From owner-freebsd-questions@FreeBSD.ORG Tue Aug 25 23:06:05 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E9D5106568B for ; Tue, 25 Aug 2009 23:06:05 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 62BD98FC15 for ; Tue, 25 Aug 2009 23:06:05 +0000 (UTC) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1Mg55Y-0007MN-9R for freebsd-questions@freebsd.org; Tue, 25 Aug 2009 16:06:04 -0700 Message-ID: <25143778.post@talk.nabble.com> Date: Tue, 25 Aug 2009 16:06:04 -0700 (PDT) From: Colin Brace To: freebsd-questions@freebsd.org In-Reply-To: <4A943A9B.1030703@cyberleo.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: cb@lim.nl References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134056.post@talk.nabble.com> <20090825134250.GA6871@ei.bzerk.org> <25135959.post@talk.nabble.com> <4A943A9B.1030703@cyberleo.net> Subject: Re: what www perl script is running? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Aug 2009 23:06:05 -0000 CyberLeo Kitsana wrote: > > Are these files available in a tarball someplace public, for those of us > who enjoy performing autopsies on virii? Sure thing: http://silenceisdefeat.com/~cbrace/www_badstuff.gz this tarball contains "tmpfile" which is the misbehaving script as well as the contents of a directory called ".," which has a bunch of source code and so on. As indicated earlier, this stuff was installed by user 'www'. It should be unpacked in an empty directory. Have fun! ----- Colin Brace Amsterdam http://lim.nl -- View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25143778.html Sent from the freebsd-questions mailing list archive at Nabble.com.