Re: Possible Server Infection?

Had to deal with a rogue PHP based backdoor situation recently.  Two remote 
management scripts were installed somehow that would allow you to do 
something like what you describe.

You probably want to download a fresh copy of the entire site (assuming you 
don't have remote shell access and/or the desire to use remote *nix 
commands to do any of this) and see if whatever your favorite editor is 
has a "find in files" function.

Using this, I searched for all the files that may contain the PHP "eval" 
function, or "fopen" or other commands that could potentially allow 
editing/creating files or executing *nix commands or arbitrary PHP 
functions.

Also, check the permissions on the files and directories on your site.


Another thing I did was to use a version control software to see if any 
files changed after I redownloaded the site and if any new files were 
added.  I'm sure there's a way to do this with SVN or CVS or GIT or 
something, but I used a Windows based system called Code Co-op.

If/when you find the script that may have allowed this, you can look at 
your raw web logs and see who was accessing that file.  You should be 
able to at least get their IP address and with that, you can get some 
information about them.  Or just hand it over to the authorities or 
whatever you want to do.


If you're really curious... if you find the backdoor script file, you can 
modify it to either not function, or appear to function but not really do 
anything bad, etc.  More importantly, you could modify it to collect 
information (what little you can at least) about the person accessing it.
This could include some javascript to get additional information about 
their browser, OS, etc.  Google "Browserhawk" for an example of what 
information you can get from someone's browser.

Anyway, just some thoughts.  Good luck!

-TG

----- Original Message -----
From: sono-io@xxxxxxxxxxxxx
To: php-general@xxxxxxxxxxxxx
Date: Sat, 4 Apr 2009 16:12:06 -0700
Subject:  Possible Server Infection?

> Hi all,
> 
> 	I was wondering if someone might know about a problem I'm having on  
> my server.  It appears that I've been infected by a rogue PHP  
> script(?).  Something has gone through my server and placed .htaccess  
> files in every directory that didn't have one with contents that look  
> like this:
> 
> Options -MultiViews
> ErrorDocument 404 //graphics/cc/111152.php
> 
> 	The path is different for each file and corresponds to the directory  
> that it's in.  The php document name is a different number for each  
> file I've found.
> 
> 	Does this sound familiar to anyone?  What would be the purpose of  
> placing files like these in the directories?  As far as I know, there  
> isn't a file called "111152.php" anywhere on my site, so this doesn't  
> make any sense to me.
> 
> 	I realize that this is a very general question, but I'm hoping that  
> someone has seen or heard of this type of thing before and can help me  
> eliminate the problem.
> 
> 	I'm using A2 Hosting and they don't know why this happened.
> 
> Thanks,
> Frank
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

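Checking a downloaded copy of the site for the leads both messages describe (the `ErrorDocument 404` hook Frank found, the "find in files" search for eval/fopen and the permission check TG suggests), as an added example that is not code from either poster; the function names, the list of PHP functions searched for and the sample site layout are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster). Run it against a
# fresh download of the site, as TG suggests, to list three kinds of leads:
#   1. .htaccess files whose ErrorDocument 404 points at a .php file (Frank's symptom)
#   2. PHP sources calling eval()/system()/fopen() and friends (TG's "find in files")
#   3. world-writable files and directories a web-server process could drop files into
# Every hit is a lead to inspect by hand, not proof of compromise: legitimate code
# uses fopen() and base64_decode() too.

# 1. ErrorDocument 404 redirected into a PHP script. Output lines: path:line:text
#    ("|| true" because find/grep exit non-zero when nothing matches, which is not an error here)
find_htaccess_hooks() {
    find "$1" -type f -name .htaccess -exec grep -Hn -E \
        '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+.*\.php' {} + 2>/dev/null || true
}

# 2. Functions that execute code, run commands, decode payloads or write files.
#    The leading group avoids matching e.g. "myeval(" or "$system(".
find_suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -exec grep -Hn -E \
        '(^|[^A-Za-z0-9_])(eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open|base64_decode|gzinflate|fopen|fwrite|file_put_contents|move_uploaded_file)[[:space:]]*\(' {} + 2>/dev/null || true
}

# 3. Anything with the world-writable bit set (the "other write" bit, octal 002).
find_world_writable() {
    find "$1" -perm -002 2>/dev/null || true
}

# Print all three reports for one site copy.
scan_site() {
    echo "== .htaccess 404 handlers pointing at PHP =="
    find_htaccess_hooks "$1"
    echo "== PHP files using code-execution / file-writing functions =="
    find_suspicious_php "$1"
    echo "== world-writable paths =="
    find_world_writable "$1"
}

# Usage: sh scan_site.sh /path/to/downloaded/site
if [ "$#" -eq 1 ]; then
    scan_site "$1"
fi
```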