Created
April 29, 2013 18:31
-
-
Save scuderiaf1/5483659 to your computer and use it in GitHub Desktop.
Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # | |
| # This script dumps the content of a shared memory block | |
| # used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin | |
| # when the machine is infected. | |
| # | |
| # Some of the data is encrypted. If your server is infected and you | |
| # would like to help, please send the httpd_cdorked_config.bin | |
| # to our lab for analysis. Thanks! | |
| # | |
| # Marc-Etienne M.Léveillé <leveille@eset.com> | |
| # | |
| from ctypes import * | |
| SHM_SIZE = 6118512 | |
| SHM_KEY = 63599 | |
| OUTFILE="httpd_cdorked_config.bin" | |
| try: | |
| rt = CDLL('librt.so') | |
| except: | |
| rt = CDLL('librt.so.1') | |
| shmget = rt.shmget | |
| shmget.argtypes = [c_int, c_size_t, c_int] | |
| shmget.restype = c_int | |
| shmat = rt.shmat | |
| shmat.argtypes = [c_int, POINTER(c_void_p), c_int] | |
| shmat.restype = c_void_p | |
| shmid = shmget(SHM_KEY, SHM_SIZE, 0o666) | |
| if shmid < 0: | |
| print "System not infected" | |
| else: | |
| addr = shmat(shmid, None, 0) | |
| f = file(OUTFILE, 'wb') | |
| f.write(string_at(addr,SHM_SIZE)) | |
| f.close() | |
| print "Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment