Rajoul_mok was here Backdoor PHP

Posted on 2009-04-30
Last Modified: 2013-12-13
Yesterday my server was hacked using a backdoor PHP script. In the source code, comments like "Rajoul_mok was here" and "" can be read.

My server is Linux Fedora 8, Apache httpd-2.2.4 and php-4.4.8.tar

My mistake was leaving the following line empty:
disable_functions =

Now I have changed it to:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen

Do I need to make any other changes on my server? How can I check if there are other scripts?
Question by: david_2911

    Accepted Solution


    If your site was exposed, you need to do a thorough examination of the whole system (especially if Apache was running as a superuser). A good place to start would be the Apache logs, system logs and the directory in which the hacked site resided. You mentioned that your mistake was not disabling a couple of functions; well, the problem is probably somewhere before that: one of your PHP scripts allowed the perpetrator to upload his PHP files onto your server. Check for places where file uploads (any type of file) are made, ensure that you are correctly filtering for the right extensions and that you whitelist only a set of characters (like a-zA-Z0-9 and .).

    I cannot tell if your full system was exposed or just the site, either way go to

    and try to find if there are any rootkits running on your server (usually they leave a backdoor for future use). Needless to say, change your passwords (including login, DB, etc.).

    And again, I cannot emphasize this enough: check the site for places where unwanted files could be uploaded or where unwanted code could be run (for example, if you're using eval() on your site and you're doing it on unescaped user input).

    Good luck with your searches.
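
One way to start on the "how can I check if there are other scripts?" question, as an added example that is not part of the original thread: a Python scan that walks the web root and flags PHP-like files that call the functions from the `disable_functions` line or `eval()`, contain the quoted marker comment, or sit in an upload directory. The `uploads` directory name and the sample files are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Functions from the question's disable_functions line, plus eval() from the answer.
RISKY_CALLS = ("show_source", "system", "shell_exec", "passthru",
               "exec", "popen", "proc_open", "eval")
# The lookbehind skips curl_exec(, $obj->exec( and $var( so only direct calls match.
CALL_RE = re.compile(r"(?<![\w>$])(" + "|".join(RISKY_CALLS) + r")\s*\(", re.I)
MARKER_RE = re.compile(r"Rajoul_mok was here", re.I)  # comment quoted in the question
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml)(\.|$)", re.I)  # also matches x.php.jpg

def scan_file(path):
    """Return a sorted list of findings for one file."""
    text = Path(path).read_text(errors="replace")
    findings = {"call:" + m.group(1).lower() for m in CALL_RE.finditer(text)}
    if MARKER_RE.search(text):
        findings.add("marker")
    return sorted(findings)

def scan_tree(root, upload_dirs=("uploads",)):
    """Report PHP-like files with risky calls, and any PHP-like file in an upload dir."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_upload = any(p in upload_dirs for p in parts)  # 'uploads' is an assumed name
        for name in filter(PHP_EXT_RE.search, files):
            path = os.path.join(dirpath, name)
            findings = scan_file(path) + (["php-in-upload-dir"] if in_upload else [])
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def demo():
    """Build a constructed web root in a temp dir and scan it."""
    samples = {  # constructed sample files, not taken from the incident
        "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
        "uploads/img.php.jpg": "<?php /* Rajoul_mok was here */ passthru('id'); ?>",
        "lib/run.php": "<?php $out = shell_exec('uptime'); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Plain pattern matching misses obfuscated code, so a clean result is only a first pass alongside the log review and rootkit checks recommended in the answer.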
