An su backdoor program

Author: collected by this site   Date: 2005-5-14

This code is a fake su, used to catch unauthorized users who try to log in as root. A double-edged sword.


/*
 * From: CERT Tools
 * To: cert-tools@cert.org
 * Subject: Quiet list
 * Date: Wed, 31 Aug 1994 10:37:16 -0400
 *
 * It's been quiet, here is something to stir things up a little :-)
 *
 * - Shawn
 * Shawn F. Mckay                          phone: 617-253-2583
 * Dept. of Electrical Eng. & Computer Science   email: shawn@eddie.mit.edu
 * M.I.T. / room 38-388 / Cambridge, MA 02139 / USA
 * ** PGP Key available on request **
 *
 */

/*
 * Dummy "su" program. Intended to help an intruder who does not
 * know the system (many work from "cheat sheets") to trip alarms
 * so the rightful sysadmin folks can charge to the rescue.
 *
 * Author: Shawn F. Mckay (shawn@aradia.uucp)
 * Revision Date: 94-08-29
 * Version: 1.1
 * Copyright (c) 1989-1994 Shawn F. Mckay, All Rights Reserved.
 * May not be sold for profit without written consent of author.
 * No warranty of ANY KIND is implied, use at your own risk!
 *
 * Installation Notes:
 *  a) Create a directory in a secret place mode 770 (group whlcp)
 *  b) Move your real copy of "su" to this new location
 *     Make it also group whlcp and mode 4510
 *  c) Now, install this here su into the old location of your
 *     system's su program. (mode 4511) (usually /bin or /usr/bin).
 *     This program needs to be setuid root to be believed, but as
 *     you can see, it does NOT run as root, it runs as daemon as
 *     soon as it's run.
 *  d) Finally, make sure to add yourself to whlcp group as needed.
 *  e) Act quickly if you detect a violation of any kind
 *
 * Also note, you will probably need to modify /etc/crontab to
 * advise any system shell scripts where the "real" su went. You
 * should probably try and ensure these places are also non-world
 * readable.
 *
 * The above should work for almost ANY UNIX system. As always, use
 * your judgement.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <time.h>
#include <crypt.h>      /* crypt(); link with -lcrypt on glibc systems */

char uname[10], tname[20];

int sendmail(int argc, char **argv);

int
main(int argc, char **argv)
{
    char *key, *t;

    /*
     * If an intruder is to buy this, we must LOOK like a
     * real copy of "/bin/su"
     */
    if (geteuid()) {
        fprintf(stderr, "su: not properly installed\n");
        exit(1);
    } else {
        /*
         * Become daemon (uid/gid 1), "Right away!"  If the privilege
         * drop fails we must not keep running as root, so bail out.
         */
        if (setgid(1) != 0 || setuid(1) != 0) {
            fprintf(stderr, "su: not properly installed\n");
            exit(1);
        }
    }

    /*
     * Discover our uname / location.  Both copies are bounded so a
     * long login name or tty path cannot overrun the buffers.
     */
    if ((t = getlogin()) == NULL)
        snprintf(uname, sizeof uname, "unknown");
    else
        snprintf(uname, sizeof uname, "%s", t);

    if ((t = ttyname(2)) == NULL)
        snprintf(tname, sizeof tname, "unknown");
    else
        snprintf(tname, sizeof tname, "%s", t);

    /*
     * Open log, and gripe!
     */
#ifdef LOG_AUTH
    openlog("su", LOG_PID, LOG_AUTH);
#else
    openlog("su", LOG_PID);
#endif
    syslog(LOG_NOTICE, "SU attempt failed by %s on %s", uname, tname);
    syslog(LOG_NOTICE, "User tried to become %s using su",
           (argc > 1 ? argv[1] : "root"));

    /*
     * Query for a password, to look real
     */
    key = getpass("Password: ");
    if (key == NULL)
        key = "";

    /*
     * Also, send email here, to add to the "feel" of delay...
     */
    sendmail(argc, argv);
    (void)crypt(key, "XX");     /* Look and feel tactic */

    /*
     * Of course, we knew this was coming!
     */
    printf("Sorry\n");

    exit(1);
}

/*
 * sendmail()
 * Blast off an email message about this attempt. Quick and sweet
 */
int
sendmail(int argc, char **argv)
{
    FILE *pbuf;
    time_t Clock;

    if (access("/usr/bin/mail", F_OK))
        return 0;

    if ((pbuf = popen("/usr/bin/mail root", "w")) == NULL)
        return 0;

    time(&Clock);

    fprintf(pbuf, "\nSECURITY VIOLATION NOTICE:\n\n");
    fprintf(pbuf, "Attempt failed to run su by %s from %s %s",
            uname, tname, ctime(&Clock));
    fprintf(pbuf, "User tried to become %s using su\n",
            (argc > 1 ? argv[1] : "root"));
    fprintf(pbuf, "\n.\n");
    pclose(pbuf);

    return 1;
}
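The installation notes in the program header (steps a to e) describe a file layout rather than giving commands: the real su is hidden in a group-only directory with mode 4510, and the decoy takes its place with mode 4511. The script below is an added example, not part of Shawn F. Mckay's program or of this site's listing; it carries out those steps and then checks that the resulting modes match the notes and that the hidden directory is not world-readable. It assumes the decoy has already been compiled to a binary, takes all paths and the admin group as arguments so it can be rehearsed on a scratch tree before touching /bin, and uses GNU stat's `-c %a` (Linux) for the checks.

```shell
#!/bin/sh
# Added example: installer for the decoy "su" layout from the header notes.
# Not the original author's code. Assumptions: the decoy is already compiled
# (path in $3), the admin group is passed in $4 ("whlcp" in the notes), and
# GNU stat is available for verify_decoy_layout.
#
# Usage: install_decoy_su REAL_SU HIDDEN_DIR DECOY_BIN GROUP
#   REAL_SU     path of the system su (e.g. /bin/su)
#   HIDDEN_DIR  secret directory that will hold the real su (step a)
#   DECOY_BIN   compiled decoy that replaces REAL_SU (step c)
#   GROUP       group allowed to reach the real su (step d)

install_decoy_su() {
    real_su=$1; hidden_dir=$2; decoy_bin=$3; group=$4

    [ -f "$real_su" ]   || { echo "install_decoy_su: $real_su missing" >&2; return 1; }
    [ -f "$decoy_bin" ] || { echo "install_decoy_su: $decoy_bin missing" >&2; return 1; }
    [ -e "$hidden_dir" ] && { echo "install_decoy_su: $hidden_dir already exists, refusing" >&2; return 1; }

    # a) secret directory, mode 770, owned by the admin group
    mkdir -p "$hidden_dir" || return 1
    chgrp "$group" "$hidden_dir" && chmod 770 "$hidden_dir" || return 1

    # b) move the real su there: group, then mode 4510 (setuid, group may exec).
    #    chgrp comes first because changing the group clears the setuid bit.
    mv "$real_su" "$hidden_dir/su" || return 1
    chgrp "$group" "$hidden_dir/su" && chmod 4510 "$hidden_dir/su" || return 1

    # c) put the decoy where su used to be, mode 4511 (setuid, world may exec)
    cp "$decoy_bin" "$real_su" || return 1
    chmod 4511 "$real_su" || return 1
}

# Checks the installed layout: decoy is 4511, real su is 4510, and the hidden
# directory has no world-read bit (the notes ask for it to be non-world-readable).
verify_decoy_layout() {
    real_su=$1; hidden_dir=$2

    [ "$(stat -c %a "$real_su")" = "4511" ] \
        || { echo "verify: decoy $real_su is not mode 4511" >&2; return 1; }
    [ "$(stat -c %a "$hidden_dir/su")" = "4510" ] \
        || { echo "verify: real su in $hidden_dir is not mode 4510" >&2; return 1; }

    dir_mode=$(stat -c %a "$hidden_dir")
    case $dir_mode in
        *[4567]) echo "verify: $hidden_dir is world-readable ($dir_mode)" >&2; return 1 ;;
    esac
    return 0
}
```

To rehearse it without root, point all four arguments at a scratch directory and your own primary group (`id -gn`); the same commands then work on the real paths as root, after which the cron entries mentioned in the notes still have to be updated by hand.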
