
server compromised - perl script

  • 12-10-2009 12:48pm
    #1
    Registered Users, Registered Users 2 Posts: 342 ✭✭


    Hi, can anyone tell me what this perl script does? Nothing good, I know, as it was uploaded and run on our servers through some security hole.

    http://www.tank-treff.de/images/so.txt


Comments

  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    A variant of this...

    http://www.sophos.com/security/analyses/viruses-and-spyware/perlelxbota.html

    Perl/Elxbot-A is a worm and IRC backdoor Trojan.

    Perl/Elxbot-A attempts to spread by exploiting a vulnerability in the Mambo content management system.

    The worm also connects to an IRC channel and listens for backdoor commands.

    Perl/Elxbot-A allows an attacker to run arbitrary commands on the infected system and may be used to carry out denial-of-service attacks.


  • Registered Users, Registered Users 2 Posts: 134 ✭✭anton


    Had a quick glance, it looks like a backdoor script. It connects to an IRC server and allows an attacker to execute arbitrary commands on your host.

    adm wrote: »
    Hi, can anyone tell me what this perl script does? Nothing good, I know, as it was uploaded and run on our servers through some security hole.

    http://www.tank-treff.de/images/so.txt


  • Registered Users, Registered Users 2 Posts: 342 ✭✭adm


    Many thanks for the replies.
    So is wiping the server the best course of action?

    Also, is this restricted to mambo/joomla, I wonder?


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    The perl script is limited to unpatched mambo/joomla installs.

    And I would recommend reinstalling the whole OS. Might be worth creating an image of it first in case there's someone who could audit the logs and changes made (users added, cron jobs, connections on to other machines (the joomla database server, if you store any customer details there?))

    I don't mean to overhype the issue, but if this is a company web server, you shouldn't ignore the fact that, depending on the restrictions on network traffic outgoing from this server, through this backdoor the group responsible could have had access to the connected database credentials and any data it could read, and through that, sent a partial or full dump of your database.

    So you might have an obligation to have someone audit your server logs and determine whether any customer data might have been exposed. And check the auth.log files of other servers for attempted connections.
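The last step above, checking the auth.log files of other servers for connection attempts from the compromised box, is the kind of thing worth scripting rather than eyeballing. The following is an added example (not code from the thread or from any of the posters) that parses sshd lines in the format written to /var/log/auth.log, summarises login activity per source address, and flags any source that is on a watch list of suspect hosts or that shows failures followed by an accepted login. The suspect address 192.0.2.10 and the sample log lines are constructed for the example.

```python
"""Triage helper for sshd entries in auth.log (added example, not from the thread).

Reads syslog-style sshd lines, counts failed/accepted logins per source address,
and flags sources that are either on a suspect list (e.g. the compromised web
server) or that show a brute-force pattern (failures followed by an accept).
"""
import re
from collections import defaultdict

# Constructed: address of the compromised web server whose outbound
# connections we want to find on the other hosts (RFC 5737 documentation range).
SUSPECT_HOSTS = {"192.0.2.10"}

# Constructed sample lines in the format OpenSSH sshd writes via syslog.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:05 db01 sshd[2211]: Failed password for root from 192.0.2.10 port 40210 ssh2
Oct 12 03:14:09 db01 sshd[2211]: Failed password for root from 192.0.2.10 port 40210 ssh2
Oct 12 03:14:15 db01 sshd[2214]: Failed password for invalid user admin from 192.0.2.10 port 40218 ssh2
Oct 12 03:15:01 db01 sshd[2220]: Accepted password for www-data from 192.0.2.10 port 40231 ssh2
Oct 12 08:02:44 db01 sshd[3001]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Oct 12 08:03:10 db01 CRON[3010]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for root from X" and
# "Failed password for invalid user admin from X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of dicts, one per sshd login attempt; non-sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate attempts per source address: failed count, accepted count, usernames tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for e in events:
        s = summary[e["src"]]
        s["failed" if e["result"] == "Failed" else "accepted"] += 1
        s["users"].add(e["user"])
    return dict(summary)


def flag_sources(summary, suspects=SUSPECT_HOSTS):
    """Return sorted list of (src, reason) for sources that need a closer look."""
    findings = []
    for src, s in summary.items():
        if src in suspects:
            findings.append((src, "connection from known-compromised host"))
        elif s["failed"] > 0 and s["accepted"] > 0:
            findings.append((src, "failures followed by an accepted login"))
    return sorted(findings)


def triage(text, suspects=SUSPECT_HOSTS):
    """Convenience wrapper: parse, summarise and flag in one call."""
    return flag_sources(summarize(parse_auth_log(text)), suspects)


if __name__ == "__main__":
    summary = summarize(parse_auth_log(SAMPLE_AUTH_LOG))
    for src, s in summary.items():
        print(f"{src}: failed={s['failed']} accepted={s['accepted']} users={sorted(s['users'])}")
    for src, reason in flag_sources(summary):
        print(f"FLAG {src}: {reason}")
```

On real hosts you would feed it the concatenation of the rotated auth.log files (they are plain text, possibly gzipped) and put every address of the compromised server, internal and external, into the suspect set. An accepted login from the web server to the database host, as in the constructed sample, is exactly the finding that turns "reinstall the web server" into "audit the database server as well".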

