Josh-Daniel S. Davis (joshdavis) wrote,

Found CRAP!

OK, so one of the people with an account on my box is not the most technically savvy person in the world.
Well, trying to debug some of her crud, I found ref to a cron job.

What!?!?!
So I check it out, and I find this sort of disturbing stuff
[root@ns1:/var/tmp/  ]
/bin/bash# crontab -u jester -l
* * * * * /var/tmp/  /.access.log/y2kupdate >/dev/null 2>&1

[root@ns1:/var/tmp/  ]
/bin/bash# ls -alR
.:
total 572
drwxr-xr-x  3 jester nancy   4096 Jun  7 12:30 ./
drwxrwxrwt  7 root   root   28672 Jun 27 16:35 ../
-rw-r--r--  1 jester nancy   2843 Jun  7 12:30 c.htm
-rw-r--r--  1 jester nancy 529926 Apr 29 07:57 info.tar.gz
-rw-r--r--  1 jester nancy   1251 Jun  6 21:20 send
drwxr-xr-x  3 jester nancy   4096 Jun  6 07:13 ssh/
-rw-r--r--  1 jester nancy    124 Jun  7 12:13 target

./ssh:
total 1232
drwxr-xr-x  2 jester nancy    4096 Jun  7 06:25  /
drwxr-xr-x  3 jester nancy    4096 Jun  6 07:13 ./
drwxr-xr-x  3 jester nancy    4096 Jun  7 12:30 ../
-rw-r--r--  1 jester nancy       0 Jun  4 11:31 213.71.pscan.22
-rw-r--r--  1 jester nancy       0 Jun  5 06:51 66.22.pscan.22
-rwx------  1 jester nancy     715 Apr 16 09:54 assh*
-rwx------  1 jester nancy     206 Mar 28 01:39 auto*
-rw-r--r--  1 jester nancy     727 Jun  5 04:49 log.bigsshf
-rwxr-xr-x  1 jester nancy   22574 Apr 16 08:35 pscan2*
-rwxr-xr-x  1 jester nancy 1206920 Jun  5 06:51 sshf*

./ssh/ :
total 540
drwxr-xr-x  2 jester nancy   4096 Jun  7 06:25 ./
drwxr-xr-x  3 jester nancy   4096 Jun  6 07:13 ../
-rwxr-xr-x  1 jester nancy  22295 Jun  7 06:25 0*
-rw-r--r--  1 jester nancy   4096 Jun  7 06:30 213.161.pscan.80
-rwxr-xr-x  1 jester nancy    179 Apr  8 17:31 a*
-rwxr-xr-x  1 jester nancy 426030 Jun  7 06:25 a.out*
-rwxr-xr-x  1 jester nancy    573 Apr  8 15:37 c*
-rwxr-xr-x  1 jester nancy    162 Apr  8 15:37 cgifile*
-rwxr-xr-x  1 jester nancy   2626 Apr  8 15:37 http_get.c*
-rwxr-xr-x  1 jester nancy    270 Apr  8 15:37 http_get.h*
-rwxr-xr-x  1 jester nancy   1937 Apr  8 15:37 s*
-rwxr-xr-x  1 jester nancy    210 Apr  8 15:37 target*
-rw-r--r--  1 jester nancy     68 Jun  6 07:23 vuln.txt
-rwxr-xr-x  1 jester nancy  27237 Apr  8 15:37 x*
-rwxr-xr-x  1 jester nancy  20461 Jun  7 06:25 z*


Apparently, one of its ways in is that it exploits awstats.pl, brute forces ssh, and a variety of other tools I haven't figured out yet.
Tags: computers, evil, spam
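
A defender's check for the kind of crontab entry shown in the post, as an added example that is not part of the original post: it flags cron commands that run out of world-writable temp directories or through whitespace-only or dot-hidden path components, and notes an every-minute schedule and discarded output as supporting signals. The function name, the heuristics and the benign sample lines are this example's own assumptions; only the last sample line is taken from the post.

```python
import re

# Heuristics drawn from the entry in the post; names here are this example's own.
TEMP_DIR = re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm)/")
BLANK_PART = re.compile(r"/\s+/")                 # directory named only with spaces
HIDDEN_PART = re.compile(r"/\.[^/\s.][^/\s]*")    # dot-prefixed file or directory
SILENCED = re.compile(r">\s*/dev/null")
ENV_LINE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*=")

def audit_crontab(text):
    """Return (line_no, command, reasons) for each suspicious entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot cmd" has one schedule token, a normal entry has five.
        special = line.startswith("@")
        parts = line.split(None, 1 if special else 5)
        if len(parts) < (2 if special else 6):
            continue  # malformed line, nothing to run
        schedule, command = parts[:-1], parts[-1]
        reasons = []
        if TEMP_DIR.search(command):
            reasons.append("runs from world-writable temp directory")
        if BLANK_PART.search(command):
            reasons.append("whitespace-only path component")
        if HIDDEN_PART.search(command):
            reasons.append("hidden path component")
        if not reasons:
            continue  # schedule and silencing alone are too common to flag
        if schedule == ["*"] * 5:
            reasons.append("fires every minute")
        if SILENCED.search(command):
            reasons.append("output discarded")
        findings.append((line_no, command, reasons))
    return findings

# Sample input: the first four lines are constructed, the last is from the post.
SAMPLE = """\
MAILTO=root
# nightly log rotation
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/local/bin/check-disk >/dev/null 2>&1
* * * * * /var/tmp/  /.access.log/y2kupdate >/dev/null 2>&1
"""

if __name__ == "__main__":
    for line_no, command, reasons in audit_crontab(SAMPLE):
        print(f"line {line_no}: {command}\n  -> " + "; ".join(reasons))
```

To cover every account, feed it the output of `crontab -u <user> -l` for each user; a hit is a prompt for triage, since legitimate jobs occasionally touch dot-directories.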