#!/usr/bin/perl -evil

I came across some Perl used for defacing websites. Not the standard stuff that adds a picture or script-kiddie text, but something that adds an iframe to a website that was used (probably unknowingly) with the Eleonore Exploit Kit.

The Perl just globs standard web files (e.g., html, asp, php), opens them, and appends the iframe to each one (and remembers to CLOSE the file handle, too). That's it. Pretty manual. Not as automated as I thought it would be. I expected that it would at least change directories to the standard html directories or delete logs or something, but no... and it's clearly not used for attacking the servers which would host the "defaced" sites either. I suppose that since some servers host dozens to hundreds of sites, maybe it doesn't have to be so automated.

Anyway, if I had to guess, the index.php file from the iframe probably leads to exploits seen in the Wepawet link below.

In other news, Perl's not dead.

Pastebin link for Perl: http://pastebin.com/8KjZkMUn
Wepawet link: http://wepawet.iseclab.org/view.php?hash=20ff2743085c19354b5c6a57de099178&t=1264351976&type=js
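
For cleaning up after the kind of append-only injection described above, here is one way to find web files that carry an iframe past their closing `</html>` tag. It is an added example, not code from the original post or the pastebin script. The extension list, the 512-byte tail heuristic for files with no closing tag, and the sample files and `injected.example` host are assumptions constructed for the demo.

```python
import os, re, tempfile

WEB_EXTS = {".html", ".htm", ".php", ".asp"}  # types named in the post, plus .htm
CLOSE_HTML = re.compile(rb"</html\s*>", re.I)
IFRAME = re.compile(rb"<iframe\b[^>]*>", re.I)
SRC = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
TAIL_BYTES = 512  # assumption: with no </html>, inspect only the end of the file

def appended_iframes(data):
    """Return src values of iframes found after the last </html>, or in the
    file tail when there is no closing tag (common for .php/.asp includes)."""
    closes = list(CLOSE_HTML.finditer(data))
    region = data[closes[-1].end():] if closes else data[-TAIL_BYTES:]
    hits = []
    for tag in IFRAME.finditer(region):
        m = SRC.search(tag.group(0))
        hits.append(m.group(1).decode("latin-1") if m else "(no src)")
    return hits

def scan_tree(root):
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = appended_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():  # builds a constructed sample web root in a temp dir and scans it
    samples = {
        "clean.html": b"<html><body><iframe src='/map.html'></iframe></body></html>\n",
        "index.html": b"<html><body>hi</body></html>\n<iframe src=\"http://injected.example/index.php\" width=1 height=1></iframe>",
        "inc.php": b"<?php echo 'x'; ?>\n<iframe src=http://injected.example/index.php></iframe>",
        "notes.txt": b"<iframe src='http://injected.example/'></iframe>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

The tail check is a heuristic: a template that legitimately ends in an iframe will also be reported, so treat the collected `src` hosts as leads to review, not as a verdict.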

1 Comment

Oh my. A complete newbie. You could do this much more easily with a short shell script (~3 lines).

About dave_m

I'm an amateur Perl geek and the author of ClamTk, a GUI written in gtk2-perl.