criticman
Guest
Alright, qmail queue is HUGE (508926).
So I did:
ps -fuapache
UID PID PPID C STIME TTY TIME CMD
apache 9359 20374 0 Apr23 ? 00:00:28 /usr/sbin/httpd
apache 9362 20374 0 Apr23 ? 00:00:27 /usr/sbin/httpd
apache 23050 20374 0 Apr23 ? 00:00:27 /usr/sbin/httpd
apache 6642 20374 0 11:14 ? 00:00:03 /usr/sbin/httpd
apache 6657 20374 0 11:14 ? 00:00:05 /usr/sbin/httpd
apache 6665 20374 0 11:14 ? 00:00:04 /usr/sbin/httpd
apache 6670 20374 0 11:14 ? 00:00:02 /usr/sbin/httpd
apache 577 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 587 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 588 20374 0 16:22 ? 00:00:02 /usr/sbin/httpd
apache 589 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 601 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 612 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 613 20374 0 16:22 ? 00:00:02 /usr/sbin/httpd
apache 642 20374 0 16:22 ? 00:00:02 /usr/sbin/httpd
apache 652 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 653 20374 0 16:22 ? 00:00:01 /usr/sbin/httpd
apache 675 20374 0 16:23 ? 00:00:02 /usr/sbin/httpd
apache 678 20374 0 16:23 ? 00:00:02 /usr/sbin/httpd
apache 684 20374 0 16:23 ? 00:00:01 /usr/sbin/httpd
apache 842 1 0 16:23 ? 00:00:00 /bin/sh
apache 8781 842 0 18:03 ? 00:00:52 php spam.txt juridico.txt carteiro.htm
apache 18179 8781 0 19:32 ? 00:00:00 bin/qmail-inject -H --
Did readlink /proc/8781/exe and found out it is in /tmp and /tmp/drk.
I deleted the drk dir and its contents. The script itself is in tmp.
How can I trace how it got in? I am going to rename the script (in .txt format) but maybe someone has seen this one before?
dc.txt (I am only including the header so as not to post the malicious code others could then reuse)
#IRAN HACKERS SABOTAGE Connect Back Shell
#code by:LorD
#We Are :LorD-C0d3r-NT
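A worked triage helper for the question in the post ("how can I trace how it got in?"). This is an added example, not code from the original post: it parses `ps -f` style output like the one above, flags processes the web server user should not own (the orphaned `/bin/sh` reparented to PID 1, an interpreter running `.txt` files, a mailer spawned by PHP), then correlates the start time of the root of that process chain with the web server access log in the minutes before it. The process lines are modelled on the thread; the access log lines, the year, the client addresses and the request paths are constructed for the example and are not from any real incident. A root process started at `16:23` is matched against requests logged between `16:20:59` and `16:23:59`, so the handful of requests that could have spawned the shell stand out from the rest of the log.

```python
"""Triage helper for a web server whose 'apache' user runs things it should not.
Added example (not from the thread). All sample data below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed `ps -fuapache` output modelled on the thread (httpd lines trimmed).
PS_OUTPUT = """\
UID PID PPID C STIME TTY TIME CMD
apache 9359 20374 0 Apr23 ? 00:00:28 /usr/sbin/httpd
apache 842 1 0 16:23 ? 00:00:00 /bin/sh
apache 8781 842 0 18:03 ? 00:00:52 php spam.txt juridico.txt carteiro.htm
apache 18179 8781 0 19:32 ? 00:00:00 bin/qmail-inject -H --
"""

# Constructed Apache combined-format access log; the day/year are assumptions
# (the thread only shows the time of day), addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.10 - - [23/Apr/2012:16:20:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2012:16:22:41 +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2012:16:22:58 +0000] "GET /images/logo.png HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Apr/2012:16:23:02 +0000] "GET /uploads/dc.txt HTTP/1.1" 200 74 "-" "-"
192.0.2.55 - - [23/Apr/2012:16:40:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
REFERENCE_DAY = datetime(2012, 4, 23, tzinfo=timezone.utc)   # assumed date of the ps listing

EXPECTED_CMD = "/usr/sbin/httpd"          # the only command the apache user should run
INTERPRETERS = {"php", "perl", "python", "sh", "bash"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
LOG_TS = "%d/%b/%Y:%H:%M:%S %z"

def parse_ps(text):
    """Turn `ps -f` output into dicts; CMD is kept whole even if it has spaces."""
    procs = []
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, stime, _tty, _time, cmd = parts
        procs.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                      "stime": stime, "cmd": cmd})
    return procs

def flag_processes(procs):
    """Return (process, reason) pairs for anything that is not the httpd binary."""
    flagged = []
    for p in procs:
        if p["cmd"] == EXPECTED_CMD:
            continue
        argv = p["cmd"].split()
        reasons = []
        if p["ppid"] == 1:
            reasons.append("orphaned process reparented to init")
        if argv[0].rsplit("/", 1)[-1] in INTERPRETERS and any(
                a.endswith((".txt", ".htm", ".jpg", ".gif")) for a in argv[1:]):
            reasons.append("interpreter executing file with non-code extension")
        if not reasons:
            reasons.append("unexpected command for web server user")
        flagged.append((p, "; ".join(reasons)))
    return flagged

def chain_roots(flagged):
    """Flagged processes whose parent is not itself flagged: the top of each chain."""
    pids = {p["pid"] for p, _ in flagged}
    return [p for p, _ in flagged if p["ppid"] not in pids]

def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, request, status, _size = m.groups()
            entries.append({"ip": ip, "time": datetime.strptime(ts, LOG_TS),
                            "request": request, "status": int(status)})
    return entries

def stime_to_datetime(stime, reference_day):
    """ps prints HH:MM for today's processes; take the end of that minute so the
    whole minute is covered. Older processes (e.g. 'Apr23') have no usable time."""
    if ":" not in stime:
        return None
    hh, mm = (int(x) for x in stime.split(":"))
    return reference_day.replace(hour=hh, minute=mm, second=59)

def requests_before(entries, start, window):
    """Log entries in the `window` ending at `start`, in log order."""
    return [e for e in entries if start - window <= e["time"] <= start]

def triage(ps_text, log_text, reference_day, window_minutes=3):
    """Map each root suspicious PID to the requests logged just before it started."""
    flagged = flag_processes(parse_ps(ps_text))
    entries = parse_log(log_text)
    result = {}
    for root in chain_roots(flagged):
        start = stime_to_datetime(root["stime"], reference_day)
        if start is not None:
            result[root["pid"]] = requests_before(entries, start,
                                                  timedelta(minutes=window_minutes))
    return result

if __name__ == "__main__":
    for p, reason in flag_processes(parse_ps(PS_OUTPUT)):
        print(f"pid {p['pid']:>6} ppid {p['ppid']:>6} {p['cmd']!r}: {reason}")
    for pid, hits in triage(PS_OUTPUT, ACCESS_LOG, REFERENCE_DAY).items():
        print(f"requests in the 3 minutes before pid {pid} started:")
        for e in hits:
            print(f"  {e['time']:%H:%M:%S} {e['ip']} {e['request']} {e['status']}")
```

On a live host the same idea is applied to the real `ps -fuapache` output and the real access log (and, for a chain whose root started on an earlier day, `ps -o lstart` gives a full timestamp instead of `HH:MM`); the output narrows the search to a few requests whose source address and target path can then be checked against the upload directory and the file timestamps in `/tmp`.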