Yeah, as I type this, I’m getting hit with an attack. I’m not precisely sure of the motive. I just know that there are two directories on my server that should not be there and the attack appears to be coming through a specific URL. It’s been happening for several days nowIt just started today, according to my server logs, and the attacker is using / attempting to use PHP functions that interact with the shell.

He was also able to grab a whole bunch of data about my server as you can see from the above-linked code. I have my suspicions about how it is getting through, but nothing I can prove just yet. I’m going to look into it and see what I can come up with.

In the meantime, I’m just going to ask nicely that he (assuming this is a guy) please, please stop, and don’t mess up any of my stuff while visiting.

And please take steps to disable certain system-affecting functions in your php.ini file (if you have access).

UPDATE: This crack appears to involve a ShellBOT as well.

UPDATE 2: ShellBOTs are bad. Apparently they open a connection to an IRC server allowing all kinds of nasty things to happen. So hoping nothing serious was compromised.

UPDATE 3: Interesting to know: when working in the shell, your file name does not need to have the ‘proper‘ extension that it would on a web server in order to be executed.

Let’s say you have a plain text file named ‘hello.txt.’ It contains one line: <?php echo 'hello world';?>. In order for this file to run as a web page, it would need to have a .php (or whatever is designated in your server configuration file). But as a shell script, it could have just about any name and still be executed by typing ‘php hello.txt’ at the command line.

In this case, the attacker grabbed (or attempted to grab) a ShellBOT written in Perl from another server (file name b.txt) and execute it by sending the ‘perl b.txt’ after the wget command.

UPDATE 4: I’m pretty sure my suspicions have been confirmed. It seems that at least one other person has had an issue with WP Super Cache opening their server to attack. I suspected this early on, and deleted the plugin and its associated files. As an added measure, I disabled those functions that can execute system commands. So far, so good. I can’t say my server is now secure, but I’m hoping that hole has been filled.