Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

sample malicious code

by swilting (Beadle)
on Sep 26, 2012 at 22:46 UTC ( #995881=perlquestion: print w/replies, xml ) Need Help??
swilting has asked for the wisdom of the Perl Monks concerning the following question:

I just write a short message that may be related to malicious code. this text is written without the creation of the map of infected machines

#!/usr/bin/perl -w use strict; use warnings; use Net::TFTP; use Net::Ping; use Data::Dumper; use FileHandle; BEGIN { local $/; open (ME,$0); my $me = <ME>; close ME; unless ($me =~ m/#fakessh \@='\d+'$/) { my $length = length $me; open (ME, ">>$0"); print ME "#fakessh \@='$length'"; close ME; $me .= "#fakessh \@='$length'"; } $me =~ s/#fakessh \@='(\d+)'$//; die "File $0 has changed ?viral infection?\n" unless $1 == length +$me; } my $filename = $ARGV[0]; my $lastlogping = $ARGV[1]; usage() unless $filename; usage() unless $lastlogping; my $RESEAU; my $IP; my $tftp; my $port = 69; my %state; my $state; my $ip; my $ping; my $alive; my $sock; my %alive; my $pingerping; my $pingersocktftp; my $transfertftp; my $i; my $scalarlocaltime; my @map; autoflush STDOUT 1; for ($RESEAU = 2; $RESEAU <= 210; $RESEAU=$RESEAU+1) { for ($IP = 2; $IP < 255; $IP = $IP+1) { if ("10.36.".$RESEAU.".".$IP) { $scalarlocaltime = scalar localtime; my $p = Net::Ping->new('udp'); print "\nPinging host 10.36.$RESEAU.$IP\n"; if ($p->ping("10.36.$RESEAU.$IP"),1) { ## If we didn't know it was up, spew that out now.. $pingerping = 1; $pingersocktftp = 0;$transfertftp = 0; print "10.36.$RESEAU.$IP\twas up at ", scalar localtime, "\n" +unless $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{10.36.$ +RESEAU.$IP}; ## Update the number of times we've seen it up $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$trans +fertftp}{10.36.$RESEAU.$IP}++; ## And let STDOUT know about it, too. ##print "alive $scalarlocaltime $pingerping $pingersocktftp 10 +.36.$RESEAU.$IP time"; } my$sock=IO::Socket::INET->new( PeerAddr=>"10.36.$RESEAU.$IP", + PeerPort=>"$port", Proto=>"tcp", Timeout=>"5") or warn "Cannot connect port 69 to 10.36.$RESEAU.$IP\n"; if (defined $sock) { $pingersocktftp = 1; } ## Update the number of times we've seen it up $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfert +ftp}{10.36.$RESEAU.$IP}++; ## And let STDOUT know about it, too. ##print " alive ($pingerping $pingersocktftp 10.36.$RESEAU.$IP",s +calar localtime; $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfer +tftp}{alive} = "10.36.$RESEAU.$IP"; ##make log map if (defined ($sock )){ $tftp = Net::TFTP->new("10.36.$RESEAU.$IP", BlockSize => 102 +4) or warn "cannot connect tftp serveur\n"; if (defined ($tftp)){ $transfertftp = 1; ## Update the number of times we've seen it up $state{$scalarlocaltime}{$pingerping}{$pingersocktftp}{$transfer +tftp}{10.36.$RESEAU.$IP}++; ## And let STDOUT know about it, too. print "$state $scalarlocaltime $pingerping $pingersocktftp 10. +36.$RESEAU.$IP transfert start"; $tftp->binary; $tftp->put($filename,$filename); } } my $fh = FileHandle->new($lastlogping , "a"); if (defined($fh)){ print $fh " alive $scalarlocaltime $pingerping $pingersocktftp + $transfertftp 10.36.$RESEAU.$IP\n"; undef $fh; } } } } @map = map { $_ => ${state{$_}{$_}{$_}{$_}{$_}}} %state; sub usage { ## HERE documents are your friend for this kind of thing: print <<"EO_USAGE"; This program scans a C-class subnet and lists all machines, before with a udp ping after with a simple nmap scan and last try to upload via a client tftp You can also use this program to sort the output. Usage: perl $0 <file_to_transfer> <log_file_ping_ip> EO_USAGE exit; } #fakessh @='3715'

I tried to encode a kind of card machines with instruction

@map = map { $_ => ${state{$_}{$_}{$_}{$_}{$_}}} %state;

when do you think? how it would be easier and the right technique to encode both the card to look inside information

it is the best technique you can give me an example

Replies are listed 'Best First'.
Re: sample malicious code
by Anonymous Monk on Sep 27, 2012 at 13:29 UTC

    I'm afraid I can't make out what you're asking.

    The code doesn't seem very malicious to me -- it searches for TFTP servers on a (somewhat reduced) /16 netblock and tries to upload a file.

    There's also a very poorly designed hash called %state that keeps a counter on how many times the host responded to two kinds of ping or TFTP. And that's the hash you are trying to do something to. I'm guessing you want to flatten it to an array, but I don't think that is easy to do until you're familiar with complex data structures.

    May I recommend reading perldsc, and then Data::Dumper to visualise the hash? Or building your array inside the nested loop?

    Also, you should tell the person who wrote that body of code that it is of poor quality. (Hey, (cr|h)ackers need critique, too.)

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://995881]
Approved by Kenosis
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (6)
As of 2017-05-23 03:24 GMT
Find Nodes?
    Voting Booth?