From owner-freebsd-questions@FreeBSD.ORG  Tue Aug 25 23:06:05 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8E9D5106568B
	for <freebsd-questions@freebsd.org>;
	Tue, 25 Aug 2009 23:06:05 +0000 (UTC)
	(envelope-from bounces@nabble.com)
Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158])
	by mx1.freebsd.org (Postfix) with ESMTP id 62BD98FC15
	for <freebsd-questions@freebsd.org>;
	Tue, 25 Aug 2009 23:06:05 +0000 (UTC)
Received: from isper.nabble.com ([192.168.236.156])
	by kuber.nabble.com with esmtp (Exim 4.63)
	(envelope-from <bounces@nabble.com>) id 1Mg55Y-0007MN-9R
	for freebsd-questions@freebsd.org; Tue, 25 Aug 2009 16:06:04 -0700
Message-ID: <25143778.post@talk.nabble.com>
Date: Tue, 25 Aug 2009 16:06:04 -0700 (PDT)
From: Colin Brace <cb@lim.nl>
To: freebsd-questions@freebsd.org
In-Reply-To: <4A943A9B.1030703@cyberleo.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-From: cb@lim.nl
References: <4A924601.3000507@lim.nl>
	<200908240807.n7O87o3U092052@banyan.cs.ait.ac.th>
	<200908241026.55693.j.mckeown@ru.ac.za>
	<25130058.post@talk.nabble.com>
	<20090825091937.GA53416@cheddar.urgle.com>
	<25131646.post@talk.nabble.com>
	<200908251027.n7PARZBt009994@banyan.cs.ait.ac.th>
	<25132123.post@talk.nabble.com>
	<20090825082604.41cad357.wmoran@potentialtech.com>
	<25134056.post@talk.nabble.com>
	<20090825134250.GA6871@ei.bzerk.org>
	<25135959.post@talk.nabble.com> <4A943A9B.1030703@cyberleo.net>
Subject: Re: what www perl script is running?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2009 23:06:05 -0000



CyberLeo Kitsana wrote:
> 
> Are these files available in a tarball someplace public, for those of us
> who enjoy performing autopsies on virii? 

Sure thing: http://silenceisdefeat.com/~cbrace/www_badstuff.gz

this tarball contains "tmpfile" which is the misbehaving script as well as
the contents of a directory called ".," which has a bunch of source code and
so on. As indicated earlier, this stuff was installed by user 'www'.

It should be unpacked in an empty directory.

Have fun!



-----
  Colin Brace
  Amsterdam
  http://lim.nl
-- 
View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25143778.html
Sent from the freebsd-questions mailing list archive at Nabble.com.