Perl hack - help!

Hi all

I found that Perl script from my previous post.

It's been downloaded and run through some vulnerability in one of my client's web apps (not sure which one yet).

I've pulled Perl support from Apache (so hopefully they can't do it again). Have also deleted all copies of the script (bot.scp) and have run a fresh copy of chkrootkit (all clean).

I have attached a copy of the Perl script; can anyone tell me what it does, as I'm no Perl coder?

Got this from the main http error log:

[root@ns httpd]# grep bot.scp *
error_log:--14:44:21-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp'
error_log:14:44:38 (112.04 KB/s) - `bot.scp' saved [19275/19275]
error_log:--14:44:38-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp.1'
error_log:14:44:42 (68.70 KB/s) - `bot.scp.1' saved [19275/19275]
error_log:--14:44:42-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp.2'
error_log:14:44:45 (68.70 KB/s) - `bot.scp.2' saved [19275/19275]
error_log:rm: cannot remove `bot.scp.*': No such file or directory
error_log:rm: cannot remove `bot.scp.*': No such file or directory
error_log:--04:03:06-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp'
error_log:04:03:07 (98.55 KB/s) - `bot.scp' saved [19275/19275]
error_log:--05:51:00-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp.1'
error_log:05:51:01 (98.55 KB/s) - `bot.scp.1' saved [19275/19275]
error_log:--10:54:12-- http://www.szone.gratishost.com/bot.scp
error_log: => `bot.scp.2'
error_log:10:54:12 (66.51 KB/s) - `bot.scp.2' saved [19275/19275]

I have searched for the bot.scp and the hostname in client log files but can't find it anywhere.

So does anyone know how I can identify which script on the server is vulnerable?

Thanks

Matt

PS - Box is FC1 (fully up-to-date with the Fedora legacy yum updates).
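
One way to approach the question above, as an added example that is not part of the original post: take the wget start times from the error_log and list the access-log requests received in the few seconds before each one, since a command carried in a POST body will not show up when grepping the access logs for bot.scp. The access-log lines, addresses, dates and the /cgi-bin/example.cgi path are constructed placeholders, and both logs are assumed to use the same local clock.

```python
import re

# wget start lines as grep printed them from error_log, e.g.
#   error_log:--14:44:21-- http://host/bot.scp
FETCH_RE = re.compile(r"--(\d{2}):(\d{2}):(\d{2})--\s+(\S+)")
# Apache common/combined format: host ident user [dd/Mon/yyyy:HH:MM:SS zone] "request" status
ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^:\]]+:(\d{2}):(\d{2}):(\d{2}) [^\]]*\] "([^"]*)" (\d{3})')

def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def fetch_times(error_lines):
    """(seconds-of-day, url) for each wget start line found in the error log."""
    return [(_secs(*m.groups()[:3]), m.group(4))
            for m in map(FETCH_RE.search, error_lines) if m]

def suspects(error_lines, access_lines, window=5):
    """Requests received up to `window` seconds before a wget fetch started.

    wget prints no date, so matching is on time of day only (wrapping at midnight).
    """
    fetches = fetch_times(error_lines)
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        host, h, mi, s, request, status = m.groups()
        t = _secs(h, mi, s)
        for ft, url in fetches:
            if 0 <= (ft - t) % 86400 <= window:
                hits.append((host, request, status, url))
                break
    return hits

# Two wget start lines copied from the grep output in the post.
ERROR_LOG = ["error_log:--14:44:21-- http://www.szone.gratishost.com/bot.scp",
             "error_log:--04:03:06-- http://www.szone.gratishost.com/bot.scp"]
# Constructed access-log lines (documentation addresses, placeholder script path).
ACCESS_LOG = [
    '192.0.2.10 - - [01/Jan/2005:14:44:19 +0000] "GET /cgi-bin/example.cgi?page=PLACEHOLDER HTTP/1.0" 200 512',
    '192.0.2.77 - - [01/Jan/2005:14:50:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.10 - - [02/Jan/2005:04:03:05 +0000] "POST /cgi-bin/example.cgi HTTP/1.0" 200 512']

if __name__ == "__main__":
    for hit in suspects(ERROR_LOG, ACCESS_LOG):
        print(hit)
```

Run it over every virtual host's access log; a script path that recurs just before each fetch time is the first one to review.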
