Malicious Script hnc.cgi ?

[smile]

Hello,

Since last few hours I keep seeing a process run by a user named hnc.cgi . I killed it and then it appeared again. I searched the entire directory of the user where this process was launched but I could not find anything over there too.
The process just keeps coming up again and again.

Can somebody throw some light on this, what is this hnc.cgi process and if its a malicious file being run.

 

[ebizindia]

cgi-bin directory?

Look in the cgi-bin directory. Also look for files named good.txt, bad.txt etc. There may be a trojan sending out spam from your server.

 

[AndyReed]

Since last few hours I keep seeing a process run by a user named hnc.cgi . I killed it and then it appeared again. I searched the entire directory of the user where this process was launched but I could not find anything over there too.
The process just keeps coming up again and again.

/tmp is the directory where these files are saved/downloaded. I suggest you seek professional help to secure and harden your server. You can also search these forums on how to secure your server, if you're comfortable with Linux and cPanel.

 

[smile]

Nothing in cgi-bin and the tmp is clean. Any other possibility that you can see ?

 

[jpetersen]

The one time I've seen hnc.cgi, it was in the location that ebizindia stated, which was the user's cgi-bin/ directory.

Here it is being uploaded:

[b]Sep 25 05:52:19[/b] host pure-ftpd: ([email protected]) [NOTICE] /home/victim//www/cgi-bin/hnc.cgi uploaded  (35024 bytes, 67.26KB/sec)

then executed:

example.com:195.189.226.220 - - [b][25/Sep/2008:05:52:19 -0400][/b] "GET /cgi-bin/hnc.cgi HTTP/1.0" 200 1 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

and then removed:

[b]Sep 25 05:52:20[/b] host pure-ftpd: ([email protected]) [NOTICE] Deleted www/cgi-bin/hnc.cgi

You're not finding it on the filesystem because it's probably getting deleted immediately after being executed. Check your syslogs for any FTP activity related to the file:

# cd /var/log
# zgrep hnc.cgi messages*

edit: also check any domain logs in /usr/local/apache/domlogs for "hnc.cgi" as well.

more edit: in case I wasn't all too clear, the issue in the logs shown above occurred because the attacker had, somehow, obtained the user's cPanel password, which allowed them to upload the file via FTP. Once you find the cause of the script getting onto your server, make sure you change that user's password, tell them to never use any old passwords they've used before (since at least 1 is known by someone else), and it would probably be a good idea for the user to install/update/run a full antivirus scan on their own computer, in case that was the cause of their password getting stolen (e.g., the customer's home computer is trojaned, being keylogged, etc).

Do let us know what you find out please.

 

[jpetersen]

To break up the posts a bit, I'm making a separate reply.

To answer your question: the script could be legit, unless it's not. The one I saw is not. Check the first few lines of the script. If it looks like this:

# head -2 hnc.cgi
#!/usr/bin/perl -w
# HSH.net client

then it's a script for sending spam.

Here's a very small part of it which shows the fake mail user agent strings that the script uses:

        my $mailer =
        [
                "Exim 3.12",
                "Qmail 2.67",
                "Sendmail 3.84/3.84",
                "mLogic",
                "WebPOP 1.0",
                "Gentoo"
        ];

If you're on any spam related feedback loops like the one AOL provides, check the headers of the spam complaints. If you see any of those user agent strings in the headers, then you might have an hnc.cgi issue on your server.

If you're unable to locate the cause of the problem, I would definitely recommend hiring an admin to help you investigate.