
SANS ISC: Casper the unfriendly ghost - SANS Internet Storm Center SANS ISC InfoSec Forums


Casper the unfriendly ghost

We've received a couple reports lately of a bot written in Perl finding its way onto more and more Unix systems. The bot is about 110kb in size - quite chunky for a Perl script in other words.

When you search for this particular email address in Google ... well, yes, usage seems to be widespread enough. Every kid or hax0r also seems to adapt portions of the script, probably with search-and-replace, to make sure their own nick is as prominent in the script as Casper's.

Emerging Threats has a post with some good intel and a couple of Snort sigs to detect this critter phoning home, and also links to the e107.org content management vulnerabilities for which the script contains exploits. The Perl bot also contains other PHP remote file inclusion (RFI) exploits, but the script has also turned up on servers where PHP is not present at all. If you can share additional information on the exploits or avenues of attack used to deposit the script/bot onto servers, please let us know.

Daniel

ISC Handler
Surely related to:

aspshellmaker
asp-scanner
shell asp

Suite of tools to exploit ASP SQL injections in order to upload an ASP shell.

Regards.
Anonymous
