Security Alert - Possible hack script here?

ricoche (Well-Known Member, Feb 7, 2003)
Hello there,

To Moderators: If this post is not appropriate, please modify or delete asap. Thank you.

Today I just stumbled upon a hack attempt where someone was trying to invoke the following script. This is the entire URL with script for those interested in dissecting it and setting up some additional security measures. I've been battling this guy for quite some time and he seems to be using similar scripts to this one. So same guy, but nothing new.

http://www.centpublications.com/images/linuxdaybot.txt

I have done a lot of security work on the server and so far I've been ok, but if anyone recognizes this script or has experience fighting it, please let me know. Any insight or additional tips about how to prevent this script from actually getting by on the server would be much appreciated.

In addition, I have no idea how this is even getting pulled. I have tools such as wget completely shut down. Plus my compilers and a ton of other stuff are shut down, and yes, I have to manually enable everything if I need to get other things done. I'm used to this though, so it's part of life now. Anyway, I would love to hear any ideas, if possible, on how this script could be getting in.

Also, here is an excerpt of a log file concerning this attempt. You can see there are some compile problems and thus the script does not appear to be working? Not sure.

Code:
19:17:58 (345.96 KB/s) - `/tmp/php5913' saved [18,700/18,700]

Backslash found where operator expected at /tmp/php5913 line 103, near "$meunick\"
        (Missing operator before \?)
Backslash found where operator expected at /tmp/php5913 line 103, near ")\"
        (Missing operator before \?)
Backslash found where operator expected at /tmp/php5913 line 117, near ")\"
  (Might be a runaway multi-line ++ string starting on line 103)
        (Missing operator before \?)
Backslash found where operator expected at /tmp/php5913 line 122, near ")\"
        (Missing operator before \?)
Number found where operator expected at /tmp/php5913 line 124, near "} elsif ($servarg =~ m/^\:(.+?)\s+001"
  (Might be a runaway multi-line ++ string starting on line 122)
        (Missing operator before 001?)
Backslash found where operator expected at /tmp/php5913 line 124, near "001\"
        (Missing operator before \?)
syntax error at /tmp/php5913 line 103, near ")\"
syntax error at /tmp/php5913 line 117, near "'nick'} = "
Execution of /tmp/php5913 aborted due to compilation errors.
--19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
           => `/tmp/php5913'
Resolving www.centpublications.com... 205.234.147.237
Connecting to www.centpublications.com[205.234.147.237]:80... --19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
           => `/tmp/php5913'
Resolving www.centpublications.com... 205.234.147.237
Connecting to www.centpublications.com[205.234.147.237]:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Thank you.
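The log excerpt above is worth reading as a defender, because it records three separate facts: a wget run happened despite the restriction on the binary (so detection has to key on the pattern, not on one tool), the payload was served as a `.txt` and dropped into `/tmp`, and perl refused to compile it, so this particular attempt failed. The following Python script is an added example, not code from the thread or from either poster; it correlates the wget and perl lines by file path, pulls out the remote host, IP, URL and local drop path as block-list material, and reports what the log proves. The regular expressions, the `Download` class and the list of directories treated as world-writable are my assumptions, written against the wget and perl output formats visible in the post; the embedded sample is an abridged copy of the excerpt above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Abridged copy of the log excerpt from the post above (continuation lines dropped).
SAMPLE_LOG = r"""19:17:58 (345.96 KB/s) - `/tmp/php5913' saved [18,700/18,700]
Backslash found where operator expected at /tmp/php5913 line 103, near "$meunick\"
Backslash found where operator expected at /tmp/php5913 line 103, near ")\"
Backslash found where operator expected at /tmp/php5913 line 117, near ")\"
Backslash found where operator expected at /tmp/php5913 line 122, near ")\"
Number found where operator expected at /tmp/php5913 line 124, near "} elsif ($servarg =~ m/^\:(.+?)\s+001"
Backslash found where operator expected at /tmp/php5913 line 124, near "001\"
syntax error at /tmp/php5913 line 103, near ")\"
syntax error at /tmp/php5913 line 117, near "'nick'} = "
Execution of /tmp/php5913 aborted due to compilation errors.
--19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
           => `/tmp/php5913'
Resolving www.centpublications.com... 205.234.147.237
Connecting to www.centpublications.com[205.234.147.237]:80... --19:17:58--  http://www.centpublications.com/images/linuxdaybot.txt
           => `/tmp/php5913'
Resolving www.centpublications.com... 205.234.147.237
Connecting to www.centpublications.com[205.234.147.237]:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
"""

# Assumed drop directories worth flagging: writable by the web-server user.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
FETCH_RE = re.compile(r"--\d{2}:\d{2}:\d{2}--\s+(\S+)")   # wget start; may sit mid-line when runs interleave
DEST_RE = re.compile(r"^\s*=>\s*`([^']+)'")                # wget "=> `/tmp/x'"
RESOLVE_RE = re.compile(r"^Resolving (\S+)\.\.\. (\d+(?:\.\d+){3})")
SAVED_RE = re.compile(r"^\d{2}:\d{2}:\d{2} .* - `([^']+)' saved \[(\d[\d,]*)")
DIAG_RE = re.compile(r"\bat (\S+) line \d+")               # perl warning or error naming the file
ABORT_RE = re.compile(r"^Execution of (\S+) aborted due to compilation errors")


@dataclass
class Download:
    """One fetched file, keyed by the local path it was written to."""
    dest: str
    url: Optional[str] = None
    host: Optional[str] = None
    ip: Optional[str] = None
    saved: bool = False
    size: Optional[int] = None
    fetches: int = 0            # interleaved wget runs for the same file
    perl_diagnostics: int = 0   # perl warnings/errors naming this path
    perl_aborted: bool = False

    def findings(self) -> List[str]:
        # Defender-facing verdicts, each derivable from the log lines alone.
        out = []
        ran = self.perl_diagnostics > 0 or self.perl_aborted
        if self.dest.startswith(WORLD_WRITABLE):
            out.append(f"payload written to world-writable location {self.dest}")
        if ran and self.url and self.url.lower().endswith(".txt"):
            out.append("served as .txt but handed to perl: the extension is a disguise")
        if self.perl_aborted:
            out.append("perl aborted on compile errors: this run failed, but the fetch-and-execute path works")
        elif ran:
            out.append("perl parsed the file without aborting: assume it ran")
        if self.fetches > 1:
            out.append(f"{self.fetches} interleaved fetches: parallel attempts against the same hole")
        return out


def parse_log(text: str) -> List[Download]:
    """Correlate wget and perl lines by file path; the lines may arrive in any order."""
    by_path: Dict[str, Download] = {}
    pending_url: Optional[str] = None   # wget URL seen, its "=>" line not yet
    current: Optional[Download] = None  # owner of the Resolving line that follows

    def entry(path: str) -> Download:
        return by_path.setdefault(path, Download(dest=path))

    for line in text.splitlines():
        if m := FETCH_RE.search(line):
            pending_url = m.group(1)
        elif m := DEST_RE.match(line):
            current = entry(m.group(1))
            current.url = pending_url or current.url
            current.fetches += 1
            pending_url = None
        elif (m := RESOLVE_RE.match(line)) and current is not None:
            current.host, current.ip = m.group(1), m.group(2)
        elif m := SAVED_RE.match(line):
            d = entry(m.group(1))
            d.saved, d.size = True, int(m.group(2).replace(",", ""))
        elif m := ABORT_RE.match(line):
            entry(m.group(1)).perl_aborted = True
        elif m := DIAG_RE.search(line):
            entry(m.group(1)).perl_diagnostics += 1
    return list(by_path.values())


def indicators(downloads: List[Download]) -> Dict[str, List[str]]:
    """Block-list material: remote URLs, hosts, IPs and local drop paths."""
    keys = ("url", "host", "ip", "dest")
    return {k: sorted({getattr(d, k) for d in downloads if getattr(d, k)}) for k in keys}


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(f"{d.url} -> {d.dest} via {d.host} ({d.ip})")
        print("\n".join("  - " + f for f in d.findings()))
    print(indicators(parse_log(SAMPLE_LOG)))
```

On the excerpt above the parser reports a single download, fetched twice in parallel, saved to `/tmp`, handed to perl and rejected with compile errors. Run against a real shell or web-server log it would flag every fetch-to-`/tmp`-then-interpret sequence regardless of whether wget, curl or something else did the fetching, which is the check that matters when the binary restriction alone clearly did not hold.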
 

chirpy (Well-Known Member, Verified Vendor, Jun 15, 2002)
That's a generic IRC bot and not something specific to cPanel. They are most likely getting in through a vulnerable php script on the server. Make sure that all your phpBB installations (if there are any) are using the latest release.