stat running as www weirdness - generating INCOMING traffic

Ruben Bloemgarten ruben at bloemgarten.demon.nl
Thu Jun 23 23:07:03 GMT 2005


After I stopped being lazy (my sincere apologies) and a little backtracking
I realized I had been seriously compromised.

A cronjob had been installed in /var/tmp/httpd.cron

This contained the following disturbing files:

drwxr-xr-x  3 www  wheel   512B Jun 23 23:30 ../
-rw-r--r--  1 www  wheel   327M Jun 22 09:46 my.summer.of.love.2005.italian.md.ts.xvid-mcf.avi
drwxr-xr-x  4 www  wheel   1.0K Jun 22 06:31 ./
-rw-r--r--  1 www  wheel   482M Jun 21 22:39 My.SuMMer.Of.LoVe.2005.iTaLiaN.MD.TS.XviD-MCF.avi
-rw-r--r--  1 www  wheel   1.1K Jun 21 07:08 Infodll.state
-rw-r--r--  1 www  wheel   1.1K Jun 21 07:05 Infodll.state~
-rw-r--r--  1 www  wheel     0B Jun 19 16:54 PROFONDO_BLU_.avi
-rw-r--r--  1 www  wheel   6.0K Jun 16 01:05 README.txt
-rw-r--r--  1 www  wheel   1.5K Jun 12 21:46 httpd.cron
-rwxr-xr-x  1 www  wheel   207K Jun 10 18:52 stat*
drwxr-xr-x  2 www  wheel   512B Jun 10 18:52 obj/
-rwxr-xr-x  1 www  wheel  59.8K Jun 10 18:51 convertxdccfile*
-rw-r--r--  1 www  wheel   4.2K Jun 10 18:51 Makefile
drwxr-xr-x  2 www  wheel   512B Jun 10 18:51 src/
-r--r--r--  1 www  wheel  22.6K Jan 17 00:17 sample.config
-r--r--r--  1 www  wheel  15.6K Jan 17 00:17 COPYING
-r--r--r--  1 www  wheel  23.0K Jan 17 00:17 WHATSNEW
-r--r--r--  1 www  wheel   4.0K Jan 17 00:17 Makefile.config
-r-xr-xr-x  1 www  wheel  28.5K Jan 17 00:17 Configure*
-r-xr-xr-x  1 www  wheel   857B Jan 17 00:17 iroffer.cron*
-r-xr-xr-x  1 www  wheel   942B Jan 17 00:17 dynip.sh*
-r--r--r--  1 www  wheel   5.0K Jan 17 00:17 README
-rw-r--r--  1 www  wheel    15B Jan 17 00:17 .cset_number

Iroffer had been installed (http://iroffer.org/).

The cronjob did the following:

more httpd.cron
################### Logging #################
#pidfile Infodll.pid
#logfile Infodll.log
logstats no
logrotate weekly
statefile Infodll.state
###########################################


#################### Connection #############
connectionmethod direct
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
channel #Eternity.staff -key otis
user_realname ETE
user_modes +ix
loginname ETE
tcprangestart 4000
#usenatip 195.41.47.74
###########################################


#################### Slots and Queue ##############
slotsmax 15
queuesize 25
nickserv_pass beatat
maxtransfersperperson 1
maxqueueditemsperperson 1
restrictlist yes
restrictsend yes
#restrictprivlist yes
############################################

##################### Headline ################
creditline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
headline ^C14\ \^C15^B Staff f0r #Eternity ^C14\\^B^C
############################################


############# Adminhost and download ###############
adminhost *!*@Eternity.Staff
adminhost *!*@Eternity.Staff
adminhost *!*@*Eternity.Staff*
uploadhost *!*@*
downloadhost *!*@*.*
downloadhost *!*@*
#firewall yes
hideos yes
#############################################


################ ADMINPASS GOES HERE ##############
adminpass pYiNmgVwHKZHE
##############################################


####### RUNTIME ADDED #######


filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
user_nick ETE|DivX-01

Using dynip to advertise my box.

Aaaargh!

Thanks for the help anyway.

Regards, 

Ruben





-----Original Message-----
From: Chuck Swiger [mailto:cswiger at mac.com] 
Sent: June 23, 2005 7:26 PM
To: ruben at bloemgarten.demon.nl
Cc: FreeBSD-questions at FreeBSD.org
Subject: Re: stat running as www weirdness - generating INCOMING traffic

Ruben Bloemgarten wrote:
> I'm seeing weirdness of stat opening up port 4000+ and generating/receiving
> enormous amounts of incoming traffic, i.e. 400Gb over a 24-hour time
> period. Does this sound familiar to anyone? Thanks for any brain usage not
> my own.

Insufficient data.  From which port(s) to which port(s), and are the IP
addresses on the other side the same or a random range (which would imply your
machine has been hacked and is scanning outwards)?

Showing a tcpdump of a few example connections would be really useful.

-- 
-Chuck
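The httpd.cron file quoted in the message above is an ordinary iroffer config, so it doubles as an indicator list for the box it was found on: the IRC server and port it connects to, the tcprangestart that explains the "port 4000+" listeners, and the directories it serves from. The following is an added example, not part of the original post or of iroffer, showing how a responder could pull those indicators out of such a file and check them against `sockstat -4` output. The config excerpt reuses values from the quoted file; the sockstat lines, process names and PIDs are constructed; the 1000-port window above tcprangestart is an assumption, since the file sets no upper limit.

```python
"""Turn an iroffer-style config into host indicators and check sockstat
output against them. Added example; the sockstat sample is constructed."""

# Excerpt with the values from the httpd.cron quoted in the post.
IROFFER_CONFIG = """\
################### Logging #################
#pidfile Infodll.pid
statefile Infodll.state
server 66.225.223.54 6666
server 66.225.223.54 6669
server 66.225.223.54 6667
channel #Eternity -key otis
tcprangestart 4000
user_nick ETE|DivX-01
filedir /var/tmp/cron/httpd
uploaddir /var/tmp/cron/httpd
"""

# Constructed `sockstat -4` output; the stat/httpd/sshd lines are made up.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      stat       2114  3  tcp4   10.0.0.5:4001         *:*
www      stat       2114  4  tcp4   10.0.0.5:43211        66.225.223.54:6667
www      httpd      811   3  tcp4   *:80                  *:*
root     sshd       601   3  tcp4   *:22                  *:*
"""


def parse_iroffer_config(text):
    """Parse 'key value...' lines, skipping blanks and '#' comments.
    'server' and 'channel' may repeat, so they accumulate into lists."""
    cfg = {"server": [], "channel": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "server":
            host, _, port = rest.strip().partition(" ")
            cfg["server"].append((host, int(port) if port.isdigit() else None))
        elif key == "channel":
            cfg["channel"].append(rest.split()[0])   # drop '-key ...'
        else:
            cfg[key] = rest.strip()
    return cfg


def indicators(cfg, range_width=1000):
    """Derive what to look for on the host. range_width is an assumption:
    the config only sets tcprangestart, so we watch a window above it."""
    start = int(cfg.get("tcprangestart", 0))
    return {
        "irc_servers": {host for host, _ in cfg["server"]},
        "listen_ports": range(start, start + range_width) if start else range(0),
        "dirs": {cfg[k] for k in ("filedir", "uploaddir") if k in cfg},
    }


def _port(addr):
    """'10.0.0.5:4001' -> 4001; '*:*' -> None (no port, i.e. listening)."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def _host(addr):
    return addr.rpartition(":")[0]


def flag_sockets(lines, ind, user="www"):
    """Return (pid, command, reason) for every socket matching an indicator:
    a listener owned by `user` inside the tcprange, or any connection to one
    of the IRC servers named in the config."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[0] == "USER":        # skip header / short lines
            continue
        owner, cmd, pid, _fd, _proto, local, foreign = f[:7]
        lport = _port(local)
        if (owner == user and lport is not None
                and lport in ind["listen_ports"] and _port(foreign) is None):
            hits.append((pid, cmd, f"{owner} listens on {lport}, inside iroffer tcprange"))
        if _host(foreign) in ind["irc_servers"]:
            hits.append((pid, cmd, f"connected to IRC server {foreign} named in the config"))
    return hits


if __name__ == "__main__":
    ind = indicators(parse_iroffer_config(IROFFER_CONFIG))
    print("directories to inspect:", sorted(ind["dirs"]))
    for pid, cmd, why in flag_sockets(SAMPLE_SOCKSTAT.splitlines(), ind):
        print(f"pid {pid} ({cmd}): {why}")
```

On a live host the same functions can be fed the real config and the output of `sockstat -4`; the two hits in the sample (the www-owned `stat` process listening at 4001 and its connection to the config's IRC server) are exactly what Chuck's "from which port(s) to which port(s)" question was probing for, while the legitimate httpd and sshd listeners are left alone.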



-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.7.11/26 - Release Date: 06/22/2005

