
server compromised - perl script

  • 12-10-2009 1:48pm
    #1
    Registered Users Posts: 342 ✭✭


    Hi, can anyone tell me what this Perl script does? Nothing good, I know, as it was uploaded and run on our servers through some security hole.

    http://www.tank-treff.de/images/so.txt


Comments

  • Registered Users Posts: 2,426 ✭✭✭ressem


    A variant of this...

    http://www.sophos.com/security/analyses/viruses-and-spyware/perlelxbota.html

    Perl/Elxbot-A is a worm and IRC backdoor Trojan.

    Perl/Elxbot-A attempts to spread by exploiting a vulnerability in the Mambo content management system.

    The worm also connects to an IRC channel and listens for backdoor commands.

    Perl/Elxbot-A allows an attacker to run arbitrary commands on the infected system and may be used to carry out denial-of-service attacks.


  • Registered Users Posts: 134 ✭✭anton


    Had a quick glance, it looks like a backdoor script. It connects to an IRC server and allows an attacker to execute arbitrary commands on your host.

    adm wrote: »
    Hi, can anyone tell me what this Perl script does? Nothing good, I know, as it was uploaded and run on our servers through some security hole.

    http://www.tank-treff.de/images/so.txt


  • Registered Users Posts: 342 ✭✭adm


    Many thanks for the replies.
    So is wiping the server the best course of action?

    Also, is this restricted to Mambo/Joomla, I wonder?


  • Registered Users Posts: 2,426 ✭✭✭ressem


    The Perl script is limited to unpatched Mambo/Joomla installs.

    And I would recommend reinstalling the whole OS. Might be worth creating an image of it first in case there's someone who could audit the logs and changes made (users added, cron jobs, connections on to other machines (the Joomla database server, if you store any customer details there?)).

    I don't mean to overhype the issue, but if this is a company web server... you shouldn't ignore the fact that, depending on the restrictions on network traffic outgoing from this server, through this backdoor the group responsible could have had access to the connected database credentials and any data it could read, and through that, sent a partial or full dump of your database.

    So you might have an obligation to have someone audit your server logs and determine whether any customer data might have been exposed. And check the auth.log files of other servers for attempted connections.
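    As an added illustration of the last point (this is example code written for this page, not something ressem or anyone in the thread posted), the script below does the auth.log check on a neighbouring server: it parses sshd and sudo lines, counts failed logins from the compromised web server's address, lists the accounts that did get in from it, and shows any privileged commands those accounts later ran. The log lines are constructed samples, and the address `192.0.2.10` is a placeholder for the backdoored host, not an IP from the thread.

```python
import re
from collections import Counter, defaultdict

# Placeholder: address of the compromised web server (not from the thread).
COMPROMISED_HOST = "192.0.2.10"

# Constructed sample auth.log excerpt from a hypothetical database server "db1".
SAMPLE_AUTH_LOG = """\
Oct 12 13:41:02 db1 sshd[2011]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 12 13:41:05 db1 sshd[2011]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 12 13:41:09 db1 sshd[2014]: Failed password for root from 192.0.2.10 port 40130 ssh2
Oct 12 13:42:31 db1 sshd[2020]: Accepted password for www from 192.0.2.10 port 40144 ssh2
Oct 12 14:01:15 db1 sshd[2051]: Accepted publickey for ops from 198.51.100.7 port 51022 ssh2
Oct 12 14:05:40 db1 sshd[2060]: Invalid user test from 192.0.2.10
Oct 12 14:06:00 db1 sudo:      www : TTY=pts/1 ; PWD=/home/www ; USER=root ; COMMAND=/usr/sbin/useradd backup
"""

# "Accepted/Failed <method> for [invalid user] <user> from <ip> port <port>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\sport\s(?P<port>\d+)"
)
# "Invalid user <user> from <ip>" (logged before the password attempt itself)
INVALID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Invalid user\s(?P<user>\S+)\sfrom\s(?P<ip>\S+)"
)
# sudo records: who ran what as which target user
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s:.*USER=(?P<target>\S+)\s;\sCOMMAND=(?P<cmd>.+)$"
)


def parse_line(line):
    """Return a dict describing one sshd/sudo event, or None for lines not modelled here."""
    m = SSHD_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "login_ok" if ev["result"] == "Accepted" else "login_failed"
        return ev
    m = INVALID_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "login_failed"
        return ev
    m = SUDO_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "sudo"
        return ev
    return None


def audit(log_text, suspect_ip):
    """Correlate auth.log events against the address of a compromised host.

    Returns failed attempts per username from suspect_ip, the successful logins
    from suspect_ip, and sudo commands run by accounts that logged in from it.
    """
    failed = Counter()
    accepted = []
    sudo_by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "login_failed" and ev["ip"] == suspect_ip:
            failed[ev["user"]] += 1
        elif ev["event"] == "login_ok" and ev["ip"] == suspect_ip:
            accepted.append((ev["ts"], ev["user"]))
        elif ev["event"] == "sudo":
            sudo_by_user[ev["user"]].append((ev["target"], ev["cmd"]))
    pivot_users = {user for _, user in accepted}
    return {
        "failed_by_user": dict(failed),
        "accepted": accepted,
        "privileged_after_pivot": {
            u: sudo_by_user[u] for u in pivot_users if u in sudo_by_user
        },
    }


if __name__ == "__main__":
    summary = audit(SAMPLE_AUTH_LOG, COMPROMISED_HOST)
    print("Failed logins from", COMPROMISED_HOST, "by username:", summary["failed_by_user"])
    print("Successful logins from", COMPROMISED_HOST, ":", summary["accepted"])
    print("Privileged commands by those accounts:", summary["privileged_after_pivot"])
```

    On the sample, the run shows three usernames being tried from the web server, one account (`www`) getting in, and that account then creating a new user via sudo; that is exactly the "users added" and "connections on to other machines" evidence an auditor would want preserved before the box is wiped. Run it against a real file with `audit(open("/var/log/auth.log").read(), "<web server IP>")`; the ordinary `ops` login from another address is left out of the report because the correlation is keyed on the suspect address.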

