#!/usr/bin/perl
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Alessandro Forghieri <alf@orion.it>
#
use strict;
use warnings;

use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use IPC::SysV qw(shmat shmdt memread);
  20. my $SHM_SIZE = 6118512;
  21. my $SHM_KEY = 63599;
  22.  
  23. my $OUTFILE="/tmp/httpd_cdorked_config.bin";
  24.  
  25. my $shmid = shmget($SHM_KEY, $SHM_SIZE, 0666);
  26. if (!$shmid) {
  27.   print STDERR "System not infected\n"
  28. } else {
  29.   print STDERR "*SYSTEM INFECTED ($shmid)!!!!\n";
  30.   my $addr = shmat($shmid, undef, 0);
  31.   open (OUTFILE,">$OUTFILE") or die "Opening $OUTFILE:$!";
  32.   my $buffer;
  33.  
  34.   memread($addr,$buffer,$SHM_SIZE);
  35.   my $bytes=syswrite(OUTFILE,$buffer);
  36.   print STDERR "Dumped $SHM_SIZE bytes in $OUTFILE\n";
  37.   close (OUTFILE) or die "closing $OUTFILE:$!";
  38. }