Recently in Perl Category

Took this from another, larger project that I worked on and wrote something small but modular to get me the MD5, SHA1, and SHA256 values for any file I want... nothing novel (and extremely limited) here, but more efficient for me, and now I can have all my private functions in one customized Perl module. Here are the files: filehash.tar.gz.

The package is EncryptTypes::Hash, so the driver program, getfilehash.pl, must sit in the directory that contains the EncryptTypes directory, and Hash.pm must live inside EncryptTypes. Perl resolves `use EncryptTypes::Hash;` by searching @INC for EncryptTypes/Hash.pm, so that directory has to be on @INC: since Perl 5.26 the current directory is no longer searched by default, so either run the driver with `perl -I. getfilehash.pl` or put `use lib '.';` (or the absolute path) before the `use` line.

Something like:

...
getfilehash.pl
EncryptTypes/
    Hash.pm
...
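As an added example of the layout just described (this is not the code in filehash.tar.gz), here is a minimal EncryptTypes::Hash module and a getfilehash.pl driver in one file, so it runs as-is. It streams the file through Digest::MD5 and Digest::SHA in a single pass and, when run with no arguments, checks itself against the published digests of the string "abc". The file split described in the comment, the 64 KiB chunk size and the temporary-file self-test are my choices, not the author's.

```perl
#!/usr/bin/perl
# Added example of the layout described above; it is not the code in filehash.tar.gz.
# Everything is in one file so it runs as-is.  To split it the way the post describes,
# save the EncryptTypes::Hash package (down to its "1;") as EncryptTypes/Hash.pm and
# keep the "package main" part as getfilehash.pl with:  use lib '.'; use EncryptTypes::Hash;
use strict;
use warnings;

package EncryptTypes::Hash;

use Carp qw(croak);
use Digest::MD5;
use Digest::SHA;    # core module; provides SHA-1 and SHA-256

our @ALGOS = qw(md5 sha1 sha256);

# Hash one file with all three algorithms in a single pass, streaming it in
# 64 KiB chunks so large samples are never read into memory whole.  Returns a
# hashref keyed by algorithm name holding lowercase hex digests.
sub filehash {
    my ($path) = @_;
    croak "not a regular file: $path" unless -f $path;
    open( my $fh, '<:raw', $path ) or croak "cannot open $path: $!";

    my %ctx = (
        md5    => Digest::MD5->new,
        sha1   => Digest::SHA->new(1),
        sha256 => Digest::SHA->new(256),
    );
    my $buf;
    while ( read( $fh, $buf, 65536 ) ) {
        $_->add($buf) for values %ctx;
    }
    close $fh;
    return { map { $_ => $ctx{$_}->hexdigest } @ALGOS };
}

1;

package main;

use File::Temp qw(tempfile);

# getfilehash.pl: print the digests of every file named on the command line.
# With no arguments, hash a temporary file containing "abc" and compare with the
# standard test vectors for that input, so the module can be checked offline.
if (@ARGV) {
    for my $file (@ARGV) {
        my $h = EncryptTypes::Hash::filehash($file);
        printf "%s\n  %-6s %s\n  %-6s %s\n  %-6s %s\n", $file,
            map { ( uc $_, $h->{$_} ) } @EncryptTypes::Hash::ALGOS;
    }
}
else {
    my %expected = (
        md5    => '900150983cd24fb0d6963f7d28e17f72',
        sha1   => 'a9993e364706816aba3e25717850c26c9cd0d89d',
        sha256 => 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
    );
    my ( $fh, $tmp ) = tempfile( UNLINK => 1 );    # constructed input, removed on exit
    binmode $fh;
    print $fh 'abc';
    close $fh;
    my $h = EncryptTypes::Hash::filehash($tmp);
    for my $algo (@EncryptTypes::Hash::ALGOS) {
        printf "%-6s %s\n", $algo,
            $h->{$algo} eq $expected{$algo} ? 'ok' : "MISMATCH ($h->{$algo})";
    }
}
```

One caveat worth keeping in mind when using these values: MD5 and SHA-1 collisions are practical today, so two different files can share an MD5 or SHA-1. Keep computing them, because older malware repositories index samples by MD5 (the StormCodec8.exe hash further down this page is one), but treat the SHA-256 as the identity you match on.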
Captured about an hour's worth of pcap traffic and decided to pull out those notorious spam templates being sent to and from my infected bot. Will write a quick parser to pick through based on From, To, Subject, User-Agent, Message-ID, all of which are assembled within the spam template and then spoofed out using your infected bot as the spamming engine. Listed below are those spam templates from my infected VM bot; here is just one to give you an idea of what it looks like:
template1.txt

Here are the rest if you are interested in seeing all the data: 
spamtemplates.tar.gz

MITRE Honeyclient project - CPAN

I noticed a project I worked on published their code in CPAN located at: http://search.cpan.org/~mitrehc/HoneyClient-Manager-0.99/. To my knowledge the project integrated with Capture-HPC to handle their real-time integrity check functionality. Additionally, if you want to find out more about the status of the project, you can visit their main site at: http://honeyclient.org/trac. If you are curious and don't know what a honeyclient is, it is "a dedicated host that drives specially instrumented applications to access remote servers to see if those servers are behaving in a malicious manner. Specifically, honeyclients can proactively detect exploits against client applications without known signatures." Some of my work can be found here as well: http://search.cpan.org/src/MITREHC/HoneyClient-Manager-0.99/lib/HoneyClient/Manager/FW.pm
or
http://honeyclient.org/trac/browser/honeyclient/trunk/lib/HoneyClient/Manager/FW.pm

pcaplistener-v0.2.pl

I added some more functionality to my homemade sniffer, which now grabs all the outbound DNS packets from my infected bot. The variant I am running I grabbed from sudosecure.net: 681554faf60a96ad2fcebcee4a8e0b53 StormCodec8.exe. Some quick stats: in thirty minutes of sniffing, I grabbed 6781 unique DNS hostnames and 12383 IP addresses (6748 unique) going across the wire. Here is a file with the latest printout of IPs => GeoIP lookup:
042808_latest_run.txt


Here is a snippet of what hostnames I found coming from my box once infected, the file lists the hostname => # of ips it resolves to and all the IP addresses: 
dnsoutputfile.txt

I have some more data but will put it up later...
Wrote a sniffer in Perl to pull out all the unique IP addresses from my infected honeypot based on the stormcodec.exe variant. From there, I stuff them into a MySQL table for later analysis. The script checks for duplicates before adding a row to the table. Will start parsing UDPObj and TCPObj ->{data} for URLs so I can start potentially keeping track of FF domains. I need to add some more functionality to log first and last seen, which should not be that hard. I am using the Net::Pcap package to do all the heavy lifting here, as I don't have to substring through the packets picking through the TCP/UDP/ICMP header structure. For specific cases that might be necessary, but this works for me now. The code is version 0.1, so that should speak for itself. The DB schema is not listed but can be figured out very easily. Alas, here it is:
pcaplistener_pl.txt

The captured unique IP addresses are listed below:
storm_sniffer_geo.txt
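As an added example (not the page's pcaplistener script), here is the DNS side of that sniffer done the same way, with Net::Pcap doing the capture and NetPacket plus Net::DNS doing the decoding, and with the first-seen/last-seen bookkeeping the post says is still missing. The table schema, the DSN, the credentials and the `dns_seen`/`dnsseen.pl` names are assumptions of mine; it reads a saved pcap rather than sniffing live.

```perl
#!/usr/bin/perl
# Added example, not the page's pcaplistener: pull the names queried in outbound
# DNS out of a pcap and keep per-name first-seen/last-seen/hit counts in MySQL.
# Assumes NetPacket and Net::DNS from CPAN, a MySQL table created with the
# schema below (assumed, not the page's), and placeholder DSN/credentials.
#
#   CREATE TABLE dns_seen (
#     qname      VARCHAR(255) NOT NULL PRIMARY KEY,
#     first_seen DATETIME     NOT NULL,
#     last_seen  DATETIME     NOT NULL,
#     hits       INT UNSIGNED NOT NULL DEFAULT 1
#   );
#
# usage: perl dnsseen.pl <capture.pcap> [<bot ip>]
use strict;
use warnings;
use Net::Pcap;
use NetPacket::Ethernet qw(:types);
use NetPacket::IP qw(:protos);
use NetPacket::UDP;
use Net::DNS::Packet;
use DBI;

# Decode one Ethernet frame down to DNS and return the queried names, or an empty
# list if it is not a DNS query (or, when a bot IP is given, not one the bot sent).
sub dns_questions {
    my ( $raw, $bot_ip ) = @_;
    my $eth = NetPacket::Ethernet->decode($raw);
    return () unless $eth->{type} == ETH_TYPE_IP;
    my $ip = NetPacket::IP->decode( $eth->{data} );
    return () unless $ip->{proto} == IP_PROTO_UDP;
    return () if defined $bot_ip && $ip->{src_ip} ne $bot_ip;
    my $udp = NetPacket::UDP->decode( $ip->{data} );
    return () unless $udp->{dest_port} == 53;
    my $dns = Net::DNS::Packet->new( \$udp->{data} ) or return ();    # undef if malformed
    return () if $dns->header->qr;                                     # answers, not queries
    return map { lc $_->qname } $dns->question;
}

my ( $pcap_file, $bot_ip ) = @ARGV;
die "usage: $0 <capture.pcap> [<bot ip>]\n" unless defined $pcap_file;

my $err;
my $pcap = Net::Pcap::open_offline( $pcap_file, \$err )
    or die "cannot open $pcap_file: $err\n";
# Let libpcap discard everything but DNS queries before Perl ever sees a packet.
my $filter;
Net::Pcap::compile( $pcap, \$filter, 'udp dst port 53', 1, 0 ) == 0
    or die 'bad filter: ' . Net::Pcap::geterr($pcap) . "\n";
Net::Pcap::setfilter( $pcap, $filter );

my $dbh = DBI->connect( 'DBI:mysql:database=storm;host=localhost',
    'storm', 'PASSWORD', { RaiseError => 1, AutoCommit => 1 } );
# The PRIMARY KEY on qname makes the duplicate check part of the INSERT: a repeat
# becomes an UPDATE of last_seen and hits instead of a SELECT followed by an INSERT.
my $upsert = $dbh->prepare(<<'SQL');
INSERT INTO dns_seen (qname, first_seen, last_seen, hits)
VALUES (?, FROM_UNIXTIME(?), FROM_UNIXTIME(?), 1)
ON DUPLICATE KEY UPDATE last_seen = VALUES(last_seen), hits = hits + 1
SQL

my ( $queries, %names ) = (0);
Net::Pcap::loop(
    $pcap, -1,
    sub {
        my ( undef, $hdr, $raw ) = @_;
        for my $name ( dns_questions( $raw, $bot_ip ) ) {
            $upsert->execute( $name, $hdr->{tv_sec}, $hdr->{tv_sec} );
            $names{$name}++;
            $queries++;
        }
    },
    undef
);
Net::Pcap::close($pcap);
$dbh->disconnect;
printf "%d queries for %d unique names\n", $queries, scalar keys %names;
```

Two things to check before trusting the numbers: the frame decoder assumes an Ethernet capture (Net::Pcap::datalink($pcap) should be DLT_EN10MB; a Linux "any" capture uses cooked headers and will not decode this way), and the `qr` check matters because a bot that also answers queries for its peers would otherwise have its responses counted as lookups. One row per query is fine at the 12k-packets-per-half-hour rate above; for bigger captures, turn AutoCommit off and commit once at the end.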

More FFSNs?

During a 25 minute network traffic capture of one of my infected storm bots, I grabbed hundreds of IP addresses, either from spam propagation or found within the payload of the pcap. Listed below is the file of URLs.
domains.txt

Of those 58 URLs that were parsed out, I noticed 7 that came back with 20 unique A records, those were the following:

Hostname => Number of A records
didstill.com => 20
enoughfraction.com => 20
gladgave.com => 20
motherdry.com => 20
thinbring.com => 20
verbcase.com => 20
winghit.com => 20

Listed below are the IP's associated with those hostnames:
042308_ffoutput.txt and the ugly ass script that produced it:
ffcheck_pl.txt


Doing a GEOIP lookup on all of those IP addresses got me the following:
042308_ff_geooutput.txt
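As an added example (not the page's ffcheck script), here is the A-record check above turned into a reusable scorer. It counts distinct A records, as the 20-record hits above were found, and adds the other signal a fast-flux name has to show: a short TTL, since the victims must keep re-resolving to follow the rotating front ends. The thresholds are my assumptions, the `score_answer`/`check_host` names are mine, and with no arguments it runs on constructed records (RFC 1918 and documentation addresses, not real lookups) rather than the network.

```perl
#!/usr/bin/perl
# Added example; not the page's ffcheck script.  Scores a hostname's A records for
# fast-flux behaviour on two signals: many distinct addresses (the page's hits had 20)
# and a short TTL, which fast-flux names need so victims keep re-resolving.  The
# thresholds are assumptions.  With hostnames on the command line it does live lookups;
# with none it runs on constructed records (the 10.x and 192.0.2.x addresses are placeholders).
use strict;
use warnings;
use Net::DNS;

my $MIN_A_RECORDS = 10;     # assumption
my $MAX_TTL       = 600;    # assumption: ten minutes

# Reduce one answer section to the numbers that matter and a yes/no verdict.
sub score_answer {
    my ( $name, @rrs ) = @_;
    my @a = grep { $_->type eq 'A' } @rrs;
    my %ips = map { $_->address => 1 } @a;
    my $min_ttl;
    for my $rr (@a) {
        $min_ttl = $rr->ttl if !defined $min_ttl || $rr->ttl < $min_ttl;
    }
    my $count = scalar keys %ips;
    my $flux  = ( $count >= $MIN_A_RECORDS && defined $min_ttl && $min_ttl <= $MAX_TTL ) ? 1 : 0;
    return {
        name    => $name,
        a_count => $count,
        min_ttl => $min_ttl,
        ips     => [ sort keys %ips ],
        flux    => $flux,
    };
}

# Live path: one A query, scored the same way (an unanswered query scores as zero records).
sub check_host {
    my ( $res, $name ) = @_;
    my $reply = $res->send( $name, 'A' );
    return score_answer( $name, $reply ? $reply->answer : () );
}

sub report {
    my ($r) = @_;
    printf "%-24s A=%-3d min_ttl=%-6s %s\n", $r->{name}, $r->{a_count},
        defined $r->{min_ttl} ? $r->{min_ttl} : '-',
        $r->{flux} ? 'FAST-FLUX?' : 'ok';
    print "    $_\n" for @{ $r->{ips} };
}

if (@ARGV) {
    my $res = Net::DNS::Resolver->new;
    report( check_host( $res, $_ ) ) for @ARGV;
}
else {
    # Constructed: twenty addresses with a 60 s TTL, like the page's thinbring.com result,
    # next to a single long-lived record.
    my @fluxy  = map { Net::DNS::RR->new("thinbring.com. 60 IN A 10.0.$_.1") } 1 .. 20;
    my @stable = ( Net::DNS::RR->new('example.com. 86400 IN A 192.0.2.1') );
    report( score_answer( 'thinbring.com', @fluxy ) );
    report( score_answer( 'example.com',   @stable ) );
}
```

The A-record count on its own is noisy, because large CDN and round-robin names also return many addresses; what separates them is that their TTLs are long and the address set is stable. Re-running the scorer on the same names a few minutes apart, the way the captures above were repeated, and comparing the `ips` lists is the cheapest way to confirm a hit.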

Below is a Perl script I used to pull all the URLs and email addresses out of tcpflow results from the network traffic of an infected storm bot. It writes the URL list to httpfile.txt and the address list to email.txt in the current directory. The script can be run using the following:

perl stormextraction -dir /data/tcpflowresults/

Here is the script:

#!/usr/bin/perl

# simple little hack to pull URLs out of tcpflow results from captured storm data
# JD Durick <jd@labgeek.net>
# runs on a directory after you have run:  tcpflow -r <storm pcap file>; this mainly contains email header information,
# email addresses, subjects, and html links that you are asked to visit.
# version 0.1

# format of data: (really can be anything with a URL in the file)
#----------------
#To: <sms5672@daum.net>
#Subject: Holidays are near, but u know how not to give hangover a chance
#Date: Sat, 19 Apr 2008 12:13:18 -0400
#MIME-Version: 1.0
#Content-Type: text/plain;
#        format=flowed;
#        charset="windows-1250";
#        reply-type=original
#Content-Transfer-Encoding: 7bit
#X-Priority: 3
#X-MSMail-Priority: Normal
#X-Mailer: Microsoft Outlook Express 5.50.4133.2499
#X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499
#
#Make your housewife happy with our original blue colored-tab!is http://starfoxguide.com

#TODO
# parse even more with URI to get just unique hostnames, something like $url->host()
# DNS resolver for each of URLS
# email domain breakdown

use strict;
use warnings;
use Getopt::Long;
use File::Spec;
use URI::Find;
use MIME::Parser;                              # for later
use Digest::MD5 qw(md5 md5_hex md5_base64);    # for later

my $dir;
my $output   = 'httpfile.txt';    # -output overrides this
my $max_size = 90_000;            # skip anything bigger; the spam bodies are small, the big flows are not mail
my ( %url, %emails );
my $counter = 0;

GetOptions(
        "dir:s"    => \$dir,
        "output:s" => \$output,
) or die "usage: $0 -dir <tcpflow output dir> [-output <file>]\n";

die "usage: $0 -dir <tcpflow output dir> [-output <file>]\n" unless defined $dir && -d $dir;

# get all the http:// urls that are found in all the emails sent out.
opendir( my $dh, $dir ) || die("Cannot open directory $dir: $!\n");

# Get contents of directory, minus . and ..
my @dir_contents = grep { $_ ne '.' && $_ ne '..' } readdir($dh);

# Close the directory
closedir($dh);

foreach my $file (@dir_contents) {
        # catfile works whether or not -dir was given with a trailing slash
        my $fullpathname = File::Spec->catfile( $dir, $file );
        next unless -f $fullpathname;
        $counter++;

        my $fsize = ( stat($fullpathname) )[7];
        #print "[$counter]:  Processing  $fullpathname and size = $fsize\n";
        next if $fsize >= $max_size;    # decided before the file is opened, so nothing is left open

        open( my $fh, '<', $fullpathname ) or do { warn "cannot open $fullpathname: $!\n"; next };
        while ( my $line = <$fh> ) {
                find_uris(
                        $line,
                        sub {
                                my ( $uri, $orig_uri ) = @_;
                                $url{$orig_uri} = 1;
                                return $orig_uri;    # find_uris substitutes the return value back into the text; keep it unchanged
                        }
                );
        }
        close $fh;

        # lets get a list of all those email addresses we see
        getEmail($fullpathname);
}

open( my $out, '>', $output ) or die "cannot write $output: $!\n";
foreach my $u ( sort keys %url ) {

        # lets get rid of those http://
        #       $u =~ s/https?\:\/\///g;
        print $out "$u\n";
}
close $out;

# write the address list once, after every file has been scanned
open( my $email_fh, '>', 'email.txt' ) or die "cannot write email.txt: $!\n";
print $email_fh "$_\n" for sort keys %emails;
close $email_fh;

# collect every address in one file into %emails
sub getEmail {
        my $filename = shift;

        open( my $fh, '<', $filename ) or do { warn "cannot open $filename: $!\n"; return };
        while ( my $line = <$fh> ) {
                next if $line =~ /^\s*$/;
                # the local part also allows . and -; /g catches more than one address per line
                while ( $line =~ /\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4})\b/g ) {
                        $emails{$1} = 1;
                }
        }
        close $fh;
}
__END__
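As an added example, not the author's code, here is a follow-on that covers the spam-template parser mentioned earlier on this page (the From, To, Subject, User-Agent and Message-ID fields the templates are assembled from) together with the first TODO items above: unique hostnames through URI->host and a per-domain count of email addresses. Given tcpflow output files as arguments it summarizes each; with none it parses a constructed message that copies the sample in the script header and adds made-up From, Message-ID, mirror-URL and contact-address lines. The `parse_message`, `extract_urls`, `email_domains` and `summarize` names are mine.

```perl
#!/usr/bin/perl
# Added example, not the page's script.  Pulls the fields the spam templates are
# assembled from (From, To, Subject, User-Agent / X-Mailer, Message-ID), every URL
# and the unique hostnames behind them (URI->host), and a per-domain count of
# email addresses.  Arguments are tcpflow output files; with none, the constructed
# message below is parsed instead.
use strict;
use warnings;
use URI;
use URI::Find;

my @FIELDS = qw(From To Subject User-Agent X-Mailer Message-ID);

# Split a message into a header hash (folded lines joined, names lowercased) and body.
sub parse_message {
    my ($text) = @_;
    my ( $head, $body ) = split /\r?\n\r?\n/, $text, 2;
    $body = '' unless defined $body;
    $head =~ s/\r?\n[ \t]+/ /g;                       # unfold continuation lines
    my %h;
    for my $line ( split /\r?\n/, $head ) {
        $h{ lc $1 } = $2 if $line =~ /^([\w-]+):\s*(.*)$/;
    }
    return ( \%h, $body );
}

# All URLs in the text and the unique hostnames they point at.
sub extract_urls {
    my ($text) = @_;
    my ( %urls, %hosts );
    find_uris(
        $text,
        sub {
            my ( $uri, $orig ) = @_;
            $urls{$orig} = 1;
            $hosts{ lc $uri->host } = 1 if $uri->can('host') && defined $uri->host;
            return $orig;                             # leave the text as it was
        }
    );
    return ( [ sort keys %urls ], [ sort keys %hosts ] );
}

# Addresses seen, grouped by domain (From, To and Message-ID domains all count).
sub email_domains {
    my ($text) = @_;
    my %by_domain;
    $by_domain{ lc $1 }++ while $text =~ /\b[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b/g;
    return \%by_domain;
}

sub summarize {
    my ($text) = @_;
    my ( $h, undef ) = parse_message($text);
    my ( $urls, $hosts ) = extract_urls($text);
    my %hdr = map { $_ => $h->{ lc $_ } } grep { exists $h->{ lc $_ } } @FIELDS;
    return { headers => \%hdr, urls => $urls, hosts => $hosts, domains => email_domains($text) };
}

sub report {
    my ( $label, $s ) = @_;
    print "== $label\n";
    printf "  %-11s %s\n", "$_:", $s->{headers}{$_} for grep { exists $s->{headers}{$_} } @FIELDS;
    print "  url:  $_\n" for @{ $s->{urls} };
    print "  host: $_\n" for @{ $s->{hosts} };
    printf "  mail: %-20s %d\n", $_, $s->{domains}{$_} for sort keys %{ $s->{domains} };
}

# Constructed sample: the header from the script above plus made-up From, Message-ID,
# mirror URL and contact address lines.
my $SAMPLE = <<'EOM';
From: "Tina" <tina@example.net>
To: <sms5672@daum.net>
Subject: Holidays are near, but u know how not to give hangover a chance
Date: Sat, 19 Apr 2008 12:13:18 -0400
Message-ID: <20080419161318.GA2211@example.net>
X-Mailer: Microsoft Outlook Express 5.50.4133.2499
Content-Type: text/plain;
        format=flowed;
        charset="windows-1250"

Make your housewife happy with our original blue colored-tab!is http://starfoxguide.com
Also at http://www.starfoxguide.com/promo?id=7 or ask sales@example.org
EOM

if (@ARGV) {
    local $/;                                         # slurp each file whole
    for my $file (@ARGV) {
        open( my $fh, '<', $file ) or do { warn "cannot open $file: $!\n"; next };
        my $text = <$fh>;
        close $fh;
        report( $file, summarize($text) );
    }
}
else {
    report( 'constructed sample', summarize($SAMPLE) );
}
```

Note that `find_uris` takes its first argument by reference and writes the callback's return value back into it, which is why the callback returns `$orig` untouched. The header parser keys on the field names, so a template that spoofs X-Mailer rather than User-Agent still shows up; and collapsing URLs to `$uri->host` is what turns the raw URL list into something you can feed to the fast-flux check higher up on this page.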

Reconfiguring CPAN


Just a reminder that if you want to reconfigure CPAN:
1. perl -MCPAN -e shell
2. cpan> o conf init

The init option walks through every configuration question, which can take a while. Individual settings can be changed instead with the other o conf commands; for example, to list, remove and add mirror sites and then save the change to disk:

cpan> o conf urllist
urllist
ftp://ftp.kernel.org/pub/CPAN/
Type 'o conf' to view configuration edit options


cpan> o conf urllist shift

cpan> o conf urllist push ftp://ftp-mirror.internap.com/pub/CPAN/

cpan> o conf urllist
urllist
ftp://ftp-mirror.internap.com/pub/CPAN/
Type 'o conf' to view configuration edit options


cpan> o conf commit
commit: wrote /usr/local/lib/perl5/5.6.1/CPAN/Config.pm

To edit the configuration file by hand instead, either open the user-specific ~/.cpan/CPAN/MyConfig.pm directly, or edit the system-wide CPAN/Config.pm, which lives under one of the directories in perl's @INC path list (the `o conf commit` output above shows where it was written).

More information can be found at: http://sial.org/howto/perl/life-with-cpan/.

Someone (using perl) parses an excel spreadsheet into a ms access table..check it out, here is the LINK

Here is a problem I ran into when passing multiple arrays with SOAP: it seemed that when I passed multiple arrays into the function, it concatenated all arrays into one array when passing that into the function. So to solve my problem, I used a %HoA (hash of arrays) where the key is the array name, which works fine for me. I also forgot to accept the $class (package name); this might have been the problem all along, however, using a hash of arrays seemed more efficient. Below is an example of what I did:

About this Archive

This page is an archive of recent entries in the Perl category.
