Posted by: Dan O'Connor
casper perl, casper rfi bot, casper.pl
Parts of the sh.txt script seem to be pretty old: it calls out to milw0rm and darkc0de, and neither site has been up for a while.
There are also a few things worth looking into here. The script references fx29shell.php, which is a PHP web shell that can be loaded onto the compromised system.
I can do all kinds of nasty things to your web server with it; downloading /etc/passwd is just a start. Not good if you find this on your system, and while we are talking about it, it might be a good time to do some Google searches against your domain.
So after all of this it looks like casper.(pl|txt) is the main thing doing all of the work, as you can tell from all of the variables:
$admin = "XXXXX";                                   // bot admin (masked)
$serverircs = array("irc.xxxxx.xxx");               // list of C2 IRC servers (masked)
$serverirc = $serverircs[rand(0,count($serverircs) - 1)];  // pick one at random
$urldata = "http://xxxxxxx/xxxxxxx/casper/";        // base URL the other files are fetched from (masked)
$injektor = "sh.txt";                               // the injector/shell script discussed above
$defacer = "def.txt";
$filepsy = "psy.tar.gz";
$portpsy = "6667";
$fileggdrop = "eggdrop.tar.gz";
$filebotphp = "bot.txt";
$crbots = 2;
$filebotperl = "iso.txt";
$filebotscan = "scan.txt";
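When you find a config block like this on a box, the useful thing to do is pull the indicators out of it (IRC servers, download base, dropped file names) so they can go into blocklists and log searches. The Python below is an added example, not code from the original post or from the bot; the sample config is constructed with placeholder hostnames, since the real values are masked above.

```python
"""Extract indicators from a casper-style PHP assignment block."""
import re
from urllib.parse import urljoin

# Constructed sample modelled on the casper.pl variables; hostnames are
# placeholders (.invalid TLD), not real indicators.
SAMPLE_CONFIG = '''
$admin = "XXXXX"; $serverircs = array("irc.example.invalid", "irc2.example.invalid");
$serverirc = $serverircs[rand(0,count($serverircs) - 1)];
$urldata = "http://payload.example.invalid/some/casper/"; $injektor = "sh.txt";
$defacer = "def.txt"; $filepsy = "psy.tar.gz"; $portpsy = "6667";
$fileggdrop = "eggdrop.tar.gz"; $filebotphp = "bot.txt"; $crbots = 2;
$filebotperl = "iso.txt"; $filebotscan = "scan.txt";
'''

# Matches $name = "string";  $name = 123;  $name = array("a", "b");
# Assignments from other variables (e.g. $serverirc = $serverircs[...]) are skipped.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(array\((.*?)\)|"([^"]*)"|(\d+))\s*;')


def parse_config(text):
    """Return {name: value} for literal string, int and array assignments."""
    out = {}
    for m in ASSIGN_RE.finditer(text):
        name, _, arr, s, n = m.groups()
        if arr is not None:
            out[name] = re.findall(r'"([^"]*)"', arr)
        elif s is not None:
            out[name] = s
        else:
            out[name] = int(n)
    return out


def extract_indicators(text):
    """Turn the parsed config into a small indicator set for hunting."""
    cfg = parse_config(text)
    base = cfg.get("urldata", "")
    # File names the bot fetches: the $file* variables plus injector/defacer.
    files = sorted(v for k, v in cfg.items()
                   if k.startswith("file") or k in ("injektor", "defacer"))
    return {
        "irc_servers": cfg.get("serverircs", []),
        "payload_base": base,
        "payload_urls": [urljoin(base, f) for f in files],
        "dropped_files": files,
    }


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_CONFIG).items():
        print(key, value)
```

The payload URLs and file names are what to grep for in web server access logs and the document root; the IRC hosts belong in egress/DNS monitoring.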
In the next section we will take a closer look at casper, now that we have poked around a bit.