Soo, what is this? I haven't really experienced too much as far as "hacking" goes. I've dealt and solved most problems with PHP applications and I understand about 70% of this code.
but here is what I found, a Web Shell.. by Boff?
It is hard to say, but generally to exploit something like this there is a loophole in an include / require which is including a $_GET or $_POST variable that is not being filtered / checked.
I.e.:
include($_GET['page'] . '.php');
Some people did / do this to lessen the code; however, anyone could inject a URL here and it could write a new file etc.
To fix:
// Default to 'index' (quoted: a bare index would be an undefined constant)
$page = !empty($_GET['page']) ? $_GET['page'] : 'index';
// Only these page names may ever be included
$whiteList = array('index', 'home');
if (!in_array($page, $whiteList, true)) {
    $page = 'index';
}
include($page . '.php');
But yea, this is just one way. I am sure there are many other methods as well.
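To triage a codebase for the loophole described above (an include / require fed from $_GET or $_POST), here is an added example that is not code from the original post: a small Python scanner run over a constructed PHP sample. The sample, the function name and the regexes are assumptions; a variable assigned from request data and later included (like the whitelist fix above) is reported as "indirect" for manual review, because the scanner does not understand the in_array check.

```python
import re

# include / require / *_once, with or without parentheses, up to the ';'
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b\s*\(?\s*([^;]*?)\s*\)?\s*;", re.IGNORECASE)
# request-controlled superglobals that should never reach an include unchecked
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# simple assignment "$var = ..." (skips ==, !=, .= etc.)
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=[^=]")

# Constructed sample for this example; not code from the page.
SAMPLE_PHP = """<?php
// Constructed sample for this example; not code from the page.
$page = !empty($_GET['page']) ? $_GET['page'] : 'index';
include($page . '.php');          // indirect, via $page: review by hand
require_once 'config.php';        // constant path: not reported
include($_GET['page'] . '.php');  // direct superglobal: reported
require $_POST['tpl'];            // direct superglobal: reported
"""


def find_tainted_includes(php_source):
    """Return (line_no, kind, statement) for suspicious include/require.
    kind is 'direct' when a superglobal appears in the argument itself,
    'indirect' when the argument uses a variable assigned earlier in the
    file from an expression containing a superglobal. Single-file,
    line-based triage only: no cross-file or control-flow analysis."""
    tainted = set()      # variable names assigned from request data so far
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        code = line.split("//", 1)[0]   # drop trailing // comments (naive)
        for m in ASSIGN_RE.finditer(code):
            if SUPERGLOBAL_RE.search(code[m.end():]):
                tainted.add(m.group(1))
        for m in INCLUDE_RE.finditer(code):
            arg = m.group(1)
            if SUPERGLOBAL_RE.search(arg):
                findings.append((line_no, "direct", m.group(0).strip()))
            elif any(re.search(re.escape(v) + r"\b", arg) for v in tainted):
                findings.append((line_no, "indirect", m.group(0).strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, stmt in find_tainted_includes(SAMPLE_PHP):
        print(f"line {line_no}: {kind:8s} {stmt}")
```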
It looks like a remote administration tool, which could potentially be used as a back door.
Yes, you found a backdoor that the attacker is using to access your site. But this is only a symptom of a much larger problem. It is likely that a web application or library that you have installed is vulnerable to attack. Someone used exploit code to drop this backdoor and unless you patch the site, the attacker will just drop another backdoor.
Make sure everything is up to date. Try and install a Web Application Firewall like Mod_Security.