7

I found a php file that was uploaded to our web server that had sneaked past our form validation. I did some searching and there was very little information regarding this file, however the small amount I found definitely made it seem malicious.

Here is the content of the file: http://pastebin.com/zfbHMe9M

What was this file trying to accomplish? Is there anything I should check or be concerned about? I have removed the file from my site.

Vecta
  • 369
  • 1
  • 5

3 Answers3

7

It's a script for uploading more files onto the server.

The code looked familiar to me, so I Googled one of the strings in it: it's a modified version of the sample PHP file upload code from this page. Unlike the sample code, however, the modified version sets the $uploaddir variable to the same directory it's run from, so anyone using it can upload more files to the same directory (and even overwrite the script with something else, if they want).

Curiously, the script doesn't seem to allow uploading files to any other directories than the one it's placed in. Still, if an attacker manages to upload this script to your site and execute it, that means they'll presumably be able to run any other scripts they upload using it too.

As for whether (and how much) you should be concerned, that depends on whether the attacker actually managed to run the script. The mere fact that it was uploaded doesn't necessarily mean the attack was successful, if file permissions or webserver configuration stopped the server from executing it as PHP code. Still, the presence of the script on your server does at least mean that somebody tried to hack into it.

Ilmari Karonen
  • 9,102
  • 1
  • 24
  • 41
2

Yes you should be concerned. You need to review the webserver access_log and search for the filename that was uploaded and see if it's associated with a 200 status code. If it is, there will be an ip address associated with it. Take that ip address and search the access_log further to see what else on the server that ip address accessed. It's best to search for the entire range rather than just one ip address.

Range Example: 123.12.14.xxx instead of 123.12.14.15

It's important to determine if they managed to upload any other files on the server with elevated permissions.

JMC
  • 3,280
  • 1
  • 19
  • 19
  • Note that an access log entry with a 200 status code doesn't necessarily mean the attack worked: depending on how the server was configured, it might have allowed someone to download the file but not execute it as PHP. But if you're not sure, it's safer to assume the attack did work. (Also, if you see any POST requests to that script in the logs, that makes it a lot more likely that the attack did succeed.) – Ilmari Karonen Mar 10 '12 at 14:04
0

On all my WordPress sites I use a plugin called WordPress file monitor http://wordpress.org/extend/plugins/wordpress-file-monitor/ this emails me whenever files have been modified on the server.

I keep plugins and core apps up to date, scan for vulnerabilities, and use the file monitoring plugin just in case of some XSS attack. Typically it's a plugin which has some vulnerability.

If you're site runs WordPress I would suggest using the plugin to get emailed as soon as any files are added or modified to your server.

If you are not running WordPress ask your developers to implement PHPIDS https://phpids.org/

Anagio
  • 11,195
  • 1
  • 26
  • 49