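#!/usr/bin/perl
# fbd.pl -> Fake Backdoor v1.2
#
# Updates:
#   Added new cloned commands: ps -aux, df, ls -l
#   Added line to print back to attacker if you want to.
#   Fixed stupid error on /etc/shadow matching string.
#
# Features:
#   Can 'clone' commands such as: id, uname -a, ls, pwd, /etc/shadow.
#   Prints attack host, and command which was used back to a log file.
#
# coded by: butternuts -> butternuts@hushmail.com
# date: 7/14/2002
#
# Review notes (security hardening of the listener itself):
#   - Everything a client sends is untrusted. The received "command" and the
#     reverse-DNS name (a PTR record is under the attacker's control too) are
#     sanitised before they reach the log, so newlines, NULs or terminal escape
#     sequences cannot be smuggled into fbdlog.txt.
#   - The read of the command is bounded in size and in time. Without that, a
#     single client that connects and never sends a newline (or sends an endless
#     line) wedges this single-threaded listener for every other client.
#   - SIGPIPE is ignored: a client that disconnects while we are still writing
#     the canned output would otherwise kill the whole honeypot.
#   - gethostbyaddr() returns undef when the peer has no PTR record; the original
#     called ->name on that undef and died on the first such client.
#   - "id" and "uname -a" are still answered with the REAL output of this host
#     (original design). Be aware this discloses the account the honeypot runs
#     as and the kernel version to whoever connects; swap in canned strings if
#     that matters.

use strict;
use warnings;
use IO::Socket;
use Net::hostent;    # makes gethostbyaddr() return an object (->name)

# Never let a disconnected peer take the process down with SIGPIPE.
$SIG{PIPE} = 'IGNORE';

# Real output captured once at start-up and replayed verbatim when the cloned
# command is run. Replace with fixed strings to avoid disclosing this host.
my $id    = `id`;
my $uname = `uname -a`;

my $port = "1337";          # Can change to reflect any port
my $log  = "fbdlog.txt";    # Can change to reflect any logfile.

my $max_cmd_len  = 4096;    # longest "command" line buffered per client (bytes)
my $read_timeout = 30;      # seconds an idle client may hold the listener

# If you wanna keep the log file every time the fake backdoor is started, take
# out this line. unlink() replaces the original `rm -rf $log`, which passed the
# file name through a shell for no reason.
unlink $log;

# Fake password file; decrypted root password is "dumbass".
# Single-quoted heredoc so the $ and . in the hash are emitted literally.
my $shadow = <<'SHADOW';
root:$1$WH9Qpjow$UF.lGOcf2TazdKFotoanq1:11785:0:99999:7:::
bin:*:11785:0:99999:7:::
daemon:*:11785:0:99999:7:::
adm:*:11785:0:99999:7:::
sync:*:11785:0:99999:7:::
shutdown:*:11785:0:99999:7:::
halt:*:11785:0:99999:7:::
mail:*:11785:0:99999:7:::
news:*:11785:0:99999:7:::
uucp:*:11785:0:99999:7:::
operator:*:11785:0:99999:7:::
ftp:*:11785:0:99999:7:::
nobody:*:11785:0:99999:7:::
nscd:!!:11785:0:99999:7:::
mailnull:!!:11785:0:99999:7:::
xfs:!!:11785:0:99999:7:::
SHADOW

my $ls_long = <<'LS_LONG';
total 14
-rwsr-sr-x 1 root root 365 Apr 12 13:11 bd
-rwsr-sr-x 1 root root 577 Apr 12 13:11 bdoor.conf
-rw-r--r-- 1 root root 119 Apr 12 13:11 bdoor.pid
-rwxr-xr-x 1 root root 1329 Apr 12 13:11 hide
-rw-r--r-- 1 root root 602 Apr 12 13:11 README
LS_LONG

my $ls_short = <<'LS_SHORT';
bd
bdoor.conf
bdoor.pid
hide
README
LS_SHORT

my $ps_aux = <<'PS_AUX';
apache 14105 0.0 1.0 11304 3920 ? S Jul01 0:35 /usr/local/apache
apache 31278 0.0 1.7 13576 6544 ? S Jul01 0:36 /usr/local/apache
apache 18127 0.0 1.0 13096 4216 ? S Jul01 0:38 /usr/local/apache
apache 23400 0.0 1.1 13088 4276 ? S Jul01 0:31 /usr/local/apache
apache 19610 0.0 0.9 11728 3792 ? S Jul01 0:31 /usr/local/apache
apache 25326 0.0 0.9 12060 3688 ? S Jul01 0:31 /usr/local/apache
apache 20672 0.0 1.6 13252 6228 ? S Jul01 0:35 /usr/local/apache
apache 29335 0.0 1.5 12908 5792 ? S Jul01 0:30 /usr/local/apache
apache 13891 0.0 1.6 13312 6292 ? S Jul02 0:26 /usr/local/apache
apache 11730 0.0 1.0 13192 4052 ? S Jul02 0:26 /usr/local/apache
apache 20114 0.0 1.2 12256 4772 ? S Jul02 0:27 /usr/local/apache
root 5016 0.0 0.4 6520 1804 ? S Jul08 0:00 /usr/sbin/sshd
fred 7123 0.0 0.5 6564 1948 ? S Jul08 0:00 /usr/sbin/sshd
fred 32520 0.0 0.3 2444 1316 pts/0 S Jul08 0:00 -bash
root 23869 0.0 0.2 2340 1028 pts/0 S Jul08 0:00 su -
root 22874 0.0 0.3 2508 1368 pts/0 S Jul08 0:00 -bash
root 27149 0.7 0.4 4912 1644 ? S 23:28 0:00 /usr/sbin/sshd
sshd 13056 0.0 0.3 4652 1472 ? S 23:28 0:00 /usr/sbin/sshd
PS_AUX

my $df = <<'DF';
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda3 11080488 7296874 2472193 74% /
/dev/hda5 869620 844004 0 100% /backup
/dev/hda1 101089 9453 86417 10% /boot
none 196256 0 192256 0% /dev/shm
/dev/hdb1 38438340 6017716 30492720 17% /home
DF

# Cloned commands, tried in order. Matching is deliberately a loose substring
# match on the received line (as in the original), so the more specific
# "ls -l" must be listed before plain "ls". First hit wins.
my @clones = (
    [ qr{id}           => "$id\n"          ],
    [ qr{uname -a}     => "$uname\n"       ],
    [ qr{/etc/shadow}  => $shadow          ],
    [ qr{ls -l}        => $ls_long         ],
    [ qr{ls}           => $ls_short        ],
    [ qr{pwd}          => "/home/fred/.bd\n" ],
    [ qr{ps -aux}      => $ps_aux          ],
    [ qr{df}           => $df              ],
);

# Read one "command" line from the client, stopping at the first newline or
# after $limit bytes, whichever comes first. Returns undef when the peer
# closed or errored before sending anything. Bytes after the newline are
# discarded (we only ever answer one command per connection).
sub read_command {
    my ($sock, $limit) = @_;
    my $buf = '';
    while (length($buf) < $limit) {
        my $n = sysread($sock, my $chunk, $limit - length($buf));
        last unless $n;    # 0 = EOF, undef = error
        $buf .= $chunk;
        last if index($chunk, "\n") >= 0;
    }
    return if $buf eq '';
    $buf =~ s/\n.*\z//s;
    return $buf;
}

# Make attacker-supplied text safe to put on one log line: anything outside
# printable ASCII (newlines, NULs, terminal escapes, ...) becomes '?'.
sub log_safe {
    my ($text) = @_;
    return '(none)' unless defined $text && length $text;
    $text =~ s/[^\x20-\x7e]/?/g;
    return $text;
}

# Rest needs no change.
my $socket = IO::Socket::INET->new(
    Listen    => 10,
    LocalPort => $port,
    Proto     => 'tcp',
    Reuse     => 1,
) or die "Cant bind fake backdoor to $port\n";

while (my $attacker = $socket->accept()) {
    open my $logfh, '>>', $log or die "Cant open $log: $!\n";

    my $ip      = $attacker->peerhost;
    my $hostent = gethostbyaddr($attacker->peeraddr);
    # undef when there is no reverse DNS for the peer -- fall back to the IP
    my $host = $hostent ? $hostent->name : $ip;

    print $attacker "bash# ";

    # Bounded read: at most $max_cmd_len bytes and $read_timeout seconds, so a
    # slow or silent client cannot block every later connection.
    my $in = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $read_timeout;
        my $line = read_command($attacker, $max_cmd_len);
        alarm 0;
        $line;
    };
    alarm 0;    # never let a pending alarm leak into the next accept()

    if (defined $in) {
        for my $clone (@clones) {
            my ($pattern, $output) = @$clone;
            if ($in =~ $pattern) {
                print $attacker $output;
                last;
            }
        }
    }

    # uncomment line below to print sentence to attacker
    #print $attacker "Thx for the logs dumbass.\n";
    close $attacker;

    # The IP is logged next to the hostname because the PTR name is whatever
    # the attacker's DNS says it is.
    print {$logfh} "---------------------------------------------------------\n";
    print {$logfh} "Attacker Hostname: ", log_safe($host), "\n";
    print {$logfh} "Attacker IP: ",       log_safe($ip),   "\n";
    print {$logfh} "Command ran: ",       log_safe($in),   "\n";
    print {$logfh} "---------------------------------------------------------\n";
    close $logfh or die "Cant write $log: $!\n";
}
#EOF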