Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

Malicious Perl Scripts & Web Development

by Anonymous Monk
on Apr 12, 2019 at 18:36 UTC ( #1232506=perlquestion: print w/replies, xml ) Need Help??

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello Everyone, I am a web developer that has recently run into problems with Malware being injected into our hosting servers by an attacker. I have used our hosting companies file manager to manually remove the infected files, however, during this process I discovered a shell script written in Perl that was unfamiliar to me. the file was titled byyl.pl. Due to the ambiguous nature of malware I must understand fully what damage this script has caused in order to protect my websites and my databases. I am unsure if copying and pasting the text from this document, byyl.pl, will have a negative consequence- so I will wait for instructions to send the code. thank you all for your help in advance, I really need it!

  • Comment on Malicious Perl Scripts & Web Development

Replies are listed 'Best First'.
Re: Malicious Perl Scripts & Web Development
by rnewsham (Curate) on Apr 12, 2019 at 23:22 UTC

    I am afraid that its probably a fairly standard script to give a web based terminal emulator or file manager on your site. The common exploit path is to use a vulnerability in a site to upload a script which can then be called to gain further access. It will probably be impossible to trace what the attacker actually did although a good starting point is a grep for that script name in the access logs. It may give a clue as to when it was added and how to help you secure the site.

    What you need to do now is to backup all files and databases. Then delete all files from your site and clear the database. Don't assume that you have managed to find all the files, if the attacker had access to your site they could have modified any code in any file. Don't be tempted to use the same database, if any section of your database contains html to be rendered in the page it could have been modified to add malicious javascript.

    Restore your database from a backup taken prior to the exploit. Install the latest version of whatever software you are using on the site with all security patches applied and security configuration recommendations followed. You also should change every password associated with the site. Now you can use the backups of the exploited site in a separate environment to carefully extract any recent changes which were not in the backup.

    It may sound paranoid but I have been dealing with the aftermath of website exploits like this for years. I have seen more sites than I can count exploited again because people did not properly secure and clean their sites.

      rnewsham:

      I've not looked into exploit code in quite a while, so I spent a little while reorganizing it to see what it does. As you mention, it performs the file manager features you mention, but also has some database exploration functionality, too. Not particularly malicious in itself, that I can see, but it's not something you'd put on someone's system unless one had larcenous intent.

      It's kind of painful to look at, though, as the code is a mishmash of styles (functions called with & vs not), repetitive (bits of code pointlessly repeated), buggy (poorly formed HTML, and mostly crap.

      ...roboticus

      When your only tool is a hammer, all problems look like your thumb.

        Steals cpu n more from the careless just fine
Re: Malicious Perl Scripts & Web Development
by Lotus1 (Vicar) on Apr 12, 2019 at 19:04 UTC

    As long as there isn't any personal or corporate information included in the script it should be fine to paste it here. You could add a warning that it's potentially malicious and include it inside code tags like this:  <code> ... </code>. Since you posted anonymously you can't edit your node and you'll have to post it in a new one.

    If it is obfuscated it might be difficult to tell what it contains. In that case you could use Perl's B::Deparse module to deparse it and get an idea of what the script would do without actually running it. Here are some examples: Debunk Perl's magic with B::Deparse, 804232

    Try this:

    perl -MO=Deparse byyl.pl

        Interesting. I'll let the Monks who are more experienced with web development comment overall but I noticed the print decode_base64("PHNj.... and decided to try to decode it. It is some JavaScript(?) that has been encoded. It seems to just be doing keyword color highlighting for some program code. I first used a webpage to decode it and then the following script.

        The result is:

        I reformatted it slightly to try to make sense of it but I don't have the time or patience to take this any further. Good luck.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://1232506]
Approved by davies
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (3)
As of 2022-10-05 20:52 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My preferred way to holiday/vacation is:











    Results (25 votes). Check out past polls.

    Notices?