If someone comes up with a true solution, let me know... no matter what I do, they're back today.
"Ok, yes... I like pie... um, I meant, pi."
Hi JimDunn and the rest,
I had the same and I have collected literally thousands of these perl scripts.
It crippled my network twice from the inside.
I even thought of changing all FTP passwords, but it would be a pain for the hundreds of clients' domains in there (nevertheless I did one and regretted it because it wouldn't work), and there was no proof it came via FTP, nor the web.
My first (brute force) solution was to write and run a script to clear all scripts in the cgi-bin folders and move them to a secluded folder under root, every second. That's the only way to win, because once the script manifested itself it was straight away called via the web.
Even though we disabled Perl in Apache, it was still deadly. I have done many things but nothing works. It just kept coming back without invitation and without a trace.
Initially to eradicate:
- Following your instructions about clearing: stopping Apache, clearing, and restarting Apache
- Ran my script and let it stay resident (running the mv command every second put the server under a bit of strain when it was busy)
- So far it has been amazing, collection started right away
- Basically I won the fight in a matter of split seconds
On the morning of 7 Mar, I had a few attacks again at about 7-9AM (+0800), and what I did desperately was:
1. Clear all the test folders under httpdocs and httpsdocs (the asp, php, perl, etc. folders)
2. Remove the test folders from the skeleton
The reason I did this was that I kept seeing python test.fcgi appearing in ps; maybe it was a loophole.
Since yesterday morning, the attacks have stopped (almost 1 day of quiet).
- Not sure whether it is because the attacks have literally stopped, or
- The removal of the test folders worked, and that was their way of coming in
Jim, has the attack stopped for the last 24 hours for you too? If yes, then it's the first speculation; otherwise the second.
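The "sweep cgi-bin and move everything to a secluded folder" approach described above, written out as an added example (not the poster's own script): it quarantines unlisted files from every vhost's cgi-bin, and records path, time and SHA-256 so the collected samples keep their provenance for later analysis. The vhost layout (`<root>/*/cgi-bin`), the quarantine directory and the allowlist file are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: quarantine sweep for unexpected files in cgi-bin directories.
# Assumed layout (hypothetical): vhosts under one root, each with a cgi-bin;
# a quarantine directory outside the web roots; an allowlist of full paths
# (one per line) of CGI scripts that are known-good and must be left alone.

# quarantine_sweep ROOT QUARANTINE_DIR ALLOWLIST_FILE
# Moves every regular file in ROOT/*/cgi-bin that is not listed in the
# allowlist into QUARANTINE_DIR, logging original path, UTC time and SHA-256
# so each collected sample stays attributable. Prints the number moved.
quarantine_sweep() {
    root="$1"; qdir="$2"; allow="$3"
    mkdir -p "$qdir"
    moved=0
    for f in "$root"/*/cgi-bin/*; do
        [ -f "$f" ] || continue
        # exact, fixed-string, whole-line match against the allowlist
        if grep -qxF -- "$f" "$allow" 2>/dev/null; then
            continue
        fi
        sum=$(sha256sum -- "$f" | cut -d' ' -f1)
        dest="$qdir/$(date +%s).$sum.$(basename -- "$f")"
        printf '%s quarantined %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "$f" "$dest" >> "$qdir/sweep.log"
        mv -f -- "$f" "$dest" && moved=$((moved + 1))
    done
    echo "$moved"
}

# sweep_loop ROOT QUARANTINE_DIR ALLOWLIST_FILE
# The resident, once-a-second variant the poster ran. Polling every second
# costs CPU on a busy box; an inotify-based watcher is the cheaper option.
sweep_loop() {
    while :; do
        quarantine_sweep "$1" "$2" "$3" >/dev/null
        sleep 1
    done
}

# Usage (not run here): sweep_loop /var/www/vhosts /root/cgi-quarantine /root/cgi-allow.txt
```

Keep the quarantine directory outside every document root and unreadable by the web server user, otherwise the moved scripts are still reachable.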