

Track Perl Hacking Script




Posted by mali, 05-19-2008, 03:24 AM
Hi, I have FreeBSD with cPanel. Someone is running an attacking Perl script from my server. Below is information about that script, but it shows the / path in the command lsof -p 30251 | grep cwd.

PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
29018 root 96 0 35968K 30528K select 0:03 2.71% 2.69% perl

newinst# lsof -p 30251 | grep cwd
lsof: WARNING: compiled for FreeBSD release 5.5-STABLE; this is 5.3-RELEASE.
perl 29018 root cwd VDIR 4,12 1024 2 /

newinst# ls -la / | more
total 22413
drwxr-xr-x 25 root wheel 1024 May 16 03:23 .
drwxr-xr-x 25 root wheel 1024 May 16 03:23 ..
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .black.bak
-rw-r--r-- 2 root wheel 801 Nov 5 2004 .cshrc
-rw-r--r-- 1 root wheel 355 Feb 21 2007 .new
-rw-r--r-- 2 root wheel 251 Nov 5 2004 .profile
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .rbl.db.bak
drwxrwxr-x 2 root operator 512 Jul 19 2005 .snap
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .uribl.db.bak
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white
-rw-r--r-- 1 root wheel 1 Feb 21 2007 .white.bak
-r--r--r-- 1 root wheel 6184 Nov 5 2004 COPYRIGHT
drwx--x--x 3 root wheel 512 Aug 20 2005 backup
drwxr-xr-x 2 root wheel 1024 Dec 28 2006 bin
drwxr-xr-x 5 root wheel 512 Jul 19 2005 boot
drwxr-xr-x 2 root wheel 512 Jul 19 2005 cdrom
lrwxr-xr-x 1 root wheel 10 Jul 19 2005 compat -> usr/compat
-rw-r--r-- 1 root wheel 177 Dec 5 12:15 cpgd.c
dr-xr-xr-x 4 root wheel 512 May 16 16:23 dev
drwxr-xr-x 2 root wheel 512 Jul 19 2005 dist
-rw------- 1 root wheel 4096 May 13 15:58 entropy
drwxr-xr-x 28 root wheel 4608 May 19 11:57 etc
drwx--x--x 501 root wheel 9216 May 19 01:33 home
drwxr-xr-x 3 root wheel 1024 Jul 19 2005 lib
drwxr-xr-x 2 root wheel 512 Jul 19 2005 libexec
drwxr-xr-x 2 root wheel 512 Nov 5 2004 mnt
drwxr-xr-x 3 root wheel 512 Jul 21 2005 nonexistent
drwxr-xr-x 8 root wheel 512 Oct 30 2007 opt
-rw------- 1 root wheel 22786048 May 16 04:51 perl.core
dr-xr-xr-x 1 root wheel 0 May 19 11:57 proc
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 rescue
drwxr-xr-x 13 root wheel 1024 May 19 01:33 root
drwxr-xr-x 2 root wheel 2560 Jul 19 2005 sbin
drwxr-xr-x 5 root wheel 13824 May 19 01:22 scripts
drwxr-xr-x 4 root wheel 1024 Jul 19 2005 stand
lrwxrwxrwx 1 root wheel 11 Jul 19 2005 sys -> usr/src/sys
drwxrwxrwt 9 root wheel 31744 May 19 11:57 tmp
drwxr-xr-x 21 root wheel 512 Dec 5 12:12 usr
drwxrwxrwx 24 root wheel 512 May 16 16:24 var

Can anyone suggest where it is located at the / path?

Posted by david510, 05-19-2008, 09:09 AM
Have a check in /tmp for any suspicious files. Also, were you able to find under which user this process was running?

Posted by mali, 05-19-2008, 09:30 AM
ls -la /tmp:
rwxrwxrwx 1 nobody wheel 77589 May 18 19:22 t.txt

The process is running under the nobody user.

Posted by david510, 05-19-2008, 10:44 AM
What is the content of that file? cat t.txt
If you kill the process, does it reappear?

Posted by mali, 05-19-2008, 10:53 AM
newinst# cat t.txt | more
<>

Is there a way that I can clean all .txt files whenever they are uploaded to the /tmp directory?

Last edited by P-nut; 05-26-2008 at 10:36 AM. Reason: Removed code

Posted by david510, 05-19-2008, 11:13 AM
That shows it. Remove that file and try to trace out how it came into /tmp. Check the domlogs. You can set a cron to remove the .txt files at a specified interval.

Posted by mali, 05-20-2008, 02:01 AM
All these files are uploaded to /tmp with the nobody user and wheel group. I want these files to be owned by the domain user rather than the nobody user. Thanks for your help, David.

Posted by mali, 05-21-2008, 06:20 AM
How can I force all sessions and file uploads to /tmp to use a domain-specific user?

Posted by mali, 05-26-2008, 06:27 AM
Hi, today I have a Perl process running from /tmp.

1- ps -aux | grep perl
nobody 55545 0.0 0.4 4924 4244 ?? I 1:51AM 0:00.01 perl k.txt (perl5.8.8)
nobody 56633 0.0 0.4 5320 4632 ?? I 1:53AM 0:00.09 /usr/sbin/httpd (perl5.8.8)

lsof -p 55545 | grep cwd shows the /tmp path.

2- ls -la /
drwxrwxrwt 8 root wheel 31744 May 26 15:24 tmp

How are these processes executed by the nobody user from /tmp? How can I stop it executing Perl from /tmp, like perl k.txt?

Posted by helpyoulinux, 05-26-2008, 07:59 AM
Hello Mali, as far as I can see, these files are uploaded through Apache. So you should check the Apache logs to get the IP from which the file is uploaded. This way you can block that IP. Regarding the question, "How can I force all sessions and file uploads to /tmp to use a domain-specific user?", you can try running both Apache and PHP under suEXEC.

Last edited by P-nut; 05-26-2008 at 10:39 AM. Reason: Removed links to questionable (and possibly infected) sites
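As an added example (not code from the thread, from cPanel or from FreeBSD), here is a small POSIX shell script covering david510's two suggestions (trace the drop through the domlogs, sweep /tmp from cron) and helpyoulinux's advice to pull the uploading client IP out of the Apache logs. The ps output, domlog lines, IPs, PIDs and file paths are all constructed for the demonstration; the domlog location /usr/local/apache/domlogs is the usual cPanel path and is named only in a comment; and the sweep helper lists rather than deletes so a cron job built on it can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Three triage helpers for the
# situation above: a "nobody" process running "perl k.txt" with its cwd in
# /tmp, plus the advice to check the domlogs and sweep /tmp from cron.
# All sample data below is constructed (documentation-range IPs, made-up
# PIDs and paths), not captured from a real server.

# Constructed output of "ps -axo user,pid,command" (header plus processes).
PS_SAMPLE='USER      PID COMMAND
root        1 /sbin/init --
root      101 /usr/sbin/sshd
nobody  55545 perl k.txt
nobody  56633 /usr/sbin/httpd
nobody  57001 /usr/local/bin/python /tmp/sess_upload.txt
root    57020 /usr/local/bin/perl /root/scripts/backup.pl'

# Constructed cPanel domlog lines (Apache combined log format).
DOMLOG_SAMPLE='198.51.100.7 - - [18/May/2008:19:10:02 +0500] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/May/2008:19:21:48 +0500] "POST /gallery/upload.php HTTP/1.1" 200 77 "-" "libwww-perl/5.805"
203.0.113.9 - - [18/May/2008:19:21:55 +0500] "GET /gallery/upload.php?f=t.txt HTTP/1.1" 200 12 "-" "libwww-perl/5.805"
198.51.100.7 - - [18/May/2008:19:25:01 +0500] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print "pid user interpreter script" for interpreter processes whose script
# argument lives in a world-writable temp directory or is disguised as .txt.
# On a live box feed it "ps -axo user,pid,command" and confirm each hit's
# working directory with "lsof -p PID | grep cwd", as the thread does.
suspicious_processes() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 {
        exe = $3; sub(/^.*\//, "", exe)          # basename of the executable
        if (exe ~ /^(perl|python|php|sh|bash)[0-9.]*$/) {
            script = $4
            if (script ~ /^\/(var\/)?tmp\// || script ~ /\.txt$/)
                print $2, $1, $3, $4
        }
    }'
}

# Print "client_ip path" for successful POSTs whose timestamp starts with the
# given prefix, e.g. the ten-minute window around the dropped file's mtime.
# On a cPanel box: posts_near "$(cat /usr/local/apache/domlogs/DOMAIN)" PREFIX
posts_near() {
    printf '%s\n' "$1" | awk -v win="$2" '
        $6 == "\"POST" && index($4, "[" win) == 1 && $9 ~ /^2/ { print $1, $7 }'
}

# List .txt files directly inside a directory that are owned by a given user:
# the sweep david510 suggests running from cron. It only lists; a cron entry
# can pipe the result to "xargs rm -f" once the listing has been reviewed.
stale_tmp_txt() {
    find "$1" -maxdepth 1 -type f -user "$2" -name '*.txt'
}

# Stand-alone demonstration on the constructed data.
echo "== interpreter processes running out of /tmp or from .txt files =="
suspicious_processes "$PS_SAMPLE"
echo "== successful POSTs around the mtime of t.txt (May 18 19:22) =="
posts_near "$DOMLOG_SAMPLE" "18/May/2008:19:2" | sort | uniq -c
demo_dir=$(mktemp -d)
touch "$demo_dir/dropped.txt" "$demo_dir/normal.log"
echo "== .txt files owned by $(id -un) in $demo_dir =="
stale_tmp_txt "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

Two caveats for mali's last question. Mounting /tmp noexec does not stop "perl k.txt": the executable is /usr/bin/perl and the script is only read as data, so the durable fix is to close the upload path in the web application that the domlog search points at, and to run PHP under suEXEC or suPHP so that uploads land under the domain's own user, which also tells you which account was compromised. A cron that deletes .txt files only clears the symptom, since the dropped script can carry any name; the process check above keys on where the script lives, not on its extension alone.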

Posted by P-nut, 05-26-2008, 10:47 AM
The thread has been cleaned of the hacking code and links to their sites. No need to send any traffic to those sites or give an aspiring script kiddie any ideas.


