views: 78 | answers: 3

So, what is this? I haven't really experienced too much as far as "hacking" goes. I've dealt with and solved most problems with PHP applications, and I understand about 70% of this code.

But here is what I found, a web shell... by Boff?

http://pastebin.com/kZeGHAHC

A: 

It is hard to say, but generally, to exploit something like this, there is a loophole in an include / require which is including a $_GET or $_POST variable that is not being filtered / checked.

i.e.:

// Vulnerable: the page name comes straight from the request, unfiltered.
include($_GET['page'] . '.php');

Which some people did / do to lessen the code; however, anyone could inject a URL here, and it could write a new file, etc.

To fix:

// Default to 'index' (quoted string, not a bare constant) when no page is requested.
$page = !empty($_GET['page']) ? $_GET['page'] : 'index';

// Only these page names may ever be included.
$whiteList = array('index', 'home');

// Strict comparison so type juggling cannot slip a non-string past the check.
if (!in_array($page, $whiteList, true)) {
    $page = 'index';
}

include($page . '.php');

But yeah, this is just one way. I am sure there are many other methods as well.

Brad F Jacobs
Well, the site was running OSCommerce, so... I guess this should be brought up to them?
Voltxion
Potentially. Just make sure you are running the latest version of OSCommerce, or you probably won't get any help.
Brad F Jacobs
Includes are harder to exploit these days because "remote file includes" no longer work by default.
Rook
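The answer above describes the bug class (an include / require fed by an unchecked request variable) and the allow-list fix. The following is an added example, not code from the answerer or from osCommerce: a small Python scanner, of my own construction, that walks PHP source line by line, tracks which variables were assigned from $_GET / $_POST / $_REQUEST and friends, and flags any include / require whose argument is still tainted. An in_array() check on a variable is treated as an allow-list and clears its taint, matching the fix shown in the answer. The four PHP snippets are constructed inputs; the analysis is line-based and flow-insensitive, so it is a triage aid for finding candidates to review, not a proof of safety.

```python
import re

# Constructed sample PHP sources (not from the page or from osCommerce),
# keyed by a made-up file name, so the scanner can run offline.
SAMPLE_FILES = {
    "vulnerable.php": "<?php\ninclude($_GET['page'] . '.php');\n",
    "vulnerable2.php": "<?php\n$tpl = $_REQUEST['tpl'];\nrequire_once($tpl);\n",
    "safe.php": (
        "<?php\n"
        "$page = !empty($_GET['page']) ? $_GET['page'] : 'index';\n"
        "$whiteList = array('index', 'home');\n"
        "if (!in_array($page, $whiteList, true)) {\n"
        "    $page = 'index';\n"
        "}\n"
        "include($page . '.php');\n"
    ),
    "static.php": "<?php\nrequire_once 'config.php';\ninclude 'header.php';\n",
}

# Request-controlled superglobals that make an expression tainted.
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER|ENV)\b")
# Any PHP variable reference, used to propagate taint between variables.
VAR_RE = re.compile(r"\$(\w+)")
# Simple assignment: `$name = <expr>;` (the (?!=) avoids matching `==`).
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+?);")
# include / require with or without parentheses, capturing the argument.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*(.+?)\)?\s*;"
)
# `in_array($name, ...)` is taken as an allow-list check on $name.
ALLOWLIST_RE = re.compile(r"\bin_array\s*\(\s*\$(\w+)")


def _is_tainted(expr, tainted):
    """True if the expression reads a superglobal or a tainted variable."""
    if SUPERGLOBAL_RE.search(expr):
        return True
    return any(name in tainted for name in VAR_RE.findall(expr))


def scan_php_source(source):
    """Return [(line_no, statement)] for includes whose path is request-controlled.

    Taint is tracked per variable name in source order: assignment from a
    superglobal (or another tainted variable) taints the target, a plain
    assignment or an in_array() check on the variable clears it. Conditional
    control flow is ignored, which is the heuristic's main blind spot.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            name, expr = m.group(1), m.group(2)
            if _is_tainted(expr, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        for name in ALLOWLIST_RE.findall(line):
            tainted.discard(name)
        m = INCLUDE_RE.search(line)
        if m and _is_tainted(m.group(2), tainted):
            findings.append((lineno, line.strip()))
    return findings


def scan_files(files):
    """Map file name -> findings, keeping only files with at least one hit."""
    report = {}
    for name, source in files.items():
        hits = scan_php_source(source)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for lineno, stmt in hits:
            print(f"{name}:{lineno}: request-controlled include: {stmt}")
```

Running it reports the two constructed vulnerable files and stays silent on the allow-listed and static-path files. Because the scanner does not follow branches, a variable re-assigned inside an `if` is treated as cleaned from that line onward; any hit it does produce is worth a manual look, and a clean run is not evidence that nothing is wrong.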
A: 

It looks like a remote administration tool, which could potentially be used as a back door.

Steven Sudit
A: 

Yes, you found a backdoor that the attacker is using to access your site. But this is only a symptom of a much larger problem. It is likely that a web application or library that you have installed is vulnerable to attack. Someone used exploit code to drop this backdoor, and unless you patch the site, the attacker will just drop another backdoor.

Make sure everything is up to date. Try and install a Web Application Firewall like Mod_Security.

Rook