Hackers putting scripts in /tmp

cartoon

Guest
I have seen that some processes are taking a lot of resources on one of my servers lately. Today I was looking at this and found two scripts in /tmp (sem.perl and qmail.pl). I am not sure what they do, but I cannot find the scripts in any cgi-bin folder for any of the sites running on the server. I am running FreeBSD 5.3 with Plesk 7.5 and perl 5.8.7. I have searched the complete server for files, including for the e-mail addresses in the scripts, but can't find them anywhere except in the /tmp folder.

Can anyone point me in the right direction to find out how the scripts got onto the server?

The script starts with the following (if it is of interest for anyone to take a closer look and find out what it does, I can post the complete script later):

#!/usr/bin/perl
# Telnet-like Standard Daemon 1.0
#
# Dark_Anjo - [email protected]
# - [email protected]
# - www.xn.rg3.net
# - www.red.not.br/xn
#
# For those guys that still like to open ports
# and use non-rooted boxes
#
# This has been developed to join in the TocToc
# project code, now it's done and I'm distributing
# this separated
#
# This one i made without IO::pty so it uses
# only standard modules... enjoy it
#
# tested on linux boxes.. probably will work fine on others
# any problem... #[email protected]
#

##########################################################
# ******************* CONFIGURATION ******************** #
##########################################################
my $PORT = $ARGV[0] || 3847; # default port is 54545
my $PASS = ''; # encripted password
my $SHELL = "/bin/bash"; # shell to be executed
my $HOME = "/tmp"; # your HOME
my $PROC = "/usr/local/apache/bin/httpd -DSSL"; # name of the process
my $PASS_PROMPT = "Password: "; # password prompt
my $WRONG_PASS = "Wrong password!"; # "wrong password" message
my @STTY = ('sane', 'dec'); # stty arguments
##########################################################

# feel free to change the ENV
#### ENVironment ####
$ENV{HOME} = $HOME;
#$ENV{PS1} = '[\u@\h \W]: '; # the way i like :)
# colorful PS1 is also funny :)
$ENV{PS1} = '\[\033[3;36m\][\[\033[3;34m\]\[\033[1m\]\u\[\033[3;36m\]@\[\033[0m\]\[\033[3;34m\]\[\033[1m\]\h \[\033[0m\]\[\033[1m\]\W\[\033[0m\]\[\033[3;36m\]]\[\033[0m\]\[\033[1m:\[\033[0m\] ';
$ENV{MAIL} = '/var/mail/root';
 
One of your domains has a vulnerable web application. Try correlating the creation time or modification time (use "stat") of the files with the Apache access_logs. The events in the access logs may be a few seconds earlier than the creation/modification time of the files.

Some very popular web applications are vulnerable to remote code inclusion/code execution vulnerabilities, like Mambo, phpBB2, phpAds, PostNuke, etc.

You should also take a look at your mail queue; I am sure they were locally injecting spam into the queue. Use "qmail-qstat" to inspect the queue sizes (it is located in /var/qmail/bin on FC Linux, not sure where it is under FreeBSD).

A preventative measure that you can take is installing modsecurity; it helps prevent some attacks but requires a lot of tuning and updating of rulesets.
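The correlation step described in this reply (take the file's mtime from stat, then look for access_log requests in the seconds just before it) can be scripted so it is repeatable across many log files. The following is an added example, not code from this thread or from Plesk; the log lines, IP addresses, paths and the file timestamp are all constructed for illustration, and the window of 30 seconds is an assumption to tune.

```python
"""Correlate a suspicious file's mtime with Apache access_log entries.

Added example: parses Apache common/combined log lines and returns the
requests that arrived in a short window before the file was written.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Apache access_log timestamp format, e.g. 15/Apr/2005:03:12:31 +0000
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Matches the leading fields of common and combined log formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); hosts and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2005:02:50:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [15/Apr/2005:03:12:31 +0000] "GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 312
198.51.100.4 - - [15/Apr/2005:03:12:36 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 200 88
203.0.113.7 - - [15/Apr/2005:03:12:45 +0000] "GET /favicon.ico HTTP/1.1" 404 209
this line is not a valid access_log entry
""".splitlines()

# Constructed mtime standing in for what `stat /tmp/qmail.pl` would report.
SAMPLE_MTIME = datetime(2005, 4, 15, 3, 12, 40, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "when": datetime.strptime(m.group("ts"), APACHE_TS),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def file_mtime(path):
    """Modification time of a file as a timezone-aware datetime (what stat shows)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_before(lines, mtime, window_seconds=30):
    """Return parsed log entries that landed in the window ending at the file's mtime.

    Unparseable lines are skipped rather than aborting the scan.
    """
    earliest = mtime - timedelta(seconds=window_seconds)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if earliest <= rec["when"] <= mtime:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Real use: mtime = file_mtime("/tmp/qmail.pl"); lines = open(".../access_log")
    for rec in requests_before(SAMPLE_LOG, SAMPLE_MTIME):
        print(rec["when"].isoformat(), rec["ip"], rec["request"], rec["status"])
```

Run it against each domain's access_log in turn (Plesk keeps a separate log per vhost), and widen the window if the file was written by a later, delayed process rather than directly by the request. The requests that turn up in the window are the ones to inspect for the web application the reply talks about.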
 
Thank you. The scripts have been there since the middle of April. I have closed the ports the scripts are using in the firewall and am monitoring the server to try to catch them and see how the scripts are coming in next time. There was not a big mail queue now. On FreeBSD, /usr/local/psa/qmail/bin/qmail-qstat shows the queue.
 