Hello folks,
I'm new to this forum, but not terribly new to Linux.
I'm stumped trying to track down the origin of a security compromise on several of my Plesk servers.
We have found at least 5-10 web sites on several servers that have various foreign Perl scripts in their cgi-bin directory. The servers are all CentOS 4 or 5 running Plesk. The script says it's part of the Gootkit ddos system. Here's a snippet of one of the files:
===================
#!/usr/bin/perl
#part of the Gootkit ddos system
use Fcntl qw(:flock :DEFAULT);
use Socket;
use IO::Socket;
use IO::Select;
use POSIX 'setsid';
use Cwd 'abs_path';
print "Content-type: text/plain\n\n";
#---------------------------------------------------#
# CUSTOM parameters #
#---------------------------------------------------#
my $number_of_bots = 5;
my @defaults = ("camizio.net:80", "jumpbeat.net:80", "tagtags.net:80");
my $pingTimeout = 1200;
my $proxyPort = 5432;
#---------------------------------------------------#
===============
It appears that the file installs a cron job and executes every 1 minute and then tries to connect out to the world.
We block all "foreign" outbound traffic on odd ports, so they aren't getting anywhere with this, and it's easy to track down the files and remove them and clear the cron jobs.
BUT, what I can't track down is how they are loading these Perl scripts into the user's cgi-bin.
Here's an example of ownership:
-rwxr-xr-x 1 customer_name psacln 62934 Mar 2 05:35 contusive.pl
"customer_name" is actually the client's correct FTP username.
Because of the correct ownership, it would appear that these files were uploaded with FTP. We changed all the FTP passwords for the compromised sites yesterday, removed all of the Perl scripts from the cgi-bin and removed all the cron jobs. We also disabled Perl and cgi capabilities for all users who don't need it.
Today, the nasty files are back in the cgi-bin directories!
We checked the ftp logs for the users, and the output of "last", and there are no records of any of those users logging in with FTP.
I thought that maybe there was a common thread with the type of web site the users have. BUT, some of the sites are simply default and/or empty. No nasty PHP elements or any common thread between customers or web sites that I can find.
I ran the chkrootkit tool and it came back with a few false positives, but nothing obvious as far as a root kit.
Any clues about how they are getting these files up to our clients' web sites?
Thanks again for any help,
-Nick Voth
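An added hunting helper for the situation described in the post (not code from the post or from Plesk): it sweeps every vhost cgi-bin for Perl scripts carrying the "Gootkit" marker quoted above, reports owner and mtime so the re-upload time can be matched against FTP and web logs, and finds the per-user crontab files that re-run those scripts. The vhost root and crontab directory are passed in; the Plesk paths named in the comments and the sample tree are assumptions.

```shell
#!/bin/sh
# Added hunting helper (not from the post): find Perl scripts planted in
# vhost cgi-bin directories that carry the "Gootkit" marker quoted above,
# and find per-user crontab files that execute them. The vhost root and
# crontab directory are passed in; the Plesk paths below are assumptions.

# Print "owner mtime_epoch path" for each marked .pl under any cgi-bin.
find_planted_cgi_scripts() {
  find "$1" -path '*/cgi-bin/*' -name '*.pl' -type f 2>/dev/null |
  while IFS= read -r f; do
    # Match the self-identifying comment seen in the sample; -I skips binaries.
    if grep -qI 'Gootkit' "$f"; then
      printf '%s %s %s\n' "$(stat -c '%U' "$f")" "$(stat -c '%Y' "$f")" "$f"
    fi
  done
}

# List crontab files under $1 that reference a script found under $2
# (the persistence the post describes: a cron job re-running the script).
find_crontabs_running() {
  crondir="$1"; root="$2"
  find_planted_cgi_scripts "$root" | while read -r owner mtime path; do
    grep -lF "$path" "$crondir"/* 2>/dev/null
  done | sort -u
}

# Constructed fixture mirroring the post: one planted script owned by the
# FTP user, one clean script, one marker file outside cgi-bin (ignored),
# and a crontab entry that runs the planted script every minute.
build_sample_tree() {
  base="$1"
  mkdir -p "$base/vhosts/site1/cgi-bin" "$base/vhosts/site2/cgi-bin" \
           "$base/vhosts/site3/httpdocs" "$base/cron"
  printf '#!/usr/bin/perl\n#part of the Gootkit ddos system\n' \
    > "$base/vhosts/site1/cgi-bin/contusive.pl"
  printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$base/vhosts/site2/cgi-bin/form.pl"
  printf '#part of the Gootkit ddos system\n' > "$base/vhosts/site3/httpdocs/x.pl"
  printf '* * * * * %s\n' "$base/vhosts/site1/cgi-bin/contusive.pl" \
    > "$base/cron/customer_name"
  printf '0 3 * * * /usr/sbin/logrotate\n' > "$base/cron/root"
}

# On a real Plesk host the calls would be (paths are assumptions):
#   find_planted_cgi_scripts /var/www/vhosts
#   find_crontabs_running /var/spool/cron /var/www/vhosts
```

Comparing the reported mtime with the FTP, Apache and cron logs for the same minute narrows down which channel wrote the file when the FTP logs show no login.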