  1. #1
    Join Date
    Sep 2008

    Serious problem with dark mailer scripts like (dm.cgi, dark.cgi) ....


    I have a Linux shared hosting server, and for a couple of days I have been facing a serious issue regarding dark mailer or some .cgi scripts like (dark.cgi, dm.cgi, coms.cgi, mrm.cgi). I am also using mod_security 2.0 + WHM to prevent this type of problem, so can anyone tell me the best solution to block these types of attacks through mod_security, and how to create a rule specific to the attacker's "(dark.cgi, dm.cgi, coms.cgi, mrm.cgi)" scripts? Please do the needful and let me know the best solution...

    *******************************************************************************************
    Time: Sun Jun 28 10:13:48 2009 +0530
    PID: 30951
    Account: unixsurg
    Uptime: 25705 seconds



    Command Line (often faked in exploits):

    /usr/bin/perl dark.cgi

    Network connections by the process (if any):

    tcp: ->

    Files open by the process (if any):

    /home/unixsurg/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /home/unixsurg/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /tmp/ZCUD4Fyc93 (deleted)

    Memory maps by the process (if any):

    00110000-0024e000 r-xp 00000000 08:05 9176295 /lib/
    0024e000-00250000 r--p 0013e000 08:05 9176295 /lib/
    00250000-00251000 rw-p 00140000 08:05 9176295 /lib/
    00251000-00254000 rw-p 00251000 00:00 0
    00254000-00258000 r-xp 00000000 08:05 9175078 /lib/
    00258000-00259000 r--p 00003000 08:05 9175078 /lib/
    00259000-0025a000 rw-p 00004000 08:05 9175078 /lib/
    00500000-0062b000 r-xp 00000000 08:03 10270297 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/
    0062b000-00630000 rw-p 0012a000 08:03 10270297 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE/
    00630000-00632000 rw-p 00630000 00:00 0
    006ca000-006e6000 r-xp 00000000 08:03 10269980 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/
    006e6000-006e7000 rw-p 0001b000 08:03 10269980 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/
    006eb000-006f0000 r-xp 00000000 08:03 10270142 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/
    006f0000-006f1000 rw-p 00004000 08:03 10270142 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Socket/
    00771000-0078b000 r-xp 00000000 08:05 9176294 /lib/
    0078b000-0078c000 r--p 00019000 08:05 9176294 /lib/
    0078c000-0078d000 rw-p 0001a000 08:05 9176294 /lib/
    007bd000-007be000 r-xp 007bd000 00:00 0 [vdso]
    00801000-00805000 r-xp 00000000 08:03 10269967 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/
    00805000-00806000 rw-p 00003000 08:03 10269967 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/IO/
    008d5000-008d7000 r-xp 00000000 08:05 9176298 /lib/
    008d7000-008d8000 r--p 00001000 08:05 9176298 /lib/
    008d8000-008d9000 rw-p 00002000 08:05 9176298 /lib/
    008db000-00900000 r-xp 00000000 08:05 9176297 /lib/
    00900000-00901000 r--p 00024000 08:05 9176297 /lib/
    00901000-00902000 rw-p 00025000 08:05 9176297 /lib/
    00904000-00917000 r-xp 00000000 08:05 9176308 /lib/
    00917000-00918000 r--p 00012000 08:05 9176308 /lib/
    00918000-00919000 rw-p 00013000 08:05 9176308 /lib/
    00919000-0091b000 rw-p 00919000 00:00 0
    0099f000-009b2000 r-xp 00000000 08:05 9176300 /lib/
    009b2000-009b3000 r--p 00012000 08:05 9176300 /lib/
    009b3000-009b4000 rw-p 00013000 08:05 9176300 /lib/
    009b4000-009b6000 rw-p 009b4000 00:00 0
    009b8000-009c1000 r-xp 00000000 08:05 9176317 /lib/
    009c1000-009c2000 r--p 00008000 08:05 9176317 /lib/
    009c2000-009c3000 rw-p 00009000 08:05 9176317 /lib/
    009c3000-009ea000 rw-p 009c3000 00:00 0
    00a3a000-00a43000 r-xp 00000000 08:05 9175080 /lib/
    00a43000-00a44000 r--p 00008000 08:05 9175080 /lib/
    00a44000-00a45000 rw-p 00009000 08:05 9175080 /lib/
    00be0000-00bef000 r-xp 00000000 08:05 9176302 /lib/
    00bef000-00bf0000 r--p 0000e000 08:05 9176302 /lib/
    00bf0000-00bf1000 rw-p 0000f000 08:05 9176302 /lib/
    00bf1000-00bf3000 rw-p 00bf1000 00:00 0
    00e4d000-00e4f000 r-xp 00000000 08:03 10270168 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/
    00e4f000-00e50000 rw-p 00001000 08:03 10270168 /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/Sys/Hostname/
    05ad4000-05ad6000 r-xp 00000000 08:05 9176299 /lib/
    05ad6000-05ad7000 r--p 00001000 08:05 9176299 /lib/
    05ad7000-05ad8000 rw-p 00002000 08:05 9176299 /lib/
    08048000-0804b000 r-xp 00000000 08:03 1733841 /usr/bin/perl
    0804b000-0804c000 rw-p 00002000 08:03 1733841 /usr/bin/perl
    084e5000-087bb000 rw-p 084e5000 00:00 0 [heap]
    b7f3a000-b7f5e000 rw-p b7f3a000 00:00 0
    b7f67000-b7f68000 rw-p b7f67000 00:00 0
    bfdb3000-bfdc8000 rw-p bffea000 00:00 0 [stack]
    ****************************************************************************************
    p-root The Linux Dude

  2. #2
    Join Date
    Feb 2005

    The first result (for me) is this - Steven's suggestion looks handy.

    IMO it's really the wrong approach though. If someone is able to upload this sort of crap you should find out how they're getting access and block it at source instead of using mod_sec to restrict the type of content they can upload. Start by updating your WordPress install.

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  3. #3
    Join Date
    Jun 2003
    World Wide Web
    A wild guess..

    Files open by the process (if any):

    /home/unixsurg/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /home/unixsurg/public_html/truck/sys/.pureftpd-rename.23258.7342c161 (deleted)
    /tmp/ZCUD4Fyc93 (deleted)
    Looks like the FTP password was compromised to upload this script. Make sure that you have a more complex/strong password.

    Also make sure that your server has some protection against brute force attacks. - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  4. #4
    Join Date
    Sep 2008

    Thanks... but we have already enabled the firewall, mod_security and brute-force protection, so can you please tell me the exact rule to block this type of script through mod_security 2.0? Please do the needful..


  5. #5
    Join Date
    Sep 2008

    I have solved the problem by creating new rules for these .cgi scripts in mod_security...


  6. #6
    Quote Originally Posted by p-root

    I have solved the problem with creating new rules for these .cgi scripts, in mod_security...

    Drop me a PM if you have further problems with this, I have some mod_sec2 rules of my own that successfully kill DarkMailer if you need them.
    cPanel Hosting - Best support in the hosting business!

  7. #7
    Join Date
    Mar 2003
    California USA
    These are generally uploaded via FTP. If you are using pure-ftpd this may be of some interest to you:

    ------------------------ AFTER AN UPLOAD ------------------------

    After a successful upload, any external program or shell script can be
    spawned with the name of the newly uploaded file as an argument. You can use
    that feature to automatically send a mail when a new file arrives. Or you
    can pass it to a moderation system, an anti-virus, an MD5 signature generator
    or whatever you decide can be done with a file.

    To support this, the server has to be configured --with-uploadscript at
    compilation time. Upload scripts won't be spawned on unreadable directories.
    So it's highly recommended to use upload scripts with the --customerproof
    run-time option and without unreadable parent directories.
    To tell the FTP server to use upload scripts, it has to be launched with the
    '-o' option. Finally, you have to run another daemon called 'pure-uploadscript'
    provided by this package.



    For security purposes, the server never launches any external program. It's
    why there is a separate daemon, that reads new uploads pushed into a named
    pipe by the server. Uploads are processed synchronously and sequentially.
    It's why on loaded or untrusted servers, it might be a bad idea to use
    pure-uploadscript with lengthy or CPU-intensive scripts.

    The easiest way to run pure-uploadscript is 'pure-uploadscript -r <script>':

    /usr/local/sbin/pure-uploadscript -r /bin/

    The absolute path of the newly uploaded file is passed as a first argument.
    Some environment variables are also filled with interesting values:

    - UPLOAD_SIZE : the size of the file, in bytes.
    - UPLOAD_PERMS : the permissions, as an octal value.
    - UPLOAD_UID : the uid of the owner.
    - UPLOAD_GID : the group the file belongs to.
    - UPLOAD_USER : the name of the owner.
    - UPLOAD_GROUP : the group name the file belongs to.
    - UPLOAD_VUSER : the full user name, or the virtual user name. (127 chars max)

    There are also some options to "pure-uploadscript":

    - '-u <uid>' and '-g <gid>' to switch the account pure-uploadscript will run
    as. The script will be spawned with the same identity.

    - '-B' to fork in background.

    Please have a look at the man page ('man pure-uploadscript') for additional
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.
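A hook for the pure-uploadscript mechanism described above, written as an added example for this thread; it is not pure-ftpd's own code and not the mod_security rules any poster offered. It relies only on what the quoted documentation states: the absolute path of the upload arrives as the first argument, and UPLOAD_SIZE, UPLOAD_PERMS and UPLOAD_VUSER are set in the environment. The quarantine directory, the log file location, and the policy of holding every .cgi/.pl upload (or any file whose first line is a Perl shebang, regardless of extension) are assumptions a host would tune; the blocklist names are the four reported in post #1. It also assumes the hook runs with an identity allowed to move files out of the customer's directory (pure-uploadscript without -u/-g, or a uid that owns both locations).

```shell
#!/bin/sh
# Added example, not pure-ftpd's own code: a hook for 'pure-uploadscript -r'.
# pure-uploadscript passes the absolute path of the new upload as $1 and sets
# UPLOAD_SIZE, UPLOAD_PERMS, UPLOAD_VUSER (variable names from the pure-ftpd docs).
# Assumed, site-specific values: QUARANTINE_DIR and LOGFILE, and the policy that
# any .cgi/.pl upload or perl-shebang file is held for review.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"    # assumed location
LOGFILE="${LOGFILE:-/var/log/upload-scan.log}"         # assumed location

# Script names reported in this thread.
BLOCKED_NAMES="dark.cgi dm.cgi coms.cgi mrm.cgi"

# Exit status 0 = hold the file, 1 = let it through.
is_suspicious_upload() {
    f="$1"
    base=$(basename "$f")
    # 1. Exact names seen on the compromised account.
    for n in $BLOCKED_NAMES; do
        [ "$base" = "$n" ] && return 0
    done
    # 2. Any Perl/CGI script by extension (policy choice for a shared web host).
    case "$base" in
        *.cgi|*.pl) return 0 ;;
    esac
    # 3. A Perl shebang under a harmless-looking name (e.g. renamed to .gif).
    if head -n 1 "$f" 2>/dev/null | grep -q '^#!.*perl'; then
        return 0
    fi
    return 1
}

# Moves the file out of the web tree, removes every permission bit and logs
# which FTP user uploaded it. Prints the quarantine path.
quarantine_upload() {
    f="$1"
    mkdir -p "$QUARANTINE_DIR"
    dest="$QUARANTINE_DIR/$(date +%Y%m%d%H%M%S).$$.$(basename "$f")"
    mv -- "$f" "$dest"
    chmod 0000 "$dest"
    printf '%s quarantined %s user=%s size=%s perms=%s -> %s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$f" "${UPLOAD_VUSER:-?}" \
        "${UPLOAD_SIZE:-?}" "${UPLOAD_PERMS:-?}" "$dest" >> "$LOGFILE"
    printf '%s\n' "$dest"
}

# Entry point: returns 0 and prints the quarantine path if the upload was held,
# returns 1 if the file was left in place (or does not exist).
scan_upload() {
    f="$1"
    [ -f "$f" ] || return 1
    if is_suspicious_upload "$f"; then
        quarantine_upload "$f"
        return 0
    fi
    return 1
}

# Behave as the hook when invoked with a path, which is how pure-uploadscript calls it.
if [ -n "${1:-}" ]; then
    scan_upload "$1" || :
fi
```

Install it as `pure-uploadscript -r /path/to/this-script` with the FTP server started with `-o`, as the quoted documentation describes. Because uploads are processed sequentially, the checks are deliberately cheap (a name match and one line of the file); a full anti-virus pass belongs in a separate queue. The same four names are what a mod_security rule matching on REQUEST_FILENAME would block at the HTTP layer, but holding the file at upload time keeps the script off the disk in the first place, which is the point posts #2 and #3 make.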

  8. #8
    Join Date
    Sep 2008


    Quote Originally Posted by jphilipson
    Drop me a PM if you have further problems with this, I have some mod_sec2 rules of my own that successfully kill DarkMailer if you need them.
    Please send me your mod_security2 rules regarding Darkmailer, please do the needful...


  9. #9
    Join Date
    Apr 2008
    Hi jphilipson and Steven,

    I have the same problem....

    Please send me your mod_security rules which kill DarkMailer and other scripts, and also update us on how I can restrict uploading the dark.cgi file through FTP. I am also using pure-ftp.

    Thank you in advance.

    Linux Blog

  10. #10
    Can anybody share the final solution and the script here? Please!
