latrodectus cyberneticus


latrodectus cyberneticus - probe web for insecure perl installations


Via command line arguments:

latro host1 //host2/bincgi //host3/bincgi/badperl

or via STDIN:

sed 's/ .*//' access_log | sort -u | latro


Latro is designed to probe whether your site or sites you control have been compromised by the insanely idiotic practice of placing a perl executable in the cgi-bin. If you have ever seen anyone post a URL like

then you know they have the problem. This is pathetically pervasive amongst (horrifically mismanaged) sub-Unix web sites.
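To check a server you administer from the filesystem side, the following added example (not part of latro and not the author's code) walks a CGI directory and reports native interpreter binaries, or symlinks to them, that sit where the web server would execute them. The interpreter name list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list of interpreter names; extend it for what your hosts have installed.
INTERPRETER_RE = re.compile(
    r"^(perl|python|ruby|php|tclsh|wish|sh|bash|csh|tcsh|ksh|zsh|cmd|command)"
    r"[\d.]*(\.(exe|com))?$", re.IGNORECASE)
NATIVE_MAGIC = (b"\x7fELF", b"MZ")  # ELF and DOS/PE executable headers

def is_native_binary(path):
    try:
        with open(path, "rb") as fh:
            return fh.read(4).startswith(NATIVE_MAGIC)
    except OSError:
        return False

def find_interpreters(cgi_dir):
    """Return sorted (relative path, reason) pairs for interpreters under cgi_dir."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            path = os.path.join(root, name)
            target = os.path.realpath(path)  # follow symlinks to the real file
            names = (name, os.path.basename(target))
            # A script with a #! line is an ordinary CGI program; only a native
            # binary carrying an interpreter's name is reported.
            if any(INTERPRETER_RE.match(n) for n in names) and is_native_binary(target):
                reason = "symlink to interpreter" if os.path.islink(path) else "interpreter binary"
                findings.append((os.path.relpath(path, cgi_dir), reason))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (all file contents are stand-ins)."""
    with tempfile.TemporaryDirectory() as top:
        cgi = os.path.join(top, "cgi-bin")
        real = os.path.join(top, "usr-bin", "perl5")
        samples = {
            os.path.join(cgi, "counter.pl"): b"#!/usr/bin/perl\nprint 1;\n",
            os.path.join(cgi, "perl.exe"): b"MZ constructed stand-in",
            real: b"\x7fELF constructed stand-in",
        }
        for path, data in samples.items():
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        os.symlink(real, os.path.join(cgi, "run"))
        return find_interpreters(cgi)

if __name__ == "__main__":
    print(demo())
```

A copy of the interpreter saved under an unrelated name is not caught by the name match; comparing file hashes against the installed interpreter would cover that case.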


Robert Heinlein once wrote:
Stupidity cannot be cured with money, or through education, or by legislation. Stupidity is not a sin, the victim can't help being stupid. But stupidity is the only universal capital crime; the sentence is death, there is no appeal, and execution is carried out automatically and without pity.

Consider this program such execution -- or at least the threat thereof.

You can do very evil things with this program. Very evil things. You can execute ANYTHING YOU WANT on their site, even sending over your own binaries instead of just Perl code. Please don't do anything (too) wicked. When you find such sites, please do the responsible and professional thing and mail their cluefully challenged webmaster about the problem.

My goal with this program is to shake up the web a little bit now lest a real poison spider should someday rip it to shreds and blame perl. It's not perl's fault. It's the idiocy of the PC web sites -- and the vendors and docs that tell them to do this ineffably idiotic and evil thing.


Tom Christiansen <>

Last update: Thu Mar 28 17:53:42 MST 1996

Fetch the source code.