
Re: Follow up on the NCSDRecover DDOS perl script



Robert,

The only way to truly recover from a break-in is to fully restore the system
from a trusted medium. That being said, here's what your script does:



1) Hide its name in the process table as '/usr/sbin/nscd             ' (100
spaces).

2) Bind to UDP port 1337 in order to receive control information and wait. 
For this script to take any action, 3 arguments must be supplied: password, 
command, and at least one argument. For some commands two arguments are 
needed.

ping:   Sends a single UDP packet to $arg1 on port $arg2. This packet contains
        the word 'pong', followed by the output of 'uname -mnrs'.

redir:  Redirects a $localport to a remote $host and port.

shell:  Opens a shell on a supplied port. The shell will be opened with
        the permissions of the user running the crontab (www-data), but
        root may then be attainable by a number of local exploits. ptrace is
        the first and easiest that comes to mind.

udp:    Sends a string containing 1337 copies of:
'Mess with the best - die like a
 rest!'
        as often as possible to a supplied $host for a given amount of $time. The
        destination port is random.
        ** Shouldn't it be 'Mess with the best - die like the rest!' anyway? I guess
        we haven't messed with those that are best at grammar.

ddns:   Begins a DOS attack on a specified DNS $host, for a given amount of
        $time.

die:    If the correct password is supplied, this script will exit.


		Hope it helps clear things up.
				--jordan

> 
> I have a question as to how safe a box is after
> it has been compromised by this perl script.
> I believe it opens up a shell account at 1337,
> but it shouldn't give them root access or the
> ability to log in as the web user at most should
> it? Cuz if so that would be bad news for a lot
> of people who got hacked via this. Regardless I
> upgraded my kernel to the new version, is there
> anything else I should do to ensure there were
> no backdoors implemented by this. Also thanks
> for all of the initial help and responses I
> received. The Debian community is truly a great
> example of mutual aid in effect.
> 
> Robert Ebright
> sysadmin at azone.org
> 
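The two host-side indicators Jordan lists above (a process name padded with trailing spaces to look like nscd, and a UDP socket bound to port 1337) are easy to check for mechanically. The following Python is an added example written for this thread, not code from the list or from the script being discussed. It parses constructed sample output in the shape of `ps -eo pid,user,args` and of `/proc/net/udp`; the sample values (PIDs, inodes, uid 33 for www-data as on Debian) are made up for illustration, and the `min_padding` threshold is an assumed tuning knob.

```python
import re

# Constructed sample of `ps -eo pid,user,args` output; not captured from a real host.
# The third entry imitates the padded name described in the thread (100 trailing spaces).
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "  812 root     /usr/sbin/nscd",
    " 2231 www-data /usr/sbin/nscd" + " " * 100,
    " 2240 www-data /usr/sbin/apache2 -k start",
]

# Constructed sample of /proc/net/udp; local_address is hex IP:PORT, so 1337 = 0x0539.
# uid 33 is www-data on a Debian system.
SAMPLE_PROC_NET_UDP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0",
    "   1: 00000000:0539 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 67890 2 0000000000000000 0",
]

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")


def padded_process_names(ps_lines, min_padding=8):
    """Flag processes whose argv ends in a run of whitespace.

    A genuine nscd has no trailing spaces in its argv; the script in the thread
    pads its name with 100 spaces so a casual `ps` glance shows only 'nscd'.
    Returns (pid, user, argv_without_padding, padding_length) tuples.
    `min_padding` is an assumed threshold to ignore stray single spaces.
    """
    hits = []
    for line in ps_lines[1:]:  # first line is the ps header
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, user, argv = int(m.group(1)), m.group(2), m.group(3)
        padding = len(argv) - len(argv.rstrip())
        if padding >= min_padding:
            hits.append((pid, user, argv.rstrip(), padding))
    return hits


def udp_sockets_on_port(proc_net_udp_lines, port):
    """Return (uid, inode) for every UDP socket bound to `port`.

    /proc/net/udp data rows, split on whitespace, carry local_address in
    column 1 as hex "IP:PORT", the owning uid in column 7 and the socket
    inode in column 9 (the inode can be matched to a pid via /proc/*/fd).
    """
    found = []
    for line in proc_net_udp_lines[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        _ip_hex, port_hex = cols[1].split(":")
        if int(port_hex, 16) == port:
            found.append((int(cols[7]), int(cols[9])))
    return found


def suspicious_host(ps_lines, proc_net_udp_lines):
    """True when either indicator from the thread is present."""
    return bool(padded_process_names(ps_lines)) or bool(
        udp_sockets_on_port(proc_net_udp_lines, 1337)
    )


if __name__ == "__main__":
    # On a live Debian box you would feed in `ps -eo pid,user,args` output and
    # the lines of /proc/net/udp instead of the constructed samples.
    for pid, user, argv, pad in padded_process_names(SAMPLE_PS):
        print(f"padded name: pid={pid} user={user} argv={argv!r} padding={pad}")
    for uid, inode in udp_sockets_on_port(SAMPLE_PROC_NET_UDP, 1337):
        print(f"udp/1337 bound by uid={uid} (socket inode {inode})")
    print("suspicious:", suspicious_host(SAMPLE_PS, SAMPLE_PROC_NET_UDP))
```

Both checks are only hints, which is why the reply opens with "restore from a trusted medium": a padded name is trivial to change and the listening port is a script constant, so a clean result from this check does not establish that a box is clean.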
