They HaX0r3D my PHP!
May 11, 2009 5:34 PM   Subscribe

I discovered that my DreamHost account appears to have been "hacked". What does this PHP code do and what's a good way to get rid of it?

When I was playing around with my websites tonight I noticed tons of PHP files that weren't there before. This link is an example of one of the files that I found.

In general, it appears that it takes any file matching *.(php|html|phps), renames it to filename<random alpha in A-Za-z>.php and sticks something similar to the above-linked PHP doc in it.

I notified Dreamhost of the problem, hoping that they could dig through my backups and let me know when these files were created, but I'm not holding my breath.

1. Has anyone seen these before? They're quite hard to search Google for since it's almost completely random data.
2. What does it do? I'm assuming it's some sort of bot net drone code of some sort.
3. It appears to have only created copies of files that are accessible from a Google search. e.g. I have a few "private" web pages that have obscure directory names that only I know. These files were not modified (but are clearly read/writeable with PHP).
4. How do I clean it up nicely? I don't see any modifications to existing files, so I think I can just delete the files that were created. File sizes, names, etc. are all different.

Thanks in advance!
Sorry for the meta-question. I'd be able to narrow it down to one more specific question if I could Google it.
posted by yellowbkpk to Computers & Internet (2 answers total) 2 users marked this as a favorite
1) change ALL your passwords. Every single one. Every single one. RIGHT NOW RIGHT NOW RIGHT NOW. make sure they are secure and not easy to guess. that includes database and ftp and web panel and email!
2) change your FTP access to secure FTp(shftp).


your site, however, may not be the source of the exploit. so

3) BACK UP YOUR CONTENT! not your site, per se, but your content. you may have to delete and recreate in order to make sure the back door is gone. you can rebuild a web site but chances are that your content is irreplacable. So do it now.

they're trying to create random spam pages, probably pharmaceutical. i had the same thing happen to me on dreamhost. it wasn't my site, even though they claimed it was. i had the developers for the CMS software working with me hand in hand because they were very concerned that their software was exploitable. it wasn't. it was another site on my shared server. Dreamhost were asses about it.

Eventually they found the backdoor and closed it and the problem went away. But I was lucky, nothing happened to my content. Other people on dreamhost that I know were not so lucky.

This is a big reason my site is no longer hosted on Dreamhost.
posted by micawber at 5:58 PM on May 11, 2009 [2 favorites]

Huh, that's some real script-kiddie stuff, isn't it. Here's a de-obfuscated version of the file you posted. As you can see it's basically just a remote-control interface— it allows someone who knows it's there to read and write files, change file modes or timestamps, etc.. Presumably, whoever broke into the account will come back later and use it to put up the pharma-spam or phishing pages for a botnet to point to, but if all the other files are like that one, then your account hasn't been, er, activated yet.

(Micawber is right, though; you should consider the possibility that other accounts you have are compromised, passwords may have been gathered, etc.)
posted by hattifattener at 10:43 PM on May 11, 2009

« Older Can you recommend some autobiographic titles for...   |   How much is a 5-year-old oboe worth? Newer »
This thread is closed to new comments.