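#!/usr/bin/perl
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Alessandro Forghieri <alf@orion.it>
#
# Exit status: 0 when the lookup completed (segment found or not),
# 2 when the lookup itself failed and the result is inconclusive,
# non-zero via die() when the segment was found but the dump failed.
#
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
# shmat/shmdt/memread are not Perl builtins and IPC::SysV exports them
# only on request, so they have to be named here.
use IPC::SysV qw(shmat shmdt memread SHM_RDONLY);

my $SHM_SIZE = 6118512;    # size passed to shmget and number of bytes dumped
my $SHM_KEY  = 63599;      # System V IPC key that is looked up
my $OUTFILE  = "/tmp/httpd_cdorked_config.bin";

# No IPC_CREAT in the flags: this only looks up an existing segment.
my $shmid = shmget($SHM_KEY, $SHM_SIZE, 0666);

# shmget returns undef on failure. 0 is a valid segment id, so testing
# the id for truth would report a host whose segment has id 0 as clean.
if (!defined $shmid) {
    if ($!{ENOENT}) {
        print STDERR "System not infected\n";
    } else {
        # Any other errno (for example EACCES or EINVAL) means the lookup
        # failed, not that the key is absent. Do not report a clean host.
        print STDERR "Cannot check shared memory key $SHM_KEY: $!\n";
        exit 2;
    }
} else {
    print STDERR "*SYSTEM INFECTED ($shmid)!!!!\n";

    # Attach read-only so that taking the dump cannot alter the evidence.
    my $addr = shmat($shmid, undef, SHM_RDONLY);
    defined $addr or die "Attaching segment $shmid:$!";

    # memread takes (ADDR, VAR, POS, SIZE); read from offset 0.
    my $buffer;
    memread($addr, $buffer, 0, $SHM_SIZE)
        or die "Reading segment $shmid:$!";
    shmdt($addr) or warn "Detaching segment $shmid:$!";

    # /tmp is world-writable and the file name is fixed. O_EXCL refuses a
    # file or symlink that already sits at that path, and mode 0600 keeps
    # the dump private. Move an older dump away before running again.
    sysopen(my $out, $OUTFILE, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "Opening $OUTFILE:$!";
    binmode($out);

    # syswrite may write fewer bytes than requested; loop until the whole
    # buffer is on disk and report the number actually written.
    my $total   = length $buffer;
    my $written = 0;
    while ($written < $total) {
        my $n = syswrite($out, $buffer, $total - $written, $written);
        die "Writing $OUTFILE:$!" unless $n;
        $written += $n;
    }
    print STDERR "Dumped $written bytes in $OUTFILE\n";
    close($out) or die "closing $OUTFILE:$!";
}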