Hello, I found a potentially malicious script on my shared cPanel hosting account. What does this script do, please? Here I'm pasting it safely in text form: http://pastebin.com/5v8h0Hm2
Looks like a Perl script which attempts to extract config files from a load of well-known systems on your webserver. A small search for "ScripT Extracting Config !n Serv ~v² 2o12~" gives a handful of infected servers; I guess you're not the only target. I assume you've already removed this script; if for whatever reason you haven't, do it pronto! Also, I'd suggest researching in which permission scope this script has been put. In the worst-case scenario, all neighboring virtual hosts have been compromised; in that situation I'd suggest informing all the users of your webserver that they've been compromised and that their websites potentially leaked all info from their configs. Advise them to change their credentials for all services related to the website, including the database and all the users registered in the databases. Of course, if you're not the owner of the webserver, then report the situation immediately to the webmaster.
Thanks. Can it be checked anyhow whether this script actually got permissions to read the mentioned config files? Which log files, or how? It is a cPanel/WHM server with CentOS. Thx
I'm not entirely sure how a Perl script would be handled permissions-wise. I'd first check where the script was placed and which owner and group the file was placed under. Also you might want to check the history files of other users (/home/users/{username}/.bash_history) to find out if they ran any suspicious commands. You might want to use "grep" for that. Other than that, I'd assume the worst, to be safe. Edit: I'm not really sure how cPanel's virtual host data is structured, but this script assumes that it's structured in /home/{user}/public_html/. If your paths are different, you might not be compromised. Edit 2: cPanel does seem to handle that structure, according to this page: http://www.webhostingbuzz.com/wiki/common-paths-cpanel-and-whm/
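The checks suggested in the reply above (file ownership of the suspect script, whether neighbouring accounts' config files were readable to it, and grepping shell histories) can be scripted. The following is an added example, not code from the thread; it assumes the cPanel layout /home/<user>/public_html/ mentioned in the reply and GNU stat/find as found on CentOS. The list of config file names is a constructed assumption rather than anything taken from the pastebin script, and the sample /home tree it builds in a temp directory is constructed so the helper runs offline.

```shell
#!/bin/sh
# Post-compromise triage helper (added illustration, not the thread's own code).
# Assumes the cPanel layout /home/<user>/public_html/ and GNU stat/find.
# Reports three things a defender wants after finding such a script:
#   1. the owner, group and mode of the suspect file,
#   2. which neighbouring config files carry the world-read bit, i.e. what a
#      script running under another (non-root) account could have read,
#   3. which shell history files mention a given string.

# Constructed list of common CMS config file names (an assumption, not taken
# from the pastebin script).
CONFIG_NAMES='wp-config.php configuration.php config.php settings.php LocalSettings.php'

# Print "owner group octal-mode" for the suspect file.
file_identity() {
    stat -c '%U %G %a' "$1"
}

# List config files under HOMEROOT/*/public_html/ whose "other" read bit (004) is set.
world_readable_configs() {
    for name in $CONFIG_NAMES; do
        find "$1"/*/public_html -maxdepth 1 -type f -name "$name" -perm -004 2>/dev/null
    done | sort
}

# Number of world-readable config files, for a quick pass/fail check.
world_readable_count() {
    world_readable_configs "$1" | wc -l | tr -d ' '
}

# List .bash_history files under HOMEROOT containing PATTERN as a fixed string.
history_hits() {
    grep -lF -- "$2" "$1"/*/.bash_history 2>/dev/null | sort
}

# Build a constructed sample /home tree in a temp dir so this runs offline.
# Prints the temp root; the caller removes it.
make_sample_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/public_html" "$root/home/bob/public_html"
    printf '<?php // constructed sample\n' > "$root/home/alice/public_html/wp-config.php"
    chmod 644 "$root/home/alice/public_html/wp-config.php"      # world-readable
    printf '<?php // constructed sample\n' > "$root/home/bob/public_html/configuration.php"
    chmod 600 "$root/home/bob/public_html/configuration.php"    # owner only
    printf '#!/usr/bin/perl\n# constructed stand-in, does nothing\n' > "$root/home/bob/public_html/suspect.pl"
    chmod 644 "$root/home/bob/public_html/suspect.pl"
    printf 'ls\nperl suspect.pl\n' > "$root/home/alice/.bash_history"
    printf 'cd public_html\n' > "$root/home/bob/.bash_history"
    echo "$root"
}

# Stand-alone demo against the constructed tree.
demo_root=$(make_sample_layout)
echo "suspect file (owner group mode): $(file_identity "$demo_root/home/bob/public_html/suspect.pl")"
echo "world-readable config files:"
world_readable_configs "$demo_root/home"
echo "history files mentioning 'perl ':"
history_hits "$demo_root/home" "perl "
rm -rf "$demo_root"
```

On a real server you would point `world_readable_configs` and `history_hits` at /home and pass the path of the file you found to `file_identity`. The permission-bit test deliberately checks mode bits rather than trying to read the files, so it gives the same answer whether you run it as root or as an ordinary account; a config file without the world-read bit (and not group-readable by the suspect file's group) could not have been read by a script running under a different cPanel user.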