[CentOS] Uselib24/bindz - owned!

Thu May 4 05:31:56 UTC 2006
Rick Philbrick <rickphilbrick at gmail.com>

Hi,

Well that's telling.  So do you have chkrootkit installed?  Although
you know you've got to have a rootkit on there. Anyway, it may help
narrow your search of the directories and the changes within.

-rickp

On 5/3/06, Nick <list at everywhereinternet.com> wrote:
> So pretty sure one of my boxes has been owned. Just wanted some advice
> on what to do next. Obviously, I'll need to nuke the fecker and start
> over but it would be really nice to find out how they got in as it's a
> CentOS 4.3 which is bang up to date.
>
> So I found:
>
> PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
>  7052 apache    25   0 27320 5348     8 R    99.0  0.5 736:52   0 uselib24
>
> [root at box tmp]# netstat -lnp |more
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      3012/rpc.statd
> tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN      3138/xinetd
> tcp        0      0 0.0.0.0:66              0.0.0.0:*               LISTEN      3124/sshd
> tcp        0      0 0.0.0.0:9865            0.0.0.0:*               LISTEN      7031/bindz
> tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      14534/mysqld
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2993/portmap
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7031/bindz
> tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      3138/xinetd
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      3578/vsftpd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      10707/sendmail: acc
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7031/bindz
>
> Bindz.... hmm. telnetting to the port gave me a root shell - nice. My
> firewall scripts should block that port but I don't know if they're
> working now :(
>
> contents of /var/tmp was:
>
> -rwxrwxr-x    1 apache   apache      19429 Jan 10 16:20 bindz
> -rw-r--r--    1 apache   apache       2100 Jan  8 21:32 dc.txt
> -rwxrwxr-x    1 apache   apache     479843 Aug  3  2005 uselib24
>
> dc.txt started:
>
> #!/usr/bin/perl
> use IO::Socket;
> #IRAN HACKERS SABOTAGE Connect Back Shell
> #code by:LorD
> #We Are :LorD-C0d3r-NT
> #Email:LorD at ihsteam.com
> #
> #lord at SlackwareLinux:/home/programing$ perl dc.pl
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #Usage: dc.pl [Host] [Port]
> #
> #Ex: dc.pl 127.0.0.1 2121
> #lord at SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
> #--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
> #
> #[*] Resolving HostName
> #[*] Connecting... 127.0.0.1
> #[*] Spawning Shell
> #[*] Connected to remote host
>
> I might e-mail him and thank him.
>
> So what next?
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
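As an added example that is not part of this thread: a small Python check over the listener table Nick posted (reflowed to one line per socket), comparing the program that owns each listening port against a per-host baseline. The baseline dictionary and the reflowed sample are my assumptions, not anything from the list.

```python
import re

# Assumed baseline for this host: which program should own each listening
# TCP port. sshd is listed on 66 because that is where this box runs it.
EXPECTED = {
    80: "httpd", 443: "httpd", 21: "vsftpd", 25: "sendmail", 66: "sshd",
    3306: "mysqld", 111: "portmap", 113: "xinetd",
}

# Constructed sample: the thread's netstat -lnp output, one socket per line.
NETSTAT = """\
tcp        0      0 0.0.0.0:32768   0.0.0.0:*   LISTEN      3012/rpc.statd
tcp        0      0 0.0.0.0:66      0.0.0.0:*   LISTEN      3124/sshd
tcp        0      0 0.0.0.0:9865    0.0.0.0:*   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:3306    0.0.0.0:*   LISTEN      14534/mysqld
tcp        0      0 0.0.0.0:80      0.0.0.0:*   LISTEN      7031/bindz
tcp        0      0 0.0.0.0:21      0.0.0.0:*   LISTEN      3578/vsftpd
tcp        0      0 127.0.0.1:25    0.0.0.0:*   LISTEN      10707/sendmail: acc
tcp        0      0 0.0.0.0:443     0.0.0.0:*   LISTEN      7031/bindz
"""

# One LISTEN row: local port, PID and program name (text before any ':' so
# "sendmail: acc" is read as "sendmail").
LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/([^\s:]+)")

def parse_listeners(text):
    """Return (port, pid, program) for every LISTEN line in netstat output."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return out

def suspicious(listeners, expected=EXPECTED):
    """Findings: a port owned by the wrong program, or a port with no
    expected owner at all. Each finding is (port, pid, program, reason)."""
    findings = []
    for port, pid, prog in listeners:
        want = expected.get(port)
        if want is None:
            findings.append((port, pid, prog, "no expected owner"))
        elif prog != want:
            findings.append((port, pid, prog, f"expected {want}"))
    return findings

if __name__ == "__main__":
    for port, pid, prog, why in suspicious(parse_listeners(NETSTAT)):
        print(f"port {port}: pid {pid} ({prog}) - {why}")
```

On the sample this flags bindz three times (80 and 443 belong to httpd, 9865 has no owner in the baseline) plus the rpc.statd dynamic port, which is the kind of entry you tune out of the baseline once reviewed.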