Re: suidperl in /var/log/secure

From: Luke Vogel <>
Date: Mon, 22 Apr 2002 20:08:59 +1000

Tony wrote:
> Hi,
> I have searched the entire machine and cannot find the script. Any ideas?

I'm not surprised. Many exploit scripts delete themselves on successful
completion (and unsuccessful completion if it comes to that).

If you want to look at the script that was used, search on packetstorm
for "". You will notice that at the end of the script it _does_
remove itself :)

Perhaps you could try the script on yourself and see if you are
vulnerable. If you are, then you need to look much deeper into your
file system AND try and figure out if one of your users is wearing a
dark shade of hat, or whether someone has penetrated you from the net!

Even if you are not vulnerable, I would recommend that you either remove
the suidperl binary, or at the very least unset the suid bit.

Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
Note: Remove NOSPAM from my return address if necessary
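
The mitigation recommended in the message above (unset the suid bit on suidperl), as an added shell example that is not part of the original post. The file-name patterns `suidperl` and `sperl*` and the function names are assumptions; adjust them to match your distribution.

```shell
#!/bin/sh
# Added example, not from the original post: audit for set-uid suidperl
# binaries and clear the set-uid bit on request.
# Assumption: the binary is installed as "suidperl" or "sperl<version>".

# find_suidperl DIR...
# Print every regular file under DIR whose name matches and which still
# carries the set-uid bit. -xdev keeps the scan on the starting filesystem.
find_suidperl() {
    find "$@" -xdev -type f \( -name 'suidperl' -o -name 'sperl*' \) \
        -perm -4000 -print 2>/dev/null
}

# unset_suidperl DIR...
# Clear the set-uid bit on each match and print the path that was changed.
# Returns 0 only if a re-scan finds no set-uid match left behind.
unset_suidperl() {
    find "$@" -xdev -type f \( -name 'suidperl' -o -name 'sperl*' \) \
        -perm -4000 -exec chmod u-s {} \; -print 2>/dev/null
    [ -z "$(find_suidperl "$@")" ]
}

# Command-line use (does nothing when run without arguments):
#   sh suidperl-audit.sh report /usr/bin /usr/local/bin
#   sh suidperl-audit.sh fix    /usr/bin /usr/local/bin
case "${1:-}" in
    report) shift; find_suidperl "$@" ;;
    fix)    shift; unset_suidperl "$@" ;;
esac
```

Run `report` first and compare the list against your package manager's record of installed files before running `fix` as root.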