Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
changmingyu
New Member
Joined: Oct 04, 2005
Posts: 1
Posted: Tue Oct 04, 2005 3:35 am

My FC-3 server has been hacked through the incompletely updated bbtonuke.

This guy put a file into the /tmp directory and executed it.

The file seems composed of lots of machine code which I can't tell,
except,
....
pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx /dev/pty /dev/tty socket bind listen PsychoPhobia Backdoor is starting... OK, pid = %d
/ /dev/null sh -i /var/tmp HOME=%s Can't fork pty, bye!

Could anyone kindly advise me how to find out whether a backdoor was planted on my server or not?

Thanks
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Tue Oct 04, 2005 4:12 am

Well, this is what I could find with a little how-to, and what happened...

--------------start sample-----------------------------
These functions are simply documented:

> /* creates tty/pty name by index */
> /* search for free pty and open it */
> /* to avoid creating zombies(fantasmas) lol */

An analysis of the program itself:
> int main()
Create a daemon, listening for TCP connections on a given port
> printf("PsychoPhobia Backdoor is starting..."); fflush(stdout);
Note that this is meant to run interactively. Someone already has access to
your system, they are just running this program.
> char *argv[] = {"sh", "-i", NULL};

Remote shell. This is like a telnet server.
So this is NOT how they gained ** initial ** entry to your system. Somebody
already had access to a user account, perhaps nobody. What they've done is
moved code onto your system, compiled it into a program, and run a little
custom telnet server that lets them get a proper remote shell.
You might have had a CGI vulnerability on a web server that allowed them to
execute arbitrary commands.
The program seems well written but it's not a security threat in itself, I
don't believe it includes any kind of exploit (but I'm tired and on my way
to bed). The program itself is pretty harmless; if you had netcat on your
system the attacker could have used that to accomplish the same thing.
You should keep that hard drive for future analysis, but reinstall
everything on your system from scratch. When an attacker gets to the point
where they can execute arbitrary commands on your system, it's a hop, skip
and a jump to a root shell.

---------------------------end sample-----------------------------------------

It's not completely the same, but a sample of what the same group probably did... creating a backdoor on a certain port.
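The first post asks how to tell whether a backdoor of this kind was planted, and the quoted analysis names the traits that give it away: a pty is allocated, a socket is bound and listened on, and `sh -i` is executed. The Python script below is an added example written for this thread, not code from either poster or from the quoted analysis. It does two things a defender would do during triage: scores a binary (a file recovered from /tmp, say) for that combination of strings, and flags running processes whose executable lives in a scratch directory or has been deleted from disk. The byte sample is constructed to mimic the strings quoted in the first post, the process list is made up, and all function names and thresholds are this example's own assumptions.

```python
"""Triage helpers for a pty-based bind-shell backdoor (added example, not the
thread's own code). Python 3, standard library only. Run with a file path to
score that file and, on Linux, list suspicious processes from /proc."""
import os
import re
import sys

# Indicators taken from the strings quoted in the thread. A banner alone is
# enough; otherwise we require pty + socket/bind/listen + "sh" "-i" together.
BANNER_MARKERS = ("PsychoPhobia Backdoor", "Can't fork pty")
PTY_MARKERS = ("/dev/ptmx", "/dev/pty", "/dev/tty")
SOCKET_MARKERS = ("socket", "bind", "listen")
SHELL_MARKERS = ("sh", "-i", "/dev/null")

# World-writable places where dropped tools are typically staged (assumption).
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal equivalent of strings(1): runs of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def assess_binary(data: bytes) -> dict:
    """Return the evidence found and a verdict for one binary blob."""
    strs = set(extract_strings(data, min_len=2))  # "sh" and "-i" are 2 chars
    found = {
        # banner sits inside a longer printf string, so match by substring
        "banner": [b for b in BANNER_MARKERS if any(b in s for s in strs)],
        # library symbols and device paths are whole NUL-terminated strings,
        # so match them exactly ("bind" must not be satisfied by "binding")
        "pty": sorted(s for s in strs if s in PTY_MARKERS),
        "socket": sorted(s for s in strs if s in SOCKET_MARKERS),
        "shell": sorted(s for s in strs if s in SHELL_MARKERS),
    }
    combo = (bool(found["pty"])
             and set(found["socket"]) == set(SOCKET_MARKERS)
             and {"sh", "-i"} <= set(found["shell"]))
    found["verdict"] = ("bind-shell backdoor" if found["banner"] or combo
                        else "no bind-shell traits")
    return found


def suspicious_processes(entries) -> list:
    """entries: iterable of (pid, exe_path) as read from /proc/<pid>/exe.
    Flags binaries run from a scratch directory or unlinked after launch,
    the two patterns the thread describes (file dropped into /tmp, then run)."""
    hits = []
    for pid, exe in entries:
        reason = None
        if exe.endswith(" (deleted)"):
            reason = "binary deleted after launch"
        elif any(exe == d or exe.startswith(d + "/") for d in SCRATCH_DIRS):
            reason = "running from world-writable scratch directory"
        if reason:
            hits.append((pid, exe, reason))
    return hits


def live_process_entries():
    """Yield (pid, exe) from /proc on Linux; needs root to see every process."""
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                yield int(name), os.readlink("/proc/%s/exe" % name)
            except OSError:
                continue  # process exited or permission denied


# Constructed sample: a fake string table mimicking the strings the poster
# quoted, separated by NUL bytes as in a real ELF. Not a real binary.
SAMPLE_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"pqrstuvwxyzabcde", b"0123456789abcdef", b"/dev/ptmx", b"/dev/pty",
    b"/dev/tty", b"socket", b"bind", b"listen",
    b"PsychoPhobia Backdoor is starting... OK, pid = %d",
    b"/", b"/dev/null", b"sh", b"-i", b"/var/tmp", b"HOME=%s",
    b"Can't fork pty, bye!",
]) + b"\x00\x90\x90\x00"

# Constructed benign server: listens on a socket but opens no pty, no "sh -i".
BENIGN_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"socket", b"bind", b"listen", b"Usage: %s [port]", b"bash",
]) + b"\x00"

# Constructed process list in the shape /proc/<pid>/exe would give.
SAMPLE_PROCESSES = [
    (1, "/sbin/init"),
    (4242, "/tmp/.x/pqrs"),
    (4243, "/var/tmp/httpd (deleted)"),
    (800, "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(assess_binary(f.read()))
        if sys.platform.startswith("linux"):
            for hit in suspicious_processes(live_process_entries()):
                print("suspicious:", *hit)
    else:
        print(assess_binary(SAMPLE_BINARY)["verdict"])
        print(assess_binary(BENIGN_BINARY)["verdict"])
        for hit in suspicious_processes(SAMPLE_PROCESSES):
            print("suspicious:", *hit)
```

The string check deliberately requires the combination rather than any single marker: many legitimate daemons link `socket`, `bind` and `listen`, so the benign sample scores clean, while the pty devices plus `sh` and `-i` alongside them are what make a remote shell. The process check is the live counterpart of the poster's observation that the file was run from /tmp; a binary reported as `(deleted)` is the other common sign, since the dropped file is often removed once it is running.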