http://qs321.pair.com?node_id=11120041


in reply to Re: Malicious module on CPAN
in thread Malicious module on CPAN

To @aitap I think you're the first one to deobfuscate this code publicly like this. Very nice explanations and I can really appreciate your time doing that! It wasn't so much the HTTP/1.0 or HTTP/1.1 that made any difference. It's that some of my endpoints actually rely on HTTP/0.9 protocol to work properly. Yeah, I admit it's gross, I know. And yes, the RCX.pm is just a useless benign test, as you've observed. But the actual use of Module::AutoLoad never touches RCX.pm except in that RCX.pl test suite just to make sure all the obfuscation endpoints are still up. Maybe your reasoning for failing to actually explain how AutoLoad.pm works (which is what would actually be used) is because it's probably easy enough to follow anyways and thus doesn't need any explanation. So at least you already did the hard part. Fair enough.

Re^3: Malicious module on CPAN
by aitap (Curate) on Jul 30, 2020 at 09:26 UTC
    Maybe your reasoning for failing to actually explain how AutoLoad.pm works (which is what would actually be used) is because it's probably easy enough to follow anyways and thus doesn't need any explanation.
    Yeah, the live code bootstraps "AutoLoad" instead of "RCX", and once the code evaluates http://perl.rob.com/dl/AutoLoad.pm, it fetches the real Module::AutoLoad, which is much easier to understand and uses the MetaCPAN v1 API.