
Perfect.BR Team



Taken from news://blueyonder.comp.linux -

> A friend of mine has his Debian box r00ted. It only seems to have been
> brought to his attention after seeing a file being wgetted and
> compiled
> within his Apache error log. 
> 
> He brought it to my attention as he originally suspected that there
> may be an Apache overflow or the likes.
> 
> After obtaining a copy of the src that was downloaded, this was a
> _VERY_ sloppy/crudely coded backdoor (copied "httpd" as argv[0] to try and 
> hide itself in ps/top etc, and assumes data after sending a password
> to be a command executed via execl(). The backdoor appears to have been 
> coded (or has reference to at least) some lame script kiddie web site
> defacers. I googled for the name "Perfect.BR Team" and it seems some 
> kids in Portugal have defaced a few sites. His index.php file was
> replaced and renamed as index.bak.php (which was nice? lol).. although 
> the datestamp on the file was old still (Mar 3 rather than yesterday's
> date.. I assume creation/last legit modded date). It also calls
> 'setpgrp();' which failed on another friend's *nix box when he tried to 
> compile it as a test (I don't know what OS/distro), and it bombed with 
> too few args. He modded to setpgrp(0,0); and it worked fine.
> Recompiling that upon a debian box bombed with too many args, and removing the 
> additional '0,0' enabled it to compile and run "perfectly".. so the
> backdoor would seem somewhat distro specific maybe (although according 
> to my friend that compiled this, setpgrp() would appear to be an 
> undocumented function on debian at least). 
>
> The debian install itself has been fully patched with any updates
> that have appeared this month (and previous) but I don't know everything
> that's being run, only that minimal is running (server box, no X etc). 
> 
> Never having used a Linux distro (yup, he now has a copy of FBSD 8) ), 
> is there anything different on Debian that may be checked into that I
> can't use as reference in FBSD to try and help him locate the
> intrusion? 
> 
> Unfortunately, no IPTables is running (spare me the flames, heh ;) ).
>
> I have a large section of the error_log in question with the wget/gcc
> commands in it if it'd help anyone help me, but I personally think the 
> box was r00ted previous to this alert. 
>
> I'm not a security expert, just someone trying to help a friend.. so
> if anyone has _any_ info that may be of interest, I'd be more than happy
> to hear and pass on to him. If any more details are required for anyone
> to be able to possibly help, I'll ask me mate and get further details. 

Cheers,
Neil
-- 
16 Channels in mode 4
I disclaim everything I can under English law.
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li 8DEC67C5
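The quoted post describes a backdoor that copies "httpd" into argv[0] so it blends into ps/top. The following is an added detection example, not code from the thread or from any of the people in it: it flags processes whose advertised name is httpd but whose real binary (as the kernel reports it through /proc) is not a trusted Apache executable. The trusted path set and the scratch-directory list are assumptions to adjust per host.

```python
import os
from dataclasses import dataclass
from typing import Iterable, List

# Assumed set of legitimate Apache binaries; adjust to the host's packaging.
TRUSTED_HTTPD_PATHS = {
    "/usr/sbin/apache", "/usr/sbin/apache2", "/usr/sbin/httpd",
    "/usr/local/apache/bin/httpd", "/usr/local/apache2/bin/httpd",
}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumed drop locations

@dataclass
class ProcRecord:
    pid: int
    argv0: str  # first element of /proc/<pid>/cmdline (what ps/top display)
    exe: str    # resolved target of /proc/<pid>/exe, the binary really running
    cwd: str    # resolved target of /proc/<pid>/cwd

def looks_like_httpd(argv0: str) -> bool:
    """The backdoor advertises itself as 'httpd'; also catch Debian's names."""
    return os.path.basename(argv0) in {"httpd", "apache", "apache2"}

def suspicious(rec: ProcRecord) -> bool:
    """True when a process claims to be httpd but the kernel's view disagrees:
    the binary is not a trusted Apache path, has been unlinked after exec
    (the '(deleted)' suffix), or the process lives in a scratch directory."""
    if not looks_like_httpd(rec.argv0):
        return False
    if rec.exe.endswith(" (deleted)") or rec.exe not in TRUSTED_HTTPD_PATHS:
        return True
    return rec.cwd.startswith(SCRATCH_DIRS)

def find_masqueraders(records: Iterable[ProcRecord]) -> List[int]:
    return [r.pid for r in records if suspicious(r)]

def collect_from_proc() -> List[ProcRecord]:
    """Live collector for Linux; run as root so every /proc/<pid>/exe is readable."""
    out = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{name}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            out.append(ProcRecord(int(name), argv0,
                                  os.readlink(f"{base}/exe"), os.readlink(f"{base}/cwd")))
        except OSError:  # process exited or not permitted; skip it
            continue
    return out
```

On a live Linux host, `find_masqueraders(collect_from_proc())` returns the PIDs worth inspecting; a clean box with a packaged Apache should return an empty list.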
