rogerdodger Posted October 4, 2012 Share Posted October 4, 2012 i just discovered a file on my server that was created by my script from what appears to be a penetration test. now i have a file named " somecustominjectedheaderinjectedbywvs" but I cannot see or delete it on my apache server (through ssh). i discovered from a php script that was reading a directory. it printed out this file name as a result of this loop: foreach("/mydir/" as $file){ throush ssh i cannot remove the file because it doesn't exist. also PHP cannot open the file becuase it doesn't exist although it shows up in my scandir() result. Can someone please help me to get rid of it as it shouldn't be there? i also found another file that looks like it was named after a bash command that I cannot also remove. Please help Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted October 4, 2012 Share Posted October 4, 2012 foreach("/mydir/" as $file){ That's not your code, that would throw an error. You're saying the filesystem doesn't see it, but PHP does? If your server is compromised, you need to shut down its access to the internet right now and fix it. It could be involved in any number of things, including the DDoS that took down six major banks this week. Shut it down. Once it's shut down, remove any files that shouldn't be there or simply wipe the hard drive and restore from a backup. Quote Link to comment Share on other sites More sharing options...
rogerdodger Posted October 4, 2012 Author Share Posted October 4, 2012 thanks. no thats not the exact code. But yes PHP sees it but the filesystem doesn't i guess. also php cannot open the file either. Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted October 4, 2012 Share Posted October 4, 2012 PHP's unlink() deletes files. Quote Link to comment Share on other sites More sharing options...
rogerdodger Posted October 5, 2012 Author Share Posted October 5, 2012 thanks. i was able to get rid of them with unlink() also, strange that scandir() was able to see 3 files with the same name and readdir() did not see these files at all. also could not remove them with bash command rm also, i don't think my server was compromised since the attacker was assuming the POST was being used in a db. is there a better way of cleaning POST requests? Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted October 5, 2012 Share Posted October 5, 2012 You had files on your filesystem named after a common hacking tool, your server was compromised. What was the actual problem? There's hundreds of ways to cleanse $_POST, it depends on what the data is. Quote Link to comment Share on other sites More sharing options...
DavidAM Posted October 7, 2012 Share Posted October 7, 2012 file named " somecustominjectedheaderinjectedbywvs" I assume you cut and pasted that filename. I notice a space inside the double-quote, before the "s". It is possible the first "character" of the name was an ANSI escape sequence designed to change the font color or otherwise hide the name from the command line. Since the browser does not interpret ANSI escape sequences, you could see it from the PHP script and that sequence rendered as a space. rm *injectedbywvs should have removed it/them (assuming you don't have any other files you want to keep that end with that string). Quote Link to comment Share on other sites More sharing options...
ManiacDan Posted October 7, 2012 Share Posted October 7, 2012 Good catch David, that's probably what it was. Non-printing characters in the filename. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.