Had to deal with a rogue PHP based backdoor situation recently. Two remote management scripts were installed somehow that would allow you to do something like what you describe. You probably want to download a fresh copy of the entire site (assuming you don't have remote shell access and/or the desire to use remote *nix commands to do any of this) and see if whatever your favorite editor is has a "find in files" function. Using this, I searched for all the files that may contain the PHP "eval" function, or "fopen" or other commands that could potentially allow editing/creating files or executing *nix commands or arbitrary PHP functions. Also, check the permissions on the files and directories on your site. Another thing I did was to use a version control software to see if any files changed after I redownloaded the site and if any new files were added. I'm sure there's a way to do this with SVN or CVS or GIT or something, but I used a Windows based system called Code Co-op. If/when you find the script that may have allowed this, you can look at your raw web logs and see who was accessing that file. You should be able to at least get their IP address and with that, you can get some information about them. Or just hand it over to the authorities or whatever you want to do. If you're really curious... if you find the backdoor script file, you can modify it to either not function, or appear to function but not really do anything bad, etc. More importantly, you could modify it to collect information (what little you can at least) about the person accessing it. This could include some javascript to get additional information about their browser, OS, etc. Google "Browserhawk" for an example of what information you can get from someone's browser. Anyway, just some thoughts. Good luck! -TG ----- Original Message ----- From: sono-io@xxxxxxxxxxxxx To: php-general@xxxxxxxxxxxxx Date: Sat, 4 Apr 2009 16:12:06 -0700 Subject: Possible Server Infection? > Hi all, > > I was wondering if someone might know about a problem I'm having on > my server. It appears that I've been infected by a rogue PHP > script(?). Something has gone through my server and placed .htaccess > files in every directory that didn't have one with contents that look > like this: > > Options -MultiViews > ErrorDocument 404 //graphics/cc/111152.php > > The path is different for each file and corresponds to the directory > that it's in. The php document name is a different number for each > file I've found. > > Does this sound familiar to anyone? What would be the purpose of > placing files like these in the directories? As far as I know, there > isn't a file called "111152.php" anywhere on my site, so this doesn't > make any sense to me. > > I realize that this is a very general question, but I'm hoping that > someone has seen or heard of this type of thing before and can help me > eliminate the problem. > > I'm using A2 Hosting and they don't know why this happened. > > Thanks, > Frank > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
