
What's the hacker script Syrian Shell doing?


Doing a site fix after a file was uploaded through an exploit. After examining the file, discovered a script named "Syrian Shell".

I found a version of it on pastebin: http://pastebin.com/raw.php?i=MWRJYFyZ

Does anyone know its core purpose? And how deep it can exploit the system?

I need to clean this particular server so if anyone has experience with it I appreciate your help. Thanks.

Update

For all the weird kiddie hackers who are requesting to see the script, this paste is updated:

http://pastebin.com/kiqz88ce


Solution

  • If your box is compromised, format it, and patch whatever security vulnerability was used in the first place. If you're crying about formatting it, then you clearly don't have a good server provisioning procedure in place. Next time, use standardized (automated) configurations and a configuration management system, like Puppet. Recreating a box doesn't take me personally more than a few keystrokes due to the kickstart configurations and our configuration management server.