Jump to content

Is this file suspicious?


Lagman
Go to solution Solved by requinix,

Recommended Posts

Hi there,

We have turned on website monitoring and getting this alert: A suspicious file has been found on your system disk. It would be best for you first to confirm that the file meets the legal regulations and proceed.

 

The company that designed and set up the website doesn't exist any more. It looks like a PHP code. I am not sure what it does. Is it safe to leave the file on the website or remote it?

The content of the file is as follows:

 

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 *
 * @package PhpMyAdmin
 */

/**
 * Gets some core libraries
 */
require_once 'libraries/common.inc.php';
require 'libraries/StorageEngine.class.php';

/**
 * Validate vulnerable POST parameters
 */
if (! PMA_isValid($_POST['pdf_page_number'], 'numeric')) {
    die('Attack stopped');
}

/**
 * get all variables needed for exporting relational schema
 * in $cfgRelation
 */
$cfgRelation = PMA_getRelationsParam();

require_once 'libraries/transformations.lib.php';
require_once 'libraries/Index.class.php';
require_once 'libraries/schema/Export_Relation_Schema.class.php';

/**
 * get all the export options and verify
 * call and include the appropriate Schema Class depending on $export_type
 * default is PDF
 */

$post_params = array(
    'all_tables_same_width',
    'chpage',
    'db',
    'do',
    'export_type',
    'orientation',
    'paper',
    'names',
    'pdf_page_number',
    'show_color',
    'show_grid',
    'show_keys',
    'show_table_dimension',
    'with_doc'
);
foreach ($post_params as $one_post_param) {
    if (isset($_POST[$one_post_param])) {
        $GLOBALS[$one_post_param] = $_POST[$one_post_param];
    }
}

if (! isset($export_type) || ! preg_match('/^[a-zA-Z]+$/', $export_type)) {
    $export_type = 'pdf';
}
PMA_DBI_select_db($db);

$path = PMA_securePath(ucfirst($export_type));
if (!file_exists('libraries/schema/' . $path . '_Relation_Schema.class.php')) {
    PMA_Export_Relation_Schema::dieSchema(
        $_POST['chpage'],
        $export_type,
        __('File doesn\'t exist')
    );
}
require "libraries/schema/".$path.'_Relation_Schema.class.php';


$obj_schema = eval("new PMA_".$path."_Relation_Schema();");
 

Edited by requinix
title
Link to comment
Share on other sites

There's no way we can tell you whether this file meets "legal regulations" and, since we don't know anything about you, all we can do to judge whether the file is safe is to venture guesses.

It appears to be a valid file, even if it does some risky things - the scanner may have noticed the "eval" at the bottom, which allows executing arbitrary code - and follows some outdated and discouraged practices, and it does not appear to be malicious.

You should confirm that the file hasn't been modified recently: something like this should not have received any recent modifications, and likely would be dated to the same time frame as many other files on the site.

Link to comment
Share on other sites

  • requinix changed the title to Is this file suspicious?
  • Solution
2 minutes ago, requinix said:

the scanner may have noticed the "eval" at the bottom, which allows executing arbitrary code

If the scanner cannot be told to ignore this warning, there is a minor modification you can make to the code that I suspect will "resolve" it...

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.