#6, 10-25-2008, 02:28 PM
UKBusinessLive
 
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

It's not good, whatever they are doing. First off, it's from somewhere in Russia, so that's immediately bad. The other thing is that they are trying to execute the command line `uname -a`, which outputs a single line with the name of the machine and the operating system version.

They are doing their homework before they attack. I would check your processing power and see if it has skyrocketed; they may have anything on the server now. If so, it's time for a rebuild.

Just check your server permissions and see if any have been changed. It's more than likely that you have a weak password on an FTP account back to your server. Delete all unnecessary FTP accounts while you're at it, and make sure you renew all your passwords with a mixture of letters and numbers and perhaps a few caps.

Without decoding the static elements of the scripts, I would guess the script collects as much information about the client/server and then transmits it by including a remote file with the data in the URL. These are the lines that will give you the greatest insight:

Code:
base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9")
base64_decode("aHR0cDovLw==")
base64_decode("dXNlcjkubXNodG1sLnJ1")
base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")
You should review the permissions and ownership of the files that were placed on your server. If they're owned by the user "nobody", perhaps your compromise is minimal.

Edit: Here is the output of those commands:

Code:
http://bis.iframe.ru/master.php?r_addr=
http://
user9.mshtml.ru
The commands.php script gathers as much information as it can, then provides it to bis.iframe.ru. I assume this is to assist the malicious user in his efforts to steal the identities of others.

The Server has definitely been hacked/cracked but it's possible that it is not owned.

What kernel version is being used?
(if not sure, look under WHM > Server Status > Server Information: System Information)

Run this command as 'root' in a shell: `locate code2.php .Free.php md.pl`

If any of those files are found and you're running kernel 2.6.xx (where xx is less than 17), then odds are the hackers only found a way to upload the defacement and spammer scripts.

That would mean an OS reload or someone going through the entire server to find & delete the hacker files "and" set up security to stop them from doing it again.

If you don't own your server then perhaps this is something that you should talk to your hosting company about.

Take care

--------------- Added 10-25-2008 ---------------

Just remembered

Check your code in .htaccess and see if anything's changed there. Normally these hackers add a file like this...

Code:
Options -MultiViews
ErrorDocument 404 //e107_plugins/htnbook/820220.php
Also view your index.php and make sure the file has no extra lines in it along the lines of...


Code:
<title>Hacked By GHoST61</title>
<center><img border="0" src="http://ghst61.by.ru/gh.jpg" weight="30" heigth="35" style="border:0px dashed black; ">
<p align="center"><font face ="Showcard Gothic" size="8"><font color="#bb1122"> Hacked By GHoST61
<HR color=gray SIZE=4>
<p align="center"><font face ="Bradley Hand ITC" size="6"><font color="#0000cc">Copyright ©2006 - 2008 By GHoST61
<h1><center>For Türkiye<h1><center>
This is just a front screen for these hackers but check anyway.



--------------- Added 10-25-2008 ---------------

Whilst I've been looking into this it looks like it's a "pay per click" scam.

They hack your site with these bogus files then seed search engines to go there, and just sit back and collect for every click.

Check your file/folder permissions.

FILE permissions shouldn't be higher than 644

FOLDER permissions shouldn't be higher than 755
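The checks the post above walks through (decoding the base64 literals, spotting the .htaccess ErrorDocument hijack, locating the named files and defaced index pages, and the 644/755 permission rule), collected into one triage script. This is an added example, not code from the post or from anyone in the thread. The hostnames, filenames and .htaccess lines are the ones quoted above; the sample web root it builds is constructed so the script runs offline, and the regular expressions and the reading of "higher than 644/755" (any group/other write bit, or any execute bit on a file) are my own assumptions.

```shell
#!/bin/sh
# Added triage example (not from the original post). It builds a constructed
# sample web root that reproduces what the post describes, then runs the
# checks it recommends. Hostnames, filenames and .htaccess lines are copied
# from the post; everything else is a constructed sample.

# Build a throwaway web root under $1 carrying the indicators quoted in the post.
make_sample() {
    root=$1
    mkdir -p "$root/e107_plugins/htnbook" "$root/images"
    chmod 755 "$root/e107_plugins" "$root/images"
    chmod 777 "$root/e107_plugins/htnbook"               # world-writable drop dir
    printf '<?php // planted file (constructed sample)\n' \
        > "$root/e107_plugins/htnbook/820220.php"
    chmod 666 "$root/e107_plugins/htnbook/820220.php"    # more permissive than 644
    # The four base64 literals quoted in the post.
    cat > "$root/commands.php" <<'EOF'
<?php
$u  = base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9");
$s  = base64_decode("aHR0cDovLw==");
$h1 = base64_decode("dXNlcjkubXNodG1sLnJ1");
$h2 = base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=");
EOF
    # The .htaccess 404 hijack and the defacement title from the post.
    printf 'Options -MultiViews\nErrorDocument 404 //e107_plugins/htnbook/820220.php\n' \
        > "$root/.htaccess"
    printf '<title>Hacked By GHoST61</title>\n' > "$root/index.php"
    # One of the filenames the post says to locate, plus a clean file for contrast.
    printf '#!/usr/bin/perl\n' > "$root/images/md.pl"
    printf 'clean\n' > "$root/images/readme.txt"
    chmod 644 "$root/commands.php" "$root/.htaccess" "$root/index.php" \
              "$root/images/md.pl" "$root/images/readme.txt"
}

# Pull base64_decode("...") literals out of a PHP file and decode each one.
decode_b64_strings() {
    grep -o 'base64_decode("[A-Za-z0-9+/=]*")' "$1" 2>/dev/null \
      | sed 's/^base64_decode("//; s/")$//' \
      | while IFS= read -r enc; do
            printf '%s' "$enc" | base64 -d 2>/dev/null
            printf '\n'
        done
}

# Files more permissive than 644 (group/other writable, or any execute bit)
# and directories more permissive than 755 (group/other writable).
find_bad_perms() {
    {
        find "$1" -type f \( -perm -020 -o -perm -002 -o -perm -100 \
                             -o -perm -010 -o -perm -001 \) -print
        find "$1" -type d \( -perm -020 -o -perm -002 \) -print
    } | sort
}

# ErrorDocument directives in any .htaccess that point at a script, the
# pattern the post shows for the 404 hijack (file:line:directive).
check_htaccess() {
    find "$1" -name .htaccess -exec grep -H -n -E \
        '^[[:space:]]*ErrorDocument[[:space:]]+[0-9]+[[:space:]]+.*\.(php|pl|cgi)' {} \; 2>/dev/null
    return 0
}

# The filenames the post says to locate (done with find so it does not depend
# on a fresh updatedb index), plus index files carrying a defacement banner.
find_indicators() {
    {
        find "$1" \( -name code2.php -o -name .Free.php -o -name md.pl \) -print
        find "$1" -name 'index.*' -exec grep -l -i 'hacked by' {} \; 2>/dev/null
    } | sort
}

# Files modified in the last $2 days; attacker drops cluster around the break-in.
find_recent() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Print the whole report for the web root given as $1.
run_triage() {
    echo "== files/dirs more permissive than 644/755 =="; find_bad_perms "$1"
    echo "== suspicious ErrorDocument lines ==";          check_htaccess "$1"
    echo "== known filenames / defaced index files ==";  find_indicators "$1"
    echo "== files modified in the last 7 days ==";      find_recent "$1" 7
    find "$1" -name '*.php' -print | while IFS= read -r f; do
        echo "== base64 literals in $f =="; decode_b64_strings "$f"
    done
}

# Stand-alone demo on the constructed tree. On a real box, drop these four
# lines and call run_triage with the document root (assumed path, e.g.
# /home/<user>/public_html).
demo_root=$(mktemp -d)
make_sample "$demo_root"
run_triage "$demo_root"
rm -rf "$demo_root"
```

The decoded literals come out exactly as the post reports them (the fourth, `user7.htmltags.ru`, is the one the post's output list leaves out). Nothing here is a verdict: a world-writable upload directory or an `ErrorDocument` pointing at a `.php` file is a lead to inspect by hand, and the 644/755 rule is a heuristic that legitimate CGI or upload directories can break, so read the report rather than acting on it blindly.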