The problem:
On my webspace there are PHP files which all end with this:
Before
If you wrote the vulnerable web application yourself then you've already got a head start figuring out where most of the access points that could be exploited are. Unfortunately, that may not be good enough (writing and maintaining secure web applications is harder than most people think).
If you didn't write the application yourself, or if you're re-using large, complex components that someone else wrote, or if you simply need help getting a handle on website security, then there are commercial services that can crawl your site and try to figure out where it is vulnerable, e.g.:
http://www.qualys.com/products/qg_suite/was/
These services cost money, obviously, but you can usually get a "free trial" to see if they would be helpful. Good luck!
Looks like your server has been compromised. Also, are you on a shared host?
You can find out the security configuration of your server with:
PhpSecInfo
(source: phpsec.org)
Who are you hosted with? Some hosters have security leaks that can get exploited.
Are you using WordPress? There have also been a number of reported outbreaks. The best thing to do would be to google it, looking for people with similar problems, which will also lead to the cause, which will lead to the solutions.
As others have suggested, the vulnerability is most likely in some script you are using, maybe something you've written yourself or a well-known application that has known vulnerabilities. This might be a vulnerability in an upload script, but I want to point out that it is also possible to "upload" files through SQL injection; see the following thread for more details.
This happened to me a while back in different manners. A work account was compromised through phpBB via a code exploit. Somehow, they even added themselves into the mySQL db users table. That caused us to completely remove the program and discontinue use.
An old Joomla install was the vulnerability that allowed people to do exactly what you speak of to my personal site. I had forgotten it was even out there, but it was enough to open the door for them to install malicious code on several different sites. I took the site down, changed permissions, updated Joomla, and scrubbed files.
My current production server gets "sniffed" for phpMyAdmin more than 1000 times per hour during some peak hack attempts. The bad guys are working overtime!
Bottom line, be wary of open source code and if you do use it, update, update, update.
I don't think that the problem is that you are using a shared host because I have found six others (degmsb, Benvolio, joomla01, DJ-Alien, valerione1979, and Kars) whose websites had the same script added. Also, it is doubtful that any of your files would be writable by others because files that are uploaded over FTP are subject to the file creation mode bits mask.
My best guess is that someone is cracking websites using either known exploits or exploits against common weaknesses, and that this person is identifying likely targets with Google hacking. degmsb's Wordpress website and Benvolio's Burning Board Lite website were likely cracked via known exploits (possibly known exploits of plugins to these software bases such as TinyMCE), and your website, since you wrote it yourself, was likely cracked via an exploit against a common website weakness.
Given that you allow file uploads (one of your PHP scripts accepts & saves files that are uploaded by your users), I would consider CWE-434: Unrestricted Upload of File with Dangerous Type. A CWE-434 exploit works like this: suppose you allow users to upload avatar images or pictures. The script to which uploaded images are POSTed might save the file to /images using the same filename that the user supplied. Now imagine that someone uploads x76x09.gif.php (or x76x09.gif.asp, x76x09.gif.php4, etc.). Your script will dutifully save this upload to /images/x76x09.gif.php and all that the cracker needs to do to have the server run this script is browse to /images/x76x09.gif.php. Even if the file is named x76x09.php.gif, some web servers will execute the file.
Another possibility is that the filename of the upload that PHP receives, $_FILES['upload']['name'], which is the filename value in the Content-Disposition header that is sent, was constructed to something like ..\modules\x.gif. If your script saved the newly-uploaded file to str_replace('\\', '/', '/images/' . basename($_FILES['upload']['name'])), or /images/../modules/x.gif on a non-Windows host (http://codepad.org/t83dYZwa), and there was some way for the user to cause one of your PHP scripts to include or require any script in the modules directory (say index.php?module=x.gif&action=blah), then the cracker would be able to execute arbitrary PHP.
EDIT: It looks like x76x09.php is some sort of unrestricted directory browser and file uploader. If a user manages to get this uploaded to your server, then they can basically do anything that you can do with your FTP access. Delete it.
EDIT2: Look for copies of this PHP source (the part gzuncompress(base64_decode("HJ3H...geFb//eeff/79z/8A"));). Remove it from all of your PHP scripts.
EDIT3: Googling parts of the PHP script, I have found several webpages where this source is listed verbatim, and all of these pages have something to do with file uploading functionality for the respective websites. It therefore seems very likely that the hacker of your website used a CWE-434 exploit.
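The upload handler pattern that the answer above describes, written out as an added example (this is not code from the question or from any of the answers). The first version is the vulnerable one: it keeps the client-supplied filename, so both x76x09.gif.php and the ..\modules\x.gif traversal go through exactly as described. The second version is a hardened replacement, followed by a safe way to handle the ?module= include. The directory names, the "upload" form field, the image allow-list and the module table are assumptions for illustration.

```php
<?php
// Added example, not from the original page. /images, /var/www/uploads,
// the "upload" field and the allow-lists below are assumptions.

/* --- Vulnerable: trusts the client-supplied filename (CWE-434 + traversal) --- */

// Computes the path the vulnerable script would write to, without touching
// disk, so the two attacker-controlled names from the answer can be tried.
function vulnerable_dest(string $clientName): string
{
    // On a non-Windows host basename() only strips '/' components, so
    // "..\modules\x.gif" survives intact; the backslash-to-slash replacement
    // then turns it into a traversal out of /images. A name ending in .php
    // is kept verbatim and will be served by the PHP handler.
    return str_replace('\\', '/', '/images/' . basename($clientName));
}

function save_upload_vulnerable(array $file): string
{
    $dest = vulnerable_dest($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

/* --- Hardened replacement --- */

function save_upload_hardened(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not a real upload');
    }
    // Decide the type from the bytes, never from $file['name'] or $file['type']
    // (both come straight from the request).
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException("rejected: not an allowed image ($mime)");
    }
    // Server-chosen name: random, exactly one known extension, no user input,
    // so neither x76x09.gif.php nor ..\modules\x.gif can influence the path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    // $storeDir is assumed to be outside the document root (or a directory
    // where PHP execution is switched off), so a misclassified file is never run.
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);
    return $name;   // persist this and serve the file through a script that sets Content-Type
}

/* --- The include side: ?module= must not select arbitrary files --- */

function load_module(string $requested): void
{
    // Fixed table of module names; "x.gif" or "../anything" can never match,
    // so no uploaded file is reachable through include/require.
    $modules = ['home' => 'home.php', 'profile' => 'profile.php'];
    if (!isset($modules[$requested])) {
        throw new InvalidArgumentException('unknown module');
    }
    require __DIR__ . '/modules/' . $modules[$requested];
}

// Show what the vulnerable path computation does with the two names from the
// answer; the hardened handler would have thrown on both.
foreach (['x76x09.gif.php', '..\\modules\\x.gif'] as $n) {
    printf("%-20s -> %s\n", $n, vulnerable_dest($n));
}

// Real request handling (only when run under a web server with a posted file).
if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    echo save_upload_hardened($_FILES['upload'], '/var/www/uploads');
}
```

The "even x76x09.php.gif gets executed" case comes from Apache's mod_mime multi-extension handling when PHP is wired up with AddHandler: every dotted segment is examined, so .php anywhere in the name is enough. Keeping uploads out of the document root, or putting `php_admin_flag engine off` in a `<Directory>` block for the upload folder, closes that hole regardless of how the filename check is written.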
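For the clean-up step in EDIT2 (find every PHP file that carries the gzuncompress(base64_decode("...")) loader and remove it), here is an added scanner; it is not code from the answers. It walks a web root, reports file and line for each match, and can decode a payload to a text file for reading without ever passing it to eval(). The web root path, the two extra "variant" patterns and the constructed sample files are assumptions.

```php
<?php
// Added example, not from the original page. Patterns other than the first,
// and the sample files at the bottom, are assumptions/constructed input.

// The first pattern is the exact construct quoted in the answer; the others
// are common variants of the same obfuscation wrapped around eval().
const BACKDOOR_PATTERNS = [
    '/gzuncompress\s*\(\s*base64_decode\s*\(/i',
    '/eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(/i',
    '/preg_replace\s*\(\s*[\'"][^\'"]*\/e[\'"]/i',   // the /e modifier evaluates its replacement
];

// Check one source string; returns true when any pattern matches.
function source_is_suspicious(string $src, array $patterns = BACKDOOR_PATTERNS): bool
{
    foreach ($patterns as $p) {
        if (preg_match($p, $src)) {
            return true;
        }
    }
    return false;
}

// Walk $root and return [path, line, matched text] for every PHP file that
// contains one of the patterns. Read-only: nothing is modified here.
function find_backdoors(string $root, array $patterns = BACKDOOR_PATTERNS): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $f) {
        if (!preg_match('/\.(php\d?|phtml|inc)$/i', $f->getFilename())) {
            continue;
        }
        $src = file_get_contents($f->getPathname());
        foreach ($patterns as $p) {
            if (preg_match($p, $src, $m, PREG_OFFSET_CAPTURE)) {
                $line   = substr_count(substr($src, 0, $m[0][1]), "\n") + 1;
                $hits[] = [$f->getPathname(), $line, $m[0][0]];
                break;
            }
        }
    }
    return $hits;
}

// Extract the base64 blob from a loader and write the decompressed PHP to
// $outFile for inspection. gzuncompress()/base64_decode() only transform
// data; the danger lies in the eval()/include the loader wraps around them,
// which this function never calls.
function decode_payload_for_inspection(string $src, string $outFile): bool
{
    $re = '/gzuncompress\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]/';
    if (!preg_match($re, $src, $m)) {
        return false;
    }
    $raw = base64_decode($m[1], true);
    if ($raw === false) {
        return false;
    }
    $decoded = @gzuncompress($raw);
    if ($decoded === false) {
        return false;
    }
    return file_put_contents($outFile, $decoded) !== false;
}

// Constructed sample input: a clean script and the same script with a loader
// appended, built at runtime so the blob is a genuine gzcompress+base64 payload.
$clean    = "<?php\necho 'hello';\n";
$blob     = base64_encode(gzcompress("<?php echo 'constructed payload'; ?>"));
$infected = $clean . "<?php eval(gzuncompress(base64_decode(\"$blob\")));?>";

var_dump(source_is_suspicious($clean));
var_dump(source_is_suspicious($infected));
$out = sys_get_temp_dir() . '/decoded_payload.txt';
var_dump(decode_payload_for_inspection($infected, $out));

// Usage against a real tree: php scanner.php /var/www/html
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (find_backdoors($argv[1]) as [$path, $line, $text]) {
        echo "$path:$line: $text\n";
    }
}
```

The scanner deliberately only reports; once the infected files are listed, diff them against a known-good copy (version control or a backup taken before the compromise) rather than stripping the appended block with a regex, because the same loader is sometimes inserted more than once per file and the webshell itself (x76x09.php) may have dropped further files with unrelated names.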