[Full-disclosure] Plague Proof of Concept Linux backdoor

[Andrew Farmer]

On 22 Oct 06, at 04:29, hijacker at oldum.net wrote:
> even if they have ssh access, there is still nothing they can do,  
> except
> to create two files in there $HOME directories containing  
> expressions from
> paths.h and sysexits.h ?
>
> Why would that be considered a backdoor?

The awk commands parse out the strings "/etc/passwd" and "/etc/ 
shadow" from
the headers. It's still rather easily detected - most of the rootkit- 
checking
programs will detect an alternate uid0 account very quickly - but it  
does
demonstrate an interesting way of avoiding target strings in the binary.