Taken from news://blueyonder.comp.linux -

> A friend of mine has his Debian box r00ted. It only seems to have been
> brought to his attention after seeing a file being wgetted and
> compiled
> within his Apache error log.
>
> He brought it to my attention as he originally suspected that there
> may be an Apache overflow or the likes.
>
> After obtaining a copy of the src that was downloaded, this was a
> _VERY_ sloppy/crudely coded backdoor (copied "httpd" as argv[0] to try and
> hide itself in ps/top etc, and assumes data after sending a password
> to be a command executed via execl(). The backdoor appears to have been
> coded (or has reference to at least) some lame script kiddie web site
> defacers. I googled for the name "Perfect.BR Team" and it seems some
> kids in Portugal have defaced a few sites. His index.php file was
> replaced and renamed as index.bak.php (which was nice? lol).. although
> the datestamp on the file was old still (Mar 3 rather than yesterday's
> date.. I assume creation/last legit modded date). It also calls
> 'setpgrp();' which failed on another friend's *nix box when he tried to
> compile it as a test (I don't know what OS/distro), and it bombed with
> too few args. He modded to setpgrp(0,0); and it worked fine.
> Compiling that upon a debian box bombed with too many args, and removing the
> additional '0,0' enabled it to compile and run "perfectly".. so the
> backdoor would seem somewhat distro specific maybe (although according
> to my friend that compiled this, setpgrp() would appear to be an
> undocumented function on debian at least).
>
> The debian install itself, has been fully patched with any updates
> that have appeared this month (and previous) but I don't know everything
> that's being run, only that minimal is running (server box, no X etc).
>
> Never having used a Linux distro (yup, he now has a copy of FBSD 8) ),
> is there anything different on Debian that may be checked into that I
> can't use as reference in FBSD to try and help him locate the
> intrusion?
>
> Unfortunately, no IPTables is running (spare me the flames, heh ;) ).
>
> I have a large section of the error_log in question with the wget/gcc
> commands in it if it'd help anyone help me, but I personally think the
> box was r00ted previous to this alert.
>
> I'm not a security expert, just someone trying to help a friend.. so
> if anyone has _any_ info that maybe of interest, I'd be more than happy
> to hear and pass on to him. If any more details are required for anyone
> to be able to possibly help, I'll ask me mate and get further details.

Cheers,
Neil
-- 
16 Channels in mode 4
I disclaim everything I can under English law.
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li 8DEC67C5
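Two checks a defender could run on a box like the one described above, as an added example that is not part of the original post: a triage pass over Apache error_log lines for wget and gcc output (the sample lines are constructed, not the poster's log), and a /proc check for processes whose argv[0] claims one name while /proc/<pid>/exe points at a different binary, the ps/top hiding trick the backdoor used. Pattern names and the `scan_proc` helper are this example's own.

```python
import os
import re
# Constructed sample in the style of an Apache error_log (not the poster's log): stderr of
# commands run through a web-app hole lands here untimestamped between normal entries.
SAMPLE_ERROR_LOG = """\
[Mon Mar 17 02:11:04 2003] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
--02:13:41--  http://example.invalid/bd.c
           => `bd.c'
02:13:42 (8.12 KB/s) - `bd.c' saved [4123/4123]
bd.c: In function `main':
bd.c:42: warning: implicit declaration of function `setpgrp'
"""
# (category, pattern) pairs for tool output that has no business in a web server's log.
INDICATORS = [
    ("wget-fetch", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+\S+://")),
    ("wget-save", re.compile(r"=> `[^']+'|saved \[\d+/\d+\]")),
    ("compile", re.compile(r"^\S+\.c(:\d+)?: (In function|warning:|error:)")),
]
def triage_error_log(text):
    """Return (line_number, category, line) for every line matching an indicator."""
    hits = []
    for num, line in enumerate(text.splitlines(), 1):
        for category, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((num, category, line))
                break
    return hits

def argv0_masquerade(argv0, exe_path):
    """True when argv[0] (the name ps shows) differs from the binary actually running:
    "httpd" in argv[0] does not change /proc/<pid>/exe. "-bash"/" (deleted)" are normalised."""
    exe_name = os.path.basename(exe_path.replace(" (deleted)", ""))
    return os.path.basename(argv0).lstrip("-") != exe_name

def scan_proc(proc_root="/proc"):
    """Linux only: (pid, argv0, exe) for every readable process failing the check above.
    Review by hand: interpreters and busybox-style multicall binaries also appear."""
    pids = filter(str.isdigit, os.listdir(proc_root)) if os.path.isdir(proc_root) else []
    findings = []
    for pid in pids:
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue
        if argv0 and argv0_masquerade(argv0, exe):
            findings.append((int(pid), argv0, exe))
    return findings
```

Run `triage_error_log` over the real error_log excerpt to pull out the download-and-compile lines, and `scan_proc()` as root on the live box to list name/binary mismatches worth inspecting.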