Re: Strange perl script
Chad Perrin wrote:
> then updatedb and locate sploger so you're using

As was pointed out earlier in the thread, you can easily delete a file after running it, so whatever was running may not exist on the disk any more.

Also, it is completely trivial to change the name shown by ps simply by changing the C equivalent of ARGV[0], which in perl is $0. Run the following and ps shows "rubbish (perl)" and not "foo.prl (perl)":

foo.prl
---
#!/usr/bin/env perl
$0 = "rubbish";    # rewrite the process title that ps displays
sleep 120;

$ chmod +x foo.prl
$ ./foo.prl
$ ps
7274 p1 S 0:00.00 rubbish (perl)

bar.prl
---
#!/usr/bin/env perl
sleep 120;

$ perl bar.prl
$ ps
7575 p1 S 0:00.00 perl ./bar.prl

If sploger really was malware, then it was probably picking some name at random to show in ps. The difference between the ps outputs when changing $0 hints at that, but I haven't done exhaustive tests.

--Alex

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
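Alex's test above shows the tell that FreeBSD's ps gives you for free: when a process has rewritten its own title (Perl's $0, or setproctitle(3) from C), ps prints that title and then the kernel's real command name in parentheses, which is exactly the shape of "sploger (perl5.8.8)" in Jack's output. The script below is an added example, not code from the thread. It parses `ps -ax` output lines, pulls out every process whose displayed title disagrees with its real command name, and separates renamed interpreters (the classic shape of a dropped script) from daemons such as sendmail that legitimately retitle themselves. The sample ps output is constructed for the example, and the column layout it assumes is FreeBSD's default `ps -ax` format; `scan_live()` only tells you as much as the ps binary on that host can be trusted to say, which is why Chad's LiveCD advice still applies.

```python
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Default `ps -ax` layout on FreeBSD: PID TT STAT TIME COMMAND
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+\.\d+)\s+(.*\S)\s*$")
# ps appends "(realname)" when basename(argv[0]) differs from the kernel's command name
RETITLED = re.compile(r"^(.*?)\s+\(([^()\s]+)\)$")
# Command names of script interpreters, e.g. perl5.8.8, python3.11, php
INTERPRETER = re.compile(r"^(perl|python|ruby|php)[\d.]*$")

# Constructed sample: three lines from the thread plus typical benign entries
SAMPLE_PS = """\
  PID  TT  STAT      TIME COMMAND
  656  ??  Ss     0:00.52 sendmail: accepting connections (sendmail)
21893  ??  I      1:02.37 sploger (perl5.8.8)
29536  ??  R    184:14.94 sploger (perl5.8.8)
30668  ??  R    168:56.54 sploger (perl5.8.8)
 7575  p1  S      0:00.00 perl ./bar.prl
   12  ??  DL     0:00.01 [pagedaemon]
"""


@dataclass
class Retitled:
    pid: int
    title: str      # what the process chose to display
    comm: str       # what the kernel knows it as (the executable's name)
    cpu_time: str


def parse_retitled(ps_output: str) -> list[Retitled]:
    """Return every process whose displayed title differs from its real command name."""
    found = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue                      # header or unparseable line
        pid, _tt, _stat, cpu_time, command = m.groups()
        r = RETITLED.match(command)
        if not r:
            continue                      # title and real name agree, or a [kernel] entry
        title, comm = r.groups()
        found.append(Retitled(int(pid), title, comm, cpu_time))
    return found


def renamed_interpreters(ps_output: str) -> list[Retitled]:
    """The high-signal subset: an interpreter hiding behind an unrelated name."""
    return [p for p in parse_retitled(ps_output) if INTERPRETER.match(p.comm)]


def scan_live() -> list[Retitled]:
    """Run the real ps. Trust the result only as far as you trust this host's ps binary."""
    out = subprocess.run(["ps", "-ax"], capture_output=True, text=True, check=True).stdout
    return renamed_interpreters(out)


if __name__ == "__main__":
    for p in renamed_interpreters(SAMPLE_PS):
        print(f"pid {p.pid}: shows as {p.title!r} but is really {p.comm} ({p.cpu_time} CPU)")
```

Run against the sample it reports the three sploger PIDs and leaves sendmail alone; a process that has retitled itself and also burned hours of CPU, as those did, is what you want to look at first with fstat(1) before it gets a chance to exit and take its deleted script with it.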
Re: Strange perl script
If a simple 'locate sploger' shows nothing (run `periodic weekly`, which will update your locate database assuming you're keeping things relatively stock), then in all likelihood you've got an intruder. If some of the other tips posted give no help, and you've got time on your hands, try `grep -l sploger /` and you'll find all files with sploger in it. If you've been broken into and they're being really tricky, it won't work, but odds are they aren't that bright if the process is still in ps's output.

On Oct 17, 2007, at 3:05 PM, Jack Raats wrote:

>> HI
>>
>> Can anyone explain this after ps -ax | grep perl
>>
>> 21893 ?? I 1:02.37 sploger (perl5.8.8)
>> 29536 ?? R 184:14.94 sploger (perl5.8.8)
>> 29538 ?? R 184:36.44 sploger (perl5.8.8)
>> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>>
>> What is sploger?
>
>> Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.
>
> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.
>
> Jack
Re: Strange perl script
On Thu, Oct 18, 2007 at 01:04:38AM -0500, Joshua Isom wrote:
> If a simple 'locate sploger' shows nothing (run `periodic weekly`, which will update your locate database assuming you're keeping things relatively stock), then in all likelihood you've got an intruder. If some of the other tips posted give no help, and you've got time on your hands, try `grep -l sploger /` and you'll find all files with sploger in it. If you've been broken into and they're being really tricky, it won't work, but odds are they aren't that bright if the process is still in ps's output.

You might also (if you're in a little more of a hurry and taking the computer out of production for a little bit isn't a problem) boot from a LiveCD, mount all partitions from your hard drive so they're available from the LiveCD OS, then updatedb and locate sploger so you're using tools that haven't been compromised. Even if it's not actually quicker, it should *seem* quicker than using grep -- and if grep doesn't work, this is more likely to work.

In the future, you may want to think about using some kind of integrity auditing tool to periodically check for unauthorized changes. Tripwire is the canonical integrity auditing tool, but you can also use mtree and even rsync for integrity auditing.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
They always say that when life gives you lemons you should make lemonade. I always wonder -- isn't the lemonade going to suck if life doesn't give you any sugar?
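Chad's last paragraph is where the thread's lasting lesson is: an attacker who deletes the dropper leaves nothing for locate to find, but cannot undo the fact that the files they did touch now differ from a baseline taken earlier. The script below is an added example, not the thread's code and not Tripwire or mtree. It does what `mtree -c -K sha256digest -p DIR` does in spirit: record mode, owner, size and SHA-256 for every regular file (and the target of every symlink) under a directory tree, and later diff a fresh snapshot against the saved baseline. Modification times are deliberately left out of the comparison, because `touch -r` forges them trivially while a content hash cannot be forged without changing the content. The tree built in `demo()` is constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Record every regular file and symlink under root. mtime is deliberately ignored."""
    manifest: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()                      # do not follow symlinks
            rel = p.relative_to(root).as_posix()
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = {"type": "link", "target": os.readlink(p)}
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = {
                    "type": "file",
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "size": st.st_size,
                    "sha256": sha256_file(p),
                }
    return manifest


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Paths added, removed, or whose recorded attributes differ from the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, tamper with it, diff."""
    root = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    try:
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls\n")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps\n")
        (root / "etc").mkdir()
        (root / "etc" / "rc.conf").write_text('sshd_enable="YES"\n')
        baseline = snapshot(root)
        # Attacker: a trojaned ps of identical size, a dropped script, a deleted config
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps\n")
        (root / "bin" / "sploger").write_text("#!/usr/bin/perl\n$0 = 'sploger';\n")
        (root / "etc" / "rc.conf").unlink()
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # usage: integrity.py baseline ROOT OUT.json  |  integrity.py check ROOT BASELINE.json
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        Path(sys.argv[3]).write_text(json.dumps(snapshot(Path(sys.argv[2])), sort_keys=True, indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        report = compare(json.loads(Path(sys.argv[3]).read_text()), snapshot(Path(sys.argv[2])))
        for kind, paths in report.items():
            for path in paths:
                print(f"{kind}: {path}")
        sys.exit(1 if any(report.values()) else 0)
    else:
        print(demo())
```

The trojaned ps in the demo has the same size and permissions as the original and is caught only by the hash, which is the whole argument for a digest keyword over a size/mtime-only spec. Two operational points carry over to the real tools: the baseline has to live somewhere the attacker cannot reach (removable media or another host), since a baseline stored on the audited disk is worthless once root is lost; and the check is worth running from a LiveCD, as Chad suggests, so that the hashing binary itself is not the thing that was replaced. The native FreeBSD equivalent is `mtree -c -K sha256digest -p /usr/local/bin > base.spec` to create the baseline and `mtree -p /usr/local/bin -f base.spec` to verify against it.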
Re: Strange perl script
> Can anyone explain this after ps -ax | grep perl
>
> 21893 ?? I 1:02.37 sploger (perl5.8.8)
> 29536 ?? R 184:14.94 sploger (perl5.8.8)
> 29538 ?? R 184:36.44 sploger (perl5.8.8)
> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>
> What is sploger?

Sploger: someone with little or no accuracy with their penis, and a genetic problem causing them to ejaculate solid sploge-like nuggets instead of the norm. (source: http://www.urbandictionary.com/define.php?term=sploger)

Doesn't sound good.

What does fstat (or lsof) say?

Peter
--
http://www.boosten.org
Re: Strange perl script
On Tuesday 16 October 2007, Jack Raats said:
> HI
>
> Can anyone explain this after ps -ax | grep perl
>
> 21893 ?? I 1:02.37 sploger (perl5.8.8)
> 29536 ?? R 184:14.94 sploger (perl5.8.8)
> 29538 ?? R 184:36.44 sploger (perl5.8.8)
> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>
> What is sploger?
>
> Jack

I believe that's part of qmail.

Beech
--
---
Beech Rintoul - FreeBSD Developer - [EMAIL PROTECTED]
/\  ASCII Ribbon Campaign    | FreeBSD Since 4.x
\ / - NO HTML/RTF in e-mail  | http://www.freebsd.org
 X  - NO Word docs in e-mail | Latest Release:
/ \ - http://www.FreeBSD.org/releases/6.2R/announce.html
---
Re: Strange perl script
On Wed, October 17, 2007 08:44, Beech Rintoul wrote:
> On Tuesday 16 October 2007, Jack Raats said:
>> What is sploger?
>>
>> Jack
>
> I believe that's part of qmail.

No, that's splogger.

Peter
--
http://www.boosten.org
Re: Strange perl script
Jack Raats wrote:
> HI
>
> Can anyone explain this after ps -ax | grep perl
>
> 21893 ?? I 1:02.37 sploger (perl5.8.8)
> 29536 ?? R 184:14.94 sploger (perl5.8.8)
> 29538 ?? R 184:36.44 sploger (perl5.8.8)
> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>
> What is sploger?

# locate sploger
# head /path/to/sploger

If the first line states something similar to:

#!/usr/bin/perl

Post a chunk of the code here and someone should be able to tell you what it is, or at least what it is attempting to do.

Steve
Re: Strange perl script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/07, Jack Raats wrote:
> What is sploger?

IIRC, you can also do something like:

# pkg_info -p `which sploger`

That'll tell you what port owns that file at least.

- --
Andy Harrison
public key: 0x67518262
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHFhVkNTm8fWdRgmIRArhZAKDTFJ/vLu7yhkbgY73RuRTfS0hPogCfX0FK
PeLXj542x4SAXyVIy2xcvxY=
=tHxv
-----END PGP SIGNATURE-----
Re: Strange perl script
On Wed, Oct 17, 2007 at 07:14:07AM +0200, Jack Raats wrote:
> HI
>
> Can anyone explain this after ps -ax | grep perl
>
> 21893 ?? I 1:02.37 sploger (perl5.8.8)
> 29536 ?? R 184:14.94 sploger (perl5.8.8)
> 29538 ?? R 184:36.44 sploger (perl5.8.8)
> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>
> What is sploger?

Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.

jerry

> Jack
Re: Strange perl script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> HI
>
> Can anyone explain this after ps -ax | grep perl
>
> 21893 ?? I 1:02.37 sploger (perl5.8.8)
> 29536 ?? R 184:14.94 sploger (perl5.8.8)
> 29538 ?? R 184:36.44 sploger (perl5.8.8)
> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>
> What is sploger?

> Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.

The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.

Jack
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - GPGrelay v0.959

iD8DBQFHFmsIPh5RwW/NzC4RAurgAJ9m80yBkOqQSmGvG6y2lPDErml/XACeIm++
xj50w4ABeltc1MaxQSW04Zw=
=LleI
-----END PGP SIGNATURE-----
Re: Strange perl script
> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.

So you have done a:

find / -name sploger -type f

And nothing comes up? If that's the case, it sounds like it was a perl script that was run, then subsequently removed from the file system. Which sounds rather nefarious to me. You might want to check for rootkits, etc.

Josh
Re: Strange perl script
On Wed, 2007-10-17 at 22:05 +0200, Jack Raats wrote:
>> HI
>>
>> Can anyone explain this after ps -ax | grep perl
>>
>> 21893 ?? I 1:02.37 sploger (perl5.8.8)
>> 29536 ?? R 184:14.94 sploger (perl5.8.8)
>> 29538 ?? R 184:36.44 sploger (perl5.8.8)
>> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>>
>> What is sploger?
>
>> Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.
>
> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.
>
> Jack

...at this point, I'd probably perform a security audit, just to be sure. Check your access logs etc.

James
Re: Strange perl script
Jack Raats wrote:
>> HI
>>
>> Can anyone explain this after ps -ax | grep perl
>>
>> 21893 ?? I 1:02.37 sploger (perl5.8.8)
>> 29536 ?? R 184:14.94 sploger (perl5.8.8)
>> 29538 ?? R 184:36.44 sploger (perl5.8.8)
>> 30668 ?? R 168:56.54 sploger (perl5.8.8)
>>
>> What is sploger?
>
>> Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.
>
> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.
>
> Jack

Do you have any services available to the outside from the machine? FTP, telnet, ssh, mysql, apache?

DAve
--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: Strange perl script
--On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll [EMAIL PROTECTED] wrote:
>> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.
>
> So you have done a:
>
> find / -name sploger -type f
>
> And nothing comes up? If that's the case, it sounds like it was a perl script that was run, then subsequently removed from the file system. Which sounds rather nefarious to me. You might want to check for rootkits, etc.

If you google for sploger+perl, all you get is stuff that looks like hacked websites being run as spam operations.

Look in /tmp for anything unusual, like directories named . or .. or similar. Look for oddly named files in /tmp, such as dp, xz, etc.

Look at your website logs carefully. I suspect a malicious script has been run through some exploit such as php or perl or an apache weakness. Is all your software completely patched up to date?

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Strange perl script
On Wed, 2007-10-17 at 16:07 -0500, Paul Schmehl wrote:
> --On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll [EMAIL PROTECTED] wrote:
>>> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.
>>
>> So you have done a:
>>
>> find / -name sploger -type f
>>
>> And nothing comes up? If that's the case, it sounds like it was a perl script that was run, then subsequently removed from the file system. Which sounds rather nefarious to me. You might want to check for rootkits, etc.
>
> If you google for sploger+perl, all you get is stuff that looks like hacked websites being run as spam operations.
>
> Look in /tmp for anything unusual, like directories named . or .. or similar. Look for oddly named files in /tmp, such as dp, xz, etc.
>
> Look at your website logs carefully. I suspect a malicious script has been run through some exploit such as php or perl or an apache weakness. Is all your software completely patched up to date?

Dear list members.

I scanned my FreeBSD 6.2-Release (ports up to date) with Avira Antivir personal ed, some days ago. The scanner returned this:

...snap
checking drive/path (cwd): /
/usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
Date: 11.10.2007 Time: 16:04:06 Size: 9975
ALERT: [HTML/MHT.Gen] /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
Contains detection pattern of the HTML script virus HTML/MHT.Gen
snap...

The information Avira has one can read here:
http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html

I posted a question to [EMAIL PROTECTED]. They proposed that the scanner probably was too nervous for using with Unix. (I can't tell myself.)

Don't know if this says anything, but I thought I would mention it when I saw your posts.

--
/Peo
Re: Strange perl script
--On Wednesday, October 17, 2007 23:51:39 +0200 Peo Nilsson [EMAIL PROTECTED] wrote:
> I scanned my FreeBSD 6.2-Release (ports up to date) with Avira Antivir personal ed, some days ago. The scanner returned this:
>
> ...snap
> checking drive/path (cwd): /
> /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
> Date: 11.10.2007 Time: 16:04:06 Size: 9975
> ALERT: [HTML/MHT.Gen] /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
> Contains detection pattern of the HTML script virus HTML/MHT.Gen
> snap...
>
> The information Avira has one can read here:
> http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html
>
> I posted a question to [EMAIL PROTECTED]. They proposed that the scanner probably was too nervous for using with Unix. (I can't tell myself.)
>
> Don't know if this says anything, but I thought I would mention it when I saw your posts.

I've never heard of a nervous anti-virus scanner, but that detection is clearly a false positive. The pkg-plist file is a list of the files and directories installed by the port, so that they can be removed when you run make deinstall. Avira probably saw one of the strings in the file as a possible match to a known malicious script. In fact, their description says it's a "generic detection routine designed to detect common family characteristics shared in several variants":
http://www.avira.com/en/threats/section/fulldetails/id_vir/3679/html_mht.gen.html

If you're so inclined, you could report it to Avira so they can tweak their detection accordingly.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: Strange perl script
> Looks sort of like a Perl script running. That, of course, doesn't say what it is doing.
>
> The strangest thing is that I can't find sploger on my system. After a reboot sploger doesn't appear anymore, which makes it even stranger.

Post output of:

# last
# cat /root/.history
# ls -la /root
# ls -la /tmp
# ls -la /var/tmp
# ps aux

Ensure you leave the command you perform with the associated output, and leave a few newlines between each command for ease of reading.

Steve
Strange perl script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HI

Can anyone explain this after ps -ax | grep perl

21893 ?? I 1:02.37 sploger (perl5.8.8)
29536 ?? R 184:14.94 sploger (perl5.8.8)
29538 ?? R 184:36.44 sploger (perl5.8.8)
30668 ?? R 168:56.54 sploger (perl5.8.8)

What is sploger?

Jack
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - GPGrelay v0.959

iD8DBQFHFZogPh5RwW/NzC4RAprIAJ94/PdPWEJlBlX20RrLRvho1G4eFgCfSDHh
dgka8XYVC7MgdpyjVO9zglo=
=l79v
-----END PGP SIGNATURE-----