ladydi711

Well-Known Member
Sep 4, 2001
140
6
318
I've been doing some security monitoring, and I'm wondering what this directory is for?

I have found some sub-directories with 777 permissions and malicious scripts being loaded into some of them.

Anyone know what this is for?

Thanks in Advance,
Diane
 

ladydi711

Here is the file list from /home/dot-cpan* and /home/dot-cpan-060422/build
build/Readonly-1.03 and build/Term-ReadLine-Perl-1.03 are the directories that I found files in.

Thanks

cd /home
ls -la dot-cpan*
total 6732
drwxr-xr-x 5 root root 4096 Apr 12 2005 ./
drwxr-xr-x 70 root root 4096 Oct 7 11:38 ../
drwxr-xr-x 51 root root 4096 Apr 22 06:24 build/
drwxr-xr-x 3 root root 4096 Apr 12 2005 Bundle/
-rw-r--r-- 1 root root 6857377 Apr 22 06:22 Metadata
drwxr-xr-x 4 root root 4096 Mar 11 2006 sources/

cd dot-cpan/build
ls -la
total 204
drwxr-xr-x 51 root root 4096 Apr 22 06:24 ./
drwxr-xr-x 5 root root 4096 Apr 12 2005 ../
drwxr-xr-x 6 501 501 4096 Apr 22 06:22 Archive-Tar-1.29/
drwxr-xr-x 7 1000 users 4096 Apr 22 06:22 Archive-Zip-1.16/
drwx------ 4 501 games 4096 Apr 22 06:22 BSD-Resource-1.25/
drwxr-xr-x 3 1000 1000 4096 Apr 22 06:23 Business-OnlinePayment-2.01/
drwxr-xr-x 4 1000 1000 4096 Apr 22 06:23 Business-OnlinePayment-AuthorizeNet-3.15/
drwxr-xr-x 6 1001 1001 4096 Dec 24 2005 CGI.pm-3.15/
drwxr-xr-x 6 1001 1001 4096 Apr 22 06:23 CGI.pm-3.19/
drwxr-xr-x 6 501 games 4096 Apr 22 06:24 Class-Std-Utils-0.0.2/
drwxr-xr-x 7 501 501 4096 Apr 22 06:24 Class-Std-v0.0.8/
drwxr-xr-x 7 1000 1000 4096 Dec 24 2005 CPAN-1.80/
drwxr-xr-x 7 1000 1000 4096 Jan 3 2006 CPAN-1.81/
drwxr-xr-x 6 500 proftpd 4096 Apr 22 06:23 Crypt-SSLeay-0.51/
drwxr-xr-x 4 1000 users 4096 Apr 22 06:23 Digest-SHA1-2.11/
drwxr-xr-x 5 501 games 4096 Jan 11 2006 Digest-SHA-5.32/
drwxr-xr-x 4 501 501 4096 Apr 22 06:23 File-Copy-Recursive-0.20/
drwxr-xr-x 3 root root 4096 Apr 22 06:23 Filesys-Statvfs_Statfs_Df-0.79/
drwxr-xr-x 4 10008 dip 4096 Apr 22 06:23 File-Tail-0.99.3/
drwxr-xr-x 5 113 wheel 4096 Jan 11 2006 File-Temp-0.16/
drwxr-xr-x 6 1000 users 4096 Apr 22 06:23 GDGraph-1.4307/
drwxr-xr-x 7 1000 users 4096 Apr 22 06:22 HTML-Parser-3.51/
drwxr-xr-x 6 500 proftpd 4096 Apr 22 06:23 HTML-Template-2.8/
drwxr-xr-x 6 501 501 4096 Apr 22 06:23 IO-Interactive-v0.0.3/
drwxr-xr-x 9 501 501 4096 Apr 22 06:23 IO-Socket-SSL-0.97/
drwx--S--- 3 500 200 4096 Apr 22 06:23 IO-Stty-.02/
drwxr-xr-x 14 1832 1832 4096 Apr 22 06:23 Mail-SpamAssassin-3.1.1/
drwxr-xr-x 7 501 501 4096 Apr 22 06:22 Module-Build-0.2612/
drwxr-xr-x 7 1001 1001 4096 Jan 11 2006 Module-Signature-0.51/
drwxr-xr-x 7 501 501 4096 Dec 14 2005 Net-DNS-0.55/
drwxr-xr-x 7 501 80 4096 Apr 22 06:24 Net-DNS-0.57/
drwx------ 7 500 proftpd 4096 Apr 22 06:24 Net-OSCAR-1.925/
drwx--x--x 5 1000 1000 4096 Dec 28 2005 Net_SSLeay.pm-1.30/
drwxr-xr-x 5 501 501 4096 Dec 28 2005 PathTools-3.15/
drwxr-xr-x 6 31978 2000 4096 Apr 22 06:24 Quota-1.5.1/
drwxrwxrwx 4 root root 4096 Oct 9 14:42 Readonly-1.03/
drwxr-xr-x 6 500 proftpd 4096 Apr 22 06:23 Scalar-List-Utils-1.18/
drwxr-xr-x 7 502 502 4096 Apr 22 06:24 SOAP-Lite-0.67/
drwxrwxrwx 9 root root 4096 Apr 22 06:23 Spreadsheet-WriteExcel-2.16/
drwxrwxrwx 4 root root 4096 Oct 9 14:48 Term-ReadLine-Perl-1.03/
drwxr-xr-x 4 1000 513 4096 Apr 22 06:23 Text-CSV_XS-0.23/
drwxr-xr-x 4 501 501 4096 Apr 22 06:24 Tie-Watch-1.2/
drwxr-xr-x 5 500 users 4096 Apr 22 06:23 TimeDate-1.16/
drwx------ 6 501 games 4096 Dec 17 2005 Time-HiRes-1.86/
drwx------ 6 501 games 4096 Apr 22 06:24 Time-HiRes-1.87/
drwxr-xr-x 4 501 501 4096 Apr 22 06:24 Unix-PID-v0.0.6/
drwxr-xr-x 8 1000 users 4096 Apr 22 06:22 version-0.59/
drwxr-xr-x 4 501 games 4096 Apr 22 06:24 XML-NamespaceSupport-1.09/
drwxr-xr-x 7 501 501 4096 Apr 22 06:24 XML-SAX-0.13/
drwxr-xr-x 5 1000 1000 4096 Apr 22 06:24 XML-Simple-2.14/
drwxr-xr-x 5 501 501 4096 Jan 9 2006 YAML-0.50/
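
A check for the condition described in this thread, added here as an example and not part of the original posts: it lists world-writable directories under a CPAN build tree and the files recently written inside them. The function names and the 7-day default window are assumptions; the path in the usage comment is the one from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a CPAN build tree for
# world-writable directories and for files recently written inside them.
# Function names and the default 7-day window are illustrative assumptions.

# Print every directory under $1 that has the "other write" bit set
# (e.g. drwxrwxrwx). -xdev keeps find on the same filesystem.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# Print regular files modified within the last $2 days (default 7) that
# live anywhere below a world-writable directory under $1. Files unpacked
# from a module tarball normally keep old timestamps, so recent files in
# such a directory deserve a closer look.
recent_files_in_writable_dirs() {
    days=${2:-7}
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -xdev -type f -mtime "-$days" 2>/dev/null
    done | sort -u
}

# Usage when run directly with a path argument, for example:
#   sh audit_cpan_build.sh /home/dot-cpan/build 7
if [ -n "${1:-}" ]; then
    echo "World-writable directories under $1:"
    world_writable_dirs "$1"
    echo "Files modified in the last ${2:-7} days inside them:"
    recent_files_in_writable_dirs "$1" "${2:-7}"
fi
```

Directories flagged by the first function can be tightened with `chmod o-w` once their contents have been reviewed and preserved for analysis.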