Re: Follow up on the NCSDRecover DDOS perl script
Robert,
The only way to truly recover from a break-in is to fully restore the system
from a trusted medium. That being said, here's what your script does:
1) Hide its name in the process table as '/usr/sbin/nscd ' (100
spaces).
2) Bind to UDP port 1337 in order to receive control information and wait.
For this script to take any action, 3 arguments must be supplied: password,
command, and at least one argument. For some commands two arguments are
needed.
ping: Sends a single udp packet to $arg1 on port $arg2. This packet contains
the word 'pong', followed by the output of 'uname -mnrs'.
redir: Redirect a $localport to a remote $host and port.
shell: Open a shell on a supplied port. The shell will be opened with
the permissions of the user running the crontab (www-data), but
root may then be attainable by a number of local exploits. ptrace is
the first and easiest that comes to mind.
udp: Sends a string containing 1337 copies of:
'Mess with the best - die like a
rest!'
as often as possible to a supplied $host for a given amount of $time. The
destination port is random.
** Shouldn't it be 'Mess with the best - die like the rest!' anyway? I guess
we haven't messed with those that are best at grammar.
ddns: Begins a DoS attack on a specified DNS $host, for a given amount of
$time.
die: If the correct password is supplied, this script will exit.
Hope it helps clear things up.
--jordan
>
> I have a question as to how safe a box is after
> it has been compromised by this perl script.
> I believe it opens up a shell account at 1337,
> but it shouldn't give them root access or the
> ability to log in as the web user at most should
> it? Cuz if so that would be bad news for a lot
> of people who got hacked via this. Regardless I
> upgraded my kernel to the new version, is there
> anything else I should do to ensure there were
> no backdoors implemented by this. Also thanks
> for all of the initial help and responses I
> received. The debian community is truly a great
> example of mutual aid in effect.
>
> Robert Ebright
> sysadmin at azone.org
>
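Added example, not from the thread and not the Perl script being discussed: a small Python hunt for the footprints Jordan lists (a command line of '/usr/sbin/nscd' padded with trailing spaces, a process that claims to be nscd but is really perl, and a UDP socket bound to port 1337). The /proc excerpts inside it are constructed sample data, with pid 4242 as the fake and uid 33 standing in for Debian's www-data; collect_live() builds the same records on a real Linux host, and NSCD_PATH/UDP_CONTROL_PORT are just the values from the reply.

```python
"""Hunt for the nscd-impersonating Perl backdoor described in the reply above.

Added example, not the script from the thread. It looks for the three
footprints the reply lists: a command line of '/usr/sbin/nscd' padded with
trailing spaces, a process that claims to be nscd but whose executable is
perl, and a UDP socket bound to port 1337. The /proc excerpts below are
constructed sample data; collect_live() builds the same records on a real
Linux host.
"""
import os
import re

UDP_CONTROL_PORT = 1337        # port the script binds for control messages
NSCD_PATH = "/usr/sbin/nscd"   # name the script hides behind

# Constructed sample process records:
# (pid, readlink(/proc/<pid>/exe), /proc/<pid>/comm, /proc/<pid>/cmdline with
# NULs replaced by spaces). pid 4242 is the backdoor: Perl's $0 assignment
# rewrites argv, so cmdline shows the padded name while exe and comm still
# say perl.
SAMPLE_PROCS = [
    (611, NSCD_PATH, "nscd", NSCD_PATH),
    (4242, "/usr/bin/perl", "perl", NSCD_PATH + " " * 100),
    (900, "/usr/sbin/apache", "apache", "/usr/sbin/apache"),
]

# Constructed /proc/net/udp excerpt. local_address is hex ip:port, so 0035 is
# DNS on 53 and 0539 is 1337; uid 33 is www-data on Debian.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 7823
  17: 00000000:0539 00000000:0000 07 00000000:00000000 00:00000000 00000000    33        0 91245
"""


def suspicious_processes(procs):
    """Map pid -> list of reasons for processes that look like the impersonator."""
    findings = {}
    for pid, exe, comm, cmdline in procs:
        reasons = []
        if cmdline != cmdline.rstrip() and cmdline.rstrip() == NSCD_PATH:
            reasons.append("argv[0] is nscd padded with trailing spaces")
        if cmdline.split()[:1] == [NSCD_PATH] and (
            comm != "nscd" or os.path.basename(exe) != "nscd"
        ):
            reasons.append(f"claims to be nscd but exe={exe} comm={comm}")
        if reasons:
            findings[pid] = reasons
    return findings


def udp_listeners(proc_net_udp):
    """Parse /proc/net/udp text into {port: uid} for every bound socket."""
    ports = {}
    for line in proc_net_udp.splitlines():
        fields = line.split()
        # data rows start with a slot number like '17:'; the header does not
        if len(fields) < 8 or not re.fullmatch(r"\d+:", fields[0]):
            continue
        port = int(fields[1].split(":")[1], 16)
        ports[port] = int(fields[7])
    return ports


def report(procs=SAMPLE_PROCS, proc_net_udp=SAMPLE_PROC_NET_UDP):
    """Return human-readable findings; an empty list means nothing matched."""
    lines = [f"pid {pid}: {'; '.join(r)}" for pid, r in suspicious_processes(procs).items()]
    listeners = udp_listeners(proc_net_udp)
    if UDP_CONTROL_PORT in listeners:
        lines.append(f"udp/{UDP_CONTROL_PORT} is bound by uid {listeners[UDP_CONTROL_PORT]}")
    return lines


def collect_live():
    """Build (pid, exe, comm, cmdline) records from /proc on a running host."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{name}/exe")
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{name}/cmdline", "rb") as f:
                # drop the terminating NUL first so a clean nscd is not
                # mistaken for a padded one, then turn argv separators to spaces
                raw = f.read().rstrip(b"\0")
                cmdline = raw.replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited, or not readable without root
        procs.append((int(name), exe, comm, cmdline))
    return procs


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it as root so /proc/<pid>/exe is readable for every process, and feed report() the output of collect_live() plus the contents of /proc/net/udp. A hit on the padded argv or the perl-behind-nscd check is a strong signal; the port check alone is weaker, since any legitimate service could sit on 1337, so treat the three together as a quick triage step and not as a substitute for the reinstall Jordan recommends.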