BACKDOOR ACCOUNTS
     Backdoors are better than Windows ;-)
To create "backdoor accounts" you must have root. How to get root is an
entirely different subject; I will go over it in another post.
This is written for Linux, the syntax MAY be slightly different for other
OS's such as Solaris and BSD. Anyone feel free to correct something in here
for those systems.
Once you have root, it's a good idea to ensure that you keep it if you
intend to maintain a presence on that site.
1: The user whose password you cracked/sniffed/stole may change their
password.
2: Root may discover you and change or delete the account you used.
To create additional accounts, look in /etc/passwd. 
[Sample]
joe:86dcl9dN9Enec:503:504:Joe Howard:/home/joe:/bin/bash
dave:86StovcoBp/pM:504:505:Dave Jacobs:/home/dave:/bin/bash
chris:5mn1EG.hoASfU:505:506:Chris Smith:/home/chris:/bin/bash
jimmy:aIUOV5caGuyuI:507:508:Jimmy Tomas:/home/jimmy:/bin/bash
duff:vK5CXrYp/o3aU:508:509:Duff Garstecki:/home/duff:/bin/bash
linda:iv9Wec897rfRM:509:510:Linda Johnson:/home/linda:/bin/bash
user name : encrypted password : user id : group id : real name : home
directory : default shell
[Sample]
	This is just a small section of the password file. First you need to
find a user id (uid) that is not taken. If you create a user that has the uid
of an existing user, strange things can happen. In this imaginary example,
506 is open, perhaps because a user was removed. We can create our account
there. DON'T screw anything up, because if you accidentally corrupt the file,
change a user's password, or something along those lines, you will probably
tip off the admin that something is wrong.
Add the following line to /etc/passwd
tom::506:507:Tom David:/home/tom:/bin/bash
Add the following line to /etc/group
tom::507:tom
The format is group name, group password, group id, and the people in the
group.
	Right now this account is passwordless. You can log in without one.
However, this is extremely noticeable. So, as root, type "passwd tom" and
change his password to something you'll remember.
	Now setup a home directory for tom. mkdir /home/tom and copy all the
default files to it such as .bashrc .bash_profile, and whatever other .?????
configuration files the other users have. Perhaps copy some other garbage
files to make it appear the account has some usage, if you are really
paranoid. 
	But this directory is owned by root, not tom.
	chown --recursive tom:tom /home/tom
	chown changes the owner and group of a file/directory; --recursive
changes every file in that directory as well.
	
	Someone suggested that the creation of this account could be
determined by examining the creation date of the users home directory. That
is very true.
drwxr-xr-x   2 tom     tom         1024 Mar  6 23:50 tom
	Pretty obvious tom was created today, huh.
drwxr-xr-x   5 dave     dave         1024 Sep  7  1997 dave
	But look, dave was created a long time ago.
	Type "touch -r /home/dave /home/tom"
drwxrwxr-x   3 tom     tom         1024 Sep  7  1997 tom
	So was Tom! Go through and change all the files in his directory
this way too. touch changes the timestamp of a file, or, if the file doesn't
exist, creates a 0 byte file with the current time and date. It's generally
advised not to touch yourself while hacking though.
	Once you've done all this, you now have an account that looks fairly
legit, that you can log into at a future date, and won't be noticed.
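What the sysadmin can still see after this trick, as an added example that is not part of the original post: touch -r (and the utime() call behind it) sets only atime and mtime. The inode change time, ctime (the "Change:" line in GNU stat), is written by the kernel itself every time an inode is modified, touch included, and no userland tool sets it directly. A directory whose ctime is years later than its mtime was therefore backdated. The script below builds a throwaway directory in a temp location (a constructed stand-in, not a real home directory), backdates it the way the text describes, and flags it; the one-day gap threshold is an assumption chosen for the demo.

```python
import os
import tempfile
import time


def backdated_entries(paths, min_gap_seconds=86400):
    """Return (path, mtime, ctime) for every entry whose ctime is later than
    its mtime by more than min_gap_seconds.  On Linux utime()/touch can set
    atime and mtime but not ctime, so a large gap means the mtime was set
    by hand after the fact."""
    hits = []
    for path in paths:
        st = os.lstat(path)
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def scan_tree(root):
    """Yield root and everything below it, so a whole home directory can be
    handed to backdated_entries()."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def demo():
    """Constructed demonstration: one fresh directory and one whose
    timestamps were copied from an old reference, as 'touch -r' does."""
    with tempfile.TemporaryDirectory() as base:
        fresh = os.path.join(base, "fresh")
        faked = os.path.join(base, "tom")
        os.mkdir(fresh)
        os.mkdir(faked)
        # Equivalent of "touch -r /home/dave /home/tom": atime and mtime are
        # pushed back years (constructed value); ctime stays at "now".
        ancient = time.time() - 5 * 365 * 86400
        os.utime(faked, (ancient, ancient))
        flagged = backdated_entries([fresh, faked])
        return [os.path.basename(path) for path, _, _ in flagged]


if __name__ == "__main__":
    print("backdated:", demo())
```

On a live system, `backdated_entries(scan_tree("/home"))` walks every home directory; the only entries it should report are ones restored from backup or unpacked from an archive that preserved mtimes, and those are easy to explain.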
	If the password file is shadowed, make the entry in /etc/passwd but
put whatever symbol is used for shadowing in the password field, usually
"*". Then edit /etc/shadow and copy one of the other user lines, changing
the login name. The shadow format differs depending on which shadow
utility they used; most of the time the other fields are unimportant, being
"-9999" or something like that. Some systems do have information in the
shadow file, so use your best judgement and interpret the fields.
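The account-file edits described above (the passwd line, the group line, and the shadow entry) each leave a consistency mark an admin can check for. The script below is an added example, not part of the original post: it parses the three files in the formats the text lays out and reports the tells they mention, an empty password field, a uid shared by two users, a primary gid with no group line, and a passwd user with no shadow line (plus the standard check for a second uid 0 account). The sample file contents are constructed from the page's example names; the hashes are placeholders, and the "guest" user is invented to exercise the duplicate-uid check.

```python
# Constructed sample files, not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joe:x:503:504:Joe Howard:/home/joe:/bin/bash
dave:x:504:505:Dave Jacobs:/home/dave:/bin/bash
chris:x:505:506:Chris Smith:/home/chris:/bin/bash
tom::506:507:Tom David:/home/tom:/bin/bash
jimmy:x:507:508:Jimmy Tomas:/home/jimmy:/bin/bash
guest:x:507:508:Guest Account:/home/guest:/bin/bash
"""

GROUP = """\
root:x:0:
joe:x:504:joe
dave:x:505:dave
chris:x:506:chris
jimmy:x:508:jimmy
"""

# Shadow hashes are placeholders, not real password hashes.
SHADOW = """\
root:$6$placeholder:18000:0:99999:7:::
joe:$6$placeholder:18000:0:99999:7:::
dave:$6$placeholder:18000:0:99999:7:::
chris:$6$placeholder:18000:0:99999:7:::
jimmy:$6$placeholder:18000:0:99999:7:::
guest:$6$placeholder:18000:0:99999:7:::
"""


def _rows(text, nfields, label, findings):
    """Split a colon-separated file into field lists; malformed lines are
    reported rather than silently skipped, since a corrupt file is itself a
    sign that someone edited it by hand."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            findings.append(f"{label}: malformed entry {line!r}")
            continue
        rows.append(fields)
    return rows


def audit(passwd_text, group_text, shadow_text=None):
    """Return a list of human-readable findings, empty when nothing is off."""
    findings = []
    users = _rows(passwd_text, 7, "passwd", findings)

    by_uid = {}
    for name, pw, uid, gid, *_ in users:
        by_uid.setdefault(uid, []).append(name)
        if pw == "":
            findings.append(f"passwd: {name} has an empty password field")
        if uid == "0" and name != "root":
            findings.append(f"passwd: {name} has uid 0")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"passwd: uid {uid} is shared by {', '.join(names)}")

    gids = {gid for _, _, gid, _ in _rows(group_text, 4, "group", findings)}
    for name, _, _, gid, *_ in users:
        if gid not in gids:
            findings.append(f"group: primary gid {gid} of {name} is not in /etc/group")

    if shadow_text is not None:
        shadowed = {row[0] for row in _rows(shadow_text, 9, "shadow", findings)}
        for name, *_ in users:
            if name not in shadowed:
                findings.append(f"shadow: no shadow entry for {name}")
        for name in sorted(shadowed - {u[0] for u in users}):
            findings.append(f"shadow: {name} has a shadow entry but no passwd entry")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, GROUP, SHADOW):
        print(finding)
```

On a real host the same function takes the contents of /etc/passwd, /etc/group and /etc/shadow (the last readable only as root); running it from cron and diffing against the previous run turns a one-off audit into a change alarm.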
	Some other ways to provide access to a system are to install and run
one of the many programs that bind to a port and provide a shell if you
telnet to that port. There are many names for these types of programs, and
there are many variants. Search any code archive. Some will simply present
you with a shell if you connect to the port, others will ask for a password,
others will just sit there until you enter the password. This is noticeable
if the sysadmin port scans his system, however. You can add the program in
/etc/rc.d so it will load if the system is rebooted. Keep in mind, again,
that if the sysadmin has a clue and encounters this, he will know he has been
hacked.
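The text is right that a port-bound shell shows up to a port scan; it shows up from the inside too, without any scanning, because every listening socket is listed in /proc/net/tcp. The script below is an added example, not part of the original post: it parses that file's format (local address and port in hex, state 0A meaning LISTEN, the owning uid in the eighth column) and reports listeners that are not in a baseline the admin wrote down when the box was built. The sample /proc/net/tcp text and the baseline of ports 22 and 25 are constructed for the demo; port 9000 owned by uid 1000 is the constructed oddity.

```python
import socket

# Constructed excerpt in the layout of /proc/net/tcp (IPv4; /proc/net/tcp6
# is the same idea with 32-hex-digit addresses).  Not from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11112 1 0000000000000000 100 0 0 10 0
   2: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11113 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000201:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 11114 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code used by the kernel for LISTEN


def listening_sockets(proc_net_tcp_text):
    """Return (ip, port, uid) for every LISTEN socket in the text."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is stored as little-endian hex, so reverse the bytes.
        ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
        found.append((ip, int(port_hex, 16), int(fields[7])))
    return found


def unexpected_listeners(proc_net_tcp_text, baseline_ports):
    """Listeners whose port is not in the admin's recorded baseline."""
    return [entry for entry in listening_sockets(proc_net_tcp_text)
            if entry[1] not in baseline_ports]


if __name__ == "__main__":
    baseline = {22, 25}   # constructed: what this box is supposed to serve
    for ip, port, uid in unexpected_listeners(SAMPLE_PROC_NET_TCP, baseline):
        print(f"unexpected listener {ip}:{port} owned by uid {uid}")
```

For a live check, read /proc/net/tcp (and /proc/net/tcp6) instead of the sample text; `ss -ltnp` gives the same list with process names, but a script like this is easy to run from cron and compare against the previous run. A startup entry under /etc/rc.d that was not there at install time is the other thing to diff.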
	Or you could install one of the many rootkits out there today. These
replace binaries such as login and su and provide backdoor features. For
instance, a backdoored login could dump you to a root shell if given the
user name "letmein". A backdoored su could instantly make you root when you
attempt to 'su 31337'. Several kernel modules out there today will give you
root if you type 'kill -31337'. However, rootkits are more complex to
install and require a working knowledge of the operating system. If you
screw up, you could make the system unusable. That's bad, and will alert the
owner that something is up. 
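Replaced login and su binaries are what file integrity checking exists to catch: record a hash of every system binary when the host is built, keep that manifest somewhere the host cannot rewrite, and compare later. The script below is an added example, not part of the original post or of any rootkit's code: it builds a SHA-256 manifest, then detects a modified entry, using throwaway files in a temp directory as constructed stand-ins for /bin/login and /bin/su. The caveat the text's mention of kernel modules implies: a kernel-level rootkit can lie to every syscall this script makes, so the comparison is only trustworthy when run from known-good media against the unmounted disk; the package manager's own verification (rpm -V, debsums) has the same limitation.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Map each path to its current hash.  Store the result off-host or on
    read-only media; a manifest the attacker can rewrite proves nothing."""
    return {path: sha256_file(path) for path in paths}


def verify_manifest(manifest):
    """Return (path, reason) for every entry that is missing or changed."""
    problems = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != expected:
            problems.append((path, "modified"))
    return problems


def demo():
    """Constructed demonstration with stand-in files, not real binaries."""
    with tempfile.TemporaryDirectory() as base:
        originals = {"login": b"stand-in for the original login binary\n",
                     "su": b"stand-in for the original su binary\n"}
        paths = {}
        for name, body in originals.items():
            paths[name] = os.path.join(base, name)
            with open(paths[name], "wb") as fh:
                fh.write(body)
        manifest = build_manifest(paths.values())
        assert verify_manifest(manifest) == []   # clean right after baselining
        # Simulate a replaced login binary by overwriting the stand-in.
        with open(paths["login"], "wb") as fh:
            fh.write(b"stand-in for a replaced login binary\n")
        return [(os.path.basename(path), reason)
                for path, reason in verify_manifest(manifest)]


if __name__ == "__main__":
    print("integrity problems:", demo())
```

In practice the manifest covers /bin, /sbin, /usr/bin, /usr/sbin and the libraries they link, and the check runs from a rescue system rather than the host's own kernel, for the reason given above.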
	Any errors? Please correct me, or post additional information.