Strange perl script
Paul Schmehl
pauls at utdallas.edu
Wed Oct 17 14:07:54 PDT 2007
--On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll
<josh.carroll at gmail.com> wrote:
>> The strangest thing is that I can't find sploger on my system. After a
>> reboot sploger doesn't appear anymore, which makes it even stranger.
>
> So you have done a:
>
> find / -name sploger -type f
>
> And nothing comes up? If that's the case, it sounds like it was a perl
> script that was run, then subsequently removed from the file system.
> Which sounds rather nefarious to me. You might want to check for
> rootkits, etc.
>
If you google for "sploger+perl", all you get is stuff that looks like
hacked websites being run as spam operations.
Look in /tmp for anything unusual, like directories named ". " or ".. "
or similar. Look for oddly named files in /tmp, such as dp, xz, etc.
Look at your website logs carefully. I suspect a malicious script has been
run through some exploit such as php or perl or an apache weakness.
Is all your software completely patched up to date?
--
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
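
The /tmp name check suggested above, written out as a small sh function. This is an added example, not part of the original message; the function name `suspicious_names` is hypothetical, and the rules for names ending in whitespace or starting with three dots are an assumed reading of "or similar".

```shell
#!/bin/sh
# Added example: list entries below a directory whose names imitate
# "." and ".." or hide trailing blanks, as described in the message.
# Usage: sh scan_names.sh /tmp     (the script file name is an assumption)

# suspicious_names DIR
# Prints "kind<TAB>owner<TAB>[path]" per hit. The brackets make a
# trailing blank visible, which a plain "ls" listing does not.
suspicious_names() {
    # Patterns (matched against the last path component only):
    #   .*[[:space:]]*  dot-name containing whitespace: ". ", ".. ", ". x"
    #   *[[:space:]]    any name that ends in whitespace
    #   ...*            three or more leading dots (assumed "similar" case)
    # -exec ... {} + hands the paths over as arguments, so names with
    # blanks are never split by the shell.
    find "${1:-/tmp}" -mindepth 1 \
        \( -name '.*[[:space:]]*' -o -name '*[[:space:]]' -o -name '...*' \) \
        -exec sh -c '
            for p in "$@"; do
                if [ -d "$p" ]; then kind=dir; else kind=file; fi
                # The owner shows whether the web server account made it.
                owner=$(ls -ld "$p" | awk "NR==1 {print \$3}")
                printf "%s\t%s\t[%s]\n" "$kind" "$owner" "$p"
            done' sh {} + 2>/dev/null
}

# Scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    suspicious_names "$1"
fi
```

An ordinary dotfile such as `.hidden` is not reported. A hit owned by the account the web server runs as fits the exploited-script scenario described in the message.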
More information about the freebsd-questions mailing list