running "ghost" perl script

S

santovito

Verified User
Joined
Nov 23, 2008
Messages
143
Hi at all,

a website in Joomla has been hacked. In cgi-bin directory have been included files (the files I have them deleted), 1.pl the file (in the cgi-bin) sent SPAM.

now the user is deleted but I keep getting these warnings:

Sep 13 16:02:15 xx lfd[22946]: *Suspicious Process* PID:7339 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:15 xx lfd[22946]: *Suspicious Process* PID:7343 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7348 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7357 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7362 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7365 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7368 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7375 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 16:02:16 xx lfd[22946]: *Suspicious Process* PID:7384 User: Uptime:576665 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:22 xx lfd[28778]: *Suspicious Process* PID:7295 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:22 xx lfd[28778]: *Suspicious Process* PID:7310 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7314 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7315 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7326 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7328 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7330 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7332 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:23 xx lfd[28778]: *Suspicious Process* PID:7338 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7339 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7343 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7348 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7357 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7362 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7365 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7368 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:24 xx lfd[28778]: *Suspicious Process* PID:7375 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Sep 13 17:02:25 xx lfd[28778]: *Suspicious Process* PID:7384 User: Uptime:580273 secs EXE:/usr/bin/perl.#prelink# (deleted) CMD:/usr/bin/perl 1.pl
Click to expand...

seems that executes the command at the same time, but there seems no CRON.

Sorry for my bad english, can you help me?

Thank You

Vito
 
You must log in or register to reply here.
Back
Top