rivdiv
Posted November 27, 2013

The attached PHP files were found in our FTP directories. I'm a .NET developer and we're not sure what they actually do. I want to make sure they're not malicious or anything like that. I feel pretty stupid asking this, but can someone take a quick look and let me know what the code actually does? (On first glance it almost looks like a standard PHP mail class but I'm not naive enough to believe it's just that.) Thank you.

Attachment: kenguruYd9e.zip

rivdiv (Author)
Posted November 27, 2013

Attached is the second file.

Attachment: kenguruW0kWD.zip

ignace (Solution)
Posted November 27, 2013 (edited November 27, 2013 by ignace)

You'd do best to remove these files ASAP. They are used to mail (spam) from your server and it allows them to send arbitrary cmd's to your server. In the order of # rm -rf /

rivdiv (Author)
Posted November 27, 2013

> You'd do best to remove these files asap. They are used to mail (spam) from your server and it allows them to send arbitrary cmd's to your server. In the order of # rm -rf /

Thanks. (We did remove them as soon as we discovered them.)

ignace
Posted November 27, 2013

Simply removing them is not sufficient. You need to change your FTP credentials and try to track down how they were placed on your server and fix it.

rivdiv (Author)
Posted November 27, 2013

> Simply removing them is not sufficient. You need to change your FTP credentials and try to track down how they were placed on your server and fix it.

True. We had changed our credentials as well... but we have yet to find the source. Thanks for the suggestions.
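
Added example, not part of the original thread and not code from the attached files: a Python sweep a defender can run over the web root to find other PHP files of the kind ignace describes, i.e. scripts that send mail or run commands based on request input. The function list, the file extensions and the 30-day window are assumptions chosen for illustration.

```python
import os
import re
import sys
import time

# Assumed indicators (not taken from the attached files): standard PHP
# functions that a spam mailer / command runner of the kind described uses.
EXEC = re.compile(rb"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
MAIL = re.compile(rb"\bmail\s*\(", re.I)
INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|FILES)\b")
PHP_EXT = (".php", ".phtml", ".php5", ".inc")

def triage(root, since_days=30, now=None):
    """Return sorted [(path, [reasons])] for PHP files that need manual review."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # cap the read per file
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if not INPUT.search(data):
                continue  # no direct use of request superglobals
            reasons = []
            if EXEC.search(data):
                reasons.append("runs code or commands and reads request input")
            if MAIL.search(data):
                reasons.append("calls mail() and reads request input")
            if reasons and now - mtime <= since_days * 86400:
                reasons.append("modified in the last %d days" % since_days)
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python triage.py /path/to/webroot
    for path, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(reasons))
```

A legitimate contact form will show up with the mail() reason, so treat the output as a review list and compare each hit against a known-good copy of the site.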