this new location
 *      Make it also group whlcp and mode 4510
 *   c) Now, install this here su into the old location of your
 *      systems su program. (mode 4511) (usually /bin or /usr/bin).
 *      This program needs to be setuid root to be believed, but as
 *      you can see, it does NOT run as root: it switches to daemon as
 *      soon as it is run.
 *   d) Finally, make sure to add yourself to whlcp group as needed.
 *   e) Act quickly if you detect a violation of any kind
 *
 *   Also note, you will probably need to modify /etc/crontab to
 *   advise any system shell scripts where the "real" su went. You
 *   should probably try and ensure these places are also non-world
 *   readable.
 *
 * The above should work for almost ANY UNIX system. As always, use
 * your judgement.
 */

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>

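/*
 * Login name and tty of the caller. Filled in by main(), read by
 * sendmail(). Neither getlogin() nor ttyname() bounds its result to
 * the 9/19 bytes the original buffers held, so they are sized to the
 * usual LOGIN_NAME_MAX / TTY_NAME_MAX limits instead.
 */
char uname[256], tname[256];
extern char *getlogin(void), *ttyname(int);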

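/*
 * Copy src into dst, keeping at most dstsz-1 bytes and always
 * NUL-terminating. Any byte that is not printable ASCII is replaced
 * by '?', so text the program did not choose itself (login name,
 * tty name, argv[1]) cannot smuggle newlines or control characters
 * into the syslog lines written by main().
 */
static void copy_clean (char *dst, size_t dstsz, const char *src)
{
	size_t i = 0;

	if (dstsz == 0)
		return;
	while (i + 1 < dstsz && src[i] != '\0') {
		dst[i] = (isprint ((unsigned char)src[i]) ? src[i] : '?');
		i++;
	}
	dst[i] = '\0';
}

/*
 * Decoy "su": drop to daemon, log the attempt, ask for a password for
 * show, mail root, then refuse. Always exits with status 1. argv[1],
 * when present, is the account the caller asked for (default "root").
 */
int main (int argc, char **argv)
{
	char *key, *t;
	char target[64];

	/*
	 * If an intruder is to buy this, we must LOOK like a
	 * real copy of "/bin/su": refuse to run unless setuid root.
	 */

	if (geteuid ()) {
		fprintf (stderr, "su: not properly installed\n");
		exit (1);
	}

	/*
	 * Become daemon, "Right away!" -- group first, then user, and
	 * stop if either call fails rather than carry on as root.
	 */

	if (setgid (1) != 0 || setuid (1) != 0 || geteuid () == 0) {
		fprintf (stderr, "su: not properly installed\n");
		exit (1);
	}

	/*
	 * Discover our uname / location. Bounded copies: the original
	 * strcpy() into a 10-byte uname overflowed on long login names.
	 */

	if ((t = getlogin ()) == NULL)
		t = "unknown";
	copy_clean (uname, sizeof uname, t);

	if ((t = ttyname (2)) == NULL)
		t = "unknown";
	copy_clean (tname, sizeof tname, t);

	copy_clean (target, sizeof target, (argc > 1 ? argv[1] : "root"));

	/*
	 * Open log, and gripe!
	 */

#ifdef LOG_AUTH
	openlog ("su", LOG_PID, LOG_AUTH);
#else
	openlog ("su", LOG_PID);
#endif
	syslog (LOG_NOTICE, "SU attempt failed by %s on %s\n",
	uname, tname);
	syslog (LOG_NOTICE, "User tried to become %s using su\n", target);

	/*
	 * Query for a password, to look real. The typed text is never
	 * logged or mailed; it only feeds the delay below. getpass()
	 * returns NULL on EOF/error, which crypt() must not see.
	 */

	key = getpass ("Password: ");
	if (key == NULL)
		key = "";

	/*
	 * Also, send email here, to add to the "feel" of delay...
	 */

	sendmail (argc, argv);
	(void)crypt (key, "XX");/* Look and feel tactic */

	/*
	 * Of course, we knew this was coming!
	 */

	printf ("Sorry\n");

	exit (1);
}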

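/*
 * sendmail()
 *	Blast off an email message about this attempt. Quick and sweet.
 *	Returns 1 when the notice was handed to /usr/bin/mail and the
 *	mailer exited cleanly, 0 otherwise (mailer missing, popen() or
 *	pclose() failure). Only a fixed command line reaches the shell;
 *	uname, tname and argv[1] go into the message body via fprintf().
 */

int sendmail (int argc, char **argv)
{
	FILE	*pbuf;
	time_t	now;		/* time() takes time_t*, not long* */
	const char *when;
	const char *target = (argc > 1 ? argv[1] : "root");

	if (access ("/usr/bin/mail", F_OK) != 0)
		return (0);

	if ((pbuf = popen ("/usr/bin/mail root", "w")) == NULL)
		return (0);

	time (&now);
	when = ctime (&now);
	if (when == NULL)
		when = "(time unavailable)\n";

	fprintf (pbuf, "\nSECURITY VIOLATION NOTICE:\n\n");
	fprintf (pbuf, "Attempt failed to run su by %s from %s %s",
	uname, tname, when);

	fprintf (pbuf, "User tried to become %s using su\n", target);

	fprintf (pbuf, "\n.\n");

	/* A failed mailer means nobody was told; report that to the caller. */
	if (pclose (pbuf) != 0)
		return (0);

	return (1);
}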
