From: Joel Goldstick
To: tromeo@mdlogix.com
Cc: "python-list@python.org"
Newsgroups: comp.lang.python
Date: Tue, 30 Apr 2013 11:36:48 -0400
Subject: Re: shmid = shmget(SHM_KEY, SHM_SIZE, 0o666) - syntax error.



On Tue, Apr 30, 2013 at 11:27 AM, <tromeo@mdlogix.com> wrote:

> Please help me to debug
>
> -------
> shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
>                                       ^
> SyntaxError: invalid syntax

If you google 0o666 python you see that some versions of Python need 0666.

It was unclear to me whether this changed after 2.6.  Does anyone else have experience with this?

> ----
> here is the code
> Ref: http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
>
> ---
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> #
> # This script dumps the content of a shared memory block
> # used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
> # when the machine is infected.
> #
> # Some of the data is encrypted. If your server is infected and you
> # would like to help, please send the httpd_cdorked_config.bin
> # to our lab for analysis. Thanks!
> #
> # Marc-Etienne M.Léveillé <leveille@eset.com>
> #
>
> from ctypes import *
>
> SHM_SIZE = 6118512
> SHM_KEY = 63599
>
> OUTFILE="httpd_cdorked_config.bin"
>
> try:
>   rt = CDLL('librt.so')
> except:
>   rt = CDLL('librt.so.1')
>
> shmget = rt.shmget
> shmget.argtypes = [c_int, c_size_t, c_int]
> shmget.restype = c_int
> shmat = rt.shmat
> shmat.argtypes = [c_int, POINTER(c_void_p), c_int]
> shmat.restype = c_void_p
>
> shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
> if shmid < 0:
>   print "System not infected"
> else:
>   addr = shmat(shmid, None, 0)
>
>   f = file(OUTFILE, 'wb')
>   f.write(string_at(addr,SHM_SIZE))
>   f.close()
>
>   print "Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE)
>
>
> --
> http://mail.python.org/mailman/listinfo/python-list



--
Joel Goldstick
http://joelgoldstick.com
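
Added example, not part of the thread or of the quoted ESET script: the same shared-memory check written so that it does not depend on the octal-literal spelling the thread is about. `0666` is accepted only by Python 2, `0o666` by Python 2.6 and later (including Python 3), and `int("666", 8)` by every version. The key and size are the ones in the quoted script; the function names, the read-only attach and the errno handling are choices made for this example, which assumes Linux and Python 2.6 or later.

```python
import ctypes
import errno
import os

SHM_KEY = 63599               # key used in the quoted script
SHM_SIZE = 6118512            # size used in the quoted script
MODE = int("666", 8)          # same value as 0666 / 0o666, no octal literal
SHM_RDONLY = int("10000", 8)  # Linux <sys/shm.h>: attach read-only

libc = ctypes.CDLL(None, use_errno=True)  # shmget/shmat/shmdt are in libc
libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
libc.shmget.restype = ctypes.c_int
libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
libc.shmat.restype = ctypes.c_void_p
libc.shmdt.argtypes = [ctypes.c_void_p]


def read_segment(key, size, mode=MODE):
    """Return `size` bytes of an existing segment, or None if the key is absent."""
    # No IPC_CREAT, so this only looks a segment up. shmget fails with EINVAL
    # when the segment is smaller than `size`, so the read stays in bounds.
    shmid = libc.shmget(key, size, mode)
    if shmid < 0:
        err = ctypes.get_errno()
        if err == errno.ENOENT:
            return None
        raise OSError(err, os.strerror(err))
    addr = libc.shmat(shmid, None, SHM_RDONLY)
    if addr is None or addr == ctypes.c_void_p(-1).value:  # (void *)-1 on error
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    try:
        return ctypes.string_at(addr, size)
    finally:
        libc.shmdt(addr)


def dump_segment(key, size, outfile):
    data = read_segment(key, size)
    if data is None:
        return None
    with open(outfile, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    n = dump_segment(SHM_KEY, SHM_SIZE, "httpd_cdorked_config.bin")
    print("System not infected" if n is None else "Dumped %d bytes" % n)
```

Unlike the quoted script, a permission or size error raises `OSError` here; only a missing key (`ENOENT`) is reported as "System not infected".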