* * * * *
Tracking script kiddies
**YES!**
Last month I wrote a program that wraps around the Perl executable, and all
it does is copy the files given to Perl, then pass control on to Perl. I
did this because we at The Office kept running into script kiddie Perl scripts
consuming resources on our servers.
Checking the process wouldn't reveal much—they always started in /tmp and were
owned by the web server process, so we knew how they were coming in, just
not where (i.e. which site was exploited). Worse, these scripts would be
started up and then deleted once running, so viewing said scripts was
impossible.
Thus, by wrapping the Perl executable to record as much information about
each running script as possible, we could gather information about how they
might be getting in.
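The sketch below is an added example of such a wrapper, written as a POSIX shell script; it is not the author's program. It assumes the real interpreter has been renamed to /usr/bin/perl.real, that this script is installed in its place as /usr/bin/perl, and that /var/log/perl-wrap is a directory the web server user can write to (all three paths are assumptions, not details from the post). Because the copy is taken before Perl is exec'd, a script that deletes itself once running is still captured.

```shell
#!/bin/sh
# Added example, not the program described in the post. Logging wrapper that
# stands in for /usr/bin/perl: it records who ran what from where, copies the
# script file(s) before they can be deleted, then hands control to real Perl.
# Assumed paths (adjust to taste): the real binary lives at /usr/bin/perl.real
# and /var/log/perl-wrap is writable by the web server user.
REAL_PERL="${REAL_PERL:-/usr/bin/perl.real}"
QUARANTINE="${QUARANTINE:-/var/log/perl-wrap}"

# Record one invocation. Writes info.txt, env.txt and a copy of every argument
# that names a readable file into a fresh per-invocation directory, and prints
# that directory's path. Returns non-zero only if the directory cannot be made.
record_invocation() {
    dir="$QUARANTINE/$(date +%Y%m%d-%H%M%S)-$$"
    mkdir -p "$dir" || return 1
    {
        echo "time: $(date)"
        echo "pid: $$  ppid: $PPID"
        echo "uid: $(id -u)  user: $(id -un)"
        echo "cwd: $(pwd)"
        echo "argv: $*"
    } > "$dir/info.txt"
    # The inherited environment is often the best clue to the entry point: a
    # CGI-style launch passes along SERVER_NAME, SCRIPT_FILENAME and friends.
    env > "$dir/env.txt" 2>/dev/null
    n=0
    for a in "$@"; do
        if [ -f "$a" ] && [ -r "$a" ]; then
            n=$((n + 1))
            cp -- "$a" "$dir/arg$n.${a##*/}"
        fi
    done
    echo "$dir"
}

# Only behave as the interpreter when installed under its name. Recording is
# best effort: if the quarantine directory is unwritable, Perl still runs, so
# legitimate scripts are never broken by the wrapper.
case "${0##*/}" in
    perl)
        record_invocation "$@" >/dev/null 2>&1
        exec "$REAL_PERL" "$@"
        ;;
esac
```

Two caveats a practitioner would want: the wrapper only sees scripts passed as file arguments, so code fed on standard input or via -e is logged in info.txt but not copied; and whether env.txt names the exploited site depends on how the web server launched the process (a CGI-style handler hands down the request variables, an in-process module may not), so the cwd and parent pid recorded in info.txt are worth checking as well.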
And tonight, we finally caught one! And better still—we know which site was
exploited!
Now begins the process of finding out which PHP script (sigh—it figures) is
poorly written.
Oh, by the way, Happy Easter!