ansaurus

Question

Unexpected PHP file showed up in OSCommerce

Answer 1

+2 A:

If you can provide the entire string within the base64_decode - Or, actually, instead of calling eval, call echo:

<?echo base64_decode("JGs9M...");

You'll be able to see what it does. But, typically, this is a signature of a backdoor/attacker, etc. I've seen this style before. And the fact its in the images/ directory maybe means they were able to get something like photo.gif.php uploaded ...

Probably not good at all.

Running it displays a single html textbox and a button that says, "Check."

Does it post to a page? Maybe the page receives whatever is in the textbox and executes it via system(), exec(), etc....

Mr-sk 2010-01-23 02:24:55

Answer 2

+4 A:

This is most likely something a hacker injected - encoded and minimized. You can echo the result of base64_decode(...) instead of evaluating it to see what it would try to perform. BTW, actually running it was probably a big mistake.

Max Shawabkeh 2010-01-23 02:25:32

+1 especially for 'running it was probably a big mistake'

fireeyedboy 2010-01-23 02:28:17

heh yeah, good call.

Mr-sk 2010-01-23 02:32:50

+1 <?php echo base64_decode(...);?>

Jay Zeng 2010-01-23 19:53:04

Actually, I would not suggest doing an echo of the decoded string as it could also contain all kinds of nasty surprises in that form.

code_burgar 2010-01-23 20:01:27

@code_burglar, that's a valid point. Echoing it through CLI would be safer. Still, at least this way you just give clientside access, which is much, much better than allowing arbitrary serverside code.

Max Shawabkeh 2010-01-23 21:27:42

For what it's worth, ran it on a dev box to see what it did. Did NOT run it on the live site. This particular site is on a shared server. Doesn't surprise me that someone may have made it it.

Brad 2010-01-24 03:28:18

Echoing it could hack browser if it is a drive by exploit. You should print it out on the commnadline.

Rook 2010-01-26 18:18:34

Answer 3

A:

I have absolutely no doubt in my mind that you have been hacked. You have discovered a backdoor and you must remove it immediately. These are often put in place by automated attack systems and then a hacker can come back at a later date and assume control over your server or use your server to break into web browsers that visit it. I have cleaned up hacks identical to this before. I'm surprised you aren't on google's walware list, that is usually peoples first indication.

I really want to find out the PHP code that is being eval'ed. Can you post the full base64? Maybe split it up by newlines so it will fit.

Rook 2010-01-23 19:43:18

Answer 4

+1 A:

Definitely a baddie you got there. As others have pointed out, it most probably serves as a nice backdoor for the attacker to run arbitrary commands on your system.

What you should, at a bare minimum, do is:

Notify your tech support and ask for them to find out what the attacker changed and when
If you are on a shared host, move to a dedicated server (or at least a VPS)
Back up your data, verifying it's clean in the process
Roll back to a backup made before the box has been compromised
Apply any and all security patches to the software you have been running, the OS, etc.
Reinstall your scripts then re-import the clean data

code_burgar 2010-01-23 19:56:12

Answer 5

A:

In my PHP framework, I do not allow files to be uploaded that apache might know how to execute upon retrieval.

If you must print out a thing like this, do it in a CLI version of PHP, don't send it to your browser! It might also include something that our browser will execute.

Don 2010-01-23 20:29:11

ansaurus

tags:

views:

answers:

Unexpected PHP file showed up in OSCommerce

related questions