[CentOS] Uselib24/bindz - owned!

Thu May 4 04:43:20 UTC 2006
Nick <list at everywhereinternet.com>

So, pretty sure one of my boxes has been owned. Just wanted some advice 
on what to do next. Obviously, I'll need to nuke the fecker and start 
over, but it would be really nice to find out how they got in as it's a 
CentOS 4.3 which is bang up to date.

So I found:

PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
 7052 apache    25   0 27320 5348     8 R    99.0  0.5 736:52   0 uselib24

[root at box tmp]# netstat -lnp |more
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:32768               0.0.0.0:*                   LISTEN      3012/rpc.statd
tcp        0      0 127.0.0.1:32769             0.0.0.0:*                   LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:66                  0.0.0.0:*                   LISTEN      3124/sshd
tcp        0      0 0.0.0.0:9865                0.0.0.0:*                   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      14534/mysqld
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2993/portmap
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:113                 0.0.0.0:*                   LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      3578/vsftpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      10707/sendmail: acc
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      7031/bindz

Bindz.... hmm. Telnetting to the port gave me a root shell - nice. My 
firewall scripts should block that port, but I don't know if they're 
working now :(

Contents of /var/tmp were:

-rwxrwxr-x    1 apache   apache      19429 Jan 10 16:20 bindz
-rw-r--r--    1 apache   apache       2100 Jan  8 21:32 dc.txt
-rwxrwxr-x    1 apache   apache     479843 Aug  3  2005 uselib24

dc.txt started:

#!/usr/bin/perl
use IO::Socket;
#IRAN HACKERS SABOTAGE Connect Back Shell
#code by:LorD
#We Are :LorD-C0d3r-NT
#Email:LorD at ihsteam.com
#
#lord at SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord at SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

I might e-mail him and thank him.

So what next?
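The listener table in the post is the kind of evidence a triage script can check mechanically. The following is an added example, not code from the post or from CentOS: it parses the text output of `netstat -lnp`, compares each listening TCP socket against a map of which daemon the admin expects on which port, and groups listeners per PID so that one process holding several ports (7031/bindz on 80, 443 and 9865 above) stands out. The `EXPECTED` map is an assumption built from the post's own table, with `httpd` assumed as the intended service on 80 and 443 (the post shows only the `apache` user, not the daemon); the sample input is the post's netstat output re-joined onto one line per socket.

```python
"""Triage helper: flag unexpected listeners in `netstat -lnp` output.

Added example; not from the original post. Reports
  * high:   a port served by a program other than the expected daemon
  * medium: a non-loopback listener on a port with no expected service
  * low:    a loopback-only listener on a port with no expected service
and maps pid -> ports so a rogue process that grabbed several ports is obvious.
"""
from collections import defaultdict

# ASSUMPTION: what the admin intended to run on this box. Taken from the
# post's table; httpd on 80/443 is assumed (the post only shows the apache user).
EXPECTED = {
    21: "vsftpd", 25: "sendmail", 66: "sshd", 80: "httpd",
    111: "portmap", 113: "xinetd", 443: "httpd", 3306: "mysqld",
}

# Constructed sample: the post's netstat output, each record on one line.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:32768               0.0.0.0:*                   LISTEN      3012/rpc.statd
tcp        0      0 127.0.0.1:32769             0.0.0.0:*                   LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:66                  0.0.0.0:*                   LISTEN      3124/sshd
tcp        0      0 0.0.0.0:9865                0.0.0.0:*                   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      14534/mysqld
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2993/portmap
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:113                 0.0.0.0:*                   LISTEN      3138/xinetd
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      3578/vsftpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      10707/sendmail: acc
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      7031/bindz
"""


def parse_listeners(netstat_output):
    """Return [(port, bind_addr, pid, program)] for every listening TCP socket.

    maxsplit=6 keeps the whole PID/Program column together, because netstat
    prints a truncated process title there ('sendmail: acc') that contains
    spaces; the title suffix after ':' is dropped to get the program name.
    """
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        pid, _, prog = parts[6].partition("/")
        listeners.append((int(port), addr, pid, prog.split(":")[0].strip()))
    return listeners


def flag_listeners(listeners, expected=EXPECTED):
    """Return [(severity, port, pid, program, reason)] for sockets breaking expectations."""
    findings = []
    for port, addr, pid, prog in listeners:
        want = expected.get(port)
        if want is None:
            sev = "low" if addr.startswith("127.") else "medium"
            findings.append((sev, port, pid, prog, "no expected service on this port"))
        elif prog != want:
            findings.append(("high", port, pid, prog, f"expected {want}"))
    return findings


def ports_by_pid(listeners):
    """Map pid -> (program, sorted ports); one pid on many ports is the rogue."""
    held = defaultdict(set)
    name = {}
    for port, _addr, pid, prog in listeners:
        held[pid].add(port)
        name[pid] = prog
    return {pid: (name[pid], sorted(ports)) for pid, ports in held.items()}


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for sev, port, pid, prog, why in sorted(flag_listeners(found), key=lambda f: f[1]):
        print(f"[{sev:6}] port {port:<5} pid {pid:<6} {prog:<12} {why}")
    for pid, (prog, ports) in ports_by_pid(found).items():
        if len(ports) > 1:
            print(f"pid {pid} ({prog}) listens on {ports}")
```

Run against the post's table it reports 80 and 443 as high (bindz where httpd was expected), 9865 and 32768 as medium, 32769 as low, and shows pid 7031 holding all three bindz ports. The expectation map is the weak point: keep it in version control from a known-good build of the host, since a listener list captured after the compromise cannot be trusted to define "normal".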