Lagman (posted August 22, 2023, edited)

Hi there,

We have turned on website monitoring and are getting this alert:

A suspicious file has been found on your system disk. It would be best for you first to confirm that the file meets the legal regulations and proceed.

The company that designed and set up the website doesn't exist any more. It looks like PHP code. I am not sure what it does. Is it safe to leave the file on the website or remove it?

The content of the file is as follows:

```php
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 *
 * @package PhpMyAdmin
 */

/**
 * Gets some core libraries
 */
require_once 'libraries/common.inc.php';
require 'libraries/StorageEngine.class.php';

/**
 * Validate vulnerable POST parameters
 */
if (! PMA_isValid($_POST['pdf_page_number'], 'numeric')) {
    die('Attack stopped');
}

/**
 * get all variables needed for exporting relational schema
 * in $cfgRelation
 */
$cfgRelation = PMA_getRelationsParam();

require_once 'libraries/transformations.lib.php';
require_once 'libraries/Index.class.php';
require_once 'libraries/schema/Export_Relation_Schema.class.php';

/**
 * get all the export options and verify
 * call and include the appropriate Schema Class depending on $export_type
 * default is PDF
 */
$post_params = array(
    'all_tables_same_width',
    'chpage',
    'db',
    'do',
    'export_type',
    'orientation',
    'paper',
    'names',
    'pdf_page_number',
    'show_color',
    'show_grid',
    'show_keys',
    'show_table_dimension',
    'with_doc'
);
foreach ($post_params as $one_post_param) {
    if (isset($_POST[$one_post_param])) {
        $GLOBALS[$one_post_param] = $_POST[$one_post_param];
    }
}

if (! isset($export_type) || ! preg_match('/^[a-zA-Z]+$/', $export_type)) {
    $export_type = 'pdf';
}
PMA_DBI_select_db($db);

$path = PMA_securePath(ucfirst($export_type));
if (!file_exists('libraries/schema/' . $path . '_Relation_Schema.class.php')) {
    PMA_Export_Relation_Schema::dieSchema(
        $_POST['chpage'],
        $export_type,
        __('File doesn\'t exist')
    );
}
require "libraries/schema/".$path.'_Relation_Schema.class.php';
$obj_schema = eval("new PMA_".$path."_Relation_Schema();");
```

Edited August 22, 2023 by requinix (title)

requinix (posted August 22, 2023)

There's no way we can tell you whether this file meets "legal regulations" and, since we don't know anything about you, all we can do to judge whether the file is safe is to venture guesses.

It appears to be a valid file, even if it does some risky things - the scanner may have noticed the "eval" at the bottom, which allows executing arbitrary code - and follows some outdated and discouraged practices, and it does not appear to be malicious.

You should confirm that the file hasn't been modified recently: something like this should not have received any recent modifications, and likely would be dated to the same time frame as many other files on the site.
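
One way to run the modification-date check described in the reply above, as an added example that is not part of the original thread: it lists files in a folder whose modification time is far from the folder's median. The function name `mtime_outliers` and the 30-day window are assumptions made for this illustration.

```python
import os
import statistics
import sys
from datetime import datetime, timezone


def _iso(ts):
    """Format a Unix timestamp as a UTC date-time string."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def mtime_outliers(directory, window_days=30):
    """Return [(name, mtime, ctime)] for regular files whose modification
    time is more than window_days away from the directory's median mtime.

    window_days=30 is an assumed threshold; tune it to how the site was
    deployed (a single upload usually stamps every file within minutes).
    """
    entries = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                entries.append((entry.name, st.st_mtime, st.st_ctime))
    if not entries:
        return []
    median = statistics.median(m for _, m, _ in entries)
    limit = window_days * 86400
    # ctime is reported next to mtime for manual review: on Unix it is the
    # last inode change and cannot be set with touch/utime like mtime can.
    return sorted(
        (name, _iso(m), _iso(c))
        for name, m, c in entries
        if abs(m - median) > limit
    )


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, mtime, ctime in mtime_outliers(target):
        print(f"{name}\tmtime={mtime}\tctime={ctime}")
```

A matching modification date is supporting evidence rather than proof, because anyone with write access to the file can set its mtime. Comparing the file against the same path in an untouched copy of the matching phpMyAdmin release is a stronger check.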

requinix (posted August 22, 2023, marked as Solution)

2 minutes ago, requinix said:

> the scanner may have noticed the "eval" at the bottom, which allows executing arbitrary code

If the scanner cannot be told to ignore this warning, there is a minor modification you can make to the code that I suspect will "resolve" it...

Lagman (author, posted August 22, 2023)

I appreciate the prompt reply. This file date has not changed. It's the same as all the other files in the folder.