From owner-freebsd-questions@FreeBSD.ORG Wed Oct 17 21:07:54 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CCA8B16A417 for ; Wed, 17 Oct 2007 21:07:54 +0000 (UTC) (envelope-from pauls@utdallas.edu)
Received: from smtp3.utdallas.edu (smtp3.utdallas.edu [129.110.10.49]) by mx1.freebsd.org (Postfix) with ESMTP id B379613C467 for ; Wed, 17 Oct 2007 21:07:54 +0000 (UTC) (envelope-from pauls@utdallas.edu)
Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTP id 2924C654FB for ; Wed, 17 Oct 2007 16:07:54 -0500 (CDT)
Date: Wed, 17 Oct 2007 16:07:53 -0500
From: Paul Schmehl
To: freebsd-questions@freebsd.org
Message-ID: <0C6C104A0E99E195410424CC@utd59514.utdallas.edu>
In-Reply-To: <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com>
References: <005801c8107c$8b7b93a0$0202fea9@jarasoft.net> <20071017151607.GB51123@gizmo.acns.msu.edu> <002101c810f9$10379b80$0202fea9@jarasoft.net> <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: Strange perl script
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 17 Oct 2007 21:07:54 -0000

--On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll wrote:

>> The strangest thing is that I can't find sploger on my system. After a
>> reboot sploger doesn't appear anymore, which makes it even stranger.
>
> So you have done a:
>
> find / -name sploger -type f
>
> And nothing comes up? If that's the case, it sounds like it was a perl
> script that was run, then subsequently removed from the file system.
> Which sounds rather nefarious to me. You might want to check for
> rootkits, etc.
>

If you google for "sploger+perl", all you get is stuff that looks like
hacked websites being run as spam operations.

Look in /tmp for anything unusual, like directories named ". " or ".. "
or similar. Look for oddly named files in /tmp, such as dp, xz, etc.

Look at your website logs carefully. I suspect a malicious script has
been run through some exploit such as php or perl or an apache weakness.

Is all your software completely patched up to date?

--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
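The /tmp check Paul describes above (directories named ". " or ".. ", and oddly short file names such as dp or xz), written out as a small POSIX sh script. This is an added example for readers of the archive, not code from the thread or from Paul; the function name find_suspicious_tmp, the two name patterns, and the sample entries it is tested against are this example's own assumptions, not a catalogue of what any particular intruder leaves behind.

```shell
#!/bin/sh
# Added example (not from the original thread): list entries directly
# under a directory (default /tmp) whose names match the two hiding
# habits mentioned in the mail:
#   dot-space  : a name made only of dots followed by whitespace, e.g. ". "
#   short-name : a regular file with a 1-3 character alphanumeric name,
#                e.g. "dp" or "xz" (names like "tmux-1001" do not match)
# Output is one line per hit: "<kind> <path>".
# Names containing a newline are not handled (find output is read per line).

is_dot_space() {
    printf '%s\n' "$1" | grep -Eq '^\.+[[:space:]]+$'
}

is_short_odd_name() {
    printf '%s\n' "$1" | grep -Eq '^[[:alnum:]]{1,3}$'
}

find_suspicious_tmp() {
    dir="${1:-/tmp}"
    # -mindepth 1 keeps the directory itself out of the listing;
    # -maxdepth 1 stays at the top level, which is where these names sit.
    find "$dir" -mindepth 1 -maxdepth 1 -print | while IFS= read -r path; do
        name="${path##*/}"              # basename without touching trailing spaces
        if is_dot_space "$name"; then
            printf 'dot-space %s\n' "$path"
        elif [ -f "$path" ] && is_short_odd_name "$name"; then
            printf 'short-name %s\n' "$path"
        fi
    done
}

# Stand-alone use: sh tmpcheck.sh /tmp   (no argument: nothing is run,
# so the file can also be sourced for its functions)
if [ "$#" -gt 0 ]; then
    find_suspicious_tmp "$1"
fi
```

A hit is a reason to look closer (ls -la, file, stat on the entry, and the web server logs around its mtime), not proof of compromise by itself; the short-name pattern in particular will also flag harmless scratch files, which is why the output keeps the full path rather than acting on it.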