Strange die message at print line: hacker attack?

Andre_br has asked for the wisdom of the Perl Monks concerning the following question:

Hello my friends

I recently took a look at my error logs, and, between all the error messages, I've seen a very odd die message.

It is:

Conexão fechada pela outra ponta at /home/virtualshelf/www/mod_perl/se
+arch.cgi line 341, <DATA> line 183.
[download]

Two strangest things:
1) The error message you see is strangely in portuguese. It means the same as the famous "Connection closed by foreign host.", wich I know has to do with telnet attack attempts. I mean, all my RHEL OS and applications are in english; how come this error message in portuguese? Is this some mess a hacker's terminal can leave?

2) This line 341 has not anything but a print command!

              print qq(   # this is line 341!
              
                 <tr $style>
                     <td>$autor</td>
                     <td></td>
                     <td rowspan=2 valign=top>$vendor</td>
                     <td rowspan=2 valign=top></td>
                     <td rowspan=2 valign=top align=center>$year</td>
                     <td rowspan=2 valign=top></td>
                     <td rowspan=2 valign=top>R\$&nbsp;$price</td>
                     <td rowspan=2 valign=top></td>
                     <td rowspan=2 valign=top width=40>
                     <a href="javascript:void(0)" onClick="window.open
+('$domain/mod_perl/display.cgi?livro=$rec_id','Info','status=yes,scro
+llbars=yes,resizable=yes,width=620,height=520,left=100,top=75');"><im
+g src="$domain/images/basket.gif" border=0 alt="click here to see all
+ specs"></a>
                     <a href="javascript:void(0)" onClick="window.open
+('$domain/cgi-bin/cart.cgi?action=buy&item=$item_id','Info','status=y
+es,scrollbars=yes,resizable=yes,width=620,height=520,left=100,top=75'
+);"><img src="$domain/images/go.gif" border=0 alt="clique here to buy
+ "></a>
                     </td>
                     </tr>
                     
                 <tr $xadrez>
                     <td colspan=4>
                     &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
                     <a href="javascript:void(0)" onClick="window.open
+('$domain/mod_perl/details.cgi?item=$item_id','Info','status=yes,scro
+llbars=yes,resizable=yes,width=620,height=520,left=100,top=75');">
                     <i>$name</i></a></td>
                     </tr>
                 
              );
[download]

I visited the url that caused the error, and the script runs just fine, not any sign of this error message.

Also, there's the <DATA> line 183 portion of the error message, wich I also don't understand.

Any hints, fellows?

Thanks a lot

Andre

Comment on Strange die message at print line: hacker attack? Select or Download Code

Replies are listed 'Best First'.
Re: Strange die message at print line: hacker attack? by Somni (Friar) on Oct 26, 2007 at 19:39 UTC
"Connection closed by foreign host" has nothing specifically to do with "telnet hacker attempts", whatever that means. Where did you get that one? This is a CGI script, there is a remote host involved. When that host closes the connection and you attempt to write to the now-closed socket you receive a SIGPIPE. It's probable something is catching this signal and turning it into a croak(). As for why the error is in Portuguese, it's hard to say. Perhaps your $LANG has been set at some point, or perhaps the module that setup the SIGPIPE handler is using a locale. The DATA business is a little odd. Something along the way is in the middle of reading from its DATA handle, but it's hard to tell what. Finally, looking for secret "hackers" is probably counter-productive to finding the actual cause of the problem. Look at what modules you're using, look for where the SIGPIPE handler could be coming from, and look for any locale usage.	[reply]
Re^2: Strange die message at print line: hacker attack? by graff (Chancellor) on Oct 27, 2007 at 00:47 UTC
The DATA business is a little odd. Something along the way is in the middle of reading from its DATA handle Or at the end. It's typical for this sort of error report from perl to mention the current value of `$.` along with the file handle that was last read (i.e. the one that set `$.` to its current value) -- even after the script has reached the end of that file and has closed the handle. It's also not uncommon for this portion of the error message to be irrelevant to the cause of the problem.	[reply] [d/l] [select]
Re: Strange die message at print line: hacker attack? by hossman (Prior) on Oct 26, 2007 at 21:08 UTC
...all my RHEL OS and applications are in english; how come this error message in portuguese? not all of them ... this one for example uses `$autor` instead of `$author`, `clique` instead of `click`, and `livro` instead of `book` ...and that's just in the snipet you've shown us. so if 3 out of the 25 lines you pasted here have portuguese in them, i'm going to go out on a limb and guess that somewhere in the rest of your application, there might be some more Portuguese, maybe even setting the LANG so that error messages from perl are in Portuguese.	[reply] [d/l] [select]
Re: Strange die message at print line: hacker attack? by gamache (Friar) on Oct 26, 2007 at 19:21 UTC
I once believed that the `print` statement on line 341 was bound to fail, because you're using parentheses to delimit a string that contains parens itself. But then runrig set me straight. Anyway, it's not the greatest idea to use parens as delimiters when the text might contain unmatched parens -- try using a "here document" syntax instead: `print <<EOT; <tr $style> <td>$autor</td> <td></td> <td rowspan=2 valign=top>$vendor</td> <td rowspan=2 valign=top></td> <td rowspan=2 valign=top align=center>$year</td> <td rowspan=2 valign=top></td> <td rowspan=2 valign=top>R\$ $price</td> ... EOT` [download] I do not believe your localized error message is an indication of malicious code; given that I see some variable names in Portuguese, I'm guessing it's either just hard-coded somewhere deep in your program, or you're not as EN-localized as you think. In any language, "Connection closed by foreign host" is a very common message and in no way does it imply that you've been hax0red.	[reply] [d/l]
Re^2: Strange die message at print line: hacker attack? by runrig (Abbot) on Oct 26, 2007 at 19:48 UTC
As long as the parenthesis are balanced, there is no problem.	[reply]
Re^2: Strange die message at print line: hacker attack? by saberworks (Curate) on Oct 27, 2007 at 05:40 UTC
HEREDOCS are okay but they can really screw up indenting if you have them in a block. You can use a number of different delimiters for the q* operators. Basically anything with a matching something, like (), [], {}, you can also use \|, ~, #, !, *, geesh, a lot of things. I guess anything that doesn't make it look like a different function/operator (so qq9 something 9; won't work). The regular ones get highlighted properly in most text editors, but even vim gets tripped up on the weirder ones.	[reply]
Re: Strange die message at print line: hacker attack? by graff (Chancellor) on Oct 27, 2007 at 00:54 UTC
My knowledge of http transactions isn't all that broad or deep, but if a web server is trying to print to a client, and the connection to the client somehow happens to fail or vanish in the midst of the printing, wouldn't that cause this sort of "connection closed by remote host" error report? As for the message being in Portuguese, as others have pointed out, there's likely to be something in the script that would account for the choice of language.	[reply]


Problems? Is your data what you think it is?
	PerlMonks