Weird file appeared in hosting. Anyone know what it is?

[matmat is verified member.]

Hi,

Hoping that some of you can confirm if this is a normal file or anything malicious? I don't want to take any chances. The website is Wordpress based.

In public_html a file appeared just over a week ago.

Name: ftpd0pFi5.cgi

Code inside:

#!/usr/bin/perl
use strict;
use warnings;

print "Content-Type: text/html\n\n";

unlink $0;
my $root = $ENV{DOCUMENT_ROOT_REAL};

chdir $root;
exec 'tar', 'c', '../.';


Thanks.

 

[TallBloke]

Don't know what that is.

tar is a file archive utility ...so has a backup plugin been installed recently or failed??

 

[davedevelopment]

I'd say that was malicious, the `exec 'tar', 'c', '../.'` is effectively "drop down a directory, zip everything up and send that as the response to the web request".

The `unlink $0` will remove the file(ftpd0pFi5.cgi) as soon as it has been run.

 

[matmat is verified member.]

Thanks for the help,

Regarding what you said TallBloke and the description of what is being run from Dave, this sounds like it could be my hosts full site backup utility. I do actualy remember it failing around the time as I was trying to get a backup to my desktop.

I will keep the file deleted.

Thanks,

Mat