comment on

This does look like an attempt at some sort of exploit—more likely a probe to check for vulnerable servers to plant the real attacks on later.

It tries to disguise itself as lynx (a text-based browser) in the process list, a weak measure, perhaps, but a pretty sure sign their intentions are less than pure.

Then it tries to open a TCP socket to $ARGV[0] on port $ARGV[1] and reopen the 3 standard streams, and send your kernel version and the local user ID and groups to the remote server, and try to start a (remote) shell. Quite possibly the $target is a machine controlled by the attackers.

Whether you should be worried or not? I dunno, that depends on how it got there and whether you can identify the target and the perpetrators.

That, and they didn't use strict. Bastards.

use strict; use warnings; omitted for brevity.

In reply to Re: Something I found on my site by rjt
in thread Something I found on my site by GnikLlort

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


good chemistry is complicated, and a little bit messy -LW
	PerlMonks