From: Peo Nilsson <per-olof.nilsson@comhem.se>
To: freebsd-questions@freebsd.org
Subject: Re: Strange perl script
Date: Wed, 17 Oct 2007 23:51:39 +0200
Message-Id: <1192657899.51572.12.camel@zeus.se>
In-Reply-To: <0C6C104A0E99E195410424CC@utd59514.utdallas.edu>
List-Id: User questions <freebsd-questions.freebsd.org>

On Wed, 2007-10-17 at 16:07 -0500, Paul Schmehl wrote:
> --On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll wrote:
>
> >> The strangest thing is that I can't find sploger on my system. After a
> >> reboot sploger doesn't appear anymore, which makes it even stranger.
> >
> > So you have done a:
> >
> > find / -name sploger -type f
> >
> > And nothing comes up? If that's the case, it sounds like it was a perl
> > script that was run, then subsequently removed from the file system.
> > Which sounds rather nefarious to me. You might want to check for
> > rootkits, etc.
> >
> If you google for "sploger+perl", all you get is stuff that looks like
> hacked websites being run as spam operations.
>
> Look in /tmp for anything unusual, like directories named ". " or ".. "
> or similar. Look for oddly named files in /tmp, such as dp, xz, etc.
>
> Look at your website logs carefully. I suspect a malicious script has been
> run through some exploit such as php or perl or an apache weakness.
>
> Is all your software completely patched up to date?
>

Dear list members.

I scanned my FreeBSD 6.2-Release (ports up to date) with Avira Antivir
personal ed. some days ago. The scanner returned this:

...
checking drive/path (cwd): /
/usr/ports/security/p5-openxpki-client-html-mason/pkg-plist
  Date: 11.10.2007  Time: 16:04:06  Size: 9975
  ALERT: [HTML/MHT.Gen] /usr/ports/security/p5-openxpki-client-html-mason/pkg-plist <<< Contains detection pattern of the HTML script virus HTML/MHT.Gen
...

The information Avira has on it can be read here:
http://www.avira.com/en/threats/section/details/id_vir/3679/html_mht.gen.html

I posted a question to openxpki-devel@lists.sourceforge.net. They proposed
that the scanner was probably "too nervous" for use with Unix. (I can't
tell myself.)

Don't know if this says anything, but I thought I would mention it when I
saw your posts.

-- 
/Peo
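One way to carry out the /tmp check Paul suggests above (directories named ". " or ".. ", and oddly named short files such as dp or xz) is the small POSIX shell scan below. It is an added example written for this page, not code from any of the posters; the sample directory it builds is constructed, and the list of "suspicious short names" is an assumption taken from the names mentioned in the thread, not an authoritative indicator list. Names that are only dots, or that carry trailing whitespace, are flagged because they are invisible or indistinguishable from "." and ".." in a casual ls listing.

```shell
#!/bin/sh
# Added example (not from the original thread): look for the kinds of
# oddly named entries in a directory that the thread suggests checking
# /tmp for. Pure POSIX sh; no find -regex or -mindepth needed.

# Print one line per entry in "$1" whose name looks like an attempt to
# hide in an ls listing. Patterns are checked in order; the real "." and
# ".." entries are skipped so only look-alikes such as ". " are reported.
find_suspicious_names() {
    dir=$1
    for path in "$dir"/* "$dir"/.*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            .|..)                 continue ;;   # genuine self/parent entries
            *[[:space:]]*)        echo "whitespace in name: '$name'" ;;
            ...*)                 echo "dots-only name: '$name'" ;;
            dp|xz|cb|bd|r00t)     echo "suspicious short name: '$name'" ;;  # assumed list
        esac
    done
}

# Number of flagged entries in "$1", as a bare integer.
count_suspicious() {
    find_suspicious_names "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree that mirrors the thread's description:
# two whitespace look-alikes of . and .., a dots-only directory, a bare
# "dp", plus two harmless entries that must not be flagged. Prints its path.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/. " "$t/.. " "$t/..."
    : > "$t/dp"
    : > "$t/normal.txt"
    : > "$t/.Xauthority-like"
    printf '%s\n' "$t"
}

# Stand-alone demo: scan the constructed tree, then clean it up.
sample=$(build_sample_tree)
find_suspicious_names "$sample"
echo "flagged: $(count_suspicious "$sample")"
rm -rf "$sample"
```

Against a real system, run `find_suspicious_names /tmp` (and `/var/tmp`, `/dev/shm` where present) as root so that entries owned by other users are visible. A hit is a lead, not proof: the thread's point that a script can run and then delete itself still stands, so an empty /tmp does not clear the host.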