BackDoorEndpoint Class Reference

#include <BackDoor.h>

Inheritance diagram for BackDoorEndpoint:

[legend]Collaboration diagram for BackDoorEndpoint:

[legend]List of all members.

Public Member Functions
	BackDoorEndpoint (TCP_Endpoint *e)
int	DataSent (double t, int seq, int len, int caplen, const u_char *data, const IP_Hdr *ip, const struct tcphdr *tp)
RecordVal *	BuildStats ()
void	FinalCheckForRlogin ()
Protected Member Functions
void	CheckForRlogin (int seq, int len, const u_char *data)
void	RloginSignatureFound (int len)
void	CheckForTelnet (int seq, int len, const u_char *data)
void	TelnetSignatureFound (int len)
void	CheckForSSH (int seq, int len, const u_char *data)
void	CheckForFTP (int seq, int len, const u_char *data)
void	CheckForRootBackdoor (int seq, int len, const u_char *data)
void	CheckForNapster (int seq, int len, const u_char *data)
void	CheckForGnutella (int seq, int len, const u_char *data)
void	CheckForKazaa (int seq, int len, const u_char *data)
void	CheckForHTTP (int seq, int len, const u_char *data)
void	CheckForHTTPProxy (int seq, int len, const u_char *data)
void	CheckForSMTP (int seq, int len, const u_char *data)
void	CheckForIRC (int seq, int len, const u_char *data)
void	CheckForGaoBot (int seq, int len, const u_char *data)
void	SignatureFound (EventHandlerPtr e, int do_orig=0)
int	CheckForStrings (const char **strs, const u_char *data, int len)
int	CheckForString (const char *str, const u_char *data, int len)
Protected Attributes
int	is_partial
int	max_top_seq
int	rlogin_checking_done
int	rlogin_num_null
int	rlogin_string_separator_pos
int	rlogin_slash_seen
uint32	num_pkts
uint32	num_8k4_pkts
uint32	num_8k0_pkts
uint32	num_lines
uint32	num_normal_lines
uint32	num_bytes
uint32	num_7bit_ascii

---

Constructor & Destructor Documentation

BackDoorEndpoint::BackDoorEndpoint (  TCP_Endpoint *  e  )

Definition at line 29 of file BackDoor.cc. References is_partial, max_top_seq, num_7bit_ascii, num_8k0_pkts, num_8k4_pkts, num_bytes, num_lines, num_normal_lines, num_pkts, rlogin_checking_done, rlogin_num_null, rlogin_slash_seen, and rlogin_string_separator_pos. : TCP_EndpointAnalyzer(e) { is_partial = 0; max_top_seq = 0; rlogin_checking_done = 0; rlogin_string_separator_pos = 0; rlogin_num_null = 0; rlogin_slash_seen = 0; num_pkts = num_8k0_pkts = num_8k4_pkts = num_lines = num_normal_lines = num_bytes = num_7bit_ascii = 0; }

---

Member Function Documentation

RecordVal * BackDoorEndpoint::BuildStats (   )

Definition at line 126 of file BackDoor.cc. References RecordVal::Assign(), backdoor_endp_stats, is_partial, num_7bit_ascii, num_8k0_pkts, num_8k4_pkts, num_bytes, num_lines, num_normal_lines, num_pkts, TYPE_BOOL, TYPE_COUNT, and Val. Referenced by BackDoorAnalyzer::StatEvent(). { RecordVal* stats = new RecordVal(backdoor_endp_stats); stats->Assign(0, new Val(is_partial, TYPE_BOOL)); stats->Assign(1, new Val(num_pkts, TYPE_COUNT)); stats->Assign(2, new Val(num_8k0_pkts, TYPE_COUNT)); stats->Assign(3, new Val(num_8k4_pkts, TYPE_COUNT)); stats->Assign(4, new Val(num_lines, TYPE_COUNT)); stats->Assign(5, new Val(num_normal_lines, TYPE_COUNT)); stats->Assign(6, new Val(num_bytes, TYPE_COUNT)); stats->Assign(7, new Val(num_7bit_ascii, TYPE_COUNT)); return stats; }

void BackDoorEndpoint::CheckForFTP (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 415 of file BackDoor.cc. References CheckForString(), TCP_EndpointAnalyzer::Endpoint(), TCP_Endpoint::IsOrig(), len, and SignatureFound(). Referenced by DataSent(). { // Check for FTP signature // // Currently, the signatures include: "220 ", "220-" // // For a day's worth of LBNL FTP activity (7,229 connections), // the distribution of the code in the first line returned by // the server (the lines always began with a code) is: // // 220: 6685 // 421: 535 // 226: 7 // 426: 1 // 200: 1 // // The 421's are all "host does not have access" or "timeout" of // some form, so it's not big deal with we miss them (if that helps // keep down the false positives). if ( seq != 1 || Endpoint()->IsOrig() || len < 4 ) return; if ( CheckForString("220", data, len) && (data[3] == ' ' || data[3] == '-') ) SignatureFound(ftp_signature_found); else if ( CheckForString("421", data, len) && (data[3] == '-' || data[3] == ' ') ) SignatureFound(ftp_signature_found); }

void BackDoorEndpoint::CheckForGaoBot (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 518 of file BackDoor.cc. References CheckForString(), len, and SignatureFound(). Referenced by DataSent(). { if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) ) SignatureFound(gaobot_signature_found); }

void BackDoorEndpoint::CheckForGnutella (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 501 of file BackDoor.cc. References CheckForString(), len, and SignatureFound(). Referenced by DataSent(). { // After connecting to the server, the connecting client says: // // GNUTELLA CONNECT/<version>\n\n // // The accepting server responds: // // GNUTELLA OK\n\n // // We find checking the first 8 bytes suffices, and that will // also catch variants that use something other than "CONNECT". if ( seq == 1 && CheckForString("GNUTELLA ", data, len) ) SignatureFound(gnutella_signature_found); }

void BackDoorEndpoint::CheckForHTTP (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 591 of file BackDoor.cc. References CheckForHTTPProxy(), is_http_whitespace(), len, SignatureFound(), and skip_http_whitespace(). Referenced by DataSent(). { // According to the RFC, we should look for // '<method> SP <url> SP HTTP/<version> CR LF' // where: // // <method> = GET | HEAD | POST // // (i.e., HTTP 1.1 methods are ignored for now) // <version> = 1.0 | 1.1. // // However, this is probably too restrictive to catch 'non-standard' // requests. Instead, we look for certain methods only in the first // line of the first packet only. // // "The method is case-sensitive." -- RFC 2616 const char* http_method[] = { "GET", "HEAD", "POST", 0 }; if ( seq != 1 ) return; // first packet only // Pick up the method. int pos = skip_http_whitespace (data, len, 0); if ( pos < 0 ) return; int method; for ( method = 0; http_method[method]; ++method ) { const char* s = http_method[method]; int i; for ( i = pos; i < len; ++i, ++s ) if ( data[i] != *s ) break; if ( *s == '\0' ) { pos = i; break; } } if ( ! http_method[method] ) return; if ( pos >= len || ! is_http_whitespace(data[pos]) ) return; if ( http_signature_found ) SignatureFound(http_signature_found); if ( http_proxy_signature_found ) { const u_char* rest = data + pos; int rest_len = len - pos; pos = skip_http_whitespace(rest, rest_len, rest_len); if ( pos >= 0 ) CheckForHTTPProxy(seq, rest_len - pos, rest + pos); } }

void BackDoorEndpoint::CheckForHTTPProxy (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 655 of file BackDoor.cc. References is_absolute_url(), len, and SignatureFound(). Referenced by CheckForHTTP(). { // Proxy ONLY accepts absolute URI's: "The absoluteURI form is // REQUIRED when the request is being made to a proxy." -- RFC 2616 if ( is_absolute_url(data, len) ) SignatureFound(http_proxy_signature_found); }

void BackDoorEndpoint::CheckForIRC (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 478 of file BackDoor.cc. References CheckForStrings(), len, num_pkts, and SignatureFound(). Referenced by DataSent(). { // Look for any of the following exchange in the initial (15) packets // of a connection. // // WHO : (C->S) client query for name // PING : (S->C) test for presence of client at other end // PONG : (C->S) reply to PING message // MODE : (C->S) // IRCX : (C->S) ?? Not in RFC // NICK : (C->S) user nickname const char* irc_indicator[] = { "WHO", "PING", "PONG", "NODE", "IRCX", "NICK", 0 }; if ( num_pkts > 15 || len < 5 ) return; if ( CheckForStrings(irc_indicator, data, len) ) SignatureFound(irc_signature_found); }

void BackDoorEndpoint::CheckForKazaa (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 524 of file BackDoor.cc. References CheckForString(), len, and SignatureFound(). Referenced by DataSent(). { // *Some*, though not all, KaZaa connections begin with: // // GIVE<space> if ( seq == 1 && CheckForString("GIVE ", data, len) ) SignatureFound(kazaa_signature_found); }

void BackDoorEndpoint::CheckForNapster (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 447 of file BackDoor.cc. References CheckForString(), TCP_EndpointAnalyzer::Endpoint(), TCP_Endpoint::IsOrig(), len, and SignatureFound(). Referenced by DataSent(). { // Check for Napster signature "GETfoobar" or "SENDfoobar" where // "foobar" is the Napster handle associated with the request // (so pretty much any arbitrary identifier, but sent adjacent // to the GET or SEND with no intervening whitespace; but also // sent in a separate packet. if ( seq != 1 || ! Endpoint()->IsOrig() ) return; if ( len == 3 && CheckForString("GET", data, len) ) // GETfoobar. SignatureFound(napster_signature_found); else if ( len == 4 && CheckForString("SEND", data, len) ) // SENDfoobar. SignatureFound(napster_signature_found); }

void BackDoorEndpoint::CheckForRlogin (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 142 of file BackDoor.cc. References TCP_EndpointAnalyzer::Endpoint(), TCP_Endpoint::IsOrig(), len, max_top_seq, rlogin_checking_done, RLOGIN_MAX_SIGNATURE_LENGTH, rlogin_num_null, rlogin_slash_seen, rlogin_string_separator_pos, and RloginSignatureFound(). Referenced by DataSent(). { if ( rlogin_checking_done ) return; // Looking for pattern: // <null>string<null>string<null>string/string<null> // where all string's are non-empty 7-bit-ascii string // // To avoid having to reassemble, we keep testing each byte until // one of the following happens: // // - A gap in sequence number occurs // - Four null's have been found // - The number of bytes we examined reaches RLOGIN_MAX_SIGNATURE_LENGTH // - An empty or non-7-bit-ascii string is found // if ( seq == 1 ) { // Check if first byte is a NUL. if ( data[0] == 0 ) { rlogin_num_null = 1; if ( ! Endpoint()->IsOrig() ) { RloginSignatureFound(len); return; } rlogin_string_separator_pos = 1; ++seq; // move past the byte ++data; --len; } else { rlogin_checking_done = 1; return; } } if ( seq > max_top_seq && max_top_seq != 0 ) { // A gap! Since we don't reassemble things, stop now. RloginSignatureFound(0); return; } if ( seq + len <= max_top_seq ) return; // nothing new if ( seq < max_top_seq ) { // trim to just the new data int delta = max_top_seq - seq; seq += delta; data += delta; len -= delta; } // Search for rlogin signature. for ( int i = 0; i < len && rlogin_num_null < 4; ++i ) { if ( data[i] == 0 ) { if ( i + seq == rlogin_string_separator_pos + 1 ) { // Empty string found. rlogin_checking_done = 1; return; } else { rlogin_string_separator_pos = i + seq; ++rlogin_num_null; } } else if ( data[i] == '/' ) { if ( rlogin_num_null == 3 ) { if ( i + seq == rlogin_string_separator_pos + 1 ) { // Empty terminal type. rlogin_checking_done = 1; return; } rlogin_string_separator_pos = i + seq; rlogin_slash_seen = 1; } } else if ( data[i] >= 128 ) { // Non-7-bit-ascii rlogin_checking_done = 1; return; } } if ( rlogin_num_null == 4 ) { if ( rlogin_slash_seen ) RloginSignatureFound(0); else rlogin_checking_done = 1; return; } if ( seq + len > RLOGIN_MAX_SIGNATURE_LENGTH ) { // We've waited for too long RloginSignatureFound(0); return; } }

void BackDoorEndpoint::CheckForRootBackdoor (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 406 of file BackDoor.cc. References TCP_EndpointAnalyzer::Endpoint(), TCP_Endpoint::IsOrig(), len, and SignatureFound(). Referenced by DataSent(). { // Check for root backdoor signature: an initial payload of // exactly "# ". if ( seq == 1 && len == 2 && ! Endpoint()->IsOrig() && data[0] == '#' && data[1] == ' ' ) SignatureFound(root_backdoor_signature_found); }

void BackDoorEndpoint::CheckForSMTP (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 467 of file BackDoor.cc. References CheckForStrings(), len, and SignatureFound(). Referenced by DataSent(). { const char* smtp_handshake[] = { "HELO", "EHLO", 0 }; if ( seq != 1 ) return; if ( CheckForStrings(smtp_handshake, data, len) ) SignatureFound(smtp_signature_found); }

void BackDoorEndpoint::CheckForSSH (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 364 of file BackDoor.cc. References CheckForString(), DEFAULT_MTU, int, len, max_top_seq, num_8k0_pkts, num_8k4_pkts, num_pkts, and SignatureFound(). Referenced by DataSent(). { if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 && (data[4] == '1' || data[4] == '2') ) { SignatureFound(ssh_signature_found, 1); return; } // Check for length pattern. if ( seq < max_top_seq || max_top_seq == 0 ) // Retransmission involved, or first pkt => size info useless. return; if ( seq > max_top_seq ) { // Estimate number of packets in the sequence gap int gap = seq - max_top_seq; num_pkts += int((gap + DEFAULT_MTU - 1) / DEFAULT_MTU); } ++num_pkts; // According to the spec: // SSH 1.x pkts have size 8k+4 // SSH 2.x pkts have size 8k >= 16 (most cipher blocks are 8n) if ( len <= 127 ) switch ( len & 7 ) { case 0: if ( len >= 16 ) ++num_8k0_pkts; break; case 4: ++num_8k4_pkts; break; } else { // len is likely to be some MTU. } }

int BackDoorEndpoint::CheckForString (  const char *  str, const u_char *  data, int  len )  [protected]

Definition at line 688 of file BackDoor.cc. References len. Referenced by CheckForFTP(), CheckForGaoBot(), CheckForGnutella(), CheckForKazaa(), CheckForNapster(), CheckForSSH(), and CheckForStrings(). { for ( ; len > 0 && *str; --len, ++data, ++str ) if ( *str != *data ) return 0; return *str == 0; }

int BackDoorEndpoint::CheckForStrings (  const char **  strs, const u_char *  data, int  len )  [protected]

Definition at line 678 of file BackDoor.cc. References CheckForString(), and len. Referenced by CheckForIRC(), and CheckForSMTP(). { for ( ; *strs; ++strs ) if ( CheckForString(*strs, data, len) ) return 1; return 0; }

void BackDoorEndpoint::CheckForTelnet (  int  seq, int  len, const u_char *  data )  [protected]

Definition at line 273 of file BackDoor.cc. References IS_TELNET_NEGOTIATION_CMD, len, NORMAL_LINE_LENGTH, num_7bit_ascii, num_bytes, num_lines, num_normal_lines, TELNET_IAC, and TelnetSignatureFound(). Referenced by DataSent(). { if ( len >= 3 && data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) ) { TelnetSignatureFound(len); return; } // Note, we do the analysis per-packet rather than on the reassembled // stream. This is a lot more efficient as then we don't need to // do stream reassembly; but it's potentially less accurate, and // subject to evasion. *But*: backdoor detection is inherently // subject to a wide variety of evasion, so allowing this form // (which is a pain to exploit) costs little. num_bytes += len; int last_char = 0; int offset = 0; // where we consider the latest line to have begun int option_length = 0; // length of options in a line for ( int i = 0; i < len; ++i ) { unsigned int c = data[i]; if ( c == '\n' && last_char == '\r' ) { // Compress CRLF to just one line termination. last_char = c; continue; } if ( c == '\n' || c == '\r' ) { ++num_lines; if ( i - offset - option_length <= NORMAL_LINE_LENGTH ) ++num_normal_lines; option_length = 0; offset = i; } else if ( c == TELNET_IAC ) { ++option_length; --num_bytes; if ( ++i < len ) { unsigned int code = data[i]; if ( code == TELNET_IAC ) // Escaped IAC. last_char = code; else if ( code >= 251 && code <= 254 ) { // 3-byte option: ignore next byte ++i; option_length += 2; num_bytes -= 2; } else // XXX: We don't deal with sub option for simplicity // although we SHOULD! { ++option_length; --num_bytes; } } continue; } else if ( c != 0 && c < 128 ) ++num_7bit_ascii; last_char = c; } }

int BackDoorEndpoint::DataSent (  double  t, int  seq, int  len, int  caplen, const u_char *  data, const IP_Hdr *  ip, const struct tcphdr *  tp )  [virtual]

Reimplemented from TCP_EndpointAnalyzer. Definition at line 64 of file BackDoor.cc. References TCP_Endpoint::AckSeq(), CheckForFTP(), CheckForGaoBot(), CheckForGnutella(), CheckForHTTP(), CheckForIRC(), CheckForKazaa(), CheckForNapster(), CheckForRlogin(), CheckForRootBackdoor(), CheckForSMTP(), CheckForSSH(), CheckForTelnet(), TCP_EndpointAnalyzer::Endpoint(), is_partial, len, max_top_seq, TCP_Endpoint::StartSeq(), TCP_Endpoint::state, and TCP_PARTIAL. { if ( caplen < len ) len = caplen; if ( len <= 0 ) return 0; if ( Endpoint()->state == TCP_PARTIAL ) is_partial = 1; int ack = Endpoint()->AckSeq() - Endpoint()->StartSeq(); int top_seq = seq + len; if ( top_seq <= ack || top_seq <= max_top_seq ) // There is no new data in this packet. return 0; if ( rlogin_signature_found ) CheckForRlogin(seq, len, data); if ( telnet_signature_found ) CheckForTelnet(seq, len, data); if ( ssh_signature_found ) CheckForSSH(seq, len, data); if ( ftp_signature_found ) CheckForFTP(seq, len, data); if ( root_backdoor_signature_found ) CheckForRootBackdoor(seq, len, data); if ( napster_signature_found ) CheckForNapster(seq, len, data); if ( gnutella_signature_found ) CheckForGnutella(seq, len, data); if ( kazaa_signature_found ) CheckForKazaa(seq, len, data); if ( http_signature_found || http_proxy_signature_found ) CheckForHTTP(seq, len, data); if ( smtp_signature_found ) CheckForSMTP(seq, len, data); if ( irc_signature_found ) CheckForIRC(seq, len, data); if ( gaobot_signature_found ) CheckForGaoBot(seq, len, data); max_top_seq = top_seq; return 1; }

void BackDoorEndpoint::FinalCheckForRlogin (   )

Definition at line 53 of file BackDoor.cc. References rlogin_checking_done, rlogin_num_null, and RloginSignatureFound(). Referenced by BackDoorAnalyzer::Done(). { if ( ! rlogin_checking_done ) { rlogin_checking_done = 1; if ( rlogin_num_null > 0 ) RloginSignatureFound(0); } }

void BackDoorEndpoint::RloginSignatureFound (  int  len  )  [protected]

Definition at line 257 of file BackDoor.cc. References TCP_EndpointAnalyzer::Conn(), Connection::ConnectionEvent(), TCP_EndpointAnalyzer::Endpoint(), len, rlogin_checking_done, rlogin_num_null, TYPE_BOOL, TYPE_COUNT, and Val. Referenced by CheckForRlogin(), and FinalCheckForRlogin(). { if ( rlogin_checking_done ) return; rlogin_checking_done = 1; val_list* vl = new val_list; vl->append(Conn()->BuildConnVal()); vl->append(new Val(Endpoint()->IsOrig(), TYPE_BOOL)); vl->append(new Val(rlogin_num_null, TYPE_COUNT)); vl->append(new Val(len, TYPE_COUNT)); Conn()->ConnectionEvent(rlogin_signature_found, vl); }

void BackDoorEndpoint::SignatureFound (  EventHandlerPtr  e, int  do_orig = 0 )  [protected]

Definition at line 666 of file BackDoor.cc. References TCP_EndpointAnalyzer::Conn(), Connection::ConnectionEvent(), TCP_EndpointAnalyzer::Endpoint(), TYPE_BOOL, and Val. Referenced by CheckForFTP(), CheckForGaoBot(), CheckForGnutella(), CheckForHTTP(), CheckForHTTPProxy(), CheckForIRC(), CheckForKazaa(), CheckForNapster(), CheckForRootBackdoor(), CheckForSMTP(), and CheckForSSH(). { val_list* vl = new val_list; vl->append(Conn()->BuildConnVal()); if ( do_orig ) vl->append(new Val(Endpoint()->IsOrig(), TYPE_BOOL)); Conn()->ConnectionEvent(e, vl); }

void BackDoorEndpoint::TelnetSignatureFound (  int  len  )  [protected]

Definition at line 354 of file BackDoor.cc. References TCP_EndpointAnalyzer::Conn(), Connection::ConnectionEvent(), TCP_EndpointAnalyzer::Endpoint(), len, TYPE_BOOL, TYPE_COUNT, and Val. Referenced by CheckForTelnet(). { val_list* vl = new val_list; vl->append(Conn()->BuildConnVal()); vl->append(new Val(Endpoint()->IsOrig(), TYPE_BOOL)); vl->append(new Val(len, TYPE_COUNT)); Conn()->ConnectionEvent(telnet_signature_found, vl); }

---

Member Data Documentation

int BackDoorEndpoint::is_partial [protected]

Definition at line 65 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and DataSent().

int BackDoorEndpoint::max_top_seq [protected]

Definition at line 66 of file BackDoor.h. Referenced by BackDoorEndpoint(), CheckForRlogin(), CheckForSSH(), and DataSent().

uint32 BackDoorEndpoint::num_7bit_ascii [protected]

Definition at line 79 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForTelnet().

uint32 BackDoorEndpoint::num_8k0_pkts [protected]

Definition at line 75 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForSSH().

uint32 BackDoorEndpoint::num_8k4_pkts [protected]

Definition at line 74 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForSSH().

uint32 BackDoorEndpoint::num_bytes [protected]

Definition at line 78 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForTelnet().

uint32 BackDoorEndpoint::num_lines [protected]

Definition at line 76 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForTelnet().

uint32 BackDoorEndpoint::num_normal_lines [protected]

Definition at line 77 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), and CheckForTelnet().

uint32 BackDoorEndpoint::num_pkts [protected]

Definition at line 73 of file BackDoor.h. Referenced by BackDoorEndpoint(), BuildStats(), CheckForIRC(), and CheckForSSH().

int BackDoorEndpoint::rlogin_checking_done [protected]

Definition at line 68 of file BackDoor.h. Referenced by BackDoorEndpoint(), CheckForRlogin(), FinalCheckForRlogin(), and RloginSignatureFound().

int BackDoorEndpoint::rlogin_num_null [protected]

Definition at line 69 of file BackDoor.h. Referenced by BackDoorEndpoint(), CheckForRlogin(), FinalCheckForRlogin(), and RloginSignatureFound().

int BackDoorEndpoint::rlogin_slash_seen [protected]

Definition at line 71 of file BackDoor.h. Referenced by BackDoorEndpoint(), and CheckForRlogin().

int BackDoorEndpoint::rlogin_string_separator_pos [protected]

Definition at line 70 of file BackDoor.h. Referenced by BackDoorEndpoint(), and CheckForRlogin().

---

The documentation for this class was generated from the following files:

• BackDoor.h
• BackDoor.cc

---