dump_cdorked_config.py

May 10th, 2013
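#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# This script dumps the content of a shared memory block
# used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
# when the machine is infected.
#
# Some of the data is encrypted. If your server is infected and you
# would like to help, please send the httpd_cdorked_config.bin
# to our lab for analysis. Thanks!
#
# Marc-Etienne M.Léveillé <leveille@eset.com>
#
# Notes on this revision:
#   - Runs unchanged on Python 2 and 3: print() as a function, open() instead
#     of the removed file() builtin, "with" for the output file.
#   - shmget() is called without IPC_CREAT, so the script never creates a
#     segment; it only looks up an existing one under this key. A failed
#     lookup is classified via errno so that "no such segment" (not infected)
#     is not confused with "permission denied" (re-run as root) or "segment
#     exists but is smaller than SHM_SIZE" (worth a manual look).
#   - shmat() reports failure as (void *)-1; that sentinel is checked before
#     the address is read, and the segment is detached with shmdt() afterwards.
#   - Nothing runs on import; the work happens under the __main__ guard.
#

from __future__ import print_function

import errno
import os
from ctypes import (
    CDLL,
    POINTER,
    c_int,
    c_size_t,
    c_void_p,
    get_errno,
    sizeof,
    string_at,
)

SHM_SIZE = 6118512
SHM_KEY = 63599

OUTFILE = "httpd_cdorked_config.bin"

# shmat() signals failure with (void *)-1. With a c_void_p restype ctypes
# hands that back as the all-ones unsigned integer of pointer width.
SHMAT_FAILED = (1 << (8 * sizeof(c_void_p))) - 1


def load_librt():
    """Return a ctypes handle on librt (unversioned name first, then .so.1).

    use_errno=True is required so that get_errno() reflects the errno left
    behind by the shmget()/shmat() calls made through this handle.

    Raises:
        OSError: if neither library name can be loaded.
    """
    try:
        return CDLL("librt.so", use_errno=True)
    except OSError:
        return CDLL("librt.so.1", use_errno=True)


def describe_shmget_failure(err):
    """Return the line to print for a shmget() that failed with errno *err*.

    ENOENT is the only outcome that means the indicator is absent. The other
    cases are reported as what they are, so that a run under an unprivileged
    user (EACCES) does not turn into a silent false negative.

    Args:
        err: the errno value read right after the failed shmget() call.

    Returns:
        A one-line, user-facing message.
    """
    if err == errno.ENOENT:
        return "System not infected"
    if err == errno.EACCES:
        return (
            "Shared memory segment with key %d exists but is not accessible "
            "(%s); re-run as root" % (SHM_KEY, os.strerror(err))
        )
    if err == errno.EINVAL:
        # shmget() returns EINVAL when a segment with this key exists but is
        # smaller than the size requested; the key alone is worth a look.
        return (
            "Shared memory segment with key %d exists but is smaller than "
            "%d bytes; inspect it manually" % (SHM_KEY, SHM_SIZE)
        )
    return "shmget failed: %s" % os.strerror(err)


def main():
    """Look up the Cdorked shared memory segment and dump it to OUTFILE."""
    rt = load_librt()

    shmget = rt.shmget
    shmget.argtypes = [c_int, c_size_t, c_int]
    shmget.restype = c_int
    shmat = rt.shmat
    shmat.argtypes = [c_int, POINTER(c_void_p), c_int]
    shmat.restype = c_void_p
    shmdt = rt.shmdt
    shmdt.argtypes = [c_void_p]
    shmdt.restype = c_int

    # No IPC_CREAT in the flags: this only finds an existing segment.
    shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
    if shmid < 0:
        print(describe_shmget_failure(get_errno()))
        return

    addr = shmat(shmid, None, 0)
    if addr is None or addr == SHMAT_FAILED:
        print("shmat failed on segment %d: %s" % (shmid, os.strerror(get_errno())))
        return

    # Detach even if writing the file fails; the mapping is otherwise held
    # until process exit.
    try:
        with open(OUTFILE, "wb") as f:
            f.write(string_at(addr, SHM_SIZE))
    finally:
        shmdt(addr)

    print("Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE))


if __name__ == "__main__":
    main()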