Strange perl script
pauls at utdallas.edu
Wed Oct 17 14:07:54 PDT 2007
--On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll
<josh.carroll at gmail.com> wrote:
>> The strangest thing is that I can't find sploger on my system. After a
>> reboot sploger doesn't appear anymore, which makes it even stranger.
> So you have done a:
> find / -name sploger -type f
> And nothing comes up? If that's the case, it sounds like it was a perl
> script that was run, then subsequently removed from the file system.
> Which sounds rather nefarious to me. You might want to check for
> rootkits, etc.
If you google for "sploger+perl", all you get is stuff that looks like
hacked websites being run as spam operations.
Look in /tmp for anything unusual, like directories named ". " or ".. "
or similar. Look for oddly named files in /tmp, such as dp, xz, etc.
Look at your website logs carefully. I suspect a malicious script has been
run through some exploit such as php or perl or an apache weakness.
Is all your software completely patched up to date?
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
More information about the freebsd-questions
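
One way to script the /tmp check suggested in the message above, as an added example that is not part of the original thread. The function names are made up for illustration, and flagging files that begin with "#!" is an extra heuristic assumed here for spotting dropped scripts; short names such as dp or xz cannot be recognised by name alone.

```shell
#!/bin/sh
# Added example (not from the original thread): list directory entries whose
# names are built to hide in a listing, plus script files dropped there.

# name_reason NAME: print why NAME looks odd; print nothing for ordinary names.
name_reason() {
    case "$1" in
        .|..)  return 0 ;;                                   # the real dot entries
        *" ")  echo "trailing whitespace"; return 0 ;;       # ". " and ".. "
        " "*)  echo "leading whitespace"; return 0 ;;
        ..?*)  echo "starts with two dots"; return 0 ;;      # "..."
    esac
    # Bytes left after deleting printable ASCII are control or non-ASCII bytes
    # (tabs and newlines included); legitimate UTF-8 names are flagged too.
    odd=$(( $(printf '%s' "$1" | LC_ALL=C tr -d '[:print:]' | wc -c) ))
    if [ "$odd" -gt 0 ]; then echo "non-printable byte in name"; fi
    return 0
}

# has_shebang PATH: true if PATH is a readable regular file (not a symlink)
# whose first two bytes are "#!". Heuristic assumed for this example.
has_shebang() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -r "$1" ] || return 1
    [ "$(LC_ALL=C dd if="$1" bs=2 count=1 2>/dev/null | tr -d '\000')" = "#!" ]
}

# scan_dir [DIR]: report odd entries directly inside DIR (default /tmp).
# Names are printed between [ ] so trailing spaces are visible.
scan_dir() {
    dir=${1:-/tmp}
    for path in "$dir"/* "$dir"/.*; do
        [ -e "$path" ] || [ -L "$path" ] || continue         # unmatched glob
        name=${path##*/}
        reason=$(name_reason "$name")
        if [ -n "$reason" ]; then
            printf '%s: [%s]\n' "$reason" "$name"
        fi
        if has_shebang "$path"; then
            printf 'script with #! line: [%s]\n' "$name"
        fi
    done
    return 0
}

# Usage: scan_dir /tmp     (also worth running on /var/tmp)
```

A hit is only a lead: compare its owner and modification time against the web server logs before drawing conclusions.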