Comments
Is it a Perl script? What does it do?
This? http://www.mediafire.com/?r4kkj92ij77r1sf
Yes.
Darn script kiddies. Thanks for the warning.
How does it get in?
Normal, lazy didn't click "UPDATE NOW" on their web app?
Looking at some of this stuff, I need to spend some time on HF apparently. Some great tools I wouldn't mind running against my own stuff to catch any weak spots I may have overlooked. Always best to stay one step ahead of these people, and they make it so easy most of the time.
Normal, lazy didn't click "UPDATE NOW" on their web app?
Any insecure places that they can upload this.....usually a script on a website on the server with a vulnerability.....
Is this a symlink hack? So if you disabled symlinks on Apache, that should make the script ineffective, correct?
Good call.
Here, many PHP disabled functions, fopen URL off, allow_url_include off, and a whole load of GotRoot & custom mod_security on this end.
I try to keep up / download shells from recent failed XSS attempts in my Mod_Security audit log, then run them on a sandbox VPS against my own mod_sec rules to see what would have happened had it been launched locally. Then I add more rules.
No.
As far as I can understand, the script will run through the userlist, and symlink all the known config files for each of those users. It then tars up the whole set of config files and presents this archive as a file. Disabling symlinks on Apache won't do a thing because:
So this has to be uploaded and run as a shell script, correct?
Not as a 'shell script' per se - it's Perl after all. An exec() call in PHP, or basically any other way to get a Perl script to run, will do.
Ahhh okay. So besides scanning the script and turning everything off, is there any way to block this script, other than mod_security?
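A defensive check for the behaviour described earlier in the thread (symlinks planted in one account that point at other users' config files), as an added example that is not part of any post here: it walks each home directory and reports symlinks that resolve outside the owning home, including dangling ones. The layout (one subdirectory per user under a common root) and the file names are assumptions, and the sample tree is constructed.

```python
import os
import tempfile


def find_escaping_symlinks(homes_root):
    """Return (link, resolved_target, target_exists) for every symlink that
    lives under a user's home but resolves outside that same home."""
    findings = []
    homes_root = os.path.realpath(homes_root)
    for user in sorted(os.listdir(homes_root)):
        home = os.path.join(homes_root, user)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        # followlinks=False: report links, never descend through them.
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                # realpath also resolves dangling links, so a link to a
                # config file that does not exist is still reported.
                target = os.path.realpath(path)
                if os.path.commonpath([home, target]) != home:
                    findings.append((path, target, os.path.exists(target)))
    return findings


def build_demo_tree(base):
    """Constructed sample: alice's web root holds links into bob's home."""
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(base, user, "public_html"))
    bob_web = os.path.join(base, "bob", "public_html")
    bob_cfg = os.path.join(bob_web, "config.php")
    with open(bob_cfg, "w") as fh:
        fh.write("<?php /* constructed sample */\n")
    web = os.path.join(base, "alice", "public_html")
    os.symlink(bob_cfg, os.path.join(web, "bob-1.txt"))  # cross-user, exists
    os.symlink(os.path.join(bob_web, "settings.php"),
               os.path.join(web, "bob-2.txt"))           # cross-user, dangling
    os.symlink(os.path.join(web, "index.html"),
               os.path.join(web, "home.html"))           # stays inside home
    return bob_cfg


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        for link, target, exists in find_escaping_symlinks(base):
            state = "exists" if exists else "dangling"
            print(f"{link} -> {target} ({state})")
```

Run from cron against the real homes root, any hit in a web-served directory is worth a look; comparing `os.lstat(link).st_uid` with `os.stat(target).st_uid` is a natural extension when running as root.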
Regarding: http://www.mediafire.com/?r4kkj92ij77r1sf
Meh, I'll upload it if anyone wants it. If "they" have it, we might as well too.
@stormvz
The script is still out there... you can't erase it from the internet.
Sign up on HF or even PacketStorm has some kiddie tools that show up on there.
I will upload it if anyone still wants it.