Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Re: Malicious Perl Scripts & Web Development

by rnewsham (Curate)
on Apr 12, 2019 at 23:22 UTC ( #1232522=note: print w/replies, xml ) Need Help??


in reply to Malicious Perl Scripts & Web Development

I am afraid that its probably a fairly standard script to give a web based terminal emulator or file manager on your site. The common exploit path is to use a vulnerability in a site to upload a script which can then be called to gain further access. It will probably be impossible to trace what the attacker actually did although a good starting point is a grep for that script name in the access logs. It may give a clue as to when it was added and how to help you secure the site.

What you need to do now is to backup all files and databases. Then delete all files from your site and clear the database. Don't assume that you have managed to find all the files, if the attacker had access to your site they could have modified any code in any file. Don't be tempted to use the same database, if any section of your database contains html to be rendered in the page it could have been modified to add malicious javascript.

Restore your database from a backup taken prior to the exploit. Install the latest version of whatever software you are using on the site with all security patches applied and security configuration recommendations followed. You also should change every password associated with the site. Now you can use the backups of the exploited site in a separate environment to carefully extract any recent changes which were not in the backup.

It may sound paranoid but I have been dealing with the aftermath of website exploits like this for years. I have seen more sites than I can count exploited again because people did not properly secure and clean their sites.

  • Comment on Re: Malicious Perl Scripts & Web Development

Replies are listed 'Best First'.
Re^2: Malicious Perl Scripts & Web Development
by roboticus (Chancellor) on Apr 13, 2019 at 13:00 UTC

    rnewsham:

    I've not looked into exploit code in quite a while, so I spent a little while reorganizing it to see what it does. As you mention, it performs the file manager features you mention, but also has some database exploration functionality, too. Not particularly malicious in itself, that I can see, but it's not something you'd put on someone's system unless one had larcenous intent.

    It's kind of painful to look at, though, as the code is a mishmash of styles (functions called with & vs not), repetitive (bits of code pointlessly repeated), buggy (poorly formed HTML, and mostly crap.

    ...roboticus

    When your only tool is a hammer, all problems look like your thumb.

      Steals cpu n more from the careless just fine

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1232522]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (6)
As of 2020-11-24 21:11 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?