Urgent Help! Unknown script access my server

I found the following command here. I thought it was a benchmark test script, so I ran it on my server and saw it access all my server directory files and many things. I am scared now. What is this, actually? Can anybody help me, please? How do I uninstall this? I also got the following message after running it.

You know what? If you're reading this, then congratulations.
Many people will mindlessly run any benchmark or script or who knows what
-- this really isn't a good idea. Someone could gain full access
to your system and if you are lucky, they will tell you. But the more likely option is that they'll
perform some and you will be held responsible. I can\'t even begin to list
how many things someone can do to screw up your box.
#
If you notice someone mindlessly downloading something and running it
as root, (or toor, for you nerds), do me a favor and remind them of
the possible consequences.
#
Update: It's twenty f*ing eighteen. Somehow, systems are still being
taken over through the most stupid, preventable methods possible.
Seriously. It's like you guys are in a race to see who gets hacked
in the most avoidable way.
#
Update for 2020: I give up :p
#
- Andrew / FlamesRunner
#
Note: This script employs analytics. Rest assured, I don't collect
any personal data. To keep track of the number of unique users that
have run this, I store your IP address as a SHA256 hash. That way,
it cannot be used for anything but for what it was intended to do.

Comments

  • dammit bobby!

  • FAT32 Administrator, Deal Compiler Extraordinaire

    Well, you shouldn't simply run an unknown script in the first place. Anyway, that script is just echoing stuff and noting down 1 more victim that runs the script, nothing dangerous actually happens.

    You can open the .sh file and you will know what it does.

  • @FAT32 said:
    Well, you shouldn't simply run an unknown script in the first place. Anyway, that script is just echoing stuff and noting down 1 more victim that runs the script, nothing dangerous actually happens.

    You can open the .sh file and you will know what it does.

    this is what I found in the .sh

    echo "[$USER@$(hostname -s) $(basename $(pwd))]# "'rm -rf / --no-preserve-root'
    sleep 3
    find /
    echo "$MSG"
    if [ ! -z $(type curl | grep "not found") ]; then
    curl -sS "https://s.flamz.pw/analytics/bench/" &> /dev/null
    OUT=$(curl -s "https://s.flamz.pw/analytics/bench/stats.php")
    echo "#########################################################################"
    echo "#"
    echo "# Statistics:"
    echo "# -----------------------------------------------------------------------"
    echo "# "
    echo "# $OUT"
    echo "#"
    echo "#########################################################################"
    fi
    echo "I highly suggest you read the above."
    echo "TL;DR: Inspect things before running them."

  • for extra credit: https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

    now u pay me bitcoins or i haxor ur oatmeal again!!!

  • MikeA Member, Patron Provider

    really?

    Thanked by 1FlamesRunner
  • Falzo Member

    host4bot said: I am scared now

    you better are!

    you should not be allowed anywhere near a server. especially after expressing your lack of understanding by coming here to post and complain instead of silently hiding after learning what you did wrong and be happy that nothing serious happened.

  • ...idiot.

  • Neoon Community Contributor, Veteran

    Welcome to LET, you have been trolled.

  • angstrom Moderator

    @host4bot said: I found the following command here. I thought it was a benchmark test script, so I ran it on my server and saw it access all my server directory files and many things. I am scared now. What is this, actually? Can anybody help me, please? How do I uninstall this? I also got the following message after running it.

    Congrats on your second discussion

  • @Neoon said:
    Welcome to LET, you have been trolled.

    glad to know

  • @angstrom said:

    @host4bot said: I found the following command here. I thought it was a benchmark test script, so I ran it on my server and saw it access all my server directory files and many things. I am scared now. What is this, actually? Can anybody help me, please? How do I uninstall this? I also got the following message after running it.

    Congrats on your second discussion

    thanks

  • @SCAM_DONT_BUY said:
    ...idiot.

    yes I am

  • @Falzo said:

    host4bot said: I am scared now

    you better are!

    you should not be allowed anywhere near a server. especially after expressing your lack of understanding by coming here to post and complain instead of silently hiding after learning what you did wrong and be happy that nothing serious happened.

    I maybe don't know that much. I appreciate you if you know me what the script about.

  • SCAM_DONT_BUY Member
    edited April 2020

    host4bot said: I maybe don't know that much. I appreciate you if you know me what the script about.

    You should follow these steps:

    1. Go to your provider's website
    2. Log in and cancel your service
    3. Go to LowEndTalk (You're here!)
    4. Press the sign out button on the top right
    5. Never come back

    Thanks in advance.

    Edit: The script says you should run this command for the benchmark:

    rm -rf / --no-preserve-root

    EDIT2: Happy Easter!

  • @SCAM_DONT_BUY said:

    host4bot said: I maybe don't know that much. I appreciate you if you know me what the script about.

    You should follow these steps:

    1. Go to your provider's website
    2. Log in and cancel your service
    3. Go to LowEndTalk (You're here!)
    4. Press the sign out button on the top right
    5. Never come back

    Thanks in advance.

    I just want help buddy. I am a newbie. So I need this place to discuss my problems.

  • Falzo Member

    host4bot said: I appreciate you if you know me what the script about.

    READ and UNDERSTAND what the developer wrote on your screen (and what you posted above). now I know you what the script about?

  • @Falzo said:

    host4bot said: I appreciate you if you know me what the script about.

    READ and UNDERSTAND what the developer wrote on your screen (and what you posted above). now I know you what the script about?

    I read multiple times but I don't understand a single point.

  • angstrom Moderator

    @SCAM_DONT_BUY said: Edit: The script says you should run this command for the benchmark:

    rm -rf / --no-preserve-root

    Don't be mean on Easter Sunday! :smile:

    Thanked by 2FAT32 DarkCarnage
  • angstrom said: Don't be mean on Easter Sunday!

    Done.

  • angstrom Moderator

    @host4bot

    Since it's Easter, try to do ls / . If you see a number of directories, everything is okay. Just delete bench.sh and enjoy Easter.

    Try to learn from this experience: do not simply execute random scripts from the internet.

  • Jord Moderator, Host Rep

  • Falzo Member

    host4bot said: I read multiple times but I don't understand a single point.

    better stay far away from the internet then. it's a dangerous and scary place to be.

  • @SCAM_DONT_BUY said:

    host4bot said: I maybe don't know that much. I appreciate you if you know me what the script about.

    You should follow these steps:

    1. Go to your provider's website
    2. Log in and cancel your service
    3. Go to LowEndTalk (You're here!)
    4. Press the sign out button on the top right
    5. Never come back

    Thanks in advance.

    Edit: The script says you should run this command for the benchmark:

    rm -rf / --no-preserve-root

    EDIT2: Happy Easter!

    I won't be surprised if OP actually did what you suggested

  • Backup all of your essential files (At least you can wipe the server afterwards)
    If you try to save it, use firewall to lock down all ports (except your ip) and see what you can do with it.
    If you want to start fresh, reinstall the OS and your apps.

  • jackb Member, Host Rep
    edited April 2020

    @greattomeetyou said:
    Backup all of your essential files (At least you can wipe the server afterwards)
    If you try to save it, use firewall to lock down all ports (except your ip) and see what you can do with it.

    I think it's pretty clear OP doesn't have the knowledge required for that. Luckily in this case nothing harmful was done, but OP should reconsider his line of work.

    On another note backing up files for restore after reinstall from a compromised system should be a measure of last resort. You don't know for sure what might have been tampered with.

  • edited April 2020

    @jackb said:

    @greattomeetyou said:
    Backup all of your essential files (At least you can wipe the server afterwards)
    If you try to save it, use firewall to lock down all ports (except your ip) and see what you can do with it.

    I think it's pretty clear OP doesn't have the knowledge required for that. Luckily in this case nothing harmful was done, but OP should reconsider his line of work.

    On another note backing up files for restore after reinstall from a compromised system should be a measure of last resort. You don't know for sure what might have been tampered with.

    Remember not to lock yourself out when using firewall...
    So, backup everything NOW!

    When you restore from this backup, don't restore bashrc, binary, scripts, etc unless you inspect them. You have to treat them as tainted.

  • @angstrom said:
    @host4bot

    Since it's Easter, try to do ls / . If you see a number of directories, everything is okay. Just delete bench.sh and enjoy Easter.

    Try to learn from this experience: do not simply execute random scripts from the internet.

    thank you so much, dear. I am learning but here everyone is talking like you have to be pro if you wanna post here. Thanks again, man.

    Thanked by 1angstrom
  • jackb Member, Host Rep
    edited April 2020

    @host4bot said:
    thank you so much, dear. I am learning but here everyone is talking like you have to be pro if you wanna post here. Thanks again, man.

    My main gripe is it is clear from your username that you intend to provide some form of hosting services to customers.

    There is a basic level of expected knowledge and intuition expected from providers - it's fine to make huge but simple mistakes and learn from them as a user. As a provider it is an indicator that your customers are going to have a bad time.

    It is important that you learn before you try selling.

  • angstrom Moderator
    edited April 2020

    @host4bot said:

    @angstrom said:
    @host4bot

    Since it's Easter, try to do ls / . If you see a number of directories, everything is okay. Just delete bench.sh and enjoy Easter.

    Try to learn from this experience: do not simply execute random scripts from the internet.

    thank you so much, dear. I am learning but here everyone is talking like you have to be pro if you wanna post here. Thanks again, man.

    Rest assured that that script (bench.sh) doesn't modify anything on your system, so you don't need to worry about this. Its purpose is more to scare anyone who runs it who doesn't inspect it first.

    There are well-known benchmarking scripts that you can trust (e.g., https://github.com/masonr/yet-another-bench-script ), but even in this case you should exercise a little caution: for example, you should download a well-known benchmarking script only from its official/authoritative site.

    Thanked by 1host4bot
  • Saahib Host Rep, Veteran

    Well, I suggest you give a few days to this thing. If you have some previous knowledge of programming and Linux, then in a matter of hours you will know what you are doing, else it may take a couple of days but will be worth it.
    https://ryanstutorials.net/bash-scripting-tutorial/

    Thanked by 1host4bot
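
The advice given in the thread (open the .sh file and read it before running it), as an added example that is not part of the thread or of bench.sh: a POSIX shell helper that lists the lines of a saved script worth reading first, and tells a destructive command that is only echoed, like the fake rm prompt quoted above, from one that would run. The function names and category labels are assumptions of this example; the sample lines are copied from the script quoted above and are written to a file as text, never executed.

```shell
#!/bin/sh
# Added example, not from the thread: flag lines of a saved script to read
# before running it. A heuristic to direct a manual read, not a verdict.

triage_script() {
    # $1 = script saved to disk first (never piped straight into a shell)
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next    # blanks and comments
        split(line, word, /[ \t]+/)
        # echo/printf only display text, unless the rm sits inside a
        # command substitution, which the shell does execute.
        shown = (word[1] == "echo" || word[1] == "printf") &&
                line !~ /(\$\(|`)[ \t]*rm[ \t]/
        if (line ~ /(curl|wget)[ \t].*https?:\/\//)
            printf "%d:NETWORK:%s\n", NR, line
        if ((" " line) ~ /[^A-Za-z0-9_]rm[ \t]+-[A-Za-z]*[rR]/)
            printf "%d:%s:%s\n", NR, (shown ? "PRINTED-ONLY" : "DESTRUCTIVE"), line
        if ((line " ") ~ /^find[ \t]+\/[ \t]/)
            printf "%d:FS-WALK:%s\n", NR, line
    }' "$1"
}

write_sample() {
    # Sample input: lines copied from the script quoted in this thread,
    # stored as plain text. Nothing in it is executed or fetched.
    cat > "$1" <<'EOF'
echo "[$USER@$(hostname -s) $(basename $(pwd))]# "'rm -rf / --no-preserve-root'
sleep 3
find /
echo "$MSG"
if [ ! -z $(type curl | grep "not found") ]; then
curl -sS "https://s.flamz.pw/analytics/bench/" &> /dev/null
OUT=$(curl -s "https://s.flamz.pw/analytics/bench/stats.php")
fi
EOF
}

sample=$(mktemp)
write_sample "$sample"
triage_script "$sample"
rm -f "$sample"
```

Each output line has the form line-number:category:text, so the findings can be checked against the file in an editor before deciding whether to run it.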