
.NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 4:53 pm
by bluebay
Hi Folks,

I am a .NET programmer so know very little about PHP.

One of my client's websites, built using .NET, was recently compromised and 2 folders containing a single PHP script were somehow added to the root of their site. The folders had gibberish names like "bkzrw" and "cftyu". The PHP scripts in both folders were exactly the same but had different file names.

I can't seem to upload the file as an attachment to this forum and I don't want to post the code directly in case it falls into the wrong hands so if anyone would like to help me further with this, please contact me and I will send you the PHP file.

This file may be malicious so PLEASE do not run it on your own machine. I would just like someone to browse the file via a text editor and interpret it that way if possible.

I have never had this type of thing happen before so I am interested to learn all I can about this to try and stop it from happening again.

If anyone has any information about how this may have happened, or has experienced something similar, I would also like to hear from you.

I appreciate your help.

Cheers
Kev

Re: .NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 5:00 pm
by requinix
Those things are (a) typically obfuscated really hard, and (b) easily available already. Unless they're really large it'll be easier if you just post them.
More eyes looking at it and such.


As for tracking the hole in the site, you need to find a starting point. One strategy: check dates on the files and compare those with what's in the server access and/or error logs.

Re: .NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 5:10 pm
by bluebay
Thanks for the super fast reply!

I am currently working with my hosting company to try and track how this happened as you mentioned. It does appear that the code is highly obfuscated as you say. Anyway, I have posted the code below. It is quite long.

^^^Code removed for safety's sake :-)^^^^

Thanks again in advance.

Cheers
Kev

Re: .NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 5:34 pm
by McInfo
I just browsed the script. It appears to give a hacker read and write access to files on your server through the browser. The purpose may be to change hyperlinks or otherwise modify your HTML. It also gives the hacker access to system commands.

Re: .NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 6:35 pm
by MrRSMan
Building on what McInfo said, it seems to also automatically alter files in a pre-defined way, rather than simply allowing somebody to do it manually. I suggest firstly removing it from your server, ensuring that you do not visit the page in a browser. Secondly, it's probably not a great idea to have this floating around in a public forum - I'd recommend removing.

Re: .NET programmer needs a PHP file interpreted

Posted: Fri Jun 18, 2010 10:32 pm
by bluebay
Thanks McInfo and MrRSMan for your help with this. I truly appreciate it.

I was nervous about posting the code as well so as I have the answer to my question, I have removed the code from my post.

MrRSMan, I had deleted the files from the server the day I found them. I also changed all my passwords immediately.

I checked the web logs and one of the files had been run once but nothing has happened to my site files that I have found yet.

What I don't understand is how they managed to appear in the file system in the first place. The only account with write privileges is mine and you need a password to initiate it. I always thought my site was pretty secure but I will be revisiting my settings now.

Thanks again for your help guys. It's been very informative. I hope this may help somebody else in the future who suffers the same fate.

Cheers
Kev
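
The log check requinix suggests and bluebay later describes (matching file dates against the access log, and finding requests for the dropped script), as an added example that is not part of any post in the thread. It assumes IIS W3C extended logs, which record UTC by default; the log lines, the file name `x.php`, the upload path and the file timestamp are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2010-06-15 02:10:44 GET /default.aspx 198.51.100.7 200
2010-06-15 02:14:02 POST /admin/upload.aspx 203.0.113.9 200
2010-06-15 02:14:05 GET /bkzrw/x.php 203.0.113.9 200
2010-06-15 09:30:00 GET /contact.aspx 198.51.100.23 200
"""

def parse_w3c(text):
    """Parse W3C extended log text, honouring each #Fields directive."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout may change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def correlate(rows, file_time_utc, dropped_dirs, window=timedelta(minutes=5)):
    """Return (write-type requests near the file time, requests to the dropped folders)."""
    near = [r for r in rows
            if abs(r["ts"] - file_time_utc) <= window
            and r["cs-method"] in ("POST", "PUT")]
    prefixes = tuple("/" + d.lower() + "/" for d in dropped_dirs)
    hits = [r for r in rows if r["cs-uri-stem"].lower().startswith(prefixes)]
    return near, hits

if __name__ == "__main__":
    # Constructed file timestamp; convert local file times to UTC before comparing.
    file_time = datetime(2010, 6, 15, 2, 14, 3)
    near, hits = correlate(parse_w3c(SAMPLE_LOG), file_time, ["bkzrw", "cftyu"])
    for r in near:
        print("near file time:", r["ts"], r["cs-method"], r["cs-uri-stem"], r["c-ip"])
    for r in hits:
        print("dropped script requested:", r["ts"], r["c-ip"], r["sc-status"])
```

Record the suspicious files' timestamps before deleting them, since the correlation depends on those dates.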