what www perl script is running?

CyberLeo Kitsana cyberleo at cyberleo.net
Tue Aug 25 19:25:32 UTC 2009 

Colin Brace wrote:
> 
> Ruben de Groot wrote:
>> Try a find through the entire filesystem for files owned by this user that 
>> you can't account for. Also check your cron and at files under /var/cron
>> and
>> /var/at
>>
> 
> I found the cronjob which keeps restarting the script: 
> 
> [root at venus /var/cron/tabs]# ls -l
> total 12
> -rw-------  1 root  wheel  3440 Aug 25 12:06 colin
> -rw-------  1 root  wheel   240 Jul 28 23:49 www
> 
> [root at venus /var/cron/tabs]# cat www 
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (cron.job installed on Tue Jul 28 23:49:28 2009)
> # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24
> 2006/09/03 17:52:19 ru Exp $)
> */1 * * * * perl /tmp/tmpfile
> 
> I removed it, so now at least the script stops relaunching.
> 
> /tmp/tmpfile is of course the script.
> 
> In a subdirectory of tmp, there is a whole bunch of source code, all owned
> by 'www':
> 
> /tmp/.,]# ls -l
> total 5692
> -rw-r--r--  1 www  wheel  2844160 Mar 27 10:00 m.tgz
> drwxr-xr-x  4 www  wheel      512 Nov 10  2008 ml
> -rw-r--r--  1 www  wheel    43419 May 27 23:22 scanxml.txt
> 
> ]# ls -l ml
> total 3208
> -rwxr-xr-x  1 www  wheel     411 Mar 27 09:57 1.user
> -rwxr-xr-x  1 www  wheel     422 Mar 27 09:57 2.user
> -rwxr-xr-x  1 www  wheel  505767 Aug  3  2008 LinkEvents
> -rwxr-xr-x  1 www  wheel    2154 May 16  2003 Makefile
> -rwx--x--x  1 www  wheel  418490 Dec  3  2005 bsd
> -rwxr-xr-x  1 www  wheel     941 Dec  3  2005 checkmech
> -rwxr-xr-x  1 www  wheel   23237 May 16  2003 configure
> -rwx--x--x  1 www  wheel  397274 Dec  3  2005 crond
> -rwxr-xr-x  1 www  wheel   22882 May 16  2003 m.h
> -rwxr-xr-x  1 www  wheel    1054 Aug  3  2008 m.lev
> -rwx--x--x  1 www  wheel       6 May 25  2008 m.pid
> -rwxr-xr-x  1 www  wheel    1320 Mar 27 09:56 m.set
> -rwxr-xr-x  1 www  wheel   10240 Nov 10  2008 m.tgz
> -rwxr-xr-x  1 www  wheel  167964 Mar 16  2001 pico
> drwxr-xr-x  2 www  wheel     512 Mar  4  2005 r
> drwxr-xr-x  2 www  wheel    1024 Dec  3  2005 src
> 
> If anyone is interested in looking at this stuff, or wants more info, please
> let me know.

Are these files available in a tarball someplace public, for those of us
who enjoy performing autopsies on virii?

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/

More information about the freebsd-questions mailing list