Date:      Wed, 17 Oct 2007 23:51:39 +0200
From:      Peo Nilsson <per-olof.nilsson@comhem.se>
To:        freebsd-questions@freebsd.org
Subject:   Re: Strange perl script
Message-ID:  <1192657899.51572.12.camel@zeus.se>
In-Reply-To: <0C6C104A0E99E195410424CC@utd59514.utdallas.edu>
References:  <005801c8107c$8b7b93a0$0202fea9@jarasoft.net> <20071017151607.GB51123@gizmo.acns.msu.edu> <002101c810f9$10379b80$0202fea9@jarasoft.net> <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com> <0C6C104A0E99E195410424CC@utd59514.utdallas.edu>



On Wed, 2007-10-17 at 16:07 -0500, Paul Schmehl wrote:
> --On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll <josh.carroll@gmail.com> wrote:
>
> >> The strangest thing is that I can't find sploger on my system. After a
> >> reboot sploger doesn't appear anymore, which makes it even stranger.
> >
> > So you have done a:
> >
> > find / -name sploger -type f
> >
> > And nothing comes up? If that's the case, it sounds like it was a perl
> > script that was run, then subsequently removed from the file system.
> > Which sounds rather nefarious to me. You might want to check for
> > rootkits, etc.
> >
> If you google for "sploger+perl", all you get is stuff that looks like
> hacked websites being run as spam operations.
>
> Look in /tmp for anything unusual, like directories named ".  " or "..  "
> or similar.  Look for oddly named files in /tmp, such as dp, xz, etc.
>
> Look at your website logs carefully.  I suspect a malicious script has been
> run through some exploit such as php or perl or an apache weakness.
>
> Is all your software completely patched up to date?
>

Dear list members.

I scanned my FreeBSD 6.2-Release (ports up to date) with
Avira Antivir personal ed, some days ago. The scanner returned
this:

...<snap>
checking drive/path (cwd): /
/usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
 Date: 11.10.2007  Time: 16:04:06  Size: 9975
 ALERT:
[HTML/MHT.Gen] /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist <<< Contains detection pattern of the HTML script virus HTML/MHT.Gen
<snap>...

The information Avira has on it can be read here:
http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html

I posted a question to openxpki-devel@lists.sourceforge.net.
They proposed that the scanner probably was "too nervous" for use with
Unix. (I can't tell myself.)

Don't know if this says anything, but I thought I would mention it
when I saw your posts.

-- 
/Peo
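The quoted advice above about whitespace-padded names in /tmp can be turned into a repeatable check. The script below is an added example, not code from this thread or from any poster: it flags entries whose names consist only of dots and whitespace (".  ", "..  ") or are padded with leading/trailing whitespace, which is what hides them in a casual "ls". The function names odd_names and odd_count are my own; it assumes POSIX sh plus find -mindepth/-maxdepth (available on FreeBSD and GNU find).

```shell
#!/bin/sh
# Added example (not from the thread): report directory entries disguised with
# whitespace, the kind of /tmp entry the quoted reply says to look for.
# Usage:  odd_names /tmp        or        odd_count /tmp

odd_names() {
    dir=$1
    # One entry per line, name printed in single quotes so the padding is
    # visible. A name containing a newline would be split across lines
    # (rare, but in that case also worth a look).
    LC_ALL=C find "$dir" -mindepth 1 -maxdepth 1 -print | while IFS= read -r path; do
        name=${path##*/}
        case "$name" in
            *[![:space:].]*)
                # Contains an ordinary character: flag only if whitespace-padded.
                case "$name" in
                    [[:space:]]*|*[[:space:]])
                        printf "'%s'  whitespace-padded name\n" "$name" ;;
                esac ;;
            *)
                # Nothing but dots and whitespace, e.g. ".  " or "..  ".
                printf "'%s'  dots-and-whitespace name\n" "$name" ;;
        esac
    done
}

# Number of flagged entries; 0 means nothing suspicious by this test.
odd_count() {
    odd_names "$1" | grep -c . || true
}

# Demo on a constructed scratch directory (sample names, not a real /tmp).
demo_dir=$(mktemp -d) || exit 1
mkdir "$demo_dir/.  " "$demo_dir/..  " "$demo_dir/xz" "$demo_dir/legit.d"
: > "$demo_dir/ hidden "
odd_names "$demo_dir"
rm -rf "$demo_dir"
```

Short plain names such as dp or xz are not flagged by this test; they only stand out by context, so pair the check with a look at the website logs as the reply suggests.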
