Possible intrusion?

by PyrexKidd (Monk)
on Jun 10, 2010 at 23:02 UTC (#844142)
PyrexKidd has asked for the wisdom of the Perl Monks concerning the following question:

WTF? I know who the IP address that created the file belongs to. (Is there any way to verify what IP address created what file?) My concern is that it did not come from the address specified. I found this in /tmp/udp.pl; can anyone shed some light on this?

#!/usr/bin/perl
#####################################################
# udp flood.
#
# gr33ts: meth, etech, skrilla, datawar, fr3aky, etc.
#
# --/odix
######################################################
use Socket;
$ARGC=@ARGV;

I have removed the body of the code to reduce hacking attempts. Please do not copy/paste this code. Thanks.

Replies are listed 'Best First'.
Re: Possible intrusion?
by aquarium (Curate) on Jun 10, 2010 at 23:33 UTC
    Check your server access logs. My guess is that one (or more) of your CGI programs is not secure, allowing someone sneaky to upload a file into /tmp. You should be able to match up the date/time of the file with accesses to your CGI, or possibly some other web component you're hosting, to find the insecure code. There is no entity/IP signature on a file. Btw, the comment block lists some "hacker" aliases; odix is the signature, but it could be absolutely anyone.
    the hardest line to type correctly is: stty erase ^H
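    The matching aquarium describes, as an added example (not the OP's or aquarium's code): take the suspicious file's timestamp and list the access-log requests in the minutes before it, which is where an upload through a leaky CGI would show up. It assumes Apache common/combined log format; the log lines and file time below are constructed sample data, and the script falls back to them when run without arguments.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: line up a suspicious file's
# timestamp with web server access-log entries around it. Assumes Apache
# common/combined log format; the sample data at the bottom is constructed.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MON = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
           Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# "10/Jun/2010:22:41:07 +0000" -> epoch seconds (UTC); undef if it does not parse.
sub apache_time_to_epoch {
    my ($stamp) = @_;
    return undef unless $stamp =~
        m{^(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$};
    my ($d, $mname, $y, $H, $M, $S, $sign, $oh, $om) = ($1, $2, $3, $4, $5, $6, $7, $8, $9);
    return undef unless exists $MON{$mname};
    my $as_if_utc = timegm($S, $M, $H, $d, $MON{$mname}, $y);
    my $offset    = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return $as_if_utc - $offset;   # log time is local; subtract its offset to get UTC
}

# One common/combined log line -> { ip, time, request, status, ua }, or undef.
sub parse_line {
    my ($line) = @_;
    return undef unless $line =~
        m{^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+(?: "[^"]*" "([^"]*)")?};
    my ($ip, $stamp, $req, $status, $ua) = ($1, $2, $3, $4, $5);
    my $t = apache_time_to_epoch($stamp);
    return undef unless defined $t;
    return { ip => $ip, time => $t, request => $req, status => $status,
             ua => (defined $ua ? $ua : '-') };
}

# Entries from $window seconds before the file timestamp up to a few seconds
# after it: the request that wrote the file has to precede the file's ctime.
sub requests_near {
    my ($file_time, $window, @lines) = @_;
    my @hits;
    for my $line (@lines) {
        my $e = parse_line($line) or next;
        push @hits, $e
            if $e->{time} >= $file_time - $window && $e->{time} <= $file_time + 5;
    }
    return sort { $a->{time} <=> $b->{time} } @hits;
}

# Usage: udp_trace.pl /tmp/udp.pl /var/log/apache2/access.log
# With no arguments the constructed sample below is used instead.
my ($file_time, @log);
if (@ARGV == 2) {
    # ctime (stat field 10) rather than mtime: touch(1) can rewrite mtime, not ctime.
    $file_time = (stat $ARGV[0])[10] or die "stat $ARGV[0]: $!";
    open my $fh, '<', $ARGV[1] or die "open $ARGV[1]: $!";
    @log = <$fh>;
    close $fh;
} else {
    $file_time = timegm(9, 41, 22, 10, 5, 2010);   # constructed: 2010-06-10 22:41:09 UTC
    @log = (   # constructed sample lines; the addresses are documentation ranges
        '198.51.100.7 - - [10/Jun/2010:22:40:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
        '203.0.113.42 - - [10/Jun/2010:22:41:07 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 212 "-" "curl/7.19"',
        '198.51.100.7 - - [10/Jun/2010:22:55:30 +0000] "GET /about.html HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    );
}

for my $e (requests_near($file_time, 120, @log)) {
    printf "%s  %-15s %s  %s  %s\n",
        scalar gmtime($e->{time}), $e->{ip}, $e->{status}, $e->{request}, $e->{ua};
}
```

    On the constructed sample this prints the GET at 22:40:01 and the POST to the (hypothetical) /cgi-bin/upload.cgi at 22:41:07, two seconds before the file's timestamp; on a real log, the POST or PUT closest before the ctime, and the script it hit, is the place to start reading code. The script uses ctime rather than mtime because mtime can be set to anything by whoever wrote the file.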
Re: Possible intrusion?
by ikegami (Pope) on Jun 10, 2010 at 23:16 UTC

    Possible intrusion?

    Yes.

    is there any way to verify what IP address created what file?

    IP addresses don't create files.

    I found this in /tmp/udp.pl can anyone shed some light on this?

    It sends a deluge of UDP packets to a specified address and port.

Re: Possible intrusion?
by choroba (Bishop) on Jun 10, 2010 at 23:22 UTC
Re: Possible intrusion?
by aquarium (Curate) on Jun 10, 2010 at 23:35 UTC
    You'll find heaps of these kinds of intrusions on other web servers; search the web for the two words: odix udp
    the hardest line to type correctly is: stty erase ^H
Re: Possible intrusion?
by kikuchiyo (Pilgrim) on Jun 11, 2010 at 11:05 UTC
    An idea: why don't you mount /tmp with a noexec flag, so that they can't run anything from it even if they uploaded their malicious code? (For this, /tmp has to be on a separate partition.)
      Better than nothing, but it would still be possible to run the script by perl /tmp/udp.pl...
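A check for the mount options kikuchiyo suggests, as an added example (not code from the thread): it reads /proc/mounts format, reports which of noexec/nosuid/nodev each temp directory lacks, and notes when /tmp is not a separate mount at all (in which case the options cannot be applied to it alone). The sample mount table is constructed. As the reply above says, noexec only blocks running the file directly; perl /tmp/udp.pl still works, so this is a hardening check, not a fix for the upload hole itself.

```perl
#!/usr/bin/perl
# Added example, not from the thread: report which writable mount points lack
# the noexec/nosuid/nodev options, reading /proc/mounts format. Constructed
# sample data is used when no file argument is given.
use strict;
use warnings;

# /proc/mounts lines -> list of { dev, mountpoint, fstype, opts => { name => 1, ... } }
sub parse_mounts {
    my (@lines) = @_;
    my @mounts;
    for my $line (@lines) {
        next if $line =~ /^\s*(#|$)/;
        my ($dev, $mp, $type, $opts) = split ' ', $line;
        next unless defined $opts;
        $mp =~ s/\\040/ /g;                       # /proc/mounts escapes spaces as \040
        my %o = map { $_ => 1 } split /,/, $opts;
        push @mounts, { dev => $dev, mountpoint => $mp, fstype => $type, opts => \%o };
    }
    return @mounts;
}

# For $path, return an arrayref of hardening options it lacks (empty if all
# are present), or undef if $path is not a mount point of its own.
sub missing_hardening {
    my ($path, @mounts) = @_;
    my @want = qw(noexec nosuid nodev);
    for my $m (@mounts) {
        next unless $m->{mountpoint} eq $path;
        return [ grep { !$m->{opts}{$_} } @want ];
    }
    return undef;
}

# Usage: tmp_mount_check.pl [/proc/mounts]
my @lines;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "open $ARGV[0]: $!";
    @lines = <$fh>;
    close $fh;
} else {
    @lines = (   # constructed /proc/mounts excerpt: /tmp is separate but unhardened
        "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0",
        "/dev/sda3 /tmp ext4 rw,relatime 0 0",
        "tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0",
    );
}

my @mounts = parse_mounts(@lines);
for my $path (qw(/tmp /var/tmp /dev/shm)) {
    my $missing = missing_hardening($path, @mounts);
    if (!defined $missing) {
        print "$path: not a separate mount (inherits its parent's options)\n";
    } elsif (@$missing) {
        print "$path: missing ", join(',', @$missing), "\n";
    } else {
        print "$path: ok\n";
    }
}

# An fstab entry giving /tmp all three options would look like this
# (device name is the constructed one from the sample above):
#   /dev/sda3  /tmp  ext4  defaults,noexec,nosuid,nodev  0  2
```

On the constructed table this reports /tmp as missing all three options, /var/tmp as not a separate mount, and /dev/shm as ok. Run against the real /proc/mounts it shows the same for the host; remounting with the options changed (mount -o remount,noexec,nosuid,nodev /tmp) takes effect immediately, while the fstab line makes it persist.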
