>NET programmer needs a PHP file interpreted

bluebay
Forum Newbie
Posts: 3
Joined: Fri Jun 18, 2010 4:30 pm

>NET programmer needs a PHP file interpreted

Post by bluebay »

Hi Folks,

I am a .NET programmer so know very little about PHP.

One of my client's websites, built using .NET, was recently compromised and 2 folders containing a single PHP script were somehow added to the root of their site. The folders had gibberish names like "bkzrw" and "cftyu". The PHP scripts in both folders were exactly the same but had different file names.

I can't seem to upload the file as an attachment to this forum and I don't want to post the code directly in case it falls into the wrong hands so if anyone would like to help me further with this, please contact me and I will send you the PHP file.

This file may be malicious so PLEASE do not run it on your own machine. I would just like someone to browse the file via a text editor and interpret it that way if possible.

I have never had this type of thing happen before so I am interested to learn all I can about this to try and stop it from happening again.

If anyone has any information about how this may have happened, or has experienced something similar, I would also like to hear from you.

I appreciate your help.

Cheers
Kev
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: >NET programmer needs a PHP file interpreted

Post by requinix »

Those things are (a) typically obfuscated really hard, and (b) easily available already. Unless they're really large it'll be easier if you just post them.
More eyes looking at it and such.


As for tracking the hole in the site, you need to find a starting point. One strategy: check dates on the files and compare those with what's in the server access and/or error logs.
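
The strategy suggested in the post above (compare the dropped files' dates with the server access log), sketched as an added example that is not part of the original thread. It assumes IIS-style W3C extended logs with UTC times; the log lines, IP addresses, `/upload.aspx`, `x.php` and the file timestamp are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (assumed IIS; times are UTC).
# IPs, /upload.aspx and x.php are made-up sample values.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-06-15 01:58:01 198.51.100.7 GET /default.aspx 200
2010-06-15 02:13:40 203.0.113.9 POST /upload.aspx 200
2010-06-15 02:14:05 203.0.113.9 GET /bkzrw/x.php 200
2010-06-15 09:30:12 198.51.100.7 GET /contact.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def suspicious_requests(log_text, file_times, dropped_dirs, window_minutes=5):
    """Requests logged close to a dropped file's timestamp, or that
    touch one of the dropped folders. file_times must be UTC datetimes."""
    window = timedelta(minutes=window_minutes)
    prefixes = tuple("/" + d.lower() + "/" for d in dropped_dirs)
    hits = []
    for row in parse_w3c(log_text):
        reasons = []
        if any(abs(t - row["when"]) <= window for t in file_times):
            reasons.append("near-file-time")
        if prefixes and row["cs-uri-stem"].lower().startswith(prefixes):
            reasons.append("dropped-folder")
        if reasons:
            hits.append((row["when"], row["c-ip"], row["cs-method"],
                         row["cs-uri-stem"], reasons))
    return hits

if __name__ == "__main__":
    # Constructed timestamp standing in for the dropped file's creation time.
    created = [datetime(2010, 6, 15, 2, 13, 41)]
    for hit in suspicious_requests(SAMPLE_LOG, created, ["bkzrw", "cftyu"]):
        print(*hit)
```

On a real server, read the timestamps from the filesystem and convert them to UTC before comparing. A file's modified time can be changed after the fact, so requests that touch the dropped folders are the more reliable signal.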
bluebay
Forum Newbie
Posts: 3
Joined: Fri Jun 18, 2010 4:30 pm

Re: >NET programmer needs a PHP file interpreted

Post by bluebay »

Thanks for the super fast reply!

I am currently working with my hosting company to try and track how this happened as you mentioned. It does appear that the code is highly obfuscated as you say. Anyway, I have posted the code below. It is quite long.

^^^Code removed for safety's sake :-)^^^^

Thanks again in advance.

Cheers
Kev
Last edited by bluebay on Fri Jun 18, 2010 10:24 pm, edited 1 time in total.
McInfo
DevNet Resident
Posts: 1532
Joined: Wed Apr 01, 2009 1:31 pm

Re: >NET programmer needs a PHP file interpreted

Post by McInfo »

I just browsed the script. It appears to give a hacker read and write access to files on your server through the browser. The purpose may be to change hyperlinks or otherwise modify your HTML. It also gives the hacker access to system commands.
MrRSMan
Forum Newbie
Posts: 20
Joined: Sun Feb 03, 2008 8:11 am

Re: >NET programmer needs a PHP file interpreted

Post by MrRSMan »

Building on what McInfo said, it seems to also automatically alter files in a pre-defined way, rather than simply allowing somebody to do it manually. I suggest firstly removing it from your server ensuring that you do not visit the page in a browser. Secondly, it's probably not a great idea to have this floating around in a public forum- I'd recommend removing.
bluebay
Forum Newbie
Posts: 3
Joined: Fri Jun 18, 2010 4:30 pm

Re: >NET programmer needs a PHP file interpreted

Post by bluebay »

Thanks McInfo and MrRSMan for your help with this. I truly appreciate it.

I was nervous about posting the code as well so as I have the answer to my question, I have removed the code from my post.

MrRSMan, I had deleted the files from the server the day I found them. I also changed all my passwords immediately.

I checked the web logs and one of the files had been run once but nothing has happened to my site files that I have found yet.

What I don't understand is how they managed to appear in the file system in the first place. The only account with write privileges is mine and you need a password to initiate it. I always thought my site was pretty secure but I will be revisiting my settings now.

Thanks again for your help guys. It's been very informative. I hope this may help somebody else in the future who suffers the same fate.

Cheers
Kev