Rogue Perl Script
			Apr 20, 2009
I've got a rogue perl script running on one of my servers and need help in tracking it down.
TOP 
1877 apache    25   0  4856 3060 1252 R 49.9  0.3  13:51.98 perl
as soon as ps is killed it restarts
/tmp
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.1
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.10
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.11
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.12
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.13
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.14
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.15
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.16
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.17
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.18
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.2
-rw-r--r--  1 apache apache  48444 Apr 15 01:11 blue.3
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.4
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.5
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.6
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.7
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.8
-rw-r--r--  1 apache apache  29572 Apr 15 01:11 blue.9
and over the past couple of days there's been a number of these
-rw-------  1 apache apache     99 Apr 20 02:22 sess_00f39873b47be556f0c047e96b726640
-rw-------  1 apache apache     68 Apr 20 08:20 sess_01d2ba3e471475384ea3c1d2ff1cde7f
-rw-------  1 apache apache      0 Apr 20 06:04 sess_01ea1b9ebe41331239ded82506f66090
-rw-------  1 apache apache      0 Apr 19 23:04 sess_0a83f93845da3fabce31d897f13735b0
-rw-------  1 apache apache     68 Apr 20 01:50 sess_0c83beb8ba2ce1f42833874b0d8a7470
-rw-------  1 apache apache     68 Apr 20 08:25 sess_0d5989b161d7d6434692de42faa248ab
-rw-------  1 apache apache      0 Apr 19 18:15 sess_10f858c3904a12a1e4c9e7da70e0fbb8
-rw-------  1 apache apache     26 Apr 20 09:39 sess_11a8b8d85883c8f2da146bb8f97bd25e
-rw-------  1 apache apache     68 Apr 19 14:22 sess_11f018952ec1cae08e6d8a95a0c99287
-rw-------  1 apache apache     26 Apr 19 21:18 sess_1706bf1b9e5d4b09e29cfbc3517d6755
-rw-------  1 apache apache     26 Apr 20 02:22 sess_1c48c7232dbc7087c312d43debb942a7
-rw-------  1 apache apache      0 Apr 20 06:46 sess_1cdf7ecf082c27f389b759adef50f932
-rw-------  1 apache apache      0 Apr 20 08:04 sess_1d6d06ea737c1eff71152a590cd420a4
-rw-------  1 apache apache     26 Apr 20 09:42 sess_26b16f5a5b59639af28f6bc49dba1ed5
	
View 7 Replies

        Dec 5, 2008
When I was running the top -cd2 command, the following scripts were taking high CPU usage on the server. But when we go to the home directory we don't find anything.
24489 "User Name"      20   0  6732 5084 1164 S  8.0  0.2  11:00.69 /usr/bin/perl -w hnc.cgi
26456 "User Name"    20   0  6876 5080 1164 S  8.0  0.2   7:23.47 /usr/bin/perl -w hnc.cgi
32569 "User Name"    20   0  6748 5056 1164 S  7.5  0.2   8:57.30 /usr/bin/perl -w hnc.cgi
Please update us on why this script is running under some particular users and what the application of this script is.
	View 11 Replies
        May 16, 2007
I have a website that is written in the Perl language. I don't know how to run it.

I installed ActivePerl 5.0 and IIS is running. I have heard from someone who told me that I need to install software such as Emperl/html-emperl, is that right?
	View 1 Replies
        Jul 7, 2009
        How do you install perl on a centos 5?
	View 3 Replies
        Aug 15, 2008
I have a big problem: all forums on my server were hacked by a perl symlink; it could see all the config.php files via a perl shell in a .txt by include.
I solved it by making perl's permission 000, but everything in cPanel stopped, because cPanel uses perl.
	View 6 Replies
        Feb 2, 2008
        A client's server's password was guessed, and the hacker conveniently uninstalled perl. I can't seem to get perl reinstalled. Any ideas on how this would be done? RPM, TAR's and YUM don't work, as they require perl!
Is this going to be a reinstall job?
	View 14 Replies
        Mar 28, 2008
All of us know that the perl language is used in a lot of scripts, and a lot of system admins stop it. Why? Why don't you try stopping the problems from it and let your client have perl to use in scripts? Let's try this: if someone needs to see passwd he will do cat /etc/passwd; what about making this chmod 700 /bin/cat? And he will use wget to get files; what about this: chmod 700 /usr/bin/wget? And lynx; what about chmod 700 /usr/bin/lynx? In this case we make only root able to use these commands. Any system admin surely knows the idea now and can use it as he wants. This secured method is not only for perl, it's for other programming languages too, but I give this as a clear example.
	View 5 Replies
        Mar 12, 2008
I have a CentOS VPS with cPanel. I have begun receiving some email notifications, apparently from my cPanel... The latest one says that the version of perl I am running is too old.
Subj: [checkperlmodules] perl version too old (v5.8.8 required, v5.8.7 is installed.)
Are there any problems or dire consequences from upgrading or side effects?  What version should I upgrade to?
	View 3 Replies
        Jul 29, 2007
        I've been trying to figure this out for about the past week and haven't had any success.
Can't locate funcs.pl in @INC (@INC contains: lib/perl . /usr/lib/perl5/5.8.8/i686-linux /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i686-linux /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl) at ./terr.pl line 28.
I'm trying to run perl magick.
	View 2 Replies
        Jan 27, 2007
I've been trying to install it for about 3 hours and I've finally got it working. Now, how do I configure it to be nice and secure?
First thing is that I want to restrict which paths people can use in scripts. My site needs to access any paths, but site users can only access their own directories. I want the exact same thing as in this thread but with perl instead of php.
How do I block certain functions and which ones do I block? I heard perl and php are very similar so I'm guessing I want to block similar functions to the ones listed here.
	View 3 Replies
        Jul 20, 2007
        Tasks: 150 total,   7 running, 143 sleeping,   0 stopped,   0 zombie
Cpu(s): 76.9% us, 23.1% sy,  0.0% ni,  0.0% id,  0.0% wa,  0.0% hi,  0.0% si
Mem:   1026224k total,   604068k used,   422156k free,    61396k buffers
Swap:  1052248k total,   140736k used,   911512k free,   233200k cached
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
12825 apache    25   0  6752 2040  936 R   33  0.2   1556:57 perl
15338 apache    25   0  7592 4068 1324 R   33  0.4 545:03.58 perl
 5817 apache    25   0  6996 4052 1240 R   33  0.4 520:37.18 perl
27139 apache    25   0  6404 4068 1248 R   33  0.4 197:40.96 perl
29176 apache    25   0  7964 4092 1272 R   33  0.4 523:40.92 perl
14785 apache    25   0  7392 4088 1272 R   31  0.4   1158:41 perl
27420 root      16   0  3248 1000  760 R    1  0.1   0:00.04 top
27441 qmaild    16   0  4736  752  604 S    0  0.1   0:00.01 qmail-smtpd
    1 root      16   0  1956   96   64 S    0  0.0   0:06.83 init
    2 root      RT   0     0    0    0 S    0  0.0   0:04.04 migration/0
    3 root      34  19     0    0    0 S    0  0.0   0:00.56 ksoftirqd/0
    4 root      RT   0     0    0    0 S    0  0.0   0:02.36 migration/1
    5 root      34  19     0    0    0 S    0  0.0   0:00.47 ksoftirqd/1
    6 root       5 -10     0    0    0 S    0  0.0   0:00.12 events/0
    7 root       5 -10     0    0    0 S    0  0.0   0:00.05 events/1
    8 root       9 -10     0    0    0 S    0  0.0   0:00.00 khelper
    9 root      15 -10     0    0    0 S    0  0.0   0:00.00 kacpid
   24 root       5 -10     0    0    0 S    0  0.0   0:00.00 kblockd/0
   25 root       5 -10     0    0    0 S    0  0.0   0:00.00 kblockd/1
   44 root      15   0     0    0    0 S    0  0.0   0:24.16 pdflush
   26 root      15   0     0    0    0 S    0  0.0   0:00.00 khubd
   46 root      13 -10     0    0    0 S    0  0.0   0:00.00 aio/0
   47 root      13 -10     0    0    0 S    0  0.0   0:00.00 aio/1
   45 root      15   0     0    0    0 S    0  0.0   2:45.50 kswapd0
  193 root      25   0     0    0    0 S    0  0.0   0:00.00 kseriod
  308 root      15   0     0    0    0 S    0  0.0   4:29.19 kjournald
 1393 root       6 -10  1968    4    0 S    0  0.0   0:00.02 udevd
 1912 root       6 -10     0    0    0 S    0  0.0   0:00.00 kauditd
 1976 root       7 -10     0    0    0 S    0  0.0   0:00.00 kmirrord
 1995 root      22   0     0    0    0 S    0  0.0   0:00.00 kjournald
 1996 root      15   0     0    0    0 S    0  0.0   0:01.55 kjournald
 1997 root      20   0     0    0    0 S    0  0.0   0:00.00 kjournald
 2769 root      15   0  2908  244  176 S    0  0.0   2:48.00 syslogd
 2773 root      16   0  3348  196  140 S    0  0.0   0:00.00 klogd
 2783 root      16   0  3092  272  208 S    0  0.0   0:08.25 irqbalance
 2798 named     16   0 50760 4492 1408 S    0  0.4   2:59.58 named
 2852 root      15   0  2664  260  104 S    0  0.0   0:00.13 smartd
 2861 root      16   0  5220  380  264 S    0  0.0   0:15.04 sshd
[root@cl-t058-280cl tmp]#
I am suffering from a perl scripts attack. Please help me to resolve this issue.
	View 11 Replies
        Feb 14, 2007
        How do I trace what user this is?  
Code:
   PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME CPU COMMAND
  9488 nobody    25   0  1612 1280  1108 S    21.1  0.2 619:37   1 perl bodyb3 200.101.193.42 0 5000
  I also ran netstat -n and found this:  
Code:
 udp    15184      0 server.host.com:55936    ns1.datacenter.net:domain      ESTABLISHED
	View 3 Replies
        Aug 15, 2007
How can I change perl 5.8.8 to 5.8.7?

Now I can't install any Perl module using CP.

All show me this:
Testing connection speed...(this could take a while)...Done
Ping:2.016 Testing connection speed to cpan.erlbaum.net using pureperl...(157450.00 bytes/s)...Done
Ping:2.316 Testing connection speed to cpan.belfry.net using pureperl...(157450.00 bytes/s)...Done
Ping:1.911 Testing connection speed to cpan.glines.org using pureperl...(104300.00 bytes/s)...Done
Three usable mirrors located
Mirror Check passed for cpan.erlbaum.net (/index.html)
Unknown config variable 'less'
commit: wrote '/usr/lib/perl5/5.8.8/CPAN/Config.pm'
CPAN: File::HomeDir loaded ok (v0.65)
CPAN: Storable loaded ok (v2.16)
Going to read /home/.cpan/Metadata
  Database was generated on Wed, 15 Aug 2007 01:38:08 GMT
Acme:pork is up to date (0.0.7).
perlmod--Install done
	View 10 Replies
        Nov 11, 2007
I'm facing a perl script on my server and I can't find a way to protect it from perl.
I really need the best way.
I chose this forum because most of you here are experts in this field.
	View 1 Replies
        Dec 7, 2007
        Want to apply this to a forum
[url]
I think I installed html2ps correctly, but I do not know how to get ps2pdf installed on Centos 4.5
I have cpanel as well
	View 0 Replies
        Oct 24, 2007
We are using FreeBSD with cPanel.
Someone has uploaded some scripts; they are running and attacking
other systems.
last pid: 64017;  load averages: 59.59, 60.75, 63.04   up 19+22:52:28  12:03:45
457 processes: 61 running, 315 sleeping, 81 zombie
CPU states: 52.4% user,  0.0% nice, 47.6% system,  0.0% interrupt,  0.0% idle
Mem: 465M Active, 212M Inact, 236M Wired, 22M Cache, 111M Buf, 62M Free
Swap: 2048M Total, 458M Used, 1590M Free, 22% Inuse
  PID USERNAME  PRI NICE   SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 3282 root      128    0 37536K 30520K RUN      3:49  4.79%  4.79% perl
62953 root      128    0 30284K 25248K RUN      0:05  1.90%  1.90% perl
49249 root      128    0 33720K 28876K RUN      0:46  1.86%  1.86% perl
 2981 root      128    0 40928K 30724K RUN      3:56  1.56%  1.56% perl
76809 nobody    127    0  4148K  2080K RUN     13:52  1.42%  1.42% perl5.8.8
19633 nobody    127    0  4148K  2128K RUN      2:34  1.42%  1.42% perl5.8.8
57451 nobody    126    0  4148K  2072K RUN     39:24  1.22%  1.22% perl5.8.8
76599 nobody    126    0  4148K  2080K RUN     13:53  1.22%  1.22% perl5.8.8
76966 nobody    126    0  4148K  2080K RUN     14:01  1.17%  1.17% perl5.8.8
60286 nobody    126    0  4148K  2072K RUN     38:42  1.12%  1.12% perl5.8.8
77488 nobody    126    0  4148K  2080K RUN     13:48  1.12%  1.12% perl5.8.8
77697 nobody    126    0  4148K  2080K RUN     13:47  1.12%  1.12% perl5.8.8
56573 nobody    126    0  4148K  2096K RUN     39:55  1.07%  1.07% perl5.8.8
58126 nobody    126    0  4148K  2072K RUN     39:11  1.07%  1.07% perl5.8.8
76513 nobody    126    0  4148K  2080K RUN     13:58  1.07%  1.07% perl5.8.8
76807 nobody    126    0  4148K  2080K RUN     13:57  1.07%  1.07% perl5.
	View 6 Replies
        Aug 17, 2007
        What would I have to add inside .htaccess to allow perl scripts to run?
	View 1 Replies
        Jan 14, 2009
I am trying to write a perl script; it sends mail to a user. I used system(mail -s test) and also send some messages using this.
But my issue is that I receive the mail with HTML code like <br> and so on.
How do I get a plain mail using this system command?
	View 2 Replies
        Jun 3, 2009
How can I see just the perl or exim running processes with ssh on Linux?
	View 2 Replies
        May 25, 2009
I'm getting an internal 500 on a test perl file that I placed inside cgi-bin.
This is a cPanel box with suPHP enabled ....
	View 2 Replies
        Jan 12, 2008
I have a cPanel/Linux server, running Apache as a webserver.
I want to know how I can prevent perl/cgi files from working on all virtual hosts on both apache2/apache1.3!
	View 14 Replies
        Dec 1, 2008
        I've used Servage for about 18 months. For most of that time there have been no problems. Then they decided to upgrade the cluster. This happened 3 weeks ago. Since then, there has been a catalogue of problems, mostly centred around a Perl script my site uses to implement a wiki.
The first problem was that they had removed four of the supporting Perl modules used by my Perl script.  All of the missing modules are ones you would expect to find on any server that claims to support Perl.  They had warned that this might happen (obviously too difficult for them to make sure that the upgraded server has all the Perl modules) so I notified them with a list of missing modules expecting the modules to be restored quickly.  It actually took 1 week, during which time their support team tried their best to annoy me by giving responses related to PHP (apparently they'd managed to kill PHP scripting completely) and a non-working link to a list of installed modules (I knew what was installed already).
Having now got the script running, I hit a further problem.  Prior to the upgrade the script had run under the "webserver" account.  It was now running under the "you" account.  This meant it couldn't write to its own data files.  I had real trouble getting Servage to understand this one, let alone fix it.  Most of their answers were about how to change the ownership of my script, which makes absolutely no difference to the problem.  Eventually, after 4 days, they tried to fix the problem.  The result was that my website became completely inaccessible.  Even the static content was giving a 403 error.  Again, it took support a while to understand the problem and about 1.5 days to fix it.
At this point Servage claimed to have fixed all outstanding issues.  However, my script was still running under the wrong account.  In frustration, I changed the ownership of all the script's data files to "you", which at least got my wiki running again.  
However, I now find that people can't upload images to the site.  Any attempt to do so produces an error "CGI open of tmpfile: Permission denied".
I've given up.  I think my chances of getting Servage to even understand the problem are minimal. I'm not even going to try.  I will be moving to another host as soon as possible - probably a VPS.  That way I should be able to fix most problems myself.
	View 14 Replies
        Jul 11, 2008
Trying to install Image::Magick via the WHM perl module installer. Got the below error.
{standard input}:99: Warning: size of "opacity" is already 2; not changing to 8
{standard input}:155: Warning: size of "backdrop" is already 4; not changing to 288
{standard input}:159: Warning: size of "magnify" is already 4; not changing to 288
make: *** [Magick.o] Error 1
  JCRISTY/PerlMagick-6.40.tar.gz
  /usr/bin/make -- NOT OK
CPAN: YAML loaded ok (v0.66)
Running make install
  Make had returned bad status, install seems impossible
perlmod--Install done
I'm using perl 5.8.8
This is perl, v5.8.8 built for i686-linux
	View 3 Replies
        Oct 29, 2008
What command must I write into SSH to see if perl is installed or not?
	View 4 Replies
        Jan 26, 2007
We have a customer who has Red Hat Enterprise Linux 4 on their server and they have asked us to install GD-1.8 and perl-GD-1.33-1.i386. Every time we try and install GD-1.8 it says 'GD-2.2 is newer blah blah' and we cannot continue. Does anyone know how this can be done, and if so could they please give us some information on how to do it.
We have been thinking about forcing 1.8 to install, but we do not think this is a good solution as it will cause other problems.
	View 1 Replies
        Sep 16, 2007
        to install these two but whm did not find them
html2ps
ps2pdf 
Only found this, 
Meta::Tool:s2Pdf 
not sure if that is the proper one anyway.
Using perl 5.8.8 / centos 4.5
	View 6 Replies
        Jan 14, 2007
Two servers, with almost exactly the same setup.
I can run perl cgi on one, but the other one just displays the perl code of the same script.
I know this must be an easy one, but I have absolutely no knowledge about perl,
	View 2 Replies
        Aug 17, 2007
I have to install perl-XML-Parser on my dedicated server. I'm using CentOS 4.5. I tried
Code:
yum install perl-XML-Parser
after that command i got:
Code:
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
No Match for argument: perl-XML-Parser
Nothing to do
If anyone asks why I have to install it: I want to install VNC. While installing gnome with this command:
Code:
yum install gnome*
I got this error:
Code:
--> Running transaction check
--> Processing Dependency: perl-XML-Parser for package: intltool
--> Finished Dependency Resolution
Error: Missing Dependency: perl-XML-Parser is needed by package intltool
So, I think that I have to install perl-XML-Parser. But how?
	View 2 Replies
        Jun 14, 2007
        find my server filled with suspicious perl processes, most likely the result of bad PHP coding somewhere on my box. I successfully eradicated all of it, but I know it'll only come back again unless I figure out where it came from. Anyone have any ideas how to track it down? I'd search all the httpd logs for each domain, but I don't really know what I'd be looking for.
	View 3 Replies
        Apr 10, 2007
        I'm nearly at my wits end with this. 
My server keeps going down lately, and I suspect some kind of DoS. Whenever it does, sometimes I can even watch it happen. Such as:
Quote:
80 requests currently being processed, 0 idle workers
WWWWWWWWWWWWWWWWWWKWWWWWWWWWWWWWWWWWWWKWWWWWWWWWWWWWWCWWWWWWCWWW
WWWWWWCWKWWWWWWW
I watched it fill up like that, from my NORMAL status:
Quote:
13.8 requests/sec - 33.6 kB/second - 2484 B/request
22 requests currently being processed, 36 idle workers
___K__C____CC__C_C_____.C_C____C_CC_K___K_K_KKK__KCKK__W___.....
................
That's what it usually looks like. Anyway, more and more Ws were added in a matter of seconds as I watched it. Next thing, my site doesn't load, and it goes dead. My TimeOut in apache was set to 5 seconds. Now it's at 2, though. I do have keep alive on, but it is VERY low, like it's set to 2 seconds and the max keep alives is set to 15 or so.
I have been working on even just catching who is doing this for about 2 weeks now, trying everything to my ability. Here is everything from start to finish:
1. First I tried mod_evasive - this program seems worthless, it doesn't ever detect anything. I can post settings if need be, but I've played with it and it just doesn't work well, I find. I have more trouble with it getting false positives. Also, I tried going over the apache logs. For me, this has been a nightmare because it's just so hard to see between attackers and non-attackers... and I've come up with nothing.
2. I tried APF with AntiDOS but it didn't seem to do anything...
3. I read about DDoS deflate by medialayer, and installed it and gave it a shot. It didn't do anything for me. I tried poking around with the command they have on their website and I found the results quite weird; it didn't show me all of the IPs like it was supposed to, but rather some mess like:
Code:
1 (ip here)
3 (ip here)
9
(1 addres
ses)
So I did more searches online, and eventually came across this command:
Code:
netstat -ntu | grep ':' | awk '{print $5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr
This seemed nice, looked like it was working as it should this time. I used the test.pl (my only test for this, I have trouble finding other tools) that comes with mod_evasive and sure enough it showed connections by me in there, about 150 or so after. I thought, 'hey, that's pretty good, now I'll try to make a script to parse it.' I did this, and then croned the script to run every minute.
Then I asked a friend of mine who I know has a better "DoS"er (though won't give it to anyone, understandably) to test the defence. It didn't hold up well at all. He suggested making the script run in an infinite loop instead of a cron, and make it sleep in the loop forever.
I did just that, and it now runs every 5 seconds. Here is the script, it's not the best, but it's all I've got now:
Code:
#!/usr/bin/perl
# Dos
use strict;
use warnings;

for (;;) {
    # Count connections per remote IP (the ::ffff: IPv4-mapped prefix is stripped first).
    # "\$5" is escaped so Perl does not interpolate it inside the backticks; awk must see $5.
    my $command = `netstat -ntu | grep ':' | awk '{print \$5}' | awk '{sub("::ffff:","");print}' | cut -f1 -d ':' | sort | uniq -c | sort -nr`;
    my @lines = split /\n/, $command;
    foreach my $line (@lines) {
        my @twospleet = split(" ", $line);   # ("count", "ip") from uniq -c
        next unless @twospleet == 2;
        if ($twospleet[0] > 150) {
            if ($twospleet[1] ne "") {      # string comparison, not numeric !=
                my $carp  = $twospleet[1];   # remote IP
                my $carp2 = $twospleet[0];   # connection count, passed to apf as the deny comment
                my $block = "/usr/local/sbin/apf -d $carp $carp2";
                system($block);
            }
        }
    }
    sleep(5);
}
This actually worked; he started his attack, it found his IP, and he was blocked, and I didn't go down. The netstat command showed him in with some 200 something connections before he was blocked.
I was not able to see if this was effective against this issue until today, haven't been hit for 4 days now or so (perhaps some sort of easter vacation?). Today though, I watched the same thing happen again, filled to the brim with Ws. 
The netstat command I found doesn't seem to be helping me here. If I am correct:
W means Sending Reply, according to the server status page. So what's going on here, someone's making lots of connections and my system can't send a reply back for some reason?
My main questions are,
1. Am I right, that this is some kind of DoS?
2. If yes, how is this being done? And are there any test scripts available that I can download and try on myself to watch the statistics & test some more?
3. And again, how can I go about detecting whatever this is? Maybe some better netstat command, or something I can look for on the command page?
4. Is there any way to improve my perl script to protect against this?
5. If it isn't a DoS attack, what else might it be?
	View 7 Replies
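An added example (my code, not the poster's script): the same per-remote-IP connection count done in Python over a constructed netstat -ntu sample, keeping the script's 150 threshold, adding an allowlist so your own test connections are never handed to apf, and stripping the port with rpartition so IPv6 remotes are not truncated the way cut -f1 -d ':' truncates them. It goes one step beyond the pipeline by letting you restrict the count to a socket state such as ESTABLISHED; the sample addresses are documentation ranges, not from the original server.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234          ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235          ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236          TIME_WAIT
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51237   ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001           ESTABLISHED
tcp        0      0 192.0.2.10:22           127.0.0.1:33000             ESTABLISHED
udp        0      0 192.0.2.10:53           2001:db8::1:5353            ESTABLISHED
"""

PROTOCOLS = ("tcp", "tcp6", "udp", "udp6")


def remote_host(foreign):
    """Drop the trailing :port and any ::ffff: IPv4-mapped prefix.

    rpartition keeps IPv6 remotes intact; cut -f1 -d ':' in the shell
    pipeline would reduce 2001:db8::1:5353 to just 2001.
    """
    host, _, _ = foreign.rpartition(":")
    if host.startswith("::ffff:"):
        host = host[len("::ffff:"):]
    return host


def count_connections(netstat_output, states=None):
    """Return a Counter of connections per remote host.

    states: optional set of socket states to count (e.g. {"ESTABLISHED"});
    None counts every socket line, exactly like the original pipeline.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PROTOCOLS:
            continue  # header, banner or blank line
        state = fields[5] if len(fields) > 5 else ""  # udp rows may carry no state
        if states is not None and state not in states:
            continue
        counts[remote_host(fields[4])] += 1
    return counts


def find_offenders(netstat_output, threshold=150,
                   allowlist=("127.0.0.1", "::1"), states=None):
    """Return (host, count) pairs with more than `threshold` connections,
    busiest first. Allowlisted hosts (loopback by default; add your own
    admin IP) are never returned, so they cannot end up in an apf deny.
    The 150 default mirrors the poster's script."""
    counts = count_connections(netstat_output, states)
    hits = [(h, c) for h, c in counts.items()
            if c > threshold and h not in allowlist]
    return sorted(hits, key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    # Threshold lowered to 2 only so the small sample produces a hit.
    for host, count in find_offenders(SAMPLE_NETSTAT, threshold=2):
        print(f"{host}: {count} connections, candidate for apf -d {host}")
```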