Perl Bot Infecting Web Servers

Looks like the bad guys are still using PERL bots and known exploits to infiltrate Web servers.

I found some log records that indicate a scan is in progress looking for weaknesses in various PHP apps. I've been seeing this activity for over a week on various Web servers.

After looking at the script it tries to inject into the server I noticed that it connects to IRC at on port 6667, channel #owned. So I decided to login.

When you login to that IRC server you'll see a long list of "users" with the name prefixed with "zx". All of those zx system are servers that are now infected with the PERL bot, and the channel operators can issue system-level commands to the bots. Ouch.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.