Locating Rogue Perl Script

Posted by Gary Garside on Server Fault
Published on 2013-11-06T09:10:19Z Indexed on 2013/11/06 9:55 UTC

I've been trying to source the location of a Perl script which is causing havoc on a server which I control. I'm also trying to find out exactly how this script was installed on the server - my best guess is through a WordPress exploit.

The server is a basic web setup running Ubuntu 9.04, Apache and MySQL. I use IPTables for firewall, the site runs around 20 sites and the load never really creeps above 0.7.

From what I can see the script is making outbound connections to other servers (most likely trying to brute force entry).

Here is a top dump of one of the processes:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
22569 www-data  20   0 22784 3216  780 R  100  0.2  47:00.60 perl

The command the process is running is /usr/sbin/sshd. I've tried to find an exact file name but I'm having no luck... I've run an lsof -p PID and here is the output:

COMMAND   PID     USER   FD   TYPE DEVICE    SIZE   NODE NAME
perl    22569 www-data  cwd    DIR    8,6    4096      2 /
perl    22569 www-data  rtd    DIR    8,6    4096      2 /
perl    22569 www-data  txt    REG    8,6   10336 162220 /usr/bin/perl
perl    22569 www-data  mem    REG    8,6   26936 170219 /usr/lib/perl/5.10.0/auto/Socket/Socket.so
perl    22569 www-data  mem    REG    8,6   22808 170214 /usr/lib/perl/5.10.0/auto/IO/IO.so
perl    22569 www-data  mem    REG    8,6   39112 145112 /lib/libcrypt-2.9.so
perl    22569 www-data  mem    REG    8,6 1502512 145124 /lib/libc-2.9.so
perl    22569 www-data  mem    REG    8,6  130151 145113 /lib/libpthread-2.9.so
perl    22569 www-data  mem    REG    8,6  542928 145122 /lib/libm-2.9.so
perl    22569 www-data  mem    REG    8,6   14608 145125 /lib/libdl-2.9.so
perl    22569 www-data  mem    REG    8,6 1503704 162222 /usr/lib/libperl.so.5.10.0
perl    22569 www-data  mem    REG    8,6  135680 145116 /lib/ld-2.9.so
perl    22569 www-data    0r  FIFO    0,6         157216 pipe
perl    22569 www-data    1w  FIFO    0,6         197642 pipe
perl    22569 www-data    2w  FIFO    0,6         197642 pipe
perl    22569 www-data    3w  FIFO    0,6         197642 pipe
perl    22569 www-data    4u  IPv4 383991            TCP outsidesoftware.com:56869->server12.34.56.78.live-servers.net:www (ESTABLISHED)

My gut feeling is outsidesoftware.com is also under attack? Or possibly being used as a tunnel.

I've managed to find a number of rogue files in /tmp and /var/tmp, here is a brief output of one of these files:

#!/usr/bin/perl
# this spreader is coded by xdh
# xdh@xxxxxxxxxxx
# only for testing...

my @nickname = ("vn");
my $nick = $nickname[rand scalar @nickname];
my $ircname = $nickname[rand scalar @nickname];

#system("kill -9 `ps ax |grep httpdse |grep -v grep|awk '{print $1;}'`");
my $processo = '/usr/sbin/sshd';

The full file contents can be viewed here: http://pastebin.com/yenFRrGP

I'm trying to achieve a couple of things here...

Firstly I need to stop these processes from running. Either by disabling outbound SSH or any IP Tables rules etc... these scripts have been running for around 36 hours now and my main concern is to stop these things running and respawning by themselves.

Secondly I need to try and source where and how these scripts have been installed. If anybody has any advice on what to look for in access logs or anything else I would be really grateful.

Thanks in advance
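
The lsof output in the post lists /usr/bin/perl as the process's executable while its command line reports /usr/sbin/sshd, the same string the dropped script assigns to $processo. The shell function below is an added example, not part of the original post: it walks /proc and lists every process whose argv[0] disagrees with the binary the kernel actually mapped. The function name and the optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag processes whose claimed name (argv[0]) does not match
# the executable behind /proc/PID/exe, e.g. perl presenting itself as sshd.
# Usage: find_masquerading [PROC_ROOT]
# Output: one line per suspect, "pid uid exe argv0".
find_masquerading() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue

        # Kernel threads, and processes we lack permission to inspect,
        # have no readable exe link: skip them.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue

        # cmdline is NUL-separated; the first field is the command that
        # ps displays, and it is writable by the process itself.
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        [ -n "$argv0" ] || continue

        # Real binary name, ignoring the " (deleted)" suffix the kernel adds
        # when the file has been unlinked after start.
        exe_name=${exe%" (deleted)"}
        exe_name=${exe_name##*/}

        # Claimed name: first word only, without the login-shell "-" prefix
        # or the trailing ":" daemons use in titles such as "sshd: user@pts/0".
        claimed=${argv0%% *}
        claimed=${claimed#-}
        claimed=${claimed%:}
        claimed=${claimed##*/}

        [ "$claimed" = "$exe_name" ] && continue

        # Real UID of the process, to spot web-server accounts quickly.
        uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null) || uid='?'
        printf '%s %s %s %s\n' "${dir##*/}" "${uid:-?}" "$exe" "$argv0"
    done
}
```

Run it as root so every exe link is readable. Daemons that legitimately rewrite their title to something unrelated to their binary name will also be listed, so treat the output as a shortlist to review, starting with entries owned by the web server account.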
