Suspicious File Alert

Posted by CyberDaemon, 05-30-2013, 07:58 PM
Hello everyone, I'm getting an email alert from cPanel about a suspicious file. Here is the content of the email: And below is the content of the file in question, "/tmp/plugin.php". I checked the account and it has Joomla 1.5 installed. Does anyone know what the contents of the file plugin.php are trying to do? I already deleted it, but it returned minutes later. This account has been hosted on the same system for more than a year, but I started getting these warnings yesterday. Thanks

Posted by net, 05-30-2013, 08:31 PM
Moved > Hosting Security and Technology.

Posted by activelobby4u, 05-31-2013, 12:21 AM
Seems like userxpto is testing something in his hosting account. Get an update from him for better clarification. To be on the safer side, chmod to 000 and add an attribute to the file to prevent it from changes.

Posted by CyberDaemon, 05-31-2013, 01:35 AM
Thanks for the reply. I did as recommended and set chmod 000 on the file. As recommended by cPanel, /tmp is mounted noexec. This hosting account is administered by ourselves; anyone has access to it. I imagine it could be a security breach in the old Joomla. We are now proceeding with the update. But I was curious about what the PHP code in this file plugin.php could be trying to do. I examined the file but I could not understand it. Could someone with more knowledge of PHP parse the file and explain the logic of the script?

Posted by activelobby4u, 05-31-2013, 02:15 AM
The script itself can't do any harm, as it simply handles the request parameter, unless it is part of something bigger. But yeah, it's always a good idea to update your Joomla.

Posted by zoid, 05-31-2013, 02:59 AM
The script itself doesn't do a lot. It processes the request array and then, based on a particular logic, base64-decodes one HTTP header and turns it into a PHP eval statement. Here is a more readable version. It does not assign it to anything though, so it won't get executed. It is difficult to say what this should be used for, and it is not necessarily something malicious, but I do agree that this looks rather suspicious (especially the eval part with externally injected code) and requires clarification.
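The pattern zoid describes (untrusted request or header data, base64-decoded and fed to eval, in a PHP file sitting in /tmp) can be hunted for on the rest of the server. The following scanner is an added example written for this thread, not the file the original poster found or any cPanel tool; the sample PHP sources and the signal names are constructed for illustration.

```python
import os
import re

# Signals that together match the file described in the thread: a script that
# reads attacker-controlled input (an HTTP header via $_SERVER, or $_REQUEST),
# base64-decodes it, and hands the result to eval().
SIGNALS = {
    "reads_request_or_header": re.compile(r"\$_(?:SERVER|REQUEST|GET|POST|COOKIE)\s*\[", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    # eval() wrapped directly around a decoder is the classic obfuscation shape.
    "obfuscated_eval": re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)", re.I),
}

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def score_php_source(source):
    """Return the set of signal names present in a PHP source string."""
    return {name for name, rx in SIGNALS.items() if rx.search(source)}


def is_suspicious(source, path=""):
    """True when the file warrants manual review.

    A lone eval() or base64_decode() is common in legitimate code, so only the
    combination untrusted input -> base64_decode -> eval is flagged on content.
    Any PHP source in a world-writable scratch directory (where the thread's
    plugin.php appeared) is flagged on location alone."""
    hits = score_php_source(source)
    combo = {"reads_request_or_header", "base64_decode", "eval"} <= hits
    in_scratch = path.startswith(SCRATCH_DIRS)
    return combo or in_scratch


def scan_tree(root):
    """Walk a directory and return the paths of PHP files worth inspecting."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_suspicious(fh.read(), path):
                        flagged.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return flagged


# Constructed samples (not the thread's file). The first mirrors zoid's description:
# a header is decoded and built into an eval string that is never assigned or run.
SAMPLE_DROPPER = "<?php\n$h = $_SERVER['HTTP_X_DATA'];\n$c = 'eval(' . base64_decode($h) . ');';\n"
SAMPLE_BENIGN = "<?php\n$img = base64_decode($stored_logo);\necho $img;\n"
```

Note that a noexec mount on /tmp only blocks direct execution of binaries there; a PHP file in /tmp can still be included by the web server's PHP interpreter, which is why location alone is treated as a finding.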
