Hi all. After a two-month absence, I'm back, and I've got a problem.
I recently discovered a copy of PsyBNC, an IRC client, installed in
/private/var/tmp/ on a client's Xserve running MOSXS v.10.3.9 on a
public IP address. Simultaneously, I noticed that a file named
"pula" had been created in /tmp, the beginning text of which is the
following:
#!/usr/bin/perl
#
# ShellBOT - FBI TEAM Corporation
#
# 0ldW0lf - email@hidden
# - www.security.cnc.net
#
#
#
################ CONFIGURATION #################################################################
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Name of the process as it will appear in ps #
#----------------------------------------------################################################
my $linas_max='8'; # Avoids flooding :) after X lines #
#----------------------------------------------################################################
my $sleep='4'; # it sleeps X seconds #
##################### IRC #####################################################################
my @adms=("bujuzip"); # Administrator's nick #
I have the full text of the file to share with anyone who wants it.
The end result was that this jackass was able to relay spam from the
server for a couple of hours before I discovered him. I immediately
took the machine off the network, removed all suspect files, and
reset all passwords, including admins, non-admins, and root. Since
reconnecting the box to the network and rebooting it, I've seen no
more problems. As usual, the logs are filled with the harmless
attempts of jerks trying to log in to the server by brute-forcing
passwords and users, but that's it. My questions are:
1. How can something like this happen?
2. How can I prevent it from happening again?
3. Should I worry about the box being compromised in some other way?
What could I have missed?
I've been keeping up with all security patches, and the machine is
running a bone stock Apple implementation, except for a customized
Postfix main.cf/master.cf setup for spam and virus filtering with
SpamAssassin v.3.0.2 (running on Perl v.5.8.1), and ClamAV v.0.83
(on my list of things to upgrade).
TIA for your insights and suggestions.
Ted Dively
--
Group D Communications
Technology Consulting -- IT, Databases, Software, Websites, Hosting
www.groupd.com
PH 415.701.8331
FX 415.701.8332
P.O. Box 170697
San Francisco, CA 94117-0697
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
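One practical check that follows from the bot's configuration quoted above: the script sets `$processo` to `/usr/local/apache/bin/httpd -DSSL`, which Perl scripts do by assigning `$0`, so `ps` shows an Apache-looking command line while the kernel still records the executable name as `perl`. The script below, an added example and not code from the original post, compares the two columns of `ps -eo pid,comm,args` and flags processes whose argument vector claims a different program than the kernel name. The `SAMPLE_PS` text is constructed, not taken from the compromised Xserve, and the script assumes a current Python 3 with a BSD or procps `ps`.

```python
"""Flag processes whose kernel-recorded executable name (ps 'comm') does not
match the program name they advertise in their argument vector (ps 'args')."""
import os
import subprocess
import sys

# Constructed sample of `ps -eo pid,comm,args` output (not captured from the
# machine in the post). PID 412 imitates the fake name the bot config sets.
SAMPLE_PS = """\
  PID COMM             ARGS
    1 launchd          /sbin/launchd
  412 perl             /usr/local/apache/bin/httpd -DSSL
  415 httpd            /usr/sbin/httpd -D FOREGROUND
  520 bash             -bash
  530 perl             /usr/bin/perl -T /usr/local/bin/spamd
  611 kworker/0:1      [kworker/0:1]
"""

# Linux truncates comm to 15 characters; treat a comm of that length as a
# prefix of argv[0] instead of demanding an exact match.
LINUX_COMM_LEN = 15


def parse_ps(text):
    """Parse `ps -eo pid,comm,args` output into (pid, comm, args) tuples."""
    rows = []
    for line in text.splitlines()[1:]:       # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        rows.append(tuple(parts))
    return rows


def names_agree(comm, args):
    """True when the advertised argv[0] is consistent with the kernel's comm."""
    argv0 = args.split()[0]
    if argv0.startswith('['):                # kernel threads carry no argv
        return True
    argv0 = argv0.lstrip('-')                # login shells show as "-bash"
    comm_base = os.path.basename(comm)       # macOS reports comm as a full path
    argv0_base = os.path.basename(argv0)
    if argv0_base == comm_base:
        return True
    if len(comm_base) >= LINUX_COMM_LEN and argv0_base.startswith(comm_base):
        return True
    return False


def find_spoofed(text):
    """Return (pid, comm, args) for every process whose two names disagree."""
    return [row for row in parse_ps(text) if not names_agree(row[1], row[2])]


def live_ps():
    """Run the system ps with wide output so long argument vectors survive."""
    return subprocess.run(['ps', '-eww', '-o', 'pid,comm,args'], check=True,
                          capture_output=True, text=True).stdout


if __name__ == '__main__':
    # `--sample` runs against the constructed data; otherwise inspect this host.
    text = SAMPLE_PS if '--sample' in sys.argv else live_ps()
    for pid, comm, args in find_spoofed(text):
        print(f'pid {pid}: kernel name {comm!r} but argv claims {args!r}')
```

On the sample data only PID 412 is reported: PID 530 is also `perl`, but its argv[0] honestly says `/usr/bin/perl`, and the login shell `-bash` and the bracketed kernel thread are handled explicitly. A mismatch is a lead to investigate, not proof of compromise, since a few legitimate daemons rewrite their own titles too; on a box like the one described, the shortlist is small enough to check by hand.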