vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Can somebody explain what these PHP files are.. (https://vborg.vbsupport.ru/showthread.php?t=194498)

dxflw 10-25-2008 06:47 AM

Can somebody explain what these PHP files are..
 
1 Attachment(s)
I found these 2 PHP files and I don't remember if I uploaded these files to my FTP...
Can somebody explain what this is..?

MysCha 10-25-2008 07:29 AM

lolz, I never knew these were vBulletin files ;)

Dismounted 10-25-2008 09:30 AM

Looks like someone has uploaded a malicious file. I have not had time to decode the file - but I can assume that it was designed to hack you or something similar.

UKBusinessLive 10-25-2008 10:09 AM

They definitely look like rogue files; change all your passwords to your server and FTP.

Just keep an eye on any attachments you allow your members to post

:cool:

dxflw 10-25-2008 12:57 PM

Thanks guys.. but can somebody explain to me exactly what the code can do?
I think my last hosting company has something to do with that...

UKBusinessLive 10-25-2008 01:28 PM

It's not good whatever they are doing - first off, it's from somewhere in Russia - so that's immediately bad. The other thing is that they are trying to execute the command line `uname -a`, which outputs a single line with the name of the machine and the operating system version.

They are doing their homework before they attack. I would check your processing power and see if it has skyrocketed; they may have anything on the server now.... if so, it's time for a rebuild.

Just check your server permissions and see if any have been changed. It's more than likely that you have a weak password on an FTP account back to your server. Delete all unnecessary FTP accounts whilst you're at it, and make sure you renew all your passwords with a mixture of letters and numbers and perhaps a few caps ;)

Without decoding the static elements of the scripts, I would guess the script collects as much information about the client/server and then transmits it by including a remote file with the data in the URL. These are the lines that will give you the greatest insight:

Code:

base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
base64_decode("aHR0cDovLw==")
base64_decode("dXNlcjkubXNodG1sLnJ1")
base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")

You should review the permissions and ownership of the files that were placed on your server. If they're owned by the user "nobody", perhaps your compromise is minimal.

Edit: Here is the output of those commands:

Code:

http://bis.iframe.ru/master.php?r_addr=
http://
user9.mshtml.ru

The commands.php script gathers as much information as it can, then provides it to bis.iframe.ru. I assume this is to assist the malicious user in his efforts to steal the identities of others.

The server has definitely been hacked/cracked, but it's possible that it is not owned. ;)

What kernel version is being used?
(if not sure, look under WHM > Server Status > Server Information: System Information)

Run this command as 'root' in a shell: locate code2.php .Free.php md.pl

If any of those files are found and you're running kernel 2.6.xx (where xx is less than 17), then odds are the hackers only found a way to upload the defacement and spammer scripts. :eek:

That would mean an OS reload or someone going through the entire Server to find & delete the hacker files "and" setup security to stop them from doing it again.

If you don't own your server, then perhaps this is something that you should talk to your hosting company about.

Take care

--------------- Added later (timestamp 1224949432) ---------------

Just remembered :eek:

Check your code in .htaccess and see if anything's changed there; normally these hackers add something like this...

Code:

Options -MultiViews
ErrorDocument 404 //e107_plugins/htnbook/820220.php

Also view your index.php and make sure the file has no extra lines along the lines of...


Code:

<title>Hacked By GHoST61</title>
<center><img border="0" src="http://ghst61.by.ru/gh.jpg" weight="30" heigth="35" style="border:0px dashed black; ">
<p align="center"><font face ="Showcard Gothic" size="8"><font color="#bb1122"> Hacked By GHoST61
<HR color=gray SIZE=4>
<p align="center"><font face ="Bradley Hand ITC" size="6"><font color="#0000cc">Copyright ©2006 - 2008 By GHoST61
<h1><center>For Türkiye<h1><center>

This is just a front screen for these hackers but check anyway.

;)

--------------- Added later (timestamp 1224950097) ---------------

Whilst I've been looking into this, it looks like it's a "pay per click" scam.

They hack your site with these bogus files then seed search engines to go there, and just sit back and collect for every click.

Check your file/folder permissions.

FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755
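The decoding shown above can be done for every base64_decode() call in a file at once, so nothing hidden in a longer script is missed. The script below is an added example and is not code from this thread or from vBulletin. It assumes the sample file name commands.php and the variable names in the constructed sample, and it plants `uname -a` as a base64 literal because the thread says the script runs that command but does not quote the encoded form.

```shell
#!/bin/sh
# Added example (not code from the thread): pull every string literal passed
# to base64_decode() out of a PHP file and decode it, so the URLs, hostnames
# and commands an obfuscated script hides can be read without executing it.
# Run as:  sh decode_b64.sh /path/to/commands.php   (no argument = built-in sample)

# Constructed sample modelled on the four strings quoted in the thread.
# The file name, the variable names and the "uname -a" line are assumptions.
make_sample_php() {
    cat > "$1" <<'EOF'
<?php
$u  = base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9");
$p  = base64_decode("aHR0cDovLw==");
$h1 = base64_decode("dXNlcjkubXNodG1sLnJ1");
$h2 = base64_decode('dXNlcjcuaHRtbHRhZ3MucnU=');
$c  = base64_decode("dW5hbWUgLWE=");
EOF
}

# Print one decoded literal per line, in file order. Accepts both quote
# styles and tolerates spaces inside the parentheses. Input that base64
# cannot decode is reported rather than silently dropped.
decode_b64_strings() {
    grep -oE "base64_decode\( *[\"'][A-Za-z0-9+/=]+[\"'] *\)" "$1" \
    | sed -E "s|^base64_decode\( *[\"']([A-Za-z0-9+/=]+)[\"'] *\)$|\1|" \
    | while IFS= read -r enc; do
        printf '%s' "$enc" | base64 -d 2>/dev/null || printf '<undecodable: %s>' "$enc"
        printf '\n'
    done
}

# Tag each decoded value so the interesting ones stand out in a long listing.
classify() {
    decode_b64_strings "$1" | while IFS= read -r s; do
        case "$s" in
            http://*|https://*|ftp://*)               printf 'URL      %s\n' "$s" ;;
            uname*|id|id\ *|wget\ *|curl\ *|/bin/*)   printf 'COMMAND  %s\n' "$s" ;;
            *.*)                                      printf 'HOSTNAME %s\n' "$s" ;;
            *)                                        printf 'OTHER    %s\n' "$s" ;;
        esac
    done
}

# Stand-alone run: classify the given file, or the built-in sample.
if [ -n "${1:-}" ]; then
    classify "$1"
else
    tmp=$(mktemp -d)
    make_sample_php "$tmp/commands.php"
    classify "$tmp/commands.php"
    rm -rf "$tmp"
fi
```

Run it against each suspicious file rather than opening them in an editor. A URL with an empty trailing parameter (like the `r_addr=` one above) is the usual sign of a beacon that appends collected data to the query string, and a bare `http://` next to hostnames means the script assembles its target at run time, which is why grepping the raw file for a domain finds nothing.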

dxflw 10-25-2008 03:21 PM

Thank you very much "UKBusinessLive"
I have created a new hosting account with a new hosting company.
I have found more files like this in my forum folder:
These were in the forum's root folder:
34914.php
141171.php
and I have found more in:
images/avatar
forum root/modules (this is for CMPS)
includes/
install/
======================
All the files I found with numbers, for example 54656.php, are deleted,
and the whole forum is loaded to the new server and new company.
I have a database backup and with this I will restore my forum on the new server.
Do you think this is enough?

UKBusinessLive 10-25-2008 04:36 PM

Quote:

Originally Posted by dxflw (Post 1652504)
Thank you very much "UKBusinessLive"
I have created a new hosting account with a new hosting company.
I have found more files like this in my forum folder:
These were in the forum's root folder:
34914.php
141171.php
and I have found more in:
images/avatar
forum root/modules (this is for CMPS)
includes/
install/
======================
All the files I found with numbers, for example 54656.php, are deleted,
and the whole forum is loaded to the new server and new company.
I have a database backup and with this I will restore my forum on the new server.
Do you think this is enough?

Just make sure the following permissions are set...


FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755

and make sure you use a high-strength password. Do regular checks of your image folders, as they will most probably try to upload a file as an image.

Regulate and moderate your attachments and exactly what you're allowing your members to upload to your server. Set user permissions so that banned, unregistered and guest users CANNOT upload anything to your server. I know people will say "but we do that anyway"; you'll be surprised at the number of people that apparently leave a "back door" open.

Above all, just be careful.

Take care

;)
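The checks UKBusinessLive lists across this thread (numeric-named PHP files, scripts inside the avatar and attachment folders, .htaccess ErrorDocument lines pointing at a script, a defaced index.php, and file or folder permissions above 644/755) can be run together against the forum directory. The script below is an added example, not code from the thread or from vBulletin. The sample directory tree it builds is constructed; the upload directory names other than images/avatar are assumed, and the auto_prepend_file check goes one step beyond the thread (it is the other common way .htaccess can hand every request to an attacker's script).

```shell
#!/bin/sh
# Added example (not code from the thread): the manual checks recommended
# in the thread, run as one triage pass over a forum directory.
# Run as:  sh triage.sh /path/to/forum   (no argument = built-in sample tree)

# Constructed sample tree modelled on the layout dxflw describes. The
# planted file contents and the upload directory names other than
# images/avatar are assumptions; 34914.php, 54656.php and the .htaccess
# lines are quoted from the thread.
make_sample_tree() {
    root=$1
    mkdir -p "$root/images/avatar" "$root/modules" "$root/includes" "$root/install"
    printf '<?php echo "ok";\n' > "$root/index.php"
    printf '<?php /* normal include */\n' > "$root/includes/functions.php"
    printf '<?php /* planted dropper */\n' > "$root/34914.php"
    printf '<?php /* planted dropper */\n' > "$root/images/avatar/54656.php"
    printf 'Options -MultiViews\nErrorDocument 404 //e107_plugins/htnbook/820220.php\n' > "$root/.htaccess"
    # Normalise to 755/644 first so the result does not depend on the umask,
    # then loosen two entries to mimic what an attacker changed.
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    chmod 777 "$root/images/avatar"
    chmod 666 "$root/includes/functions.php"
}

# 1. PHP files whose name is only digits, like 34914.php or 141171.php.
find_numeric_php() {
    find "$1" -type f -name '*.php' | grep -E '/[0-9]+\.php$' || true
}

# 2. Any PHP file under directories that should hold uploads only
#    (directory list is an assumption; adjust to your install).
find_php_in_upload_dirs() {
    for d in images/avatar images/attach customavatars customprofilepics; do
        if [ -d "$1/$d" ]; then find "$1/$d" -type f -name '*.php'; fi
    done
}

# 3. .htaccess directives that route requests into a PHP file: the
#    ErrorDocument trick quoted in the thread, plus auto_prepend_file.
find_htaccess_redirects() {
    find "$1" -name .htaccess -type f \
        -exec grep -HE '^(ErrorDocument|php_value +auto_prepend_file).*\.php' {} \;
}

# 4. A defacement banner in index.php (prints the path if found).
find_defacement() {
    grep -il 'hacked by' "$1/index.php" 2>/dev/null || true
}

# 5. Anything group- or world-writable, i.e. looser than 644 / 755.
find_loose_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \)
}

# Print every finding under a heading. An empty section is a good sign.
triage() {
    for check in find_numeric_php find_php_in_upload_dirs find_htaccess_redirects \
                 find_defacement find_loose_perms; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
}

if [ -n "${1:-}" ]; then
    triage "$1"
else
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    triage "$tmp"
    rm -rf "$tmp"
fi
```

Read the output rather than feeding it to rm: the permissions check will also list directories that legitimately need to be writable by the web server (attachment and avatar storage), and a numeric file name alone is not proof of compromise. Run it before restoring the database backup onto the new host, because a restore of the files from the old server would carry the droppers across too.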

dxflw 10-28-2008 01:02 PM

OK, thank you very much.
cu.


All times are GMT. The time now is 04:49 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
