Hackers who upload scripts to /tmp can still execute them via perl even if /tmp is mounted nosuid,noexec,nodev,noatime: those mount options stop programs from being run out of that directory, but perl lives elsewhere and can simply be told to run the uploaded script (a plain text file) sitting in /tmp.
Apparently it's called c99shell. It doesn't root the server, but it gives a person a shell from which they can delete/modify/move files belonging to another account. It apparently gets in through a simple PHP blog exploit.
How does the speedy front end connect to the back end process?
Via a Unix socket in /tmp. A queue is kept in /tmp that holds an entry for each process. In that queue are the pids of the perl processes waiting for connections. The CGI front end pulls a process out of this queue, connects to its socket, sends over the environment and argv, and then uses this socket for stdin/stdout to the perl process.
Useful Links:
==========
http://forum.parallels.com/showthread.php?t=67184
http://www.derekfountain.org/security_c99madshell.php
http://forums.theplanet.com/index.php?showtopic=90109
==========
Key Words:
========
function.fsockopen
opendir
eval()
passthru
backtick()
pipes
popen()
escapeshellcmd()
PHP.INI settings:
===========
allow_url_fopen = Off
disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system,popen,virtual,show_source,readfile,pclose,posix_kill,proc_get_status,proc_nice,proc_terminate,escapeshellarg,highlight_file,leak,diskfreespace,php_uname,ini_alter,ini_restore,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,phpinfo,curl_multi_exec,parse_ini_file,backtic,escapeshellcmd,move_uploaded_file,copy,ftp_chdir,uploaddir,ini_get,ini_set,fputs,disk_free_space,unlink,chdir,getcwd
Notes on the list: php.ini does not continue a value across lines, so the whole list has to sit on one line. exec is not in it although shell_exec and system are. backtic and uploaddir are not PHP function names (the backtick operator is already switched off when shell_exec is disabled). Disabling copy, unlink, fputs, move_uploaded_file, ini_set and set_time_limit will break most PHP applications, file uploads included, so test on a staging box before rolling this out server wide.
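Added example (not part of the original notes): a small sh audit that reads a php.ini and reports which dangerous functions are still callable and whether allow_url_fopen is off. REQUIRED is my own minimal list (an assumption about what any hardened list should at least contain; it includes exec, which the list above omits); the two php.ini files are constructed inline for the demo.

```shell
#!/bin/sh
# Audit a php.ini against the hardening above. Added example, not from the notes.
# REQUIRED is an assumption: the smallest set of functions that must be disabled.
REQUIRED="exec passthru proc_open shell_exec system popen dl"

# Effective disable_functions value of ini file $1 (the last uncommented
# assignment wins, as in php.ini itself), one lower-cased name per line.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
        | tail -n 1 | tr -d '[:blank:]\r"' | tr ',' '\n' \
        | tr '[:upper:]' '[:lower:]' | sed '/^$/d'
}

# Names from REQUIRED that $1 does not disable, one per line (empty if none).
missing_functions() {
    _disabled=$(disabled_functions "$1")
    for _f in $REQUIRED; do
        printf '%s\n' "$_disabled" | grep -qx -- "$_f" || printf '%s\n' "$_f"
    done
}

# Exit 0 if allow_url_fopen is Off/0/false in $1, 1 otherwise (including unset,
# because PHP's default is On).
url_fopen_off() {
    _v=$(sed -n 's/^[[:space:]]*allow_url_fopen[[:space:]]*=//p' "$1" \
        | tail -n 1 | tr -d '[:blank:]\r"' | tr '[:upper:]' '[:lower:]')
    case "$_v" in off|0|false) return 0 ;; *) return 1 ;; esac
}

# Constructed sample 1: shell_exec and system are off but exec is still callable.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed sample php.ini (weak)
allow_url_fopen = On
disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system,popen,virtual
EOF

# Constructed sample 2: the same list with the gap closed and URL fopen off.
HARD_INI=$(mktemp)
cat > "$HARD_INI" <<'EOF'
; constructed sample php.ini (hardened)
allow_url_fopen = Off
disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system,popen,virtual,exec
EOF

echo "weak ini still allows: $(missing_functions "$WEAK_INI" | tr '\n' ' ')"
echo "hardened ini still allows: $(missing_functions "$HARD_INI" | tr '\n' ' ')"
url_fopen_off "$WEAK_INI" && echo "weak: allow_url_fopen off" || echo "weak: allow_url_fopen ON"
url_fopen_off "$HARD_INI" && echo "hardened: allow_url_fopen off" || echo "hardened: allow_url_fopen ON"
```

Run it against the real file with the two functions, e.g. missing_functions /usr/local/lib/php.ini; an empty result means every name in REQUIRED is disabled. Remember that PHP only reads php.ini at startup, so restart Apache after changing it.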
Disable Server Wide:
============
http://youropensource.com/projects/408-Disable-wget-on-a-cPanel-web-server
For each downloader: locate the binary, strip all permissions, then make the file immutable.
wget:         which wget;          chmod 0000 /usr/bin/wget;          chattr +i /usr/bin/wget
curl:         which curl;          chmod 0000 /usr/bin/curl;          chattr +i /usr/bin/curl
GET:          which GET;           chmod 0000 /usr/bin/GET;           chattr +i /usr/bin/GET     (lwp-request's alias is installed with the upper-case name)
fetch:        which fetch;         chmod 0000 /usr/bin/fetch;         chattr +i /usr/bin/fetch
lynx:         which lynx;          chmod 0000 /usr/bin/lynx;          chattr +i /usr/bin/lynx
lwp-download: which lwp-download;  chmod 0000 /usr/bin/lwp-download;  chattr +i /usr/bin/lwp-download
The which call only tells you where the binary really is; if it is not under /usr/bin, use that path in the chmod and chattr. Note that chmod 0000 plus chattr +i also stops legitimate use (package upgrades, cron jobs and cPanel scripts that call wget or curl), so run chattr -i on the file before updating that package.
How to search:
=========
find / -name '*.php' -print0 | xargs -0 grep -l 'eval(gzinflate(base64_decode('
find / -name '*.php' -print0 | xargs -0 grep -l 'eval(gzinflate(base64_decode('HJ3Hkq...
(-print0/-0 keep paths with spaces intact and -l lists only file names, which matters because a hit can be one enormous line. The first form finds any file using this obfuscation; the second, with the start of the base64 blob appended, narrows it to one specific payload.)
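Added example (not part of the original notes) that takes the two searches above a step further: it walks a tree looking for the obfuscated-eval idioms typical of PHP shells and, picking up the /tmp point at the top, for interpreter scripts parked under the tree's tmp directory, which noexec does not stop "perl file" from running. The signature list SHELL_SIGS and the directory layout are my own assumptions; the sample tree is constructed inline.

```shell
#!/bin/sh
# Web shell triage scan. Added example, not from the notes.
# SHELL_SIGS is an assumption: extended regex of eval-of-decoder idioms and
# assert() fed straight from request input.
SHELL_SIGS='eval[[:space:]]*\((gzinflate|gzuncompress|str_rot13|base64_decode)[[:space:]]*\(|assert[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST)'

# Print "<reason>:<path>" for every suspicious file under tree $1.
scan_tree() {
    # 1) PHP files containing a known obfuscated-eval idiom (NUL-safe paths,
    #    file names only, so a huge one-line payload is not dumped to the terminal)
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -lE -- "$SHELL_SIGS" 2>/dev/null \
        | sed 's/^/obfuscated-eval:/'
    # 2) scripts under $1/tmp whose first line is an interpreter shebang:
    #    noexec on /tmp does not stop "perl /tmp/x.pl"
    find "$1/tmp" -type f 2>/dev/null | while IFS= read -r f; do
        if head -n 1 "$f" | grep -qE '^#!.*/(perl|php|python|sh|bash)'; then
            printf 'interpreter-script-in-tmp:%s\n' "$f"
        fi
    done
}

# Constructed sample tree: one clean page, one obfuscated upload, one perl
# script dropped in tmp next to a harmless text file.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/htdocs/uploads" "$ROOT/tmp"
cat > "$ROOT/htdocs/index.php" <<'EOF'
<?php echo "hello"; ?>
EOF
cat > "$ROOT/htdocs/uploads/image.php" <<'EOF'
<?php eval(gzinflate(base64_decode('CONSTRUCTED_PAYLOAD_PLACEHOLDER'))); ?>
EOF
printf '#!/usr/bin/perl\nprint "constructed sample\\n";\n' > "$ROOT/tmp/sess_1a2b.pl"
printf 'plain text, not a script\n' > "$ROOT/tmp/sess_notes.txt"

scan_tree "$ROOT"
```

On a live box run scan_tree / (or scan_tree /home for a cPanel layout) and review each hit by hand; signature scans of this kind miss shells that use a different obfuscation, so treat an empty result as "nothing obvious", not as clean.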
Grep The Apache Log:
==========
grep 'move_uploaded_file' /usr/local/apache/domlogs/*
grep 'move_uploaded_file' /usr/local/apache/logs/error_log
ps aux | grep nobody | grep -v http | grep -v ftp      # processes running as the web user that are not the web or ftp server
lsof -p PID                                            # files and sockets the suspect process holds open
tr '\0' '\n' < /proc/PID/environ                       # its environment; the file is NUL-separated, tr makes it readable
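Added example (not part of the original notes): a first triage pass over a domlog (Common/Combined Log Format) that goes beyond the single grep above. It flags requests whose query string carries one of the key words listed earlier, or that POST to a .php file under an upload-type directory, then tallies the source IPs. WATCH and UPLOAD_DIRS are my own starting lists (assumptions); the log lines are constructed with documentation-range IPs.

```shell
#!/bin/sh
# Access-log triage for web shell activity. Added example, not from the notes.
# WATCH: key words from the notes, matched as whole words inside the
# (lower-cased) query string. UPLOAD_DIRS: paths where PHP should never run.
# Both are assumptions to be tuned per site.
WATCH='[^a-z_0-9](move_uploaded_file|passthru|popen|fsockopen|eval|base64_decode|shell_exec)[^a-z_0-9]'
UPLOAD_DIRS='/uploads/|/upload/|/tmp/|/images/|/cache/'

# Print "<reason> <ip> <status> <method> <url>" for each suspect line of log $1.
suspect_requests() {
    awk -v watch="$WATCH" -v updirs="$UPLOAD_DIRS" '
    {
        ip = $1; method = substr($6, 2); url = $7; status = $9
        path = url; sub(/\?.*/, "", path)               # strip the query string
        query = ""
        if (index(url, "?")) query = substr(url, index(url, "?") + 1)
        padded = "&" tolower(query) "&"                 # so edge words still match
        reason = ""
        if (padded ~ watch)
            reason = "watchword-in-query"
        else if (method == "POST" && path ~ /\.php$/ && path ~ updirs)
            reason = "post-to-php-in-upload-dir"
        if (reason != "")
            printf "%s %s %s %s %s\n", reason, ip, status, method, url
    }' "$1"
}

# Source IPs behind the suspect requests, most active first.
suspect_sources() {
    suspect_requests "$1" | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Constructed sample log: one visitor probing an uploaded PHP file, one
# ordinary blog visitor.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.5 - - [12/Mar/2009:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:01:09 +0000] "POST /wp-content/uploads/image.php HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2009:10:02:40 +0000] "GET /wp-content/uploads/image.php?f=move_uploaded_file HTTP/1.1" 200 3917 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:03:15 +0000] "POST /blog/comment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2009:10:03:16 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8893 "-" "Mozilla/5.0"
EOF

suspect_requests "$LOG"
suspect_sources "$LOG"
```

Point it at the real logs with suspect_requests /usr/local/apache/domlogs/example.com (one file at a time, or cat several into it). A 200 on a POST to a freshly uploaded .php file is the line to pull the timestamp from; everything that IP did around then is the rest of the story.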
=============================================
#!/bin/bash
# Find the process IDs (PIDs) of unwanted processes running as the web server
# user and kill them.
# UNWANTED lists process names, or any text that uniquely identifies the
# unwanted command line, separated by single spaces.
UNWANTED="httpssql DSSL httpdse"
# The user the web server (and therefore anything a PHP shell spawns) runs as.
WEBUSER="apache"

for PROGRAM in $UNWANTED
do
    # PIDs of $WEBUSER's processes whose command line contains $PROGRAM.
    for PID in $(ps -u "$WEBUSER" -o pid=,args= | awk -v pat="$PROGRAM" '$0 ~ pat {print $1}')
    do
        # Optional: mail the list of files the process has open before killing it.
        #lsof -p "$PID" | mail -s "Files used by unwanted process $PID" hostmaster@mydomain.com
        kill -9 "$PID"
        #echo "$PID"
    done
done
=========================================