• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 820
  • Last Modified:

Rajoul_mok was here Backdor PHP

yesterday my server was hacking using a backdor php script, on source code can be read comments like "Rajoul_mok was here" and "http://emp3ror.com/kira//update/"

my server is linux fedora 8, apache httpd-2.2.4 and php-4.4.8.tar

my mistake was let empty the follow line on php.in
disable_functions =

now I changed it for:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen

Do I need another change on my server? how can I check if there are others scripts?
1 Solution

if your site was exposed you need to do a thorough examination of the whole system (especially if apache was running with a super user). A good place to start would be the apache logs, system logs and the directory in which the hacked site resided. You mentioned that your mistake was not disabling a couple of functions, well the problem is probably somewhere before that, one of your php scripts allowed the perpetrator to upload his php files onto your server, check for places where file (any time of files) uploads are made, ensure that you are correctly filtering for the right extensions and that you white list only a set of characters (like a-zA-z0-9 and .)

I cannot tell if your full system was exposed or just the site, either way go to


and try to find if there are any rootkits running on your server (usually they leave a backdoor for future use). Needless to say change your passwords (including login&db etc).

And again I cannot emphasis this enough check the site for places where unwanted files could be uploaded or where unwanted code could pe run (for example if your using eval() on your site and your doing it on unescaped user input).

Good luck with your searches.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now