Date:      Wed, 26 Aug 2009 07:53:36 +0700 (ICT)
From:      Olivier Nicole <on@cs.ait.ac.th>
Cc:        freebsd-questions@freebsd.org, cb@lim.nl
Subject:   Re: what www perl script is running?
Message-ID:  <200908260053.n7Q0raSb018303@banyan.cs.ait.ac.th>
In-Reply-To: <4A943A9B.1030703@cyberleo.net> (message from CyberLeo Kitsana on Tue, 25 Aug 2009 14:25:15 -0500)
References:  <4A924601.3000507@lim.nl>	<200908240807.n7O87o3U092052@banyan.cs.ait.ac.th>	<200908241026.55693.j.mckeown@ru.ac.za>	<25130058.post@talk.nabble.com>	<20090825091937.GA53416@cheddar.urgle.com>	<25131646.post@talk.nabble.com>	<200908251027.n7PARZBt009994@banyan.cs.ait.ac.th>	<25132123.post@talk.nabble.com>	<20090825082604.41cad357.wmoran@potentialtech.com>	<25134056.post@talk.nabble.com>	<20090825134250.GA6871@ei.bzerk.org> <25135959.post@talk.nabble.com> <4A943A9B.1030703@cyberleo.net>

Colin,

Be aware that what you listed below are the additional scripts the
hacker installed on your server after he broke in.

This does not tell you how the hacker broke in. So your server is
still subject to compromise.

Bests,

olivier

>> Try a find through the entire filesystem for files owned by this user that 
>> you can't account for. Also check your cron and at files under /var/cron
>> and
>> /var/at
>>
> 
> I found the cronjob which keeps restarting the script: 
> 
> [root@venus /var/cron/tabs]# ls -l
> total 12
> -rw-------  1 root  wheel  3440 Aug 25 12:06 colin
> -rw-------  1 root  wheel   240 Jul 28 23:49 www
> 
> [root@venus /var/cron/tabs]# cat www 
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (cron.job installed on Tue Jul 28 23:49:28 2009)
> # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24
> 2006/09/03 17:52:19 ru Exp $)
> */1 * * * * perl /tmp/tmpfile
> 
> I removed it, so now at least the script stops relaunching.
> 
> /tmp/tmpfile is of course the script.
> 
> In a subdirectory of tmp, there is a whole bunch of source code, all owned
> by 'www':
> 
> /tmp/.,]# ls -l
> total 5692
> -rw-r--r--  1 www  wheel  2844160 Mar 27 10:00 m.tgz
> drwxr-xr-x  4 www  wheel      512 Nov 10  2008 ml
> -rw-r--r--  1 www  wheel    43419 May 27 23:22 scanxml.txt
> 
> ]# ls -l ml
> total 3208
> -rwxr-xr-x  1 www  wheel     411 Mar 27 09:57 1.user
> -rwxr-xr-x  1 www  wheel     422 Mar 27 09:57 2.user
> -rwxr-xr-x  1 www  wheel  505767 Aug  3  2008 LinkEvents
> -rwxr-xr-x  1 www  wheel    2154 May 16  2003 Makefile
> -rwx--x--x  1 www  wheel  418490 Dec  3  2005 bsd
> -rwxr-xr-x  1 www  wheel     941 Dec  3  2005 checkmech
> -rwxr-xr-x  1 www  wheel   23237 May 16  2003 configure
> -rwx--x--x  1 www  wheel  397274 Dec  3  2005 crond
> -rwxr-xr-x  1 www  wheel   22882 May 16  2003 m.h
> -rwxr-xr-x  1 www  wheel    1054 Aug  3  2008 m.lev
> -rwx--x--x  1 www  wheel       6 May 25  2008 m.pid
> -rwxr-xr-x  1 www  wheel    1320 Mar 27 09:56 m.set
> -rwxr-xr-x  1 www  wheel   10240 Nov 10  2008 m.tgz
> -rwxr-xr-x  1 www  wheel  167964 Mar 16  2001 pico
> drwxr-xr-x  2 www  wheel     512 Mar  4  2005 r
> drwxr-xr-x  2 www  wheel    1024 Dec  3  2005 src
> 
> If anyone is interested in looking at this stuff, or wants more info, please
> let me know.
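The triage the thread describes (list the per-user crontabs under /var/cron/tabs, flag any entry that launches something from /tmp or a hidden directory, then find every file owned by the web user that you cannot account for) can be scripted. The following POSIX sh helpers are an added example, not code from the thread or from FreeBSD; they assume the FreeBSD layout (user crontabs in /var/cron/tabs, the web server running as "www") and use a constructed copy of the crontab shown above as demonstration input. Note what Olivier points out: a hit from these checks is the persistence mechanism the intruder left behind, and removing it does not close the hole used to get in.

```shell
#!/bin/sh
# Post-compromise triage helpers for a FreeBSD web host (added example, not
# part of the original thread). Assumptions: the web server runs as user
# "www" and per-user crontabs live in /var/cron/tabs as on FreeBSD. The
# spool directory and crontab contents built at the bottom are constructed.

# Print the active (non-comment, non-blank) entries of one crontab file.
cron_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# Print only the entries whose command runs something from a world-writable
# location (/tmp, /var/tmp, /dev/shm) or from a hidden path component such
# as the "/tmp/.," directory seen in the thread. Such an entry is the
# persistence mechanism to remove, not evidence of how the intruder got in.
suspicious_cron_entries() {
    cron_entries "$1" \
        | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/|/\.[^./]' || true
}

# Exit 0 if the crontab holds at least one suspicious entry, 1 otherwise.
crontab_is_suspicious() {
    [ -n "$(suspicious_cron_entries "$1")" ]
}

# Scan every per-user crontab in a spool directory (e.g. /var/cron/tabs) and
# print the name of each user whose crontab contains a suspicious entry.
scan_cron_spool() {
    for tab in "$1"/*; do
        [ -f "$tab" ] || continue
        if crontab_is_suspicious "$tab"; then
            printf '%s\n' "$(basename "$tab")"
        fi
    done
}

# List every regular file owned by a given user below a root, ls -l style,
# so files you cannot account for stand out. find descends into hidden
# directories on its own, so "/tmp/.," style hiding places are covered.
# The same call with root /var/at/jobs covers queued at(1) jobs.
files_owned_by() {
    user="$1"; root="$2"
    find "$root" -user "$user" -type f -exec ls -l {} + 2>/dev/null || true
}

# --- constructed demonstration spool -------------------------------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/tabs"
# Constructed copy of the crontab installed for "www" in the thread.
cat > "$DEMO/tabs/www" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.job installed on Tue Jul 28 23:49:28 2009)
*/1 * * * * perl /tmp/tmpfile
EOF
# A benign admin crontab for contrast (constructed).
cat > "$DEMO/tabs/colin" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh
EOF

scan_cron_spool "$DEMO/tabs"            # prints: www
suspicious_cron_entries "$DEMO/tabs/www" # prints the /tmp/tmpfile line
# Remove "$DEMO" when finished; on a real host point scan_cron_spool at
# /var/cron/tabs and files_owned_by at "www" with roots /tmp, /var/tmp and /.
```

On a live host, run the scan before removing anything: the crontab's installation timestamp in its header comment and the mtimes of the owned files give the time window to search in the web server logs for the request that created the first file, which is the question this check alone cannot answer.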


