PERL_SHELLBOT.DI
Linux, UNIX, Mac OS X
Threat Type:
Backdoor
Destructiveness:
No
Encrypted:
No
In the wild:
Yes
OVERVIEW
Connects to IRC servers. Joins an IRC channel. Executes commands issued by a remote malicious user, which compromises the affected system.
TECHNICAL DETAILS
Backdoor routine
Connects to any of the following IRC servers:
- {BLOCKED}.{BLOCKED}.240.38:1337
Joins any of the following IRC channels:
- #xrt
Executes the following commands received from a remote malicious user:
- !die - Terminate current process
- !killall - Terminate all Perl processes
- !reset - Reconnect to IRC server
- !jo - Join a channel
- !part - Leave a channel
- !nick - Change nickname
- !pid - Send fake process name and process ID
- ! - Execute a shell command
- !raw - Send raw IRC message
- !say - Send private message
- !act - Send an action command
- !timot - Set timeout value used in performing HTTP GET
- !matek - Terminate current process
- !modarkabeh - Terminate all Perl processes
- !reset - Reconnect to IRC server
- !jo - Join a channel
- !part - Leave a channel
- .sh - Execute a shell command
- {current nickname} - Execute a shell command
- !Goox - Enable or disable usage of Google search engines
- !engine - Enable or disable usage of non Google search engines
- !pid - Send fake process name and process ID
- !cari - Search for websites with accessible Magento database configuration file
- !jnews - Search for websites that use vulnerable jNews extensions
- !jnews2 - Search for websites that use vulnerable jNews extensions
- !open - Search for websites using vulnerable OpenEMR
- !civ - Search for websites using vulnerable CiviCRM
- !civic - Search for websites using vulnerable CiviCRM
- !letter - Search for websites that use vulnerable jNews extensions
- !letter2 - Search for websites that use vulnerable jNews extensions
- !tum - Search for websites using PBV MULTI VirtueMart theme with vulnerable TimThumb
- !piwik - Search for websites using vulnerable Piwik
- !slim - Search for websites using vulnerable Slimstat Ex
- !seo - Search for websites using vulnerable SEO Watcher
- !sql - Search for websites vulnerable to SQL injection
- !civicrm - Search for websites using vulnerable CiviCRM
- !acymailing - Search for websites using vulnerable AcyMailing
- !acymailing2 - Search for websites using vulnerable AcyMailing
- !jinc - Search for websites using vulnerable JINC
- !jinc2 - Search for websites using vulnerable JINC
- !maianmedia - Search for websites using vulnerable Maian Media
- !maianmedia2 - Search for websites using vulnerable Maian Media
- !joomleague - Search for websites using vulnerable JoomLeague
- !joomleague2 - Search for websites using vulnerable JoomLeague
- !woopra - Search for websites using vulnerable Woopra
- !jce - Search for websites using vulnerable JCE
- !gento - Search for websites using vulnerable Magento API
- !zimbra - Search for websites using vulnerable Zimbra
- !zim - Search for websites using vulnerable Zimbra
- !shock - Search for websites with the CVE-2014-6271 vulnerability, then download and execute http://{BLOCKED}x.com/shock/cgi on the vulnerable sites
- !wplfd - Search for websites vulnerable to directory traversal attacks
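The command list above doubles as a network-side indicator set: the bot speaks plain IRC, so the channel name and the command words show up verbatim in traffic or in a proxy/IDS capture. The following Python script is an added example (it is not Trend Micro's code and not taken from the malware); it parses raw IRC lines, tracks the bot's own nickname from its client-side NICK messages so that the "{current nickname} <command>" form is also caught, and flags joins to #xrt and PRIVMSGs whose first word is one of the listed commands. The session lines, nicknames, hostnames and IP addresses in SAMPLE_SESSION are constructed for illustration.

```python
import re

# Controller commands from the advisory's list, matched as the first word of a
# PRIVMSG. "!" alone is the bare "execute a shell command" form listed on the page.
SHELLBOT_COMMANDS = {
    "!", "!die", "!killall", "!reset", "!jo", "!part", "!nick", "!pid", "!raw", "!say",
    "!act", "!timot", "!matek", "!modarkabeh", ".sh", "!Goox", "!engine", "!cari",
    "!jnews", "!jnews2", "!open", "!civ", "!civic", "!letter", "!letter2", "!tum",
    "!piwik", "!slim", "!seo", "!sql", "!civicrm", "!acymailing", "!acymailing2",
    "!jinc", "!jinc2", "!maianmedia", "!maianmedia2", "!joomleague", "!joomleague2",
    "!woopra", "!jce", "!gento", "!zimbra", "!zim", "!shock", "!wplfd",
}
# Channel named in the advisory.
SHELLBOT_CHANNELS = {"#xrt"}

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(line):
    """Split one raw IRC line into (prefix, COMMAND, [params]); None if malformed."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m.group("params") or ""
    if rest.startswith(":"):                 # only a trailing parameter, e.g. "JOIN :#xrt"
        params = [rest[1:]]
    elif " :" in rest:                       # middle params plus a trailing parameter
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return m.group("prefix"), m.group("cmd").upper(), params


def scan_irc_session(lines):
    """Return [(line_no, reason, raw_line)] for every line matching an indicator."""
    findings = []
    bot_nick = None
    for n, line in enumerate(lines, 1):
        parsed = parse_irc(line)
        if parsed is None:
            continue
        prefix, cmd, params = parsed
        if cmd == "NICK" and params:
            if prefix is None:               # client-originated NICK: the bot's own nick
                bot_nick = params[0]
            continue
        if cmd == "JOIN" and params and params[0].lower() in SHELLBOT_CHANNELS:
            findings.append((n, f"join to known shellbot channel {params[0]}", line))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            text = params[1].strip()
            word = text.split(None, 1)[0] if text else ""
            if word in SHELLBOT_COMMANDS:
                findings.append((n, f"shellbot command {word}", line))
            elif bot_nick and word == bot_nick:
                # "{current nickname} <cmd>" form from the advisory's command list
                findings.append((n, f"shell command addressed to bot nick {bot_nick}", line))
    return findings


# Constructed sample session (hypothetical nick, hosts and addresses).
SAMPLE_SESSION = [
    "NICK [A]xrt-8821",
    "USER xrt 8 * :xrt",
    ":irc.example.net 001 [A]xrt-8821 :Welcome",
    ":[A]xrt-8821!xrt@10.0.0.5 JOIN :#xrt",
    ":admin!op@203.0.113.9 PRIVMSG #xrt :!cari magento",
    ":admin!op@203.0.113.9 PRIVMSG #xrt :.sh uname -a",
    ":admin!op@203.0.113.9 PRIVMSG #xrt :[A]xrt-8821 id",
    ":admin!op@203.0.113.9 PRIVMSG [A]xrt-8821 :!shock example.com",
    ":someone!u@h PRIVMSG #xrt :hello there",
]

if __name__ == "__main__":
    for n, reason, raw in scan_irc_session(SAMPLE_SESSION):
        print(f"line {n}: {reason}: {raw}")
```

The script only sees IRC text, so the other indicator on this page, outbound connections from a Perl process to TCP port 1337 on the {BLOCKED} server, is better caught with a network flow or firewall log query; command words alone can also appear in legitimate channels, so treat a hit on a single word as a lead and a hit on #xrt plus a command as high confidence.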
SOLUTION
Restart in normal mode and scan the computer with your Trend Micro product for files detected as PERL_SHELLBOT.DI. If the Trend Micro product has already cleaned, deleted, or quarantined the detected files, no further steps are needed. You can simply choose to delete the quarantined files. Refer to this Knowledge Base page for more information.