Strange perl script
Peo Nilsson
per-olof.nilsson at comhem.se
Wed Oct 17 14:46:01 PDT 2007
On Wed, 2007-10-17 at 16:07 -0500, Paul Schmehl wrote:
> --On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll
> <josh.carroll at gmail.com> wrote:
>
> >> The strangest thing is that I can't find sploger on my system. After a
> >> reboot sploger doesn't appear anymore, which makes it even stranger.
> >
> > So you have done a:
> >
> > find / -name sploger -type f
> >
> > And nothing comes up? If that's the case, it sounds like it was a perl
> > script that was run, then subsequently removed from the file system.
> > Which sounds rather nefarious to me. You might want to check for
> > rootkits, etc.
> >
> If you google for "sploger+perl", all you get is stuff that looks like
> hacked websites being run as spam operations.
>
> Look in /tmp for anything unusual, like directories named ". " or ".. "
> or similar. Look for oddly named files in /tmp, such as dp, xz, etc.
>
> Look at your website logs carefully. I suspect a malicious script has been
> run through some exploit such as php or perl or an apache weakness.
>
> Is all your software completely patched up to date?
>
Dear list members.
I scanned my FreeBSD 6.2-Release (ports up to date) with
Avira Antivir personal ed, some days ago. The scanner returned
this:
...<snap>
checking drive/path (cwd): /
/usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
Date: 11.10.2007 Time: 16:04:06 Size: 9975
ALERT:
[HTML/MHT.Gen] /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist <<< Contains detection pattern of the HTML script virus HTML/MHT.Gen
<snap>...
The information Avira has one can read here:
http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html
I posted a question to openxpki-devel at lists.sourceforge.net.
They proposed that the scanner probably was "too nervous" for use with
Unix. (I can't tell myself)
Don't know if this says anything, but I thought I would mention it
when I saw your posts.
--
/Peo
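
The /tmp check suggested in the quoted reply above, written out as an added example that is not part of the original thread. The function names are hypothetical, the patterns match a literal space only (not tabs), and treating one- or two-character executable files as "oddly named" is an assumption drawn from the `dp` and `xz` examples in the reply.

```shell
#!/bin/sh
# Added example: list entries whose names are easy to miss in an `ls` listing.

# scan_disguised_names DIR
# Prints paths under DIR (default /tmp) whose names
#   - start with "." or ".." followed by a space (". ", ".. ", ".. x")
#   - end with a space ("trail ")
scan_disguised_names() {
    find "${1:-/tmp}" -mindepth 1 \( \
        -name '. *' -o \
        -name '.. *' -o \
        -name '* ' \
    \) -print 2>/dev/null || :
}

# scan_short_executables DIR
# Prints regular files directly inside DIR (default /tmp) that have the owner
# execute bit set and a name of one or two characters (heuristic, see lead-in).
scan_short_executables() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -type f -perm -100 \
        \( -name '?' -o -name '??' \) -print 2>/dev/null || :
}

# When called with a directory argument, report both result sets.
# Names are wrapped in [ ] so trailing spaces are visible.
if [ "$#" -gt 0 ]; then
    echo "Disguised names under $1:"
    scan_disguised_names "$1" | sed 's/^/  [/; s/$/]/'
    echo "Short-named executables in $1:"
    scan_short_executables "$1" | sed 's/^/  [/; s/$/]/'
fi
```

Run it as `sh scan_tmp.sh /tmp` (the file name is arbitrary); a hit is a reason to inspect the entry's owner, timestamps and contents, not proof of compromise.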
More information about the freebsd-questions
mailing list