Suspicious Client..


Robert
08-01-03, 08:18 AM
I have a client who has been with us for 2 months. Within those 2 months he has never pointed his domain to us; he has always changed the nameservers every week to a different host. His virtual path on our server is empty, except for the welcome page. Recently I noticed that there are 4 processes running in the background under his username. Located in his cgi-bin (only viewable via FTP and SSH), he has 2 files: cch.cgi and yst. YST is running in the background, uses very little RAM and is hardly noticeable. It's also compiled. cch.cgi contains the following:


#!/usr/bin/perl

# Created on 02.06.2003 14:36:49

$| = 1;
#use strict;
use CGI;

$form = new CGI;
print $form->header;

#print "Content-type: text/plain\n\n";

$id1 = $form->param('id1');
$rname1 = $form->param('roomname1');
$num1 = $form->param('num1');

$id2 = $form->param('id2');
$rname2 = $form->param('roomname2');
$num2 = $form->param('num2');

$id3 = $form->param('id3');
$rname3 = $form->param('roomname3');
$num3 = $form->param('num3');

$id4 = $form->param('id4');
$rname4 = $form->param('roomname4');
$num4 = $form->param('num4');

$id5 = $form->param('id5');
$rname5 = $form->param('roomname5');
$num5 = $form->param('num5');

$SIG{ALRM} = sub {
print ".";
alarm 10;
};

print "hi";
#alarm 10;

#$cmnd="killall yst";
$cmnd=`killall yst`;

print "<pre>pre: $cmnd</pre>";

$cmnd1="./yst $id1 $rname1:$num1 >/dev/null &";
$cmnd2="./yst $id2 $rname2:$num2 >/dev/null &";
$cmnd3="./yst $id3 $rname3:$num3 >/dev/null &";
$cmnd4="./yst $id4 $rname4:$num4 >/dev/null &";
$cmnd5="./yst $id5 $rname5:$num5 >/dev/null &";

if ($id1){ $cmnd1=`$cmnd1`; }
if ($id2){ $cmnd2=`$cmnd2`; }
if ($id3){ $cmnd3=`$cmnd3`; }
if ($id4){ $cmnd4=`$cmnd4`; }
if ($id5){ $cmnd5=`$cmnd5`; }

print "exe2: $cmnd1\n";


I went to the preview URL of his current host and noticed he also uploaded those 2 scripts.

I've sent him an email and he hasn't replied. I have suspended his site and killed the processes. I really feel bad for suspending it, but until I can be 100% sure it's not a hazard to the servers and our clients, I cannot allow it to run.

Anyone have any idea what it is and what it does?

Thanks.
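The cch.cgi script in the post above takes request parameters (id1, roomname1, num1, ...) and interpolates them unmodified into a command string that is then run with backticks, so anyone who can reach the CGI URL controls what the shell executes under that account. The following is an added example, not code from the thread or from the client's files: a small static check that walks a Perl CGI source, tracks which variables derive from `->param(...)`, and reports every backtick/system/exec call whose command text contains one of them. The embedded sample is a constructed excerpt with the same structure as the posted script.

```python
import re

# Constructed excerpt mirroring the shape of the posted cch.cgi (not the real file).
SAMPLE_CGI = r'''$| = 1;
use CGI;
$form = new CGI;
$id1 = $form->param('id1');
$rname1 = $form->param('roomname1');
$num1 = $form->param('num1');
$cmnd=`killall yst`;
$cmnd1="./yst $id1 $rname1:$num1 >/dev/null &";
if ($id1){ $cmnd1=`$cmnd1`; }
print "exe2: $cmnd1\n";'''

PARAM_RE = re.compile(r"\$(\w+)\s*=\s*\$\w+->param\(\s*'(\w+)'")   # $var = $q->param('name')
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')                 # $var = "interpolated string"
SHELL_RE = re.compile(r"`([^`]*)`|\b(?:system|exec)\s*\(([^)]*)\)")  # backticks, system(), exec()


def _origins(text, tainted):
    """Union of request-parameter names behind every tainted variable used in text."""
    found = set()
    for var, params in tainted.items():
        if re.search(r"\$" + re.escape(var) + r"\b", text):
            found |= params
    return found


def find_tainted_shell_calls(source):
    """Return [(line_no, [param names])] for each shell invocation whose command
    text contains a variable that (directly or via string assignment) came from CGI input."""
    tainted = {}   # perl variable name -> set of originating request parameters
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = PARAM_RE.search(line)
        if m:
            tainted[m.group(1)] = {m.group(2)}
            continue
        m = ASSIGN_RE.search(line)
        if m:
            origins = _origins(m.group(2), tainted)
            if origins:
                tainted[m.group(1)] = origins      # taint propagates through "..."
        for m in SHELL_RE.finditer(line):
            body = m.group(1) if m.group(1) is not None else m.group(2)
            origins = _origins(body, tainted)
            if origins:
                findings.append((lineno, sorted(origins)))
    return findings
```

Run against the sample it flags only line 9 (the backtick execution of $cmnd1) and attributes it to id1, roomname1 and num1; the untainted `killall yst` call is not reported.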

allan
08-01-03, 01:13 PM
Looks like some sort of IRC script -- have you done tcpdump on the box, to look for 6666 and 6667 traffic?

Robert
08-01-03, 01:29 PM
Yeah, and nothing. It's some chatting script... hmm, we'll see what happens when he sends us an email and complains.