Locating Rogue Perl Script
Posted
by
Gary Garside
on Server Fault
See other posts from Server Fault
or by Gary Garside
Published on 2013-11-06T09:10:19Z
Indexed on
2013/11/06
9:55 UTC
Read the original article
Hit count: 805
I've been trying to source the location of a perl script which is causing havoc on a server which i control. I'm also trying to find out exactly how this script was installed on the server - my best guess is through a wordpress exploit.
The server is a basic web setup running Ubuntu 9.04, Apache and MySQL. I use IPTables for firewall, the site runs around 20 sites and the load never really creeps above 0.7.
From what i can see the script is making outbound connection to other servers (most likely trying to brute force entry).
Here is a top dump of one of the processes:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
22569 www-data 20 0 22784 3216 780 R 100 0.2 47:00.60 perl
The command the process is running is /usr/sbin/sshd . I've tried to find an exact file name but im having no luck... i've ran a lsof -p PID and here is the output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 22569 www-data cwd DIR 8,6 4096 2 /
perl 22569 www-data rtd DIR 8,6 4096 2 /
perl 22569 www-data txt REG 8,6 10336 162220 /usr/bin/perl
perl 22569 www-data mem REG 8,6 26936 170219 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
perl 22569 www-data mem REG 8,6 22808 170214 /usr/lib/perl/5.10.0/auto/IO/IO.so
perl 22569 www-data mem REG 8,6 39112 145112 /lib/libcrypt-2.9.so
perl 22569 www-data mem REG 8,6 1502512 145124 /lib/libc-2.9.so
perl 22569 www-data mem REG 8,6 130151 145113 /lib/libpthread-2.9.so
perl 22569 www-data mem REG 8,6 542928 145122 /lib/libm-2.9.so
perl 22569 www-data mem REG 8,6 14608 145125 /lib/libdl-2.9.so
perl 22569 www-data mem REG 8,6 1503704 162222 /usr/lib/libperl.so.5.10.0
perl 22569 www-data mem REG 8,6 135680 145116 /lib/ld-2.9.so
perl 22569 www-data 0r FIFO 0,6 157216 pipe
perl 22569 www-data 1w FIFO 0,6 197642 pipe
perl 22569 www-data 2w FIFO 0,6 197642 pipe
perl 22569 www-data 3w FIFO 0,6 197642 pipe
perl 22569 www-data 4u IPv4 383991 TCP outsidesoftware.com:56869->server12.34.56.78.live-servers.net:www (ESTABLISHED)
My gut feeling is outsidesoftware.com is also under attacK? Or possibly being used as a tunnel.
I've managed to find a number of rouge files in /tmp and /var/tmp, here is a brief output of one of these files:
#!/usr/bin/perl
# this spreader is coded by xdh
# xdh@xxxxxxxxxxx
# only for testing...
my @nickname = ("vn");
my $nick = $nickname[rand scalar @nickname];
my $ircname = $nickname[rand scalar @nickname];
#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`");
my $processo = '/usr/sbin/sshd';
The full file contents can be viewed here: http://pastebin.com/yenFRrGP
Im trying to achieve a couple of things here...
Firstly i need to stop these processes from running. Either by disabling outbound SSH or any IP Tables rules etc... these scripts have been running for around 36 hours now and my main concern is to stop these things running and respawning by themselves.
Secondly i need to try and source where and how these scripts have been installed. If anybody has any advise on what to look for in access logs or anything else i would be really grateful.
Thanks in advance
© Server Fault or respective owner