#!/usr/bin/perl
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Alessandro Forghieri <alf@orion.it>
#
use IPC::SysV;
use strict;
use warnings;
my $SHM_SIZE = 6118512;
my $SHM_KEY = 63599;
my $OUTFILE="/tmp/httpd_cdorked_config.bin";
my $shmid = shmget($SHM_KEY, $SHM_SIZE, 0666);
if (!$shmid) {
print STDERR "System not infected\n"
} else {
print STDERR "*SYSTEM INFECTED ($shmid)!!!!\n";
my $addr = shmat($shmid, undef, 0);
open (OUTFILE,">$OUTFILE") or die "Opening $OUTFILE:$!";
my $buffer;
memread($addr,$buffer,$SHM_SIZE);
my $bytes=syswrite(OUTFILE,$buffer);
print STDERR "Dumped $SHM_SIZE bytes in $OUTFILE\n";
close (OUTFILE) or die "closing $OUTFILE:$!";
}