
Hacking Perl Script


10 replies to this topic

#1 falco85 (Programmer, Members, 105 posts)
I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediately went to the directory the script was inserted into, "/tmp", and opened the file. The first line reads #!/usr/bin/perl and even though I have used Perl before I still don't entirely understand what this script does.

Edit: Code Removed

I can see that it opens lynx and connects to the local machine, but what does this do:

[highlight="Perl"]
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
[/highlight]

I understand echo and uname, but is it calling /bin/sh?

From this point down I do not understand any of it; I do not really understand what it is doing:

[highlight="Perl"]
EDIT: Code Removed
[/highlight]

Can someone help me figure out what the intention of this script is?

Edited by Jordan, 30 January 2009 - 06:13 AM.
#2 KevinADC (Programmer, Members, 125 posts)
Hmmm.... I don't know what it is trying to do. Maybe ask on PerlMonks - The Monastery Gates; if you get an answer, post back here.

#3 Lop (Speaks fluent binary, Members, 1,172 posts)
It looks like it is just loading a website. The arguments could be anything though. It doesn't look malicious.

#4 zosorock (Newbie, Members, 1 post)
I believe it is indeed malicious. In my case I was presented with a mail queue of 9000 emails trying to send out a phishing/scam type of email (excerpt below), right after this script showed up.

I am not that good of a server admin but I am pretty sure this script started it somehow.

Excerpt of the email:
The Local Organizing Committee of the Heineken European Champions League is glad to announce to the world the giving away of the sum of TWO HUNDRED MILLION POUNDS to 100 lucky email addresses all over the world.

I hope you didn't have the same problem... it was pretty annoying to delete all those... thankfully they all came from nobody@.

#5 ETbyrne (Learning Programmer, Members, 30 posts)
Did you ever find out what it was?

#6 TkTech (The Crazy One, Moderators, 1,396 posts)
It in itself is not malicious. It connects to an external server and port passed as parameters to the script and sends all of the detailed system information to that server. Then that can be used to find common security flaws for that OS/arch.
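To answer the "is it calling /bin/sh?" question from a defender's side: in Perl, the single-quoted line is only a string; nothing runs until the script hands that string to a shell, at which point the backticks substitute the output of uname -a and id, and the trailing /bin/sh starts a shell. What an admin who finds an unexplained file in /tmp wants is a quick way to triage it for exactly the traits described in this thread (system-information collection, a shell spawn, a socket, and a host/port taken from the command line). The following Python script is an added example, not code from the original post or from the removed script; the indicator names and thresholds are my own, and the two sample files are constructed, containing only the one line quoted above plus generic fragments.

```python
import os
import re
import tempfile

# Indicator patterns for triaging an unexpected script found in a world-writable
# directory such as /tmp. The pattern names are my own; the indicators follow
# what the thread describes: a Perl shebang, shell command substitution of
# `uname -a` and `id`, a /bin/sh spawn, a socket module, a lynx fetch, and a
# host/port taken from the command line.
INDICATORS = {
    "perl_shebang": re.compile(r"^#!\s*/usr/bin/(?:env\s+)?perl", re.M),
    "sysinfo_collection": re.compile(r"`\s*(?:uname\s+-a|id)\s*`"),
    "shell_spawn": re.compile(r"/bin/(?:ba)?sh\b"),
    "socket_use": re.compile(r"\bIO::Socket\b|\bsocket\s*\("),
    "argv_host_port": re.compile(r"\$ARGV\[[01]\]|=\s*@ARGV\b"),
    "lynx_fetch": re.compile(r"\blynx\b"),
}
# A shebang or a lynx call alone is not evidence; these four carry the weight.
STRONG = {"sysinfo_collection", "shell_spawn", "socket_use", "argv_host_port"}

# Constructed samples (assumption). SUSPICIOUS_SAMPLE contains only the one
# line quoted in the thread plus the two generic features TkTech describes
# (a socket module and host/port arguments); it is not the removed script.
SUSPICIOUS_SAMPLE = """#!/usr/bin/perl
use IO::Socket;
my ($host, $port) = @ARGV;
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
"""
BENIGN_SAMPLE = """#!/usr/bin/perl
use strict;
print "cleanup done\\n";
"""


def triage_script(text):
    """Return the names of all indicators present in the text, in table order."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def risk_level(hits):
    """Grade a hit list by how many strong indicators it contains."""
    n = len(STRONG.intersection(hits))
    return "high" if n >= 3 else "medium" if n >= 1 else "low"


def scan_dir(root, max_bytes=1_000_000):
    """Walk root and triage every readable file up to max_bytes.

    Returns a list of (path, hits); unreadable or oversized files are skipped.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            results.append((path, triage_script(text)))
    return results


def demo():
    """Write the constructed samples into a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as scratch:
        for name, body in (("back", SUSPICIOUS_SAMPLE), ("ok.pl", BENIGN_SAMPLE)):
            with open(os.path.join(scratch, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): (risk_level(h), h) for p, h in scan_dir(scratch)}


if __name__ == "__main__":
    # Point scan_dir at "/tmp" on a real box; the demo uses a scratch directory.
    for name, (level, hits) in sorted(demo().items()):
        print(f"{name}: {level} {hits}")
```

The grading deliberately ignores the shebang on its own, since a Perl file in /tmp is not suspicious by itself; what raised the flag in this thread was the combination of system-information gathering, a shell spawn, and a network connection whose endpoint came from the command line. A file that scores high should be preserved (copied with its timestamps, not executed) before the box is cleaned, because the upload path is the real question.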

#7 psousa (Newbie, Members, 1 post)

falco85 said:

I was looking through my log files and happened by a file upload that should not have been uploaded (through a script somehow they managed to upload although they shouldn't have access). I then immediately went to the directory the script was inserted into, "/tmp", and opened the file. The first line reads #!/usr/bin/perl and even though I have used Perl before I still don't entirely understand what this script does.



I can see that it opens lynx and connects to the local machine, but what does this do:

[highlight="Perl"]
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
[/highlight]

I understand echo and uname, but is it calling /bin/sh?

From this point down I do not understand any of it; I do not really understand what it is doing:

[highlight="Perl"]

[/highlight]

Can someone help me figure out what the intention of this script is?

Same issue here. Do you have any news on this issue?

My details:


Hello.

Today I found a /tmp script (/tmp/back).
I have the APF firewall and anti-DoS, secured tmp directories, and modsecurity2 on apache2 running gotroot rules.

How can it be possible to write a Perl file to /tmp? The file does not have run permissions, but it is a Perl file, so I think they ran it. I found this script after someone sent a mail bomb through the server (about 9000 each time).

Server symptoms:
several connections from my server to ftp.hosteurope.de
several phishing emails being sent over my server

Script code:

Quote

Brazilian email content:

Quote

(...) We are performing critical updates on our servers; for this reason it is necessary to re-register your registration data in order to have access to all Internet Banking Caixa services.
To perform the update, simply download the Caixa update program from the link below. (...)

How could the server possibly have been compromised?

Any help will be appreciated.

Regards.

Edited by Jordan, 30 January 2009 - 06:14 AM.
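Both zosorock and psousa noticed the compromise only through the symptom: a mail queue of roughly 9000 messages from the web server's nobody@ account. A burst of messages from one sender in a short window is easy to spot in the mail log before the queue reaches that size. The script below is an added example, not part of the original thread; it parses constructed log lines written in Postfix queue-manager style (an assumption, since the posters never show their mail log) and reports any sender that exceeds a per-minute threshold.

```python
import re
from collections import defaultdict
from datetime import datetime


# Constructed sample (assumption): Postfix qmgr-style lines for 15 messages
# from the web server's nobody account inside one minute, plus two messages
# from an ordinary user fifteen minutes apart.
def _line(sec, qid, sender):
    return (f"Jan 30 06:{sec // 60:02d}:{sec % 60:02d} web1 postfix/qmgr[2211]: "
            f"{qid}: from=<{sender}>, size=2048, nrcpt=1 (queue active)")


MAILLOG_SAMPLE = [_line(s, f"A{s:04X}", "nobody@web1.example") for s in range(15)]
MAILLOG_SAMPLE += [_line(5, "B0001", "alice@example.org"),
                   _line(900, "B0002", "alice@example.org")]

# syslog timestamp, host, qmgr process, queue id, then the envelope sender
FROM_RE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: \w+: from=<([^>]*)>"
)


def parse_senders(lines, year=2009):
    """Return {sender: [datetime, ...]} from qmgr 'from=' lines.

    syslog timestamps carry no year, so one is supplied; other lines are ignored.
    """
    out = defaultdict(list)
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out[m.group(2)].append(ts)
    return out


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bursts(lines, threshold=10, window_seconds=60):
    """Map each sender whose peak rate reaches the threshold to that peak count."""
    return {sender: n for sender, ts in parse_senders(lines).items()
            if (n := max_in_window(ts, window_seconds)) >= threshold}


if __name__ == "__main__":
    for sender, count in find_bursts(MAILLOG_SAMPLE).items():
        print(f"burst: {sender} sent {count} messages within 60s")
```

On a real server the lines would come from the mail log rather than the constructed list, and the threshold should sit well above what the site's own forms legitimately send; the point is that the web server account sending hundreds of messages a minute is a signal worth alerting on, independent of whether the dropper in /tmp was Perl or anything else.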
#8 KevinADC (Programmer, Members, 125 posts)
This is a Perl forum, not a server setup or server-related issues forum. The fact that it is a Perl script has no bearing on how your server was compromised; it could just as well have been a shell script, like bash or ksh. The place to ask is on a forum that discusses the particular server you use, or possibly a system administrator forum.

#9 d0m14n (Newbie, Members, 1 post)
Yes, he is indeed correct. When we hack, we use uname -a on a Linux system to derive the architecture of the machine in question. You're just lucky that person isn't good; I would have made a backdoor and passed the installed apps, kernel version, etc. to a DB, compiled exploits, then netcatted them to you and exploited you. Thank God I'm a white hat, lol.

#10 Guest_Stenna_* (Guests)
What do you think of this Perl script?
Is it working or not?

#11 Guest_Jordan_* (Guests)
I've removed this script/code. Thread closed.