Robert,
        
        The only way to truly recover from a break-in is to fully restore the
        system from a trusted medium. That being said, here's what your script does:



1) Hide its name in the process table as '/usr/sbin/nscd             ' (100
spaces).

2) Bind to UDP port 1337 in order to receive control information and wait.
For this script to take any action, 3 arguments must be supplied: password,
command, and at least one argument. For some commands two arguments are
needed.

ping:   Sends a single UDP packet to $arg1 on port $arg2. This packet
        contains the word 'pong', followed by the output of 'uname -mnrs'.

redir:  Redirects a $localport to a remote $host and $port.

shell:  Opens a shell on a supplied port. The shell will be opened with
        the permissions of the user running the crontab (www-data), but
        root may then be attainable by a number of local exploits. ptrace is
        the first and easiest that comes to mind.

udp:    Sends a string containing 1337 copies of
        'Mess with the best - die like a rest!'
        as often as possible to a supplied $host for a given amount of
        $time. The destination port is random.
        ** Shouldn't it be 'Mess with the best - die like the rest!'
        anyway? I guess we haven't messed with those that are best at grammar.

ddns:   Begins a DoS attack against a specified DNS $host for a given amount of
        $time.

die:    If the correct password is supplied, this script will exit.


                Hope it helps clear things up.
                                --jordan

> 
> I have a question as to how safe a box is after
> it has been compromised by this perl script.
> I believe it opens up a shell account at 1337,
> but it shouldn't give them root access or the
> ability to log in as the web user at most should
> it ? Cuz if so that would be bad news for a lot
> of people who got hacked via this. Regardless I
> upgraded my kernel to the new version, is there
> anything else I should do to ensure there were
> no backdoors implemented by this. Also thanks
> for all of the initial help and responses I
> received. The debian community is truly a great
> example of mutual aid in effect.
> 
> Robert Ebright
> sysadmin at azone.org
> 

