Server compromised Zen-Cart "record company" Exploit

James Smallacombe up at 3.am
Sun Jan 31 21:41:24 UTC 2010


Whoever speculated that my server may have been compromised was on to 
something (see bottom).  The good news is, it does appear to be contained 
to the "www" unprivileged user (with no shell).  The bad news is, they can 
still cause a lot of trouble.  I found the compromised customer site and 
chmod 0 their cart (had php binaries called "core(some number).php" that 
gave the hacker a nice browser screen to cause all kinds of trouble).

Not sure if this is related to the UDP floods, but if not, it's a heck of 
a coincidence.  At times, CPU went through the roof for the www user, 
mostly running some sort of perl scripts (nothing in the suexec-log).  I 
would kill apache, but couldn't restart it as it would show port 80 in 
use.  I would have to manually kill processes like these:

www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34 /sbin/klogd -c 1 -x -x (perl)
www   70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84

I could not find ANY file named klogd on the system, let alone in /sbin. 
Clues as to how to dig myself out of this are appreciated....
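The two indicators in the post are mechanical enough to script: FreeBSD's ps prints the real executable in parentheses when a process has rewritten its own argv[0], which is exactly what "[eth0] (perl)" and "/sbin/klogd ... (perl)" mean, and the backdoors were files named core(number).php in the customer's web root. The triage helper below is an added example, not code from the original post or from any tool it mentions; it parses ps output (tolerating the line wrap a mail client introduces), flags www-owned processes whose displayed name does not match their executable, that use a kernel-thread style "[name]" under a non-root user, or that claim a binary path that is not on disk, and sweeps a directory for the core<digits>.php naming pattern. The sample ps text is constructed to mirror the lines quoted above; the path_exists hook exists so the "no such file" check can be exercised offline.

```python
"""Incident triage helpers for the indicators described in the post.
Added example; not code from the original post. The sample ps output
below is constructed to mirror the quoted lines."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Columns of `ps aux` on FreeBSD: USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND.
# COMMAND may be empty when a mail client wrapped it onto the next line.
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s*(?P<cmd>.*)$"
)
# ps appends "(realname)" when argv[0] no longer matches the executable.
REAL_EXE = re.compile(r"\((?P<exe>[^()]+)\)\s*$")
# Backdoor naming pattern reported in the post: core<digits>.php
BACKDOOR_NAME = re.compile(r"^core\d+\.php$", re.IGNORECASE)

# Constructed sample, modelled on the ps lines quoted in the post.
SAMPLE_PS = """\
USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34
/sbin/klogd -c 1 -x -x (perl)
www   70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84
root   123  0.0  0.1  6060  3828  ??  Ss    3:00PM   0:00.10 /usr/sbin/syslogd -s
"""


@dataclass
class Finding:
    pid: int
    user: str
    reason: str
    cmd: str


def parse_ps(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (user, pid, command) records; a line that is not a ps record is
    treated as the wrapped continuation of the previous command."""
    records: List[List] = []
    for line in lines:
        m = PS_LINE.match(line)
        if m:
            records.append([m.group("user"), int(m.group("pid")), m.group("cmd").strip()])
        elif records and line.strip():
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]


def triage_ps(text: str, web_user: str = "www",
              path_exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Flag suspicious processes owned by the web-server user."""
    findings: List[Finding] = []
    for user, pid, cmd in parse_ps(text.splitlines()):
        if user != web_user or not cmd:
            continue
        shown = cmd.split()[0]
        shown_base = os.path.basename(shown.strip("[]"))
        m = REAL_EXE.search(cmd)
        real = m.group("exe").strip() if m else None
        if real and os.path.basename(real) != shown_base:
            findings.append(Finding(pid, user,
                                    f"argv[0] spoofed: shows {shown!r}, executable is {real!r}", cmd))
        if shown.startswith("[") and shown.endswith("]"):
            # Genuine kernel threads never run under an unprivileged user.
            findings.append(Finding(pid, user, "kernel-thread style name under a non-root user", cmd))
        if shown.startswith("/") and not path_exists(shown):
            findings.append(Finding(pid, user, f"claims {shown} but no such file exists", cmd))
    return findings


def find_backdoor_files(root: str) -> List[str]:
    """Walk a web root and return files matching the core<digits>.php pattern."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if BACKDOOR_NAME.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    for f in triage_ps(SAMPLE_PS):
        print(f"pid {f.pid} ({f.user}): {f.reason}  <- {f.cmd}")
    for path in find_backdoor_files("."):
        print("suspect file:", path)
```

On a live box the same logic is `ps auxww` piped into triage_ps (the `ww` keeps ps from truncating long command lines), with the web root passed to find_backdoor_files; the empty-command line for pid 70472 is deliberately left unflagged because nothing about it can be judged from the listing alone.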

I found this in /tmp/bx1.txt:

#!/usr/bin/php
<?php

#
# ------- Zen Cart 1.3.8 Remote Code Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a)  is avaible on http://www.zen-cart.com/
#
# BlackH :)
#

error_reporting(E_ALL ^ E_NOTICE);
if($argc < 2)
{
echo "
=___________ Zen Cart 1.3.8 Remote Code Execution Exploit  ____________=
========================================================================
|                  BlackH <Bl4ck.H at gmail.com>                          |
========================================================================
|                                                                      |
| \$system> php $argv[0] <url>                                        |
| Notes: <url>      ex: http://victim.com/site (no slash)              |
|                                                                      |
========================================================================
";exit(1);

-----------  snipped ------

It is dated from two nights ago, after these issues started, but it's 
nonetheless alarming.  Security Focus is aware of the issue and refers you 
to Zen for the fix.  Only problem is, this is an old version of Zen cart, 
and the

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================


More information about the freebsd-questions mailing list