Date: Wed, 17 Oct 2007 16:07:53 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Subject: Re: Strange perl script
Message-ID: <0C6C104A0E99E195410424CC@utd59514.utdallas.edu>
In-Reply-To: <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com>
References: <005801c8107c$8b7b93a0$0202fea9@jarasoft.net> <20071017151607.GB51123@gizmo.acns.msu.edu> <002101c810f9$10379b80$0202fea9@jarasoft.net> <8cb6106e0710171315ue106605k55770e63d89294ea@mail.gmail.com>
--On Wednesday, October 17, 2007 16:15:27 -0400 Josh Carroll <josh.carroll@gmail.com> wrote:

>> The strangest thing is that I can't find sploger on my system. After a
>> reboot sploger doesn't appear anymore, which makes it even stranger.
>
> So you have done a:
>
> find / -name sploger -type f
>
> And nothing comes up? If that's the case, it sounds like it was a perl
> script that was run, then subsequently removed from the file system.
> Which sounds rather nefarious to me. You might want to check for
> rootkits, etc.
>

If you google for "sploger+perl", all you get is stuff that looks like hacked websites being run as spam operations.

Look in /tmp for anything unusual, like directories named ". " or ".. " or similar. Look for oddly named files in /tmp, such as dp, xz, etc.

Look at your website logs carefully. I suspect a malicious script has been run through some exploit such as php or perl or an apache weakness.

Is all your software completely patched up to date?

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
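A scripted version of the /tmp inspection suggested in the reply above, added here as an example and not part of the original message or the thread. It assumes a POSIX sh with find; the list of known-good hidden directories (KNOWN_HIDDEN) is an assumption to adjust per system, and the "very short name" rule is a heuristic for names like dp or xz.

```shell
#!/bin/sh
# Flag oddly named entries under a scratch directory (default /tmp):
#  - names with leading, trailing or embedded whitespace (". ", ".. ")
#  - hidden (dot-prefixed) entries not in a small known-good list
#  - one- or two-character names such as "dp" or "xz"
# Output: one line per hit, "<reason><TAB><path>".

# Hidden directories commonly present in /tmp (assumption; tune per system).
KNOWN_HIDDEN=".X11-unix .ICE-unix .font-unix .XIM-unix"

is_known_hidden() {
    for k in $KNOWN_HIDDEN; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Classify one basename: print a reason and return 0, or return 1 if benign.
classify_name() {
    name=$1
    case $name in
        *[[:space:]]*) echo "whitespace-in-name"; return 0 ;;
    esac
    case $name in
        .*) if ! is_known_hidden "$name"; then
                echo "unexpected-hidden"; return 0
            fi ;;
    esac
    if [ ${#name} -le 2 ]; then
        echo "very-short-name"; return 0
    fi
    return 1
}

# Walk DIR two levels deep and report suspicious entries.
# Caveat: names containing a newline are not handled by this simple loop.
scan_tmp_names() {
    dir=${1:-/tmp}
    find "$dir" -mindepth 1 -maxdepth 2 -print 2>/dev/null | while IFS= read -r path; do
        base=${path##*/}
        if reason=$(classify_name "$base"); then
            printf '%s\t%s\n' "$reason" "$path"
        fi
    done
}

if [ $# -gt 0 ]; then
    scan_tmp_names "$1"
fi
```

Run it as `sh tmpscan.sh /tmp`; every hit still needs a human look (ls -la, stat, file) before anything is treated as evidence.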