shmid = shmget(SHM_KEY, SHM_SIZE, 0o666) - syntax error.

Joel Goldstick joel.goldstick at gmail.com
Tue Apr 30 11:36:48 EDT 2013


On Tue, Apr 30, 2013 at 11:27 AM, <tromeo at mdlogix.com> wrote:

>
> Please help me to debug
>
> -------
> shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
>                                                                    ^
> SyntaxError: invalid syntax
>
> If you google 0o666 python you see that if some version of python need 0666

It was unclear to me whether this changed after 2.6.  Does anyone else have
experience with this?

>
> ----
> here is the code
> Ref:
> http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
>
> ---
> #!/usr/bin/env python
> # -*- coding: utf-8 -*-
> #
> # This script dumps the content of a shared memory block
> # used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
> # when the machine is infected.
> #
> # Some of the data is encrypted. If your server is infected and you
> # would like to help, please send the httpd_cdorked_config.bin
> # to our lab for analysis. Thanks!
> #
> # Marc-Etienne M.Léveillé <leveille at eset.com>
> #
>
> from ctypes import *
>
> SHM_SIZE = 6118512
> SHM_KEY = 63599
>
> OUTFILE="httpd_cdorked_config.bin"
>
> try:
>   rt = CDLL('librt.so')
> except:
>   rt = CDLL('librt.so.1')
>
> shmget = rt.shmget
> shmget.argtypes = [c_int, c_size_t, c_int]
> shmget.restype = c_int
> shmat = rt.shmat
> shmat.argtypes = [c_int, POINTER(c_void_p), c_int]
> shmat.restype = c_void_p
>
> shmid = shmget(SHM_KEY, SHM_SIZE, 0o666)
> if shmid < 0:
>   print "System not infected"
> else:
>   addr = shmat(shmid, None, 0)
>
>   f = file(OUTFILE, 'wb')
>   f.write(string_at(addr,SHM_SIZE))
>   f.close()
>
>   print "Dumped %d bytes in %s" % (SHM_SIZE, OUTFILE)
>
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>



-- 
Joel Goldstick
http://joelgoldstick.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20130430/3fa23375/attachment.html>


More information about the Python-list mailing list