Possible intrusion?

PyrexKidd has asked for the wisdom of the Perl Monks concerning the following question:

WTF? I know the who belongs to the IP address that created the file. (is there any way to verify what IP address created what file?) My concern is that it did not come from the address specified. I found this in /tmp/udp.pl can anyone shed some light on this?

#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################

use Socket;

$ARGC=@ARGV;
[download]

I have removed the body of the code to reduce hacking attempts. Please do not copy/paste this code. Thanks

Comment on Possible intrusion? Download Code

Replies are listed 'Best First'.
Re: Possible intrusion? by aquarium (Curate) on Jun 10, 2010 at 23:33 UTC
Check your server access logs. My guess is that one (or more) of your cgi programs is not secure, allowing someone sneaky to upload a file into /tmp. You should be able to match up the date/time of the file and access to your CGI or possibly some other web component you're hosting, to find the insecure code. There is no entity/IP signature on a file. Btw the comment block lists some "hacker" aliases. odix is the signature but it could be absolutely anyone. the hardest line to type correctly is: stty erase ^H	[reply]
Re: Possible intrusion? by ikegami (Patriarch) on Jun 10, 2010 at 23:16 UTC
Possible intrusion? Yes. is there any way to verify what IP address created what file? IP addresses don't create files. I found this in /tmp/udp.pl can anyone shed some light on this? It sends a deluge of UDP packets to a specified address and port.	[reply]
Re: Possible intrusion? by choroba (Cardinal) on Jun 10, 2010 at 23:22 UTC
Google searching for "udp flood metch etech" shows lots of hits, for example this one: http://www.linuxquestions.org/questions/linux-security-4/attacks-with-udp-pl-help-261205/ with some explanation and advice. Also notice, as mentioned in another found page, that the `$rand` variable is never initialized.	[reply] [d/l]
Re: Possible intrusion? by aquarium (Curate) on Jun 10, 2010 at 23:35 UTC
you'll find heaps of these kinds of intrusions to other web servers, search web for the two words: odix udp the hardest line to type correctly is: stty erase ^H	[reply]
Re: Possible intrusion? by kikuchiyo (Hermit) on Jun 11, 2010 at 11:05 UTC
An idea: why don't you mount /tmp with a noexec flag, so that they can't run anything from it even if they uploaded their malicious code? (For this, /tmp has to be on a separate partition.)	[reply]
Re^2: Possible intrusion? by choroba (Cardinal) on Jun 11, 2010 at 12:24 UTC
Better than nothing, but it would still be possible to run the script by `perl /tmp/udp.pl`...	[reply] [d/l]